Skip to content

Automate software testing for medical devices

AI-automated fuzz testing solution by Code Intelligence helps developers keep critical bugs out of their code and ensure compliance with FDA’s and MDR’s testing requirements. 
industry-medical-devices-placeholder-cropped-small
TRUSTED BY
google-2015-3Deutsche_Telekom_2022 1-3bosch-logo-simple 1-2Secunet_Security_Networks_Logo-2Continental_AG_logo 1-2Cariad_Logo-2ETAS-Logo-2

The role of fuzz testing in medical device cybersecurity

Fuzz testing is highly recommended by several American and European standards and guidance for medical devices cybersecurity. Non-compliance with these documents may lead to the denial of market approval.
 
The most important guidance documents advocating for fuzz testing:
 
  • Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions by the U.S. Food and Drug Administration (FDA)
  • AAMI TIR 57:2016 Principles For Medical Device Security - Risk Management
  • Guidance on cybersecurity for medical devices (MDCG 2019-16) by the European Commission and the Medical Device Coordination Group
  • IEC 81001-5-1 Health software and health IT systems safety, effectiveness and security. Part 5-1: Security — Activities in the product life cycle.

FDA’s requirements for medical device security

Download the free white paper to discover: 

  • Key documents on USA cybersecurity requirements for medical devices
  • Fuzzing’s role in the FDA’s guidance on cybersecurity and AAMI TIR 57:2016
  • When manufacturers need to comply with the FDA’s security requirements
  • Why fuzzing is highly recommended for testing medical devices.
1200x627_text-1 (2)
1200x627_text-1 (2)

FDA’s requirements for medical device security

Download the free white paper to discover: 

  • Key documents on USA cybersecurity requirements for medical devices
  • Fuzzing’s role in the FDA’s guidance on cybersecurity and AAMI TIR 57:2016
  • When manufacturers need to comply with the FDA’s security requirements
  • Why fuzzing is highly recommended for testing medical devices.

Three reasons to use fuzzing for testing medical devices

Fuzz testing is widely used for testing embedded systems, not only for compliance reasons. Learn more about why fuzzing is a must in testing medical devices. 
CIFuzz-1-1
Detect critical issues
 
These include buffer overflows, memory corruption and other bugs relevant to memory-unsafe languages such as C/C++.
Fuzzing analyzes code dynamically. This ensures zero false positives - a finding is a finding.
CISpark-2
Uncover issues as early as you have executable code
 
Fuzz testing that analyzes source code can be integrated into the development process to test your code automatically as soon as you have an executable program - at the unit, integration, and system testing stages.
CIFuzz-3
Increase code coverage to up to 100%
 
Source code fuzzers leverage feedback about the software under test to reach the highest code coverage. Thus, you know how much of your code actually was executed during a test and what needs additional testing.

Fuzz Testing with Code Intelligence

Automate your software testing for medical devices with an AI-driven fuzzing platform. Ensure compliance with FDA’s and MDR’s testing requirements.
Examples of CWEs uncovered

Find what others miss – and get it fixed

Find safety and security issues like memory corruption, crashes, and runtime bugs. CI Fuzz automatically generates thousands of test scenarios to examine your code during runtime, pinpointing exactly where bugs are hidden and what triggers them. That helps quickly reproduce and fix issues.
Click here to see the full list of vulnerabilities you can find with CI Fuzz.
CWE-119 Improper Restriction of Operations Within the Bounds of a Memory Buffer CWE-416 Use After Free
CWE-823 Use of Out-of-Range Pointer Offset CWE-476 NULL Pointer Dereference
CWE-786 Access of Memory Location Before Start of Buffer CWE-590 Free Memory Not on the Heap
CWE-680 Integer Overflow to Buffer Overflow CWE-362 Signal Handler Race Condition
CWE-466 Return of Pointer Value Outside of Expected Range CWE-366 Race Condition Within a Thread
CWE-787  Out-of-Bounds Write CWE-367 Time-of-Check Time-of-Use (TOCTOU) Race Condition
CWE-125 Out-of-Bounds Read CWE-368 Context Switching Race Condition
CWE-129 Improper Validation of Array Index CWE-421 Race Condition During Access to Alternate Channel
CWE-193 Incorrect Calculation of Buffer Size CWE-1223 Context Switching Race Condition
CWE-193 Off-by-One Error CWE-662 Improper Synchronization
CWE-195 Signed to Unsigned Conversion Error CWE-758 Reliance on Undefined, Unspecified, or Implementation-Defined Behavior
CWE-839 Numeric Range Comparison Without Minimum Check CWE-562 Return of Stack Variable Address
CWE-843 Access of Resource Using Incompatible Type ("Type Confusion") CWE-587 Assignment of a Fixed Address to a Pointer
CWE-1257 Improper Access Control Applied to Mirrored or Aliased Memory Ranges CWE-588 Attempt to Access Child of a Non-Structure Pointer
CWE-190 Integer Overflow or Wraparound CWE-1102 Reliance on Machine-Dependent Third-Party Components
CWE-20 Improper Input Validation CWE-1105 Insufficient Encapsulation of Machine-Dependent Functionality
CWE-415 Double Free    

From start to findings – with one command

Save up to 1.000 hours of manual work by launching and running fuzz tests with a single command.  Spark, an AI Test Agent, will automatically run fuzz tests until it meets your pre-defined code coverage goal.
AI Test Agent

Don’t just comply – make your product robust

By using CI Fuzz, you not only comply with the FDA's and MDR's cybersecurity requirements but also implement state-of-the-art testing technology used by companies like Google and Microsoft. Thus, you deliver higher-quality products that your customers have complete confidence in.
“Fuzz testing is state-of-the-art for testing robustness. Although you can write your own tests, you can never perform as many random and denial-of-service tests as you can with fuzzing. You must perform fuzz testing to prove to the FDA that your device is reliable and that the most common bugs are caught.”
Verana Wieser
Verena WieserMedical Device Consultant, Lorit Consultancy
"Testing our embedded software with white-box fuzzing by Code Intelligence helped us achieve better, more secure code. We wouldn't achieve this with black-box fuzzers."
Senior Embedded Engineera MedTech company
“One of the biggest advantages of instrumented fuzz testing is that you can execute your code in a Software-in-the-Loop simulator. My favourite part of instrumented fuzzing is that finding the root cause is so easy, and for a manager, it means I can save budget.”
Michael von Wenckstern 2024
Michael Von WencksternProduct Cybersecurity Governance, Risk and Compliance Specialist, Continental AG
"Thanks to Code Intelligence fuzzing approaches, our security testing became significantly more effective. All our developers are now able to fix business critical bugs early in the development process, without false-positives."

 

Andreas Weichslgartner
Andreas WeichslgartnerSenior Technical Security Engineer, CARIAD
”Code Intelligence helps developers ship secure software by providing the necessary integrations to test their code at each pull request, without ever having to leave their favorite environment. It's like having an automated security expert always by your side.”
thomas-dohmke
Thomas DohmkeCEO, GitHub

See AI-Automated Fuzz Testing In Action

 

Book your free demo with one of our senior engineers now and take the first step towards robust, secure software development with Code Intelligence.

  • Automate software testing for embedded systems.
  • Detect critical bugs & vulnerabilities early in the development.
  • Uncover only actual issues without false positives.
  • Enable developers to reproduce & fix issues in minutes, not weeks.
  • Ensure compliance with industry standards.

Frequently asked questions

What is fuzz testing again?

Fuzzing is a dynamic application security testing method used for finding functional bugs and security issues in software. During a fuzz test, a program gets executed with invalid, unexpected, or random inputs, with the aim to crash the application. Fuzzing is proven highly effective for testing embedded systems like medical devices. Learn more about fuzzing in this blog post.

Does fuzzing integrate into CI/CD pipeline?

Yes, the integration allows automatically test your software with every pull request. This ensures regressions and release blockers are identified long before reaching production.

We regularly do penetration testing. How does fuzzing contribute to pentests?

Do fuzz testing first to identify all possible issues automatically, view the percentage of code covered, and identify parts of the software requiring targeted pentest. Thus, you can optimize the efforts of penetration testers by focusing on areas untouched by fuzzing.


Useful resources

Vector

Fuzzing in FDA’s requirements for medical device security

Learn about the United States Food and Drug Administration’s cybersecurity requirements for medical devices and how fuzz testing plays a role in compliance.  

Vector

Testing Medical Devices: Why Fuzzing is a Must 

The FDA and the European Commission are pushing for additional security measures for medical devices, including fuzz testing. Download the guide to learn why fuzzing is becoming a necessity.

Vector

Securing medical devices: role of fuzz testing in cybersecurity

Discover how fuzz testing addresses the 59% rise in medical device vulnerabilities in 2023. Learn why the FDA and European Commission recommend this method to enhance patient safety and device security.