MDIC Threat Modeling Bootcamp


In February I was fortunate to be selected to take part in a week long Threat Modeling Bootcamp (4 hours each workday) offered by the Medical Device Innovation Consortium (MDIC) in collaboration with MITRE. It was led by Adam Shostack – a renowned expert on threat modeling – as well as technical and regulatory professionals from the FDA and the medical industry. The project was implemented in collaboration with SMEs from FDA, MITRE, Shostack & Associates as well as MDIC member organizations via a grant from the FDA. It had a human medicine slant with strong relevance to the work I do in my daily job in secure software development.

The objective of the training was to educate those involved with medical device development – encompassing animal diagnostic medical devices, software and services – on how to conduct threat modeling sessions and apply those skills in their organization using a train-the-trainer approach. Threat modeling is the act of analyzing systems and services in order to identify threats that may impact security or privacy, as well as identifying remediation and mitigations for those threats. The bootcamp included intensive, interactive threat modeling sessions, as well as small group sessions with a focus on applying the concepts. There was also a daily supplemental session and a networking event at the end.

The sessions were kicked off by Adam, and small groups then met to apply threat modeling techniques to a hypothetical bike sharing service. The supplemental session focused on threat modeling a hypothetical wearable medical device and the related application and cloud components. The sessions were interactive and very engaging.

One of the outcomes of the workshop is the development of a Medical Device Threat Modeling Playbook, which is slated to be released later this year by MDIC. I’m sure it will be valuable to security organizations and will share it once it is available. The course aligns with one of my 2021 goals of evangelizing secure software and teaching developers to build secure software by design, and so it felt particularly timely and valuable for me.

Below are some links related to the course you might be interested in. Feel free to reach out with any questions or to share similar experiences you may have had!

MDIC Threat Modeling Bootcamp
Medical Device Innovation Consortium
Adam Shostack