Product Security Incident Response Team (PSIRT)

In networked products, open source and commercial 3rd party libraries are integrated especially for the implementation of interfaces. Due to their high distribution in the field, security vulnerabilities in these libraries affect a large number of products and are therefore consistently exploited by attackers. In order to ensure the cybersecurity of these products over the product life cycle, it is therefore imperative to track and assess reports of potential security vulnerabilities in a timely manner so that PSIRT can respond to the potential vulnerabilities with appropriate measures.

Services

embeX offers the following services for PSIRT on behalf of customers at an unrivalled level of security:

  • Consulting on the structure and processes for PSIRT
  • Automated monitoring of security vulnerabilities in 3rd party libraries
  • Notification of potential security vulnerabilities in products
  • Assessment of vulnerabilities for relevance and criticality to products
  • Elimination of vulnerabilities - provided that the code is available

Service Level (SLA) for Product Maintenance

SLA 1: Standard Monitoring

  • Monitoring
  • Automated notification

SLA 2: Advanced Monitoring

  • Monitoring according to SLA 1
  • Analysis of monitoring results by experts
  • Filtering according to relevance and product affiliation
  • Notification with qualified assessment of possible impact of vulnerability

SLA 3: Supported Product, also according to IEC 81001-5-1

  • Monitoring and analysis according to SLA 1-2
  • Assessment according to CVSS
  • Analysis on the basis of source code and system descriptions, optionally also safety (SLA 3S)
  • Filtering according to relevance and product affiliation
  • Qualified report on possible impact of the vulnerability

SLA 4: Maintained Product, also according to IEC 81001-5-1

  • Monitoring and reporting according to SLA 1-3
  • Optionally for safety applications (SLA 4S)
  • Closing the vulnerability by revising the source code
  • If necessary: Revision of the product documentation such as the risk analysis

Your Advantages

  • You relieve your development team of time-consuming routine tasks.
  • You access the competence of the embeX experts.
  • For security reasons, a cloud solution that stores code and vulnerability together is not used.
  • Response times and scope of notifications are regulated in individual customer agreements.
  • Optional black- / whitelisting
  • Communication is always encrypted in two possible ways.

Standards and Directives

We work to the following standards and directives among others

  • IEC 62443: “Industrial communication networks - Network and system security”
  • IEC 29147: “Information technology - Security techniques - Vulnerability disclosure”
  • Guidance by Medical Device Certification Group MDCG 2019-16: “Guidance on Cybersecurity”
  • Guidance by Medical Device Certification Group MDCG - Draft: „Principles and Practices for Software Bill of Materials for Medical Device Cybersecurity” (2022)
  • Guidance by FDA: “Cybersecurity in Medical Devices: ... Premarket Submissions; Draft Guidance for Industry and Food and Drug Administration Staff” (2022)
  • Guidance by FDA: “Postmarket Management of Cybersecurity in Medical Devices”
  • IEC 81001-5-1: “Health software and health IT systems safety, effectiveness and security”

Who to contact

psirt(at)embeX.de

For secure communication please use the Open PGP Public Key

Fingerprint: 578F D231 14D7 2BE8 DCD2 B41E 706A 46B6 38F2 7C2E

Hash SHA256: 5d95b0e5de56b2ef37d182df120b5f2fdc9e5bb95887c07632330d626cf16205

Contact

Tel.: +49 761 479799-0
psirt(at)embeX.de