Application Security Roundup - June
Interesting appsec posts: from medical devices to bridges.
The most interesting #appsec articles I read this month were all about requirements — from medical devices to bridges.
- Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions Draft Guidance for Industry and Food and Drug Administration Staff. The title says it all. Comments due soon.
- Medical Device Security Offers Proving Ground for Cybersecurity Action (Jim Dempsey, Lawfare.) Perspective on a new law passed by the House, and how the draft guidance should be seen from a policy and implementation perspective.
- Engineer who designed Sask. bridge that collapsed hours after opening facing disciplinary hearing (Geoff Leo, CBC.) The client, a “Rural Municipality,” insisted that “no geotechnical investigation should be obtained as the RM was concerned about the additional cost and delay.”
Many of us in cybersecurity are told to avoid what the client thinks is meaningless cost and delay — or worse, told not to look under rocks for fear of what we'll find. Clearer guidance can help, but as Dempsey says in his Lawfare article, a lot is subsumed into the question of what level of risk management is appropriate. Licensed engineers can be sanctioned, which gives them a basis to assert that certain steps are essential. We often lack the data to quantify the probability that specific threats will manifest, or to predict the outcomes when they do, but that doesn't mean we should skip the geotechnical investigation.