Re: [External] Re: SearchSecurity: Medical Devices and Software Security

["Goertzel, Karen [USA]" <goertzel_karen () bah com>]

Ever since I read an article about the challenges of remote laser surgery being done by doctors at the Naval Hospital 
in Bethesda, MD, via satellite link on wounded soldiers in Iraq, I've been warning for years about the need to apply 
software assurance principles to the development and testing - and SCRM to the acquisition - of medical devices and 
their embedded software. I'm delighted to see someone with your influence start warning those who confuse software 
correctness and safety with software security of the potential havoc that can potentially be wrought by malevolent 
actors as these little widgets become increasingly networked and even Internet-accessible.

What I want to know is this: When is someone who can actually make a difference going to FINALLY figure out the real 
potential hazards of the Internet of Things. Certain physical systems and devices really should NEVER be connected to 
the public Internet - e.g., most Industrial Control Systems, all medical devices, any plane, train, or automobile. And 
others really never NEED to be Internet-connected. I mean, do we really, REALLY need to be able to access our 
refrigerators or washing machines over the Web? Aren't we all growing obese enough without making things so bloody 
convenient that we needn't even walk the 20 feet from the bedroom to the kitchen or laundry room to program the coffee 
maker or start another rinse cycle?

Manufacturers of the latter need to stop trying so bloody hard to "improve" products that no longer need improvement. 
There does come a time when a technology goes as far as it can go - and any further attempts to "improve" it are either 
purely cosmetic, unnecessary, or dangerous. I wish all these manufacturers who waste their times trying to invent a 
better toaster would, instead, invent something entirely new to solve a problem that hasn't already been solved quite 
adequately for many decades. No wonder American manufacturing is no longer competitive. All they do is continually 
rearrange deck chairs on the Titanic to improve the view as the boat sinks, instead of inventing a new means of 
transportation that actually CANNOT be taken down by an iceberg.


===
Karen Mercedes Goertzel, CISSP
Senior Lead Scientist
Booz Allen Hamilton
703.698.7454
goertzel_karen () bah com

"Answers are easy. It's asking the right questions which is hard."
- The Doctor

________________________________________
From: SC-L [sc-l-bounces () securecoding org] on behalf of security curmudgeon [jericho () attrition org]
Sent: 06 July 2014 01:21
To: Gary McGraw
Cc: Chandu Ketkar; Secure Code Mailing List
Subject: [External]  Re: [SC-L] SearchSecurity: Medical Devices and Software Security

On Mon, 30 Jun 2014, Gary McGraw wrote:

: Chandu Ketkar and I wrote an article about medical device security based
: on a talk Chandu gave at Kevin Fu?s Archimedes conference in Ann Arbor.
: In the article, we discuss six categories of security defects that
: Cigital discovers again and again when analyzing medical devices for our
: customers.  Have a look and pass it on:
:
: http://bit.ly/1pPH56p
:
: As always, your feedback is welcome.

Per your request, my feedback:

Why do so many security professionals think we need yet another article on
medical devices that give a high-level overview, that ultimately boils
down to "medical devices are not secure"?

We see these every month or three, and have for a long time. Other than
medical vendors who are very resistent to the idea that their devices have
issues, who is this written for? Who exactly outside medical vendors think
that those devices are secure?

These articles do nothing.. absolutely nothing, to fix problems. They are
bandwagon articles jumping on the 'medical security' wave that has some
attention right now. Everyone writing these articles seems to be
completely new to the medical arena. Most that write this crap that I have
talked to can't speak to any of the history of medical disclosures. Names
like Fu and Halperin are foreign to them, and the importance of 1985 in
the timeline of medical issues is lost on them. If you find yourself
Googling any of those, thanks for proving my point.

This shit is not new. These articles are NOT advancing our field or the
medical field. Sure, you are getting a slice of attention for the issue,
but mostly in our echo chamber.

Finally, your intro. "Since 1996 my company has analyzed hundreds of
systems..." Really? Hundreds? You might want to fix that, else you come
across as complete n00bz in the industry. I've done single engagements
that involved tends of thousands of machines. Perhaps you want to qualify
that to mean hundreds of vendors? Hundreds per months/year?

To illustrate I am not the only one who feels this way:
https://twitter.com/attritionorg/status/485652525589086209

1 minute later:
https://twitter.com/SteveSyfuhs/status/485652988044656640

Seriously, dare to evolve.

.b
_______________________________________________
Secure Coding mailing list (SC-L) SC-L () securecoding org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________

_______________________________________________
Secure Coding mailing list (SC-L) SC-L () securecoding org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________