Codenomicon, the leading fuzz-testing solution provider, announced today that the United States Food and Drug Administration (FDA) is soliciting bids for Codenomicon Defensics. The FDA is developing a cybersecurity laboratory where a fuzz-testing capability is to be integrated. The FDA has deemed Codenomicon Defensics one of the best fuzz-testing solutions on the market, since it provides both ongoing support and top quality output reports.
Codenomicon CEO David Charier said: "This is excellent news for the medical device industry. Cybersecurity for medical devices has been lacking in standardised testing procedures, and the FDA introducing fuzz-testing capabilities is big step forward."
The FDA states that software errors, or bugs, often create vulnerabilities because they cause software to behave differently than intended. The software might crash, making it unavailable, consume all available resources or cause other unpredictable consequences. In the worst case scenario, attackers might be able to trigger the bug in a special way such that they can run their own commands in a system.
Devices used in healthcare increasingly rely on software, and therefore the software quality and reliability must be high. Some bugs are exposed and fixed during the testing phase of a software development process. The bugs that slip past the testing phase without being found or fixed are unknown vulnerabilities which can be triggered after the product release, sometimes with catastrophic results.
In healthcare, devices that use Bluetooth or Wi-Fi for connecting to computers may be vulnerable. These devices include heart rate monitors, insulin pumps, pacemakers and possibly even surgery robots. Their software robustness and quality is therefore paramount, as human lives are at stake.
The best way to discover unknown vulnerabilities is through fuzzing, a negative software testing method that feeds a programme, device or system with malformed and unexpected input data in order to find defects. When software is fuzz-tested proactively, vulnerabilities can be found and fixed before deployment, resulting in more secure and robust, high-quality software. Fuzz-tested products have considerably fewer critical vulnerabilities that need to be patched. This means less cost from patch development and release, less product recalls and ultimately safer medical devices.