N° 01
IEC 81001-5-1
Health Software Product Lifecycle Security · Health software, Security activities in the product life cycle
Global · IEC

Overview

An international standard that defines the security activities to be performed throughout the entire lifecycle of health software, from requirements and design through implementation, verification, release, maintenance and decommissioning. Security is built in from the design phase rather than assessed only at the end.

Recommended Tests

  • Threat modeling and security requirements definition
  • Security design verification (SAST/DAST)
  • Vulnerability assessment and penetration testing
  • SBOM creation and verification
  • Security update process review
Threat Modeling · SAST/DAST · Vulnerability Assessment · SBOM
N° 02
ETSI EN 303 645
Cyber Security for Consumer IoT · Cyber Security for Consumer Internet of Things: Baseline Requirements
EU · ETSI

Overview

A European standard that defines a security baseline for consumer IoT devices. It specifies 13 provisions, each mixing mandatory ("shall") and recommended ("should") requirements, including a ban on universal default passwords, a published vulnerability disclosure policy and a software update mechanism, plus a separate clause on protecting personal data.

Recommended Tests

  • Universal default password check (credentials must be unique per device or set by the user)
  • Vulnerability Disclosure Policy (VDP) establishment check
  • Software update mechanism verification
  • Data protection (encryption) testing for stored and transmitted data
  • Attack surface minimization and unnecessary port inspection
IoT Security · VDP · Update Security · Encryption Verification
N° 03
EN 18031-1/2/3
EU Radio Equipment Cybersecurity Requirements · Common security requirements for radio equipment
EU · CEN-CENELEC

Overview

A harmonised European standard series that gives presumption of conformity with the cybersecurity essential requirements of the EU Radio Equipment Directive (RED) 2014/53/EU, Article 3(3)(d), (e) and (f), as activated by Delegated Regulation (EU) 2022/30. Those requirements apply to in-scope radio equipment placed on the EU market from 1 August 2025.

Series Components

  • EN 18031-1 Network protection (Art. 3(3)(d): internet-connected radio equipment must not harm the network or misuse its resources)
  • EN 18031-2 Privacy protection (Art. 3(3)(e): radio equipment that processes personal data, including childcare devices, toys and wearables)
  • EN 18031-3 Fraud prevention (Art. 3(3)(f): internet-connected radio equipment that handles virtual money or monetary value)

Recommended Tests

  • Access control and authentication mechanism testing
  • Secure communication channel (TLS/DTLS) verification
  • Software update security mechanism inspection
  • Stored data and transmitted data protection verification
  • Vulnerability disclosure and patch management process review
RED · Access Control · Encryption Verification · Update Security · Privacy Protection
N° 04
UL 2900-1 / 2900-2-1
Software Cybersecurity for Network-Connectable Products
USA · UL

Overview

A U.S. standard series for evaluating the cybersecurity of network-connectable products. UL 2900-1 states the general requirements for software in such products; UL 2900-2-1 adds particular requirements for network-connectable components of healthcare and wellness systems, i.e. medical devices.

Series Components

  • UL 2900-1 General Network-Connectable Products
  • UL 2900-2-1 Medical Device Specific

Recommended Tests

  • Fuzz testing (all network interfaces)
  • Static source code analysis (SAST)
  • Known vulnerability (CVE) matching
  • SBOM-based software composition analysis
  • Access control and authentication mechanism testing
Fuzz Testing · SAST · CVE Matching · SBOM
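The "SBOM creation and verification" test under IEC 81001-5-1 and the "known vulnerability (CVE) matching" and "SBOM-based software composition analysis" tests under UL 2900 come down to the same mechanics: check that the SBOM is complete enough to match on, then compare each component's version against the affected ranges in an advisory feed. The following is an added example written for this page, not tooling from UL, IEC or any SCA vendor. The CycloneDX-style SBOM fragment, the component names and the advisory IDs are all constructed placeholders, and the affected-range semantics (introduced inclusive, fixed exclusive, missing fixed means unpatched) are an assumption of the example rather than any feed's documented format.

```python
"""
Added example: SBOM-based known-vulnerability matching. The SBOM fragment and
the advisory feed are constructed for this example; component names and
advisory IDs are fictitious placeholders, not real products or CVEs.
"""
import json
import re

# Constructed CycloneDX-style SBOM fragment (fictitious components).
# The last component deliberately lacks a purl to show the completeness check.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "acme-tls", "version": "3.0.12",
     "purl": "pkg:generic/acme-tls@3.0.12"},
    {"type": "library", "name": "widget-parser", "version": "1.2.11",
     "purl": "pkg:generic/widget-parser@1.2.11"},
    {"type": "library", "name": "example-http", "version": "8.10.0",
     "purl": "pkg:generic/example-http@8.10.0"},
    {"type": "library", "name": "shell-utils", "version": "1.36.1"}
  ]
}
"""

# Constructed advisory feed (assumed format): affected range is
# [introduced, fixed). A missing "fixed" means no patched release exists yet.
VULN_FEED = [
    {"id": "ADV-EXAMPLE-0001", "name": "widget-parser",
     "introduced": "1.2.0", "fixed": "1.2.12", "severity": "HIGH"},
    {"id": "ADV-EXAMPLE-0002", "name": "acme-tls",
     "introduced": "3.0.0", "fixed": "3.0.10", "severity": "CRITICAL"},
    {"id": "ADV-EXAMPLE-0003", "name": "example-http",
     "introduced": "8.9.0", "fixed": None, "severity": "MEDIUM"},
]

SEVERITY_ORDER = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}


def version_key(version, width=4):
    """Turn '1.10.2' into a zero-padded tuple (1, 10, 2, 0) so that numeric
    comparison is used: '1.10' must sort above '1.9' (string comparison gets
    this wrong) and '1.2' must equal '1.2.0'. Non-numeric suffixes such as
    '-rc1' are ignored."""
    nums = []
    for part in re.split(r"[.\-+]", version):
        m = re.match(r"\d+", part)
        if not m:
            break
        nums.append(int(m.group()))
    nums = nums[:width]
    return tuple(nums) + (0,) * (width - len(nums))


def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed, or version >= introduced
    when no fixed release exists."""
    v = version_key(version)
    if v < version_key(introduced):
        return False
    return fixed is None or v < version_key(fixed)


def validate_sbom(sbom_json):
    """SBOM completeness check: every component needs a name, a version and a
    package URL, otherwise it cannot be matched reliably against advisories.
    Returns a list of (component name, missing fields)."""
    bom = json.loads(sbom_json)
    problems = []
    for comp in bom.get("components", []):
        missing = [f for f in ("name", "version", "purl") if not comp.get(f)]
        if missing:
            problems.append((comp.get("name", "<unnamed>"), missing))
    return problems


def match_sbom(sbom_json, feed):
    """Return advisories that match SBOM components, most severe first."""
    bom = json.loads(sbom_json)
    findings = []
    for comp in bom.get("components", []):
        if not comp.get("name") or not comp.get("version"):
            continue  # reported by validate_sbom; cannot be matched
        for adv in feed:
            if adv["name"] == comp["name"] and is_affected(
                    comp["version"], adv["introduced"], adv["fixed"]):
                findings.append({"component": comp["name"],
                                 "version": comp["version"],
                                 "id": adv["id"],
                                 "severity": adv["severity"],
                                 "fixed_in": adv["fixed"]})
    findings.sort(key=lambda f: SEVERITY_ORDER.get(f["severity"], 9))
    return findings


if __name__ == "__main__":
    for name, missing in validate_sbom(SBOM_JSON):
        print(f"SBOM incomplete: {name} is missing {', '.join(missing)}")
    for f in match_sbom(SBOM_JSON, VULN_FEED):
        fix = f["fixed_in"] or "no fix available"
        print(f"{f['severity']:8} {f['id']} {f['component']} {f['version']} "
              f"(fixed in: {fix})")
```

The version comparison is the part that goes wrong most often in home-grown SCA scripts: comparing version strings lexically reports 1.10 as older than 1.9, and treating "1.2" and "1.2.0" as different values silently drops matches at range boundaries. The unpatched case is kept explicit because an advisory with no fix is exactly what the security update process review in these standards has to track.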
N° 05
OWASP Top 10
Top 10 Web Application Security Risks · Open Worldwide Application Security Project
Global · OWASP

Overview

A regularly updated awareness document that ranks the ten most critical categories of web application security risk (categories built from groups of CWEs, not individual vulnerabilities). Here it is applied to the web-based management interfaces of medical devices, cloud integration APIs, and similar components.

Recommended Tests

  • Injection (SQL, OS command, LDAP) testing
  • Authentication and session management flaw inspection
  • Sensitive data exposure verification
  • Security misconfiguration assessment
  • API security and SSRF testing
Web Penetration Testing · API Security · Authentication Audit · DAST
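The injection test listed above checks whether user input can alter a query's logic. The following added example, written for this page and not taken from OWASP, shows the defect and the fix side by side: a login lookup that splices input into the SQL text, and the same lookup with bound parameters, both run against an in-memory SQLite database constructed here. The table, the two users and the payload are all constructed for the demonstration.

```python
"""
Added example: an injection-vulnerable login lookup beside its parameterised
form, run against an in-memory SQLite database built here for the demonstration.
"""
import sqlite3


def make_db():
    """Constructed sample data. Real systems store password hashes, not
    plaintext; the point here is the query, not the credential storage."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, "
                 "username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("alice", "correct horse"), ("bob", "battery staple")])
    conn.commit()
    return conn


def find_user_vulnerable(conn, username, password):
    """CWE-89: user input is spliced into the SQL text, so a password value
    such as  ' OR '1'='1  rewrites the WHERE clause. Because AND binds tighter
    than OR, the query becomes
        (username = 'nobody' AND password = '') OR '1'='1'
    which is true for every row."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}' ORDER BY id")
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, username, password):
    """Hardened: the statement text is fixed and the values travel as bound
    parameters, so the same payload is compared literally as a password
    string and matches nothing."""
    sql = ("SELECT username FROM users WHERE username = ? AND password = ? "
           "ORDER BY id")
    return [row[0] for row in conn.execute(sql, (username, password))]


def demo():
    """Run a legitimate login and the injection payload through both
    versions and return the rows each one yields."""
    conn = make_db()
    payload = "' OR '1'='1"
    return {
        "legit_vulnerable": find_user_vulnerable(conn, "alice", "correct horse"),
        "attack_vulnerable": find_user_vulnerable(conn, "nobody", payload),
        "legit_safe": find_user_safe(conn, "alice", "correct horse"),
        "attack_safe": find_user_safe(conn, "nobody", payload),
    }


if __name__ == "__main__":
    for case, rows in demo().items():
        print(f"{case:18} -> {rows}")
```

The same payload is what a DAST scanner or manual tester submits in the password field; the vulnerable function authenticates as every user in the table, the parameterised one authenticates nobody. Escaping quotes by hand is not an acceptable fix because it must be redone for every database dialect and every new sink; binding parameters removes the problem class.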
N° 06
CWE Top 25
Most Dangerous Software Weaknesses · Common Weakness Enumeration (CWE) Top 25
Global · MITRE

Overview

An annually published ranking of the 25 most dangerous software weakness types, compiled by MITRE's CWE program from the CWEs assigned to publicly reported vulnerabilities and weighted by how often each appears and how severe the resulting vulnerabilities are. During source code analysis, findings are classified by CWE identifier and prioritized against this list.

Recommended Tests

  • Buffer overflow and memory safety inspection
  • Improper input validation (CWE-20) analysis
  • Path traversal and command injection testing
  • Improper privilege management inspection
  • Static analysis (SAST) based CWE mapping
SAST · Memory Safety · Input Validation · Code Analysis
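Path traversal (CWE-22) is one of the weaknesses the list above asks testers to look for, and it is a good illustration of why a "fix" must be checked against more than the one payload that found the bug. The following added example, written for this page and not from MITRE or the CWE project, puts a vulnerable file-serving helper beside a hardened one that resolves the final path and requires it to stay under the base directory. The directory tree, the file contents and the symlink are constructed in a temporary directory for the demonstration; the example assumes a POSIX filesystem where symlinks can be created.

```python
"""
Added example: CWE-22 path traversal, the vulnerable file-serving helper beside
a hardened one that confines the resolved path to a base directory. The test
tree (including a symlink that points outside it) is constructed here.
"""
import os
import tempfile


def read_file_vulnerable(base_dir, user_path):
    """Vulnerable: os.path.join discards base_dir entirely when user_path is
    absolute, '..' segments walk out of the tree, and a symlink inside the
    tree is followed wherever it points."""
    with open(os.path.join(base_dir, user_path), "rb") as f:
        return f.read()


def resolve_safely(base_dir, user_path):
    """Hardened: resolve the final path (following symlinks and '..') and
    require it to lie inside base_dir. os.path.commonpath is used instead of
    startswith() because '/srv/public_evil' starts with '/srv/public' as a
    string but is not inside it as a path."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError(f"path escapes base directory: {user_path!r}")
    return target


def read_file_safe(base_dir, user_path):
    with open(resolve_safely(base_dir, user_path), "rb") as f:
        return f.read()


def build_tree():
    """Constructed layout:  <root>/public/index.html   (meant to be served)
                            <root>/secret.txt          (must never be served)
                            <root>/public/link -> <root>/secret.txt"""
    root = tempfile.mkdtemp()
    public = os.path.join(root, "public")
    os.makedirs(public)
    with open(os.path.join(public, "index.html"), "wb") as f:
        f.write(b"<h1>hello</h1>")
    with open(os.path.join(root, "secret.txt"), "wb") as f:
        f.write(b"device-admin-token")
    os.symlink(os.path.join(root, "secret.txt"), os.path.join(public, "link"))
    return root, public


def demo():
    """Exercise both helpers with a legitimate path and three escape
    attempts: '..' traversal, an absolute path, and a symlink."""
    root, public = build_tree()
    results = {
        "legit_vulnerable": read_file_vulnerable(public, "index.html"),
        "traversal_vulnerable": read_file_vulnerable(public, "../secret.txt"),
        "symlink_vulnerable": read_file_vulnerable(public, "link"),
        "legit_safe": read_file_safe(public, "index.html"),
    }
    attempts = [("traversal", "../secret.txt"),
                ("absolute", os.path.join(root, "secret.txt")),
                ("symlink", "link")]
    for name, path in attempts:
        try:
            read_file_safe(public, path)
            results[name + "_safe"] = "allowed"
        except PermissionError:
            results[name + "_safe"] = "blocked"
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:22} -> {outcome!r}")
```

Three variants are checked on purpose. A fix that only strips `..` from the input still loses to an absolute path (which `os.path.join` honours over the base directory) and to a symlink planted inside the served tree, and a check written as `target.startswith(base)` still loses to a sibling directory whose name merely begins with the base name. Resolving with `realpath` before comparing handles all of them.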