I would like to remind you that I’ll be participating in a webinar titled “Medical Device Software Security: Leveraging SBOMs and Cross-Industry Practices” next Wednesday at noon EDT/9 AM PDT, sponsored by Medcrypt. I want to point out that, other than the fact that medical devices are regulated by the FDA, there is no real difference, as far as software security is concerned, between medical devices and any other intelligent devices that are used for critical infrastructure purposes. The three participants have already met twice to discuss the content of our presentations, and I can assure you that – other than knowing that “HDO” refers to a hospital organization and “MDM” refers to a medical device maker – you won’t need any medical device background to understand the discussion.
However, I also want to point out that, in case you haven’t noticed from the topics of my posts lately, I’m primarily concerned about vulnerability reporting and identification now, especially in light of what looks more and more like the collapse of the National Vulnerability Database (NVD). SBOMs themselves are still important, but if there isn’t an easy-to-use source of up-to-date vulnerability data available, the primary use case for SBOMs, vulnerability management, becomes moot.

In the webinar, I will focus on questions about how device makers should report vulnerabilities, how they should coordinate reports with their patching schedules, etc. It should be an interesting discussion, and I want to thank Medcrypt for inviting me to participate in it.
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.

I lead the OWASP SBOM Forum, which works to understand and address issues like what’s discussed in this post; please email me to learn more about what we do or to join us. You can also support our work through easy directed donations to OWASP, a 501(c)(3) nonprofit. Email me to discuss that.

My book "Introduction to SBOM and VEX" is now available in paperback and Kindle versions! For background on the book and the link to order it, see this post.