Secure Coding mailing list archives

Re: SearchSecurity: Medical Devices and Software Security


From: security curmudgeon <jericho () attrition org>
Date: Sun, 6 Jul 2014 00:21:38 -0500 (CDT)


On Mon, 30 Jun 2014, Gary McGraw wrote:

: Chandu Ketkar and I wrote an article about medical device security based 
: on a talk Chandu gave at Kevin Fu's Archimedes conference in Ann Arbor.  
: In the article, we discuss six categories of security defects that 
: Cigital discovers again and again when analyzing medical devices for our 
: customers.  Have a look and pass it on:
: 
: http://bit.ly/1pPH56p
: 
: As always, your feedback is welcome.

Per your request, my feedback:

Why do so many security professionals think we need yet another article on 
medical devices that give a high-level overview, that ultimately boils 
down to "medical devices are not secure"?

We see these every month or three, and have for a long time. Other than 
medical vendors who are very resistant to the idea that their devices have 
issues, who is this written for? Who exactly outside medical vendors think 
that those devices are secure?

These articles do nothing.. absolutely nothing, to fix problems. They are 
bandwagon articles jumping on the 'medical security' wave that has some 
attention right now. Everyone writing these articles seems to be 
completely new to the medical arena. Most that write this crap that I have 
talked to can't speak to any of the history of medical disclosures. Names 
like Fu and Halperin are foreign to them, and the importance of 1985 in 
the timeline of medical issues is lost on them. If you find yourself 
Googling any of those, thanks for proving my point.

This shit is not new. These articles are NOT advancing our field or the 
medical field. Sure, you are getting a slice of attention for the issue, 
but mostly in our echo chamber. 

Finally, your intro. "Since 1996 my company has analyzed hundreds of 
systems..." Really? Hundreds? You might want to fix that, else you come 
across as complete n00bz in the industry. I've done single engagements 
that involved tens of thousands of machines. Perhaps you want to qualify 
that to mean hundreds of vendors? Hundreds per month/year?

To illustrate I am not the only one who feels this way:
https://twitter.com/attritionorg/status/485652525589086209

1 minute later:
https://twitter.com/SteveSyfuhs/status/485652988044656640

Seriously, dare to evolve.

.b
_______________________________________________
Secure Coding mailing list (SC-L) SC-L () securecoding org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________