What is an SBOM and why is it important for medical devices?

An SBOM, or Software Bill of Materials, is a comprehensive inventory of all software components used in a product. For medical devices, it's crucial because it provides transparency into the software supply chain, helping identify and manage security vulnerabilities and ensuring regulatory compliance with agencies like the FDA.

Do SBOMs create a security risk by revealing vulnerabilities?

The notion that an SBOM provides a 'playbook for attackers' is a misconception. While an SBOM lists components that might have known vulnerabilities, a transparent and well-managed SBOM demonstrates a proactive security posture. Organizations should focus on addressing identified vulnerabilities rather than withholding SBOMs.

How should organizations prioritize the numerous vulnerabilities found in an SBOM?

Prioritization should go beyond just high CVSS scores. A more effective strategy involves leveraging data from the CISA Known Exploited Vulnerabilities (KEV) list and the Exploit Prediction Scoring System (EPSS) to focus on threats that are actively being exploited in the wild. Reachability analysis, which determines if vulnerable code segments are actually called by the application, is also key to focusing remediation efforts on genuine risks.

What are the unique challenges of managing software security for medical devices?

Medical devices present unique challenges due to the high cost and complexity of post-market remediation. Unlike easily updated software, patching deployed medical devices is difficult and expensive. This makes proactive SBOM management, vulnerability triage, and secure development practices essential from the earliest stages of development.

What role does the FDA play in the use of SBOMs for medical devices?

The FDA now mandates the use of SBOMs for medical devices as part of its regulatory requirements. This is driven by major supply chain incidents and government initiatives, emphasizing the critical role of SBOMs in ensuring the cybersecurity of medical devices throughout their lifecycle.

What is 'Software of Unknown Provenance' (SOUP) and how does it relate to medical device security?

SOUP refers to software components in medical devices whose origin or development process is not fully known or documented. This can complicate SBOM accuracy and security management, making it harder to track and address vulnerabilities. Proactive SBOM efforts aim to minimize SOUP and ensure a clear understanding of all software components.

SBOMs Unpacked: Myths, Risks, & Benefits with Cortez…

By Christian Espinosa, MBA, CISSP

Founder & CEO · Blue Goat Cyber

Listen now

Key takeaways

An SBOM is a formal, machine-readable inventory of all software components in a product, which has become a regulatory necessity for medical devices.
The concern that an SBOM provides a 'playbook for attackers' is a misconception; a transparent and clean SBOM indicates a strong security posture, rather than a liability.
Effective vulnerability prioritization should move beyond basic CVSS scores to focus on evidence of active exploitation, utilizing resources like the CISA KEV catalog and EPSS scores.
Reachability analysis is a crucial method for vulnerability triage, as it determines if a vulnerable function within a third-party library is actually callable and used by the application's code.
Unlike easily updated SaaS applications, patching medical devices in the field is logistically complex and expensive, making proactive security during development paramount.
In addition to identifying security vulnerabilities, SBOMs are critical for managing open-source license compliance, especially with 'copyleft' licenses that can legally obligate a company to open-source its proprietary code.
The FDA now requires SBOMs for medical devices, making their generation and analysis a necessary part of the regulatory process.

Why are Software Bill of Materials (SBOMs) critical for medical device security?

In this episode, Cortez Frazier Jr. joins Christian and Trevor to discuss SBOMs, vulnerability prioritization, and why companies should stop fearing software transparency. The conversation covers real-world security challenges, regulatory trends, and how organizations can protect themselves before a major breach forces them to act.

Cortez Frazier Jr. is a principal product manager at FOSSA, where he helps companies navigate software supply chain security with a mix of technical expertise and strategic foresight.

Key points:

Overview of FOSSA and its role in software composition analysis.
The increasing importance of SBOMs in regulatory compliance.
(10:30) Understanding SBOMs
How the SolarWinds attack changed the conversation around software transparency.
Why some manufacturers are reluctant to release SBOMs.
(20:45) Prioritizing Vulnerabilities
The difference between CVEs and actual exploitability risks.
Why blindly patching everything isn’t an effective security strategy.
(30:20) Legal and Compliance Risks
How open-source licenses can force companies to disclose their source code.
What manufacturers need to do to avoid unexpected legal issues.
(40:50) Future Trends
How hospitals and customers will soon start demanding SBOMs.
Cortez’s advice for companies looking to improve their cybersecurity posture.

Resources mentioned in this episode that you can Google:

Executive Order 14028.
SPDX and CycloneDX - Machine-readable SBOM formats
EPSS (Exploit Predictability Scoring System) - A better way to assess vulnerability risk
CISA Known Exploited Vulnerabilities List - The vulnerabilities that actually matter

Notable quotes

“I like to think about exploitable in a few orders of magnitude. The lowest fidelity is just a CVE in and of itself.”

- Cortez Frazier Jr.

“Cybersecurity 101 is you cannot defend or protect something that you don't know exists. And so getting an accurate and up-to-date inventory is always priority number one.”

- Cortez Frazier Jr.

“Often times we're relying on these third-party software, what they will call the software supply chain, if you will, and that is actually like a big area of risk. A lot of people were not actively paying attention to.”

- Cortez Frazier Jr.

Frequently asked questions

Bring this work to your device

Need help with fda premarket cybersecurity?

Blue Goat Cyber delivers fda premarket cybersecurity services for medical device manufacturers - from threat modeling to FDA-ready reports.

FDA Premarket Cybersecurity Services

SBOMs Unpacked: Myths, Risks, & Benefits with Cortez Frazier Jr.

Key takeaways

Notable quotes

Read the conversation

Frequently asked questions

Need help with fda premarket cybersecurity?

Why MedTech Needs Specialists with Zoltan Kevei and Saby Toth of Bishop & Co

Science Before Hype in MedTech Investing with Varun Turlapati of Chaanakya Capital

De-Risking Product Decisions in MedTech Startups with Brent Lavin of Ironwood MedTech Partners

Who Owns Patient Data Security in Trials with Rob Bedford, CEO of Franklyn Health

Get FDA cleared without the cybersecurity headaches.

SBOMs Unpacked: Myths, Risks, & Benefits with Cortez Frazier Jr.

Key takeaways

Notable quotes

Read the conversation

Frequently asked questions

Need help with fda premarket cybersecurity?

Keep listening

Why MedTech Needs Specialists with Zoltan Kevei and Saby Toth of Bishop & Co

Science Before Hype in MedTech Investing with Varun Turlapati of Chaanakya Capital

De-Risking Product Decisions in MedTech Startups with Brent Lavin of Ironwood MedTech Partners

Who Owns Patient Data Security in Trials with Rob Bedford, CEO of Franklyn Health

Get FDA cleared without the cybersecurity headaches.