Securing Medical Devices, Rethinking OWASP’s Top 10 & BlackDuck CEO Lou Shipley

In this, our 70th episode of The Security Ledger podcast, we speak with Xu Zou of the Internet of Things security startup Zingbox about the challenges of securing medical devices and clinical networks from cyber attack. Also: we take a look at the turmoil that has erupted around the OWASP Top 10, a list of common application security foibles. And finally: open source management vendor Black Duck Software announced that it was being acquired for more than half a billion dollars. We sit down with Black Duck CEO Lou Shipley to talk about the software supply chain and to hear what’s next for his company.

Becton, Dickinson and Company’s (BD) Alaris 8015 Point of Care (PC) is one of the most common tools that hospitals use to program intravenous infusions. But when researchers at the firm Zingbox sat down to assess the security of the platform, what they found was concerning. Among other things, the Alaris ran from software loaded on removable memory chips – not so different from the cards you use to store photos on digital cameras. Zingbox researchers showed how BD allowed anyone with physical access to the Point of Care terminals to swap in their own card, potentially reprogramming the device and gaining access to a hospital’s clinical network.

That kind of thing isn’t unusual. Medical devices are one of the most active fronts in the battle to secure the Internet of Things. But even today hospitals and other clinical environments have few options for securing networks of such devices. In this edition of The Security Ledger podcast, we talk with Xu Zou of the firm Zingbox about his company’s research into medical device security, why healthcare firms are struggling to secure their clinical environments, and what needs to happen to turn the corner on security in clinical settings.

Also this week: when OWASP, the Open Web Application Security Project, proposed a draft to update its Top 10 list of Web application security vulnerabilities earlier this year – the first since 2013 – it wasn’t intended to be controversial. It didn’t turn out that way. The first “release candidate” for the updated list was roundly criticized for veering from a focus on application security risks to recommendations for security controls.

The response was swift and painful: the first draft was rejected, and the group responsible for assembling the list was reconfigured and told to start over. With the recent release of a second try – release candidate 2 – we sat down with John Steven of the firm Synopsys. Steven is a vocal critic of previous attempts to update the list and a lukewarm supporter of the latest release. We talk with him about what’s improved in the latest draft and where the OWASP Top 10 goes from here. Steven tells us that, while the tech industry is overflowing with smart people, it is noticeably short on those willing to stick their neck out and challenge the status quo.

And finally, What the Duck? Two weeks ago, Black Duck Software was a relatively obscure, 15-year-old company that had built a good business helping companies to track and manage their use of open source software. Then Synopsys announced it was buying the Burlington-based Black Duck for a princely $565 million. How does a company that specializes in tracking free and open source software end up being worth more than half a billion dollars? We sat down with Black Duck CEO Lou Shipley on the sidelines of that company’s Flight User event in Boston to find out.

As always: check out our full conversation in our latest Security Ledger podcast above or over at Soundcloud. You can also listen to it on iTunes. As always, if you like our intro music, give some love to the group JoeLess Shoe, who recorded “Baxton,” the song we use in just about every podcast.