    Episode 34 · August 19, 2025 · 29m listen · 2,976 words · ~15 min read

    Vulnerability, Penetration & Other Cybersecurity Testing Types Explained | Ep. 33 - Full Transcript | The Med Device Cyber Podcast

    Read the complete, searchable transcript of Episode 34 of The Med Device Cyber Podcast - expert conversations on medical device cybersecurity, FDA premarket and postmarket guidance, SBOM management, threat modeling, and penetration testing.

    Episode summary

    This episode of The Med Device Cyber Podcast delves into the critical aspects of cybersecurity testing for medical devices, a topic of paramount importance for product security teams, regulatory leads, and engineers. Hosts Trevor Slattery and Christian Espinosa unravel the distinctions between vulnerability testing and penetration testing, explaining how the former identifies potential weaknesses while the latter actively exploits them to uncover deeper vulnerabilities. They explore various testing methodologies, including static and dynamic code analysis, software composition analysis (SCA) for generating Software Bills of Materials (SBOMs), and the nuances of black, gray, and white box penetration testing. The discussion highlights the FDA's expectations for closed-box and white-box testing, emphasizing the need to consider every entry point on a device as in-scope for security assessments. The hosts also shed light on fuzz testing for identifying zero-day vulnerabilities and the importance of security requirement testing to ensure secure functionality. The episode concludes with a strong recommendation for manufacturers to engage experienced third-party partners for comprehensive and FDA-compliant penetration testing, particularly those with expertise in hardware testing. This is crucial for navigating the strict documentation requirements and unique challenges of medical device cybersecurity.

    Key takeaways from this episode

    • Vulnerability testing identifies potential weaknesses, while penetration testing actively exploits those weaknesses to uncover deeper vulnerabilities within a system.
    • Software composition analysis (SCA) is crucial for generating a Software Bill of Materials (SBOM) to identify risks associated with third-party components and potential 'software of unknown provenance' (SOUP).
    • White box penetration testing, where testers have full access to source code and documentation, is the most comprehensive approach for medical devices, though black box testing also offers valuable insights into authentic attack scenarios.
    • The FDA emphasizes abuse case testing, requiring manufacturers to consider how attackers might misuse device interfaces and functionalities, even those seemingly out of scope.
    • Fuzz testing is an effective method for discovering zero-day vulnerabilities by intentionally sending malformed data to identify unexpected application behaviors and memory vulnerabilities.
    • Security requirement testing is essential for verifying that each functional requirement on a medical device adheres to defined security requirements, ensuring secure operation.
    • Medical device manufacturers should engage third-party penetration testing partners with specialized expertise in hardware testing and FDA regulatory requirements to ensure comprehensive and compliant security assessments.

    Full episode transcript

    Welcome back to The Med Device Cyber Podcast. This is going to be an exciting episode. We're talking about the main fun part of cybersecurity that everyone wants to go over, which is cybersecurity testing. I'm your co-host, Trevor Slattery, joined by the other co-host, Christian Espinosa. How are you doing right now, Christian?

    I'm doing well. I think it's interesting you think this is the exciting part. I guess it is. People think penetration testing and testing is sexy, and documentation is boring, typically, in cybersecurity. So maybe that's what you're referring to. I think documentation is sexy because without the documentation, the testing doesn't really matter.

    Yeah, no, that's what I get every time I say, "Yeah, I'm in cybersecurity." They go, "Wow, are you a penetration tester? That's so amazing." No, people usually go, "Oh, cybersecurity. Okay. Yeah. Awesome."

    Well, I'm doing pretty good. I'm a little bit tired. I've recently traveled about 28 hours, I think, from door to door, maybe like 30. Kind of like a six-hour layover in San Francisco. And slept a little bit, and slept in little hour chunks, and yeah, it is what it is. I was 15 hours time difference from where I am today, 15 hours ahead in the future. But that's part of, you know, growing a business and going to conferences and events is like dealing with jet lag.

    Yep. And I guess you're down in Singapore, so I guess you're getting used to the dry heat instead of the humid heat now.

    Yeah, Phoenix is a much drier heat, which is much more tolerable than the Singapore heat, which reminded me of growing up in Arkansas, just the humidity. It was like, it was miserable. I don't miss the humidity at all.

    I feel the opposite way. When I was living in Malaysia, I love the heat. It would be, you know, 95 degrees, 80% humidity all the time. When I go step outside in Phoenix, I mean, we'll start my car. It says it's 125 degrees inside the car. Feels like your soul's leaving your body when you step outside.

    I feel like my soul's leaving my body in the humidity when it's just like sweating out my soul. As soon as I take a shower, you step outside, it's like you lose a pound of sweat in like three minutes in Singapore.

    And you never feel clean. You feel sticky all the time.

    You do. Yes. And I can't sleep in humid either. I remember in Arkansas, actually in St. Louis, I got an ear infection. I'd went camping and I was sweating so much, my ear was like in water the whole time, basically, and I got an ear infection from it. So yeah, I'm not a big fan of humidity.

    Well, there you go. All right, so let's jump into our topic here. We're not talking about humidity. We're talking about our topic today is on cybersecurity testing for medical devices. And kind of what falls under that overall umbrella of cybersecurity testing, which are a lot of things that the FDA asks for and other regulatory authorities ask for. So where do, what do you want to start? Like what is like one of the main types of testing? Maybe we'll start with vulnerability testing. Let's start with that. That's one of the things the FDA asks for. And there's some common misconceptions between vulnerability testing and penetration testing. How would you explain like vulnerability testing first?

    So vulnerability testing, we're really looking for any risks through just various methods of information collection, through threat collection. This can be through automated tooling. This can be through manual review. But we're more looking at problems from, I guess, a static and automated perspective where penetration testing is going to be a little bit more of a dynamic and manual perspective. I think that the line is often drawn a little bit too explicitly between the two, since they often blend together very nicely, and vulnerability testing should be used in many cases as an input into penetration testing. But there is still a distinction in the tooling and in the process there.

    Yeah, and that's a good point. Vulnerability testing, you typically identify the vulnerabilities, and then that is often the first step in penetration testing because you have to identify a vulnerability to exploit it, and then penetration testing takes it a step further to see, once you exploit one vulnerability, what else can you therefore exploit, like once you're in a system or devices, for example.

    Exactly. And a lot of vulnerability assessments, so if we're looking at what the FDA wants to see, we'll pick one of the examples that they want to see, or static and dynamic testing of the source code. And so if we're looking at static testing of the source code, and we identify that we get a bunch of findings back saying they aren't handling any input sanitization in this codebase, and so we're making sure that they are making sure that bad input can't go into an input field, like a username or a password field, then that can be a good clue for the penetration tester to go, "Oh, well, if we're identifying this during the vulnerability testing phase, during our penetration testing phase, we're likely going to want to drill in a little bit deeper to these input fields, and see what we can do with that lack of sanitization."