When developing medical software, you want to make sure it is safe and secure for its users. While looking for guidance, you will sooner or later come across the term OWASP. What is it? Why should you care about OWASP in medical software? And how do you apply its guidelines? Today, we answer all those questions.

TL;DR

One of the reasons you should include OWASP in your medical software is the requirements of the standards you have to comply with. So, what is it?

OWASP (The Open Worldwide Application Security Project) is a nonprofit foundation that helps organisations build and maintain secure software. It offers guides and checklists for building and keeping your medical software secure, such as the Secure Coding Practices Quick Reference Guide and the OWASP Top 10 (a list of the most critical web application security risks).

Following OWASP guidelines is crucial when developing medical software because it helps you build a reliable and secure system, which you have to demonstrate when introducing medical software to the EU or U.S. market. To verify that your system is secure, look at the OWASP verification standards ASVS (for web applications) and MASVS (for mobile applications).

When deploying medical devices in a medical facility, check out the OWASP SMDD, the OWASP Secure Medical Device Deployment Standard.

What is OWASP in medical software?

OWASP stands for The Open Worldwide Application Security Project, a nonprofit foundation aiming to improve the security of software applications. They offer many free tools and documents which support organisations in developing trusted software (source: OWASP).

Although OWASP's material was not written specifically for medical software, it is worth knowing in this context too. When you consider including OWASP guidelines in medical software, you will come across terms such as OWASP Top 10 or OWASP SMDD.

What is the OWASP Top 10?

The OWASP Top 10 is an awareness document describing the current most critical security risks to web applications. It is compiled by security experts worldwide from data gathered from organisations that perform application security testing as a business, bug bounty vendors, and organisations that contribute internal testing data.

What are OWASP Top 10:2021 vulnerabilities?

The current list of security risks dates from 2021. What can you learn from it? The list consists of the following ten risk categories.

  1. Broken Access Control – access restrictions are not enforced properly, so users can act outside their intended permissions, for example by reading or modifying other users' records.

  2. Cryptographic Failures – missing, weak, or misused cryptography, which can expose sensitive data such as health records or lead to system compromise.

  3. Injection – untrusted data is sent to an interpreter (SQL, OS commands, LDAP, etc.) and executed as part of a command or query.

  4. Insecure Design – risks stemming from design flaws and from missing or ineffective threat modelling and risk analysis; no amount of careful implementation fixes a design that is insecure by construction.

  5. Security Misconfiguration – apps are vulnerable due to weak or default settings, unnecessary features left enabled, and missing hardening.

  6. Vulnerable and Outdated Components – risks coming from using outdated, unpatched, or improperly managed software components.

  7. Identification and Authentication Failures – weaknesses in confirming a user's identity and managing sessions, such as permitting weak passwords, allowing credential stuffing, or exposing session identifiers.

  8. Software and Data Integrity Failures – risks from compromised dependencies, insecure CI/CD pipelines, or updates installed without integrity verification.

  9. Security Logging and Monitoring Failures – insufficient logging, monitoring, and alerting, which lets breaches go undetected and hampers the response to active attacks.

  10. Server-Side Request Forgery – attackers make the web app fetch a resource from a URL they control, reaching internal or external systems they could not reach directly.

You can learn more about the above threats and how to prevent them on the OWASP website.
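Two of the risks above, Broken Access Control (A01) and Injection (A03), shown in working code. This is an added example, not code from the original article: each function appears in a vulnerable form beside its hardened form, against an in-memory SQLite database with constructed patient records. The table layout, the clinician names, and the injection payload are assumptions for illustration.

```python
import sqlite3


def build_db():
    """Constructed sample data: two patients, one clinician assigned to patient 1 only."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE patients (id INTEGER PRIMARY KEY, name TEXT, diagnosis TEXT);
        CREATE TABLE assignments (clinician TEXT, patient_id INTEGER);
        INSERT INTO patients VALUES (1, 'Alice', 'Type 2 diabetes');
        INSERT INTO patients VALUES (2, 'Bob', 'Hypertension');
        INSERT INTO assignments VALUES ('dr_smith', 1);
        """
    )
    return conn


# A03 Injection, vulnerable form: the search term is pasted into the SQL text,
# so a value such as  ' OR '1'='1  changes the query and returns every row.
def find_patient_vulnerable(conn, name):
    sql = f"SELECT id, name, diagnosis FROM patients WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


# Hardened form: a parameterised query. The driver sends the value separately
# from the statement, so user input can never alter the query's structure.
def find_patient_safe(conn, name):
    sql = "SELECT id, name, diagnosis FROM patients WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# A01 Broken Access Control, vulnerable form: the query is parameterised, but
# nothing ties the record to the caller, so any logged-in clinician can read
# any patient just by changing the id (an insecure direct object reference).
def get_record_vulnerable(conn, clinician, patient_id):
    sql = "SELECT id, name, diagnosis FROM patients WHERE id = ?"
    return conn.execute(sql, (patient_id,)).fetchone()


# Hardened form: the authorisation check is part of the query itself, so a row
# comes back only if this clinician is assigned to that patient; otherwise the
# function fails closed by raising.
def get_record_safe(conn, clinician, patient_id):
    sql = """
        SELECT p.id, p.name, p.diagnosis
        FROM patients p
        JOIN assignments a ON a.patient_id = p.id
        WHERE p.id = ? AND a.clinician = ?
    """
    row = conn.execute(sql, (patient_id, clinician)).fetchone()
    if row is None:
        raise PermissionError(f"{clinician} is not authorised for patient {patient_id}")
    return row


def authorised(conn, clinician, patient_id):
    """True if the clinician may read that patient's record."""
    try:
        get_record_safe(conn, clinician, patient_id)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    db = build_db()
    payload = "' OR '1'='1"
    print(find_patient_vulnerable(db, payload))  # leaks both patients
    print(find_patient_safe(db, payload))        # [] - payload treated as a literal name
    print(get_record_vulnerable(db, "dr_smith", 2))  # Bob's record, no ownership check
    print(authorised(db, "dr_smith", 1), authorised(db, "dr_smith", 2))  # True False
```

Note that `get_record_vulnerable` already uses a parameterised query: fixing injection does nothing for access control, which is why the Top 10 lists them as separate risks.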

When will OWASP Top 10:2025 be published?

This year, OWASP plans to publish an updated list. The project spent the autumn and winter of 2024 collecting data, and has said to expect OWASP Top 10:2025 in the first half of 2025 (source: OWASP).

The role of ASVS and MASVS in medical software

When developing medical software, you might want to check out the ASVS and MASVS. What are those documents? What’s the difference between them? And how to use them? We will discuss this step by step in the following section.

What is OWASP ASVS?

The OWASP Application Security Verification Standard (ASVS) provides “a basis for testing web application technical security controls and provides developers with a list of requirements for secure development” (source: OWASP).

Its goal is to assist organisations in developing and maintaining secure web applications while enabling security service providers, security tool vendors, and consumers to align their needs and solutions.

The most important thing you should know is that this standard defines three security verification levels, each adding further requirements on top of the previous one.

  • ASVS Level 1 is the minimum all applications should aim for. Achieving it means that your web app defends against vulnerabilities that are easy to discover, including those in the OWASP Top 10.

  • ASVS Level 2 is intended for applications that contain sensitive data and is the recommended level for most apps.

  • ASVS Level 3 is for applications that “perform high-value transactions, contain sensitive medical data, or any application that requires the highest level of trust” (source: OWASP).

In the OWASP Application Security Verification Standard, you will find the requirements you need to meet for the level you are targeting. The document covers the entire development lifecycle, so we encourage you to read it.

What is OWASP MASVS?

The OWASP MASVS (Mobile Application Security Verification Standard) was developed to complement ASVS, focusing on mobile applications. It is aimed at mobile software architects and developers who strive to create a secure app.

In this framework, you will find controls divided into eight groups, each covering one area of mobile app security. They are:

  • secure storage of sensitive data on a device,

  • cryptographic functionality used to protect sensitive data,

  • authentication and authorisation mechanisms used by the mobile app,

  • secure network communication between the mobile app and remote endpoints,

  • secure interaction with the underlying mobile platform and other installed apps,

  • security best practices for data processing and keeping the app up-to-date,

  • resilience to reverse engineering and tampering attempts,

  • privacy controls to protect user privacy (source: OWASP).

We recommend getting to know this standard if you are developing a medical app. You can download the MASVS document here.

What is OWASP SMDD?

OWASP's material covers not only the manufacturers of software but also the organisations that deploy it. So, if you represent a medical facility that wants to integrate medical devices securely, look at the OWASP SMDD.

OWASP SMDD stands for the OWASP Secure Medical Device Deployment Standard, currently at version 2.0. It was developed by the Cloud Security Alliance (CSA), an organisation dedicated to promoting secure cloud computing, in cooperation with OWASP.

The current version of the document was published in 2018. It was written in response to the growing number of networked medical devices being deployed with little attention to security. The guide specifies security controls and requirements for testing, purchasing, and configuring medical devices.

TIP

The newest version of the OWASP SMDD incorporates guidance from the U.S. Food and Drug Administration (FDA). Following this guide might be especially helpful if you represent a U.S. medical facility.

What are the security controls of the OWASP SMDD?

The OWASP SMDD contains security controls for testing, purchasing, and configuring medical devices. They are divided into seven categories:

  1. Purchasing controls – ensure that only devices with adequate security are acquired, through security audits, privacy impact assessments, and an evaluation of the vendor's support.

  2. Perimeter defences – control the flow of information between medical devices and external resources and services. These controls include firewalls, network intrusion detection, and proxy servers/web filters.

  3. Network security controls – seven types of security measures for the network a medical device sits on: network segmentation, internal firewalls, internal network IDS/IPS, a syslog server, log monitoring, vulnerability scanning, and DNS sinkholes.

  4. Device security controls – this part concerns the devices themselves once they are connected to a network, such as infusion pumps, pacemakers, or MRI machines, and lists the security measures you can apply to them.

  5. Interface and central station security – achieved through OS hardening, encrypted data transport, and message security, including the HL7 security standards.

  6. Security testing – the part describing the security testing you might want to perform, such as penetration testing.

  7. Incident response – describes the process of responding to an incident and of rehearsing likely threats in advance (source: CSA).

Do you want to learn more about the OWASP SMDD? You can download the guide here.
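The network security controls above (segmentation, internal firewalls, a syslog server, and log monitoring) only pay off if someone actually checks that traffic matches the segmentation policy. The following is an added example, not code from the SMDD or from the original article: a small Python monitor that reads firewall log lines and reports device-VLAN flows that were accepted despite falling outside the policy, plus dropped attempts per device. The log format, the addresses, the VLAN layout, and the policy (device VLAN may only reach the HL7 interface engine on TCP/2575 and the internal DNS resolver) are all constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed firewall/syslog lines; not real hospital data.
# Device VLAN is 10.10.0.0/16, clinical application VLAN is 10.20.0.0/16.
SAMPLE_LOGS = """\
Mar 10 09:01:02 fw01 kernel: ACCEPT src=10.10.5.21 dst=10.20.1.10 dport=2575 proto=TCP
Mar 10 09:01:05 fw01 kernel: ACCEPT src=10.10.5.21 dst=10.20.1.10 dport=2575 proto=TCP
Mar 10 09:02:11 fw01 kernel: ACCEPT src=10.10.5.21 dst=203.0.113.77 dport=443 proto=TCP
Mar 10 09:02:40 fw01 kernel: ACCEPT src=10.10.5.22 dst=10.20.1.10 dport=2575 proto=TCP
Mar 10 09:03:02 fw01 kernel: DROP src=10.10.5.22 dst=10.30.0.5 dport=445 proto=TCP
Mar 10 09:03:07 fw01 kernel: ACCEPT src=10.10.5.23 dst=10.10.5.1 dport=53 proto=UDP
Mar 10 09:04:15 fw01 kernel: ACCEPT src=10.10.5.23 dst=198.51.100.9 dport=8080 proto=TCP
Mar 10 09:05:00 fw01 kernel: ACCEPT src=10.20.1.10 dst=10.20.1.11 dport=5432 proto=TCP
"""

LINE_RE = re.compile(
    r"(?P<action>ACCEPT|DROP) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)"
)

# Hypothetical segmentation policy for the device VLAN.
DEVICE_VLAN = ipaddress.ip_network("10.10.0.0/16")
ALLOWED_FLOWS = [
    # (destination, port, protocol)
    (ipaddress.ip_network("10.20.1.10/32"), 2575, "TCP"),  # HL7 interface engine (MLLP)
    (ipaddress.ip_network("10.10.5.1/32"), 53, "UDP"),     # internal DNS resolver
]


def parse_line(line):
    """Parse one firewall log line into a dict, or None if it is not a flow record."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["src"] = ipaddress.ip_address(ev["src"])
    ev["dst"] = ipaddress.ip_address(ev["dst"])
    ev["dport"] = int(ev["dport"])
    return ev


def flow_allowed(ev):
    """True if the destination/port/protocol is in the device-VLAN policy."""
    return any(
        ev["dst"] in net and ev["dport"] == port and ev["proto"] == proto
        for net, port, proto in ALLOWED_FLOWS
    )


def analyse(log_text):
    """Return (policy_violations, drops_per_source) for traffic from the device VLAN.

    A violation is a flow the firewall ACCEPTED although the policy does not
    permit it: either a rule gap in the firewall or a device talking to
    somewhere it never should (for example egress to the internet).
    Drops are blocked attempts, such as a device probing SMB on another VLAN.
    """
    violations = []
    drops = Counter()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["src"] not in DEVICE_VLAN:
            continue  # not a flow record, or not from the device VLAN
        if ev["action"] == "DROP":
            drops[str(ev["src"])] += 1
        elif not flow_allowed(ev):
            violations.append((str(ev["src"]), str(ev["dst"]), ev["dport"]))
    return violations, drops


if __name__ == "__main__":
    violations, drops = analyse(SAMPLE_LOGS)
    for src, dst, port in violations:
        print(f"POLICY VIOLATION (accepted): {src} -> {dst}:{port}")
    for src, n in drops.items():
        print(f"blocked attempts from {src}: {n}")
```

Running it flags the two accepted flows to public addresses (port 443 and 8080) as policy violations and reports one blocked SMB attempt from 10.10.5.22. The violations are the more important finding: they mean the firewall rules are looser than the written segmentation policy, which is exactly the gap that log monitoring on a syslog server is there to expose.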

Why is it important to follow the guidelines of OWASP in medical software?

Including yet another guideline in your medical software might seem time-consuming and redundant. However, there are many reasons to keep your device secure. What are some of them?

Regulatory compliance

One of the reasons you should include OWASP in your medical software is the requirements of the standards you have to comply with. The European Union (through the Medical Device Regulation, MDR) and the U.S. Food and Drug Administration (FDA) require that your medical software meet security and privacy requirements. Neither regulator mandates OWASP by name, but its documents are a widely used way of showing that recognised secure development practices were followed.

Are you interested in introducing your medical software to the European market? Read our guide for managers on medical software certification.

Patient’s safety

Your medical software handles sensitive patient data (such as personal health information), which can be compromised if your system is not secure enough. The consequences range from data breaches to improper treatment of patients, which in the worst case can be fatal.

You can read more about GDPR and HIPAA in our article.

Reputation 

As a medical software company looking to work with healthcare practitioners, you need an impeccable reputation. By including OWASP in your medical software, you show that security matters to you.

So, is OWASP still relevant?

Of course! It is a trusted resource for developers and security professionals, providing up-to-date tools, best practices, and frameworks to identify and mitigate common web application vulnerabilities. We advise using it when developing medical software to ensure the safety and security of your app.

OWASP in medical software – where to start?

When you look at all the threats that can affect your software, it can be overwhelming. So, where do you start with OWASP in medical software?

Find the OWASP checklist

One of the things we recommend is looking for an OWASP checklist. You can find many of them throughout the internet, some published on private websites, others on GitHub, but we recommend the list prepared by OWASP itself.

OWASP has prepared the Secure Coding Practices Quick Reference Guide, where you will find an in-depth checklist of the activities OWASP recommends undertaking to ensure your system is secure.

They are divided into 14 categories:

  • input validation,

  • output encoding, 

  • authentication and password management,

  • session management,

  • access control,

  • cryptographic practices,

  • error handling and logging,

  • data protection,

  • communication security,

  • system configuration,

  • database security,

  • file management,

  • memory management,

  • general coding practices.

It might seem like a lot, but it is better to be safe than sorry and to invest time in preventing security breaches.
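Four of the checklist categories (authentication and password management, session management, cryptographic practices, and error handling and logging) in one piece of working code. This is an added example, not code from the OWASP guide or from the original article: passwords are stored as salted scrypt hashes and compared in constant time, session tokens come from the OS CSPRNG and expire, and the login path logs the username but never the password and gives the same answer for an unknown user and a wrong password. The scrypt work factor, the session lifetime, the user names, and the tiny denylist standing in for a breached-password check are illustrative assumptions.

```python
import hashlib
import hmac
import logging
import os
import secrets

log = logging.getLogger("auth")

# scrypt work factor: 128 * n * r bytes = 16 MiB per hash. Illustrative values;
# raise n as your hardware allows.
SCRYPT_PARAMS = {"n": 2 ** 14, "r": 8, "p": 1}
SALT_LEN = 16
SESSION_TTL = 15 * 60  # seconds; kept short for shared clinical workstations

# Constructed stand-in for a breached-password list.
COMMON_PASSWORDS = {"password123", "welcome1", "hospital2024"}


def password_acceptable(password: str) -> bool:
    """Minimum length plus a denylist check, instead of composition rules."""
    return len(password) >= 12 and password.lower() not in COMMON_PASSWORDS


def hash_password(password: str) -> bytes:
    """Return salt || scrypt(password). The password itself is never stored."""
    salt = os.urandom(SALT_LEN)
    digest = hashlib.scrypt(password.encode(), salt=salt, dklen=32, **SCRYPT_PARAMS)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.scrypt(password.encode(), salt=salt, dklen=32, **SCRYPT_PARAMS)
    # Constant-time comparison: response time must not reveal how many
    # leading bytes of the hash matched.
    return hmac.compare_digest(candidate, digest)


# Hashed once at import so that a login for an unknown user still costs one
# scrypt call, keeping its timing indistinguishable from a wrong password.
DUMMY_HASH = hash_password("dummy-password-for-timing")


class SessionStore:
    """In-memory sessions keyed by an unguessable token."""

    def __init__(self):
        self._sessions = {}

    def issue(self, user: str, now: float) -> str:
        # 32 bytes from the OS CSPRNG; never random.random() or a counter.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user, "expires": now + SESSION_TTL}
        return token

    def lookup(self, token: str, now: float):
        """Return the user for a live token, or None (fail closed)."""
        sess = self._sessions.get(token)
        if sess is None:
            return None
        if now >= sess["expires"]:
            del self._sessions[token]  # expired tokens are purged, not kept around
            return None
        return sess["user"]

    def revoke(self, token: str) -> None:
        self._sessions.pop(token, None)


def login(users: dict, username: str, password: str, store: SessionStore, now: float):
    """Authenticate and return a session token, or None on failure.

    Only the username is logged; the password never reaches a log line. The
    failure path is the same for an unknown user and a wrong password, so the
    response cannot be used to enumerate valid usernames.
    """
    stored = users.get(username)
    ok = verify_password(password, stored if stored is not None else DUMMY_HASH)
    if stored is None or not ok:
        log.warning("login failed user=%s", username)
        return None
    log.info("login ok user=%s", username)
    return store.issue(username, now)


if __name__ == "__main__":
    users = {"dr_smith": hash_password("correct horse battery staple")}
    store = SessionStore()
    token = login(users, "dr_smith", "correct horse battery staple", store, now=0.0)
    print("session user:", store.lookup(token, now=60.0))           # dr_smith
    print("after expiry:", store.lookup(token, now=float(SESSION_TTL)))  # None
    print("bad password:", login(users, "dr_smith", "wrong", store, now=0.0))  # None
```

Each password hash carries its own random salt, so two users with the same password get different stored values and a precomputed table is useless; the `SessionStore` looks up a token only while it is unexpired and removes it afterwards, so a leaked token has a bounded lifetime.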

Learn what OWASP Dependency-Check is

Dependency-Check is a Software Composition Analysis (SCA) tool that attempts to detect publicly disclosed vulnerabilities contained within a project’s dependencies (source: OWASP). It identifies the libraries your project uses, matches them against public vulnerability data such as the NVD, and produces a report showing which components have known vulnerabilities, which is a direct countermeasure to the Top 10 risk of vulnerable and outdated components.

Get in touch with a company which works in line with OWASP

Does following the OWASP rules seem intimidating? You can make it easier for yourself by trusting a company to develop your medical software in line with OWASP guidelines. Choosing a reliable company is a challenge of its own. We advise you to check their previous projects and, if possible, ask their clients for their opinions. You can also ask to schedule a meeting with a technical expert.

Do you have questions about OWASP in medical software?

Let’s discuss your idea for a medical app – we’re here to make it safe.
