Blue Goat Cyber logoBlue Goat CyberSMMedical Device Cybersecurity
    K
    Podcast · Episode 33

    Vulnerability, Penetration & Other Cybersecurity Testing Types Explained

    With MedTech leader - Which cybersecurity tests are the most crucial, and which ones does the FDA require for medical device approval? In this episode, Christian and Trevor break down the many types of cybersecurity testing required for medical devices.

    Christian Espinosa, Founder & CEO at Blue Goat Cyber

    By Christian Espinosa, MBA, CISSP

    Founder & CEO · Blue Goat Cyber

    Listen now

    Key takeaways

    • Vulnerability testing identifies potential weaknesses, often through static analysis, while penetration testing actively exploits these vulnerabilities to assess real-world impact.
    • The FDA requires various testing forms, including Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), and Software Composition Analysis (SCA) to ensure device security.
    • A Software Bill of Materials (SBOM) is crucial for cataloging all third-party and open-source components, as these are a significant source of vulnerabilities.
    • Penetration testing can be categorized by the level of a tester's knowledge: Black Box (no knowledge), Grey Box (partial knowledge), and White Box (full knowledge), with White Box being the most comprehensive for medical devices.
    • For FDA compliance, medical device penetration testing must be conducted by an objective, independent third party.
    • Testing must cover all potential attack surfaces and entry points, including those designed for maintenance or charging, as these are frequently overlooked.
    • Manufacturers must implement abuse case testing to evaluate how a device responds to unintended or malicious inputs, ensuring it fails securely.

    Which cybersecurity tests are the most crucial, and which ones does the FDA require for medical device approval?

    In this episode, Christian and Trevor break down the many types of cybersecurity testing required for medical devices. They explore the distinctions between vulnerability assessments, penetration testing, and other critical methods like fuzz testing, security requirement testing, and dynamic analysis. Along the way, they share real-world examples, FDA compliance insights, and practical tips for ensuring no entry point goes untested.

    Key points: 

    (3:21) Vulnerability vs. Penetration Testing

    • Vulnerability testing identifies issues quickly, while penetration testing digs deeper to exploit them.

    (6:01) Software Composition and Static Analysis

    • Using SBoMs to identify risks in third-party and unknown code.

    • Dangers of insecure, copied code such as hardcoded credentials.

    (10:23) Penetration Testing Types and Abuse Cases

    • Differences between black, gray, and white box testing.

    • Abuse case testing for overlooked or “out of scope” device interfaces.

    (20:44) Fuzz Testing and Security Requirements

    • Fuzz testing for unexpected input handling and potential zero-day vulnerabilities.

    • Security requirement testing, dynamic analysis, and advice on choosing skilled third-party testers.

    Notable quotes

    “Vulnerability testing is about identifying potential weaknesses, often through automated tools and static analysis, similar to creating a map of potential entry points.”
    - Trevor Slattery
    “Penetration testing is the active process of trying to exploit those identified vulnerabilities to determine their real-world impact, simulating the actions of a malicious attacker.”
    - Trevor Slattery
    “A good penetration tester is hands-on keyboard or hands-on the device interacting with it directly trying to have a little bit more of an in-depth approach to really see how far you can take a problem.”
    - Christian Espinosa
    “Engineers don't want to have to reinvent the wheel if there's a code out there for it. That's why software libraries exist. That's why these alternative solutions exist. You shouldn't have to write everything from scratch, but you make sure that what you're using to build this need is safe and secure and you are introducing insecure code into your product.”
    - Christian Espinosa

    Frequently asked questions

    Bring this work to your device

    Need help with sbom management?

    Blue Goat Cyber delivers sbom & supply chain services for medical device manufacturers - from threat modeling to FDA-ready reports.

    SBOM & Supply Chain Services

    More on SBOM Management

    Ready when you are

    Get FDA cleared without the cybersecurity headaches.

    30-minute strategy session. No cost, no commitment - just answers from people who've shipped 250+ FDA submissions.