Episode 47 · August 19, 2025 · 29m listen · 4,468 words · ~22 min read
Vulnerability, Penetration & Other Cybersecurity Testing Types Explained | Ep. 33 - Full Transcript | The Med Device Cyber Podcast
Read the complete, searchable transcript of Episode 47 of The Med Device Cyber Podcast - expert conversations on medical device cybersecurity, FDA premarket and postmarket guidance, SBOM management, threat modeling, and penetration testing.
Episode summary
In this episode of The Med Device Cyber Podcast, hosts Trevor Slattery and Christian Espinosa provide a comprehensive overview of cybersecurity testing specifically for medical devices. They begin by differentiating between vulnerability testing and penetration testing—two terms that are often used interchangeably but have distinct meanings. Vulnerability testing is described as the process of identifying potential weaknesses, often through automated tools and static analysis, similar to creating a map of potential entry points. Penetration testing, on the other hand, is the active process of trying to exploit those identified vulnerabilities to determine their real-world impact, simulating the actions of a malicious attacker. The hosts emphasize that while people often consider penetration testing the 'sexy' part of cybersecurity, both it and the underlying documentation and vulnerability assessments are critical for creating a secure product.
The discussion delves into the various types of testing required by regulatory bodies like the FDA. This includes Static Application Security Testing (SAST), which analyzes the source code without running it to find coding errors and potential security flaws, and Dynamic Application Security Testing (DAST), which tests the application while it is running. A significant portion of the conversation is dedicated to Software Composition Analysis (SCA) and the creation of a Software Bill of Materials (SBOM). They explain that an SBOM is a complete inventory of all software components, including third-party and open-source libraries, used in a device. This is crucial because these external components are a major source of vulnerabilities, and without a complete inventory, manufacturers cannot effectively manage their risk.
The hosts also detail different methodologies for penetration testing, including Black Box (where the tester has no prior knowledge of the system), Grey Box (partial knowledge, such as user credentials), and White Box (full access to source code and documentation). They recommend a comprehensive White Box test for medical devices to ensure thorough coverage and note that the FDA requires this testing to be conducted by an independent third party for regulatory submissions. They conclude by stressing the importance of testing all interfaces and considering 'abuse cases'—scenarios where the device is used in unintended ways—to build a robust and secure medical device that meets regulatory expectations and protects patient safety.
Key takeaways from this episode
Cybersecurity testing for medical devices is an umbrella term that includes multiple testing types, not just penetration testing.
Vulnerability testing focuses on identifying potential weaknesses, while penetration testing involves actively exploiting those weaknesses to assess real-world risk.
The FDA requires various forms of testing, including Static (SAST), Dynamic (DAST), and Software Composition Analysis (SCA) to ensure device security.
A Software Bill of Materials (SBOM) is essential for listing all third-party and open-source components, as these are a primary source of vulnerabilities.
Penetration testing can be categorized as Black Box (no knowledge), Grey Box (partial knowledge), or White Box (full knowledge), with White Box being the most comprehensive for medical devices.
For FDA compliance, medical device penetration testing must be performed by an objective, independent third party.
Testing should cover all potential attack surfaces and entry points, even interfaces intended only for maintenance or charging, as these are often overlooked.
Manufacturers must consider 'abuse cases'—testing how a device responds to unintended or malicious inputs—to ensure it fails securely.
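As an added illustration of what Software Composition Analysis does with an SBOM (example code written for this page, not tooling from the podcast or its hosts): the script below reads a constructed CycloneDX-style SBOM fragment, normalizes each component to a name and version, and checks every entry against a constructed advisory list using the "introduced <= version < fixed" range convention. The SBOM contents, the ADV-EXAMPLE advisory identifiers, and the simplified version parser (dotted integers plus an optional trailing letter, enough for strings like 1.1.1k) are all assumptions made for the example; a real SCA tool would pull advisories from a live feed and use ecosystem-specific version parsing.

```python
import json
import re
from typing import Dict, List, Tuple

# Constructed sample SBOM in a CycloneDX-like shape. Not from any real device.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "OpenSSL", "version": "1.1.1k"},
        {"type": "library", "name": "zlib", "version": "1.2.11"},
        {"type": "application", "name": "busybox", "version": "1.36.1"},
    ],
})

# Constructed advisory list; ADV-EXAMPLE ids and ranges are hypothetical.
# Range convention: introduced <= version < fixed means the version is affected.
SAMPLE_ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "component": "openssl", "introduced": "1.1.1", "fixed": "1.1.1l"},
    {"id": "ADV-EXAMPLE-0002", "component": "zlib", "introduced": "1.2.0", "fixed": "1.2.12"},
    {"id": "ADV-EXAMPLE-0003", "component": "busybox", "introduced": "1.30.0", "fixed": "1.35.0"},
]

VersionKey = Tuple[Tuple[int, ...], str]


def parse_version(version: str) -> VersionKey:
    """Turn '1.1.1k' into ((1, 1, 1), 'k') so versions compare as tuples.

    Simplified, hypothetical scheme: dotted integers plus an optional trailing
    lowercase letter. Anything else is rejected rather than mis-ordered.
    """
    match = re.fullmatch(r"(\d+(?:\.\d+)*)([a-z]?)", version.strip())
    if not match:
        raise ValueError(f"unsupported version string: {version!r}")
    numbers = tuple(int(part) for part in match.group(1).split("."))
    return numbers, match.group(2)


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """True when introduced <= version < fixed."""
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)


def load_components(sbom_json: str) -> List[Dict[str, str]]:
    """Extract (name, version) pairs from the SBOM; names are lower-cased for matching."""
    sbom = json.loads(sbom_json)
    components = []
    for entry in sbom.get("components", []):
        if "name" not in entry or "version" not in entry:
            # An inventory entry without a version cannot be matched against
            # advisories; surface it instead of silently skipping it.
            raise ValueError(f"component missing name or version: {entry}")
        components.append({"name": entry["name"].lower(), "version": entry["version"]})
    return components


def match_advisories(sbom_json: str, advisories: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Cross-reference every SBOM component against every advisory for that component."""
    findings = []
    for component in load_components(sbom_json):
        for advisory in advisories:
            if advisory["component"].lower() != component["name"]:
                continue
            if is_affected(component["version"], advisory["introduced"], advisory["fixed"]):
                findings.append({
                    "component": component["name"],
                    "version": component["version"],
                    "advisory": advisory["id"],
                    "fixed_in": advisory["fixed"],
                })
    return findings


if __name__ == "__main__":
    for finding in match_advisories(SAMPLE_SBOM, SAMPLE_ADVISORIES):
        print(f"{finding['component']} {finding['version']}: {finding['advisory']} (fixed in {finding['fixed_in']})")
```

With the sample data, OpenSSL 1.1.1k and zlib 1.2.11 are reported and busybox 1.36.1 is not, because it is past the fixed version. The point for SBOM management is the failure mode in load_components: a component with no version is unmatchable, so the inventory has to be complete before the advisory check means anything.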
Welcome back to the Med Device Cyber podcast. This is going to be an exciting episode. We're talking about the main fun part of cyber security that everyone wants to go over, which is cyber security testing. I'm your co-host Trevor Slattery, joined by the other co-host Christian Espinosa. How are you doing right now, Christian?
I'm doing well. I think it's interesting you think this is the exciting part. I guess it is. People think penetration testing and testing is sexy and documentation is boring, typically, in cyber security. So maybe that's what you're referring to.
I think documentation is sexy because without the documentation, the testing doesn't really matter.
Yeah. No, that's what I get every time I say, yeah, I'm in cyber security. They go, wow, are you a penetration tester? That's so amazing. No, people usually go, oh, cyber security, okay.
Yeah. Awesome. Well, I'm doing pretty good. I'm a little bit tired. I've recently traveled about 28 hours, I think, from door to door, maybe like 30. Kind of like a six-hour layover in San Francisco, and slept a little bit, and slept in little hour chunks, and yeah, it is what it is. And I was 15 hours time difference from where I am today, 15 hours ahead in the future. But that's part of, you know, going in business and going to conferences and events, is dealing with jet lag.
Yep. And I guess you were down in Singapore, so I guess you're getting used to the dry heat instead of the humid heat now.
Yeah, Phoenix is a much drier heat, which is much more tolerable than uh the Singapore heat, which reminded me of growing up in Arkansas, just uh the humidity is like is miserable. I don't miss the humidity at all.
I feel the opposite way. When I was living in Malaysia, I loved the heat. It would be, you know, 95 degrees, 80% humidity all the time. When I step outside in Phoenix, I mean, I'll start my car, it says it's 125 degrees inside the car. Feels like your soul's leaving your body when you step outside.
I feel like my soul's leaving my body in the humidity when it's just like sweating out my soul. It's like a shower. You step outside and it's like you lose a pound of sweat in like three minutes in Singapore.
And you never feel clean, you feel sticky all the time.
You do. Yes. And I can't sleep in humidity either. I remember in Arkansas, actually in St. Louis, I got an ear infection. I'd gone camping and I was sweating so much my ear was basically in water the whole time, and I got an ear infection from it. So, yeah, I'm not a big fan of humidity.
Oh, there you go.
All right, so let's jump into our topic here. We're not talking about humidity. Our topic today is cyber security testing for medical devices and what falls under that overall umbrella of cyber security testing, which is a lot of things that the FDA asks for and other regulatory authorities ask for.
So where do you want to start? What is one of the main types of testing? Maybe we'll start with vulnerability testing. Let's start with that. That's one of the things the FDA asks for, and there are some common misconceptions between vulnerability testing and penetration testing. How would you explain vulnerability testing first?
So, vulnerability testing, we're really looking for any risks through just various methods of information collection, through threat collection. This can be through automated tooling, this can be through manual review, but we're more looking at problems from I guess a static and automated perspective where penetration testing is going to be a little bit more of a dynamic and manual perspective.
Um I think that the line is often drawn a little bit too explicitly between the two since they often blend together very nicely. And vulnerability testing should be used in many cases as an input into penetration testing. But there is still a distinction in the tooling and in the process there.
Yeah, and that's a good point. In vulnerability testing you typically identify the vulnerabilities, and then that is often the first step in penetration testing, because you have to identify a vulnerability to exploit it. Then penetration testing takes it a step further to see, once you exploit one vulnerability, what else can you therefore exploit, like once you're in a system or device, for example.
Exactly. And a lot of vulnerability assessments, so if we're looking at what the FDA wants to see, we'll pick one of the examples that they want to see: static and dynamic testing of the source code. And so if we're looking at static testing of the source code and we come back with a bunch of findings saying they aren't handling any input sanitization in this code base, that is, they aren't making sure that bad input can't go into an input field like a username or a password field, then that can be a good clue for the penetration tester to go, oh, well, if we're identifying this during the vulnerability testing phase, then during our penetration testing phase we're likely going to want to drill in a little bit deeper into these input fields and see what we can do with that lack of sanitization. Maybe we can find an injection attack or try to extract some sensitive information through those fields.