Accessing ProdSecDesigner #
Product Security Hub is a web-based tool hosted at https://app.productsecurityhub.com/.
Access to the tool is granted by following the steps in the Product Security Hub – New User Instructions document, which also covers registering your account.
If you have any questions, please contact your Product Security Hub representative or you may also email info@productsecurityhub.com.
Landing Page #
After you successfully authenticate to Product Security Hub you land on the Product Security Hub Landing page, shown below.

To access the product(s) you are working on, click on “ProdSecDesigner” to be taken to “My Product Dashboard”.
General Functions #
Many pages in PSH include the following general capabilities:
- A Navigation bar is available at the top of Product Security Hub providing quick access to the Landing Page, your Product Dashboard, along with your tenant and profile information.
- A Search bar is available to search the page's line items and their details. Type your search criteria and press the Enter key. To clear a previous search, delete the text in the Search bar and press Enter again. Note that the Search function may return results where the search criteria matches a hidden (non-displayed) column.
- To sort the results by a specific field, use the arrow button next to the column you would like to sort by.
- The columns visible on the page can be hidden or displayed using the Settings icon available in the upper right corner.
- Use your internet browser’s zoom out capabilities to display more columns and information in the visible window.
- Where pages in PSH contain more than rows of information, PSH will automatically split the contents into pages which can be advanced using the page navigation presented at the bottom of the page.
- Open-text fields throughout PSH have a limit of 2,000 characters and accept alphanumeric and special characters. Text beyond 2,000 characters is truncated.
Product Dashboard #
If this is the first time your organization is using Product Security Hub, you will be presented with an empty dashboard.
From “My Product Dashboard” you can add new products or work with existing products.
- Click the “+Add a New Product” button to open the Product Details page; complete the required information there to create the new product.
- If you have existing products, identify which product you would like to work on and click the product name to access the Product Details.
Column Definition #
The Dashboard presents the following fields by default:
| Field Name | Description |
|---|---|
| Product | Your Product Name, defined within the Product Details page. Products with multiple versions are grouped together. |
| Version | Your Product Version, defined within the Product Details page. |
| Type | The Product Profile, defined within the Product Details page from a selection of Medical Device – Cloud Connectivity, Medical Device – Networked, Medical Device – Standalone, Medical Device Data System, Medical Device Data System (No Hardware) – Cloud Hosted, Mobile Medical Application, Non-medical Device Product, Other, Software as a Medical Device – Cloud Hosted, and Software as a Medical Device Only (No Hardware) |
| # of Vulnerabilities | Displays the total number of Vulnerabilities listed on the Vulnerabilities page |
| # of Residual Risks | Displays the total number of Residual Risks listed on the Residual Risks page |
| # of Patches | Displays the total number of Patches listed on the Patches page |
| # of KEV | Displays the number of Vulnerabilities on the Vulnerabilities page that appear in CISA’s Known Exploited Vulnerabilities (KEV) catalog. This automated check only covers vulnerabilities that record their CVE ID (Common Vulnerabilities and Exposures identifier); a vulnerability without a CVE ID is never matched. PSH refreshes its copy of the CISA KEV catalog daily. |
| Product Status | The Product Status, defined within the Product Details page. |
| DET | A button to review or edit product details such as name, version, manufacturing location, etc. |
| COM | A button to access the Components page to add or remove product components based on the design. |
| THR | A button to access the Threats page to review and update cybersecurity threats for your product. |
| REQ | A button to access the Requirements page to review and update cybersecurity requirements for your product. |
| SBOM | A button to access the SBOM page to create, modify, import, and export SBOMs (software bill of materials). |
| RSK | A button to access the Risks page to review and update residual cybersecurity risks for your product. |
| VULN | A button to access the Vulnerabilities page to add, track, and manage vulnerabilities for your product. |
| PAT | A button to access the Patches page to add, track, and manage patches for your product. |
| DL | A button to download all the information related to the product into a Microsoft Excel file. |
| VER | A button to clone your product to create a new version. Cloning is limited by the number of product versions allowed in your subscription. |
| REM | A button to delete your product. |
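The “# of KEV” check above depends on two things: the vulnerability actually recording a well-formed CVE ID, and that ID matching an entry in CISA’s catalog. The following is an added example, not code from Product Security Hub, showing how such a check works against a local copy of the catalog. The vulnerability records and the catalog excerpt are constructed sample data; the catalog field names (`cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate`) follow the JSON layout CISA publishes at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json, which a real implementation would fetch and refresh.

```python
"""Added example: matching recorded CVE IDs against a CISA KEV catalog.

Not part of Product Security Hub. The records below are constructed
sample data; the catalog excerpt mimics CISA's JSON layout.
"""
import json
import re
from typing import Optional

# CVE identifiers are "CVE-<4-digit year>-<4 or more digits>".
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")

# Constructed KEV catalog excerpt in CISA's JSON layout (sample data).
KEV_JSON = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "catalogVersion": "2024.01.01",
  "count": 2,
  "vulnerabilities": [
    {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2",
     "dateAdded": "2021-12-10", "dueDate": "2021-12-24"},
    {"cveID": "CVE-2017-0144", "vendorProject": "Microsoft", "product": "SMBv1",
     "dateAdded": "2022-02-10", "dueDate": "2022-08-10"}
  ]
}
"""

# Constructed vulnerability records as a Vulnerabilities page might hold them.
# VULN-002 cites only a vendor advisory and has no CVE ID, so it cannot be checked.
# CVE-2022-12345 on VULN-003 is a hypothetical ID for illustration only.
SAMPLE_VULNS = [
    {"vuln_id": "VULN-001", "cve_id": " cve-2021-44228 ", "title": "Log4j JNDI lookup"},
    {"vuln_id": "VULN-002", "cve_id": "", "title": "Vendor advisory ACME-SA-7 (no CVE assigned)"},
    {"vuln_id": "VULN-003", "cve_id": "CVE-2022-12345", "title": "Hypothetical CVE not in catalog"},
    {"vuln_id": "VULN-004", "cve_id": "CVE-2017-0144", "title": "SMBv1 remote code execution"},
]


def normalize_cve(raw: Optional[str]) -> Optional[str]:
    """Return a canonical 'CVE-YYYY-NNNN' string, or None if empty or malformed.

    Whitespace and case differences are tolerated; anything else (a vendor
    advisory ID, a partial CVE) is treated as 'no CVE ID recorded'.
    """
    if not raw:
        return None
    cve = raw.strip().upper()
    return cve if CVE_RE.fullmatch(cve) else None


def load_kev(json_text: str) -> dict:
    """Index a KEV catalog document by upper-cased CVE ID."""
    catalog = json.loads(json_text)
    return {entry["cveID"].upper(): entry for entry in catalog["vulnerabilities"]}


def kev_check(vulns: list, kev: dict) -> dict:
    """Classify each vulnerability as 'kev', 'not_in_kev', or 'unchecked'.

    'unchecked' is reported separately so that a missing CVE ID is not
    silently counted as 'not exploited'.
    """
    results = {}
    for v in vulns:
        cve = normalize_cve(v.get("cve_id"))
        if cve is None:
            results[v["vuln_id"]] = {"status": "unchecked", "reason": "no valid CVE ID"}
        elif cve in kev:
            entry = kev[cve]
            results[v["vuln_id"]] = {"status": "kev", "cve": cve,
                                     "date_added": entry["dateAdded"], "due": entry["dueDate"]}
        else:
            results[v["vuln_id"]] = {"status": "not_in_kev", "cve": cve}
    kev_count = sum(1 for r in results.values() if r["status"] == "kev")
    unchecked = sorted(k for k, r in results.items() if r["status"] == "unchecked")
    return {"kev_count": kev_count, "unchecked": unchecked, "results": results}


if __name__ == "__main__":
    report = kev_check(SAMPLE_VULNS, load_kev(KEV_JSON))
    print(f"# of KEV: {report['kev_count']}  (unchecked: {report['unchecked']})")
    for vuln_id, r in report["results"].items():
        print(vuln_id, r)
```

The important design point is the third state: a vulnerability without a usable CVE ID is reported as unchecked rather than folded into “not in KEV”, which mirrors the caveat that the automated check only covers vulnerabilities that document a CVE ID.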
From “My Product Dashboard” you can open the Settings modal by clicking the settings wheel icon in the upper right corner of the dashboard. The Settings modal allows you to adjust the Column Configuration to add or remove visible fields, with the following additional fields available:
| Field Name | Description |
|---|---|
| # of Req | The total number of requirements listed on the Requirements page |
| # of Req WIP | The total number of requirements in “WIP” (Work In Progress) Status on the Requirements page |
| # of Req Met | The total number of requirements in “Met” Status on the Requirements page. |
| # of Req Not Met | The total number of requirements in “Not Met” Status on the Requirements page. |
| # of Req N/A | The total number of requirements identified as N/A (not applicable) in the Applicability field on the Requirements page. |
| Manufacturing Location | The Manufacturing Location, defined within the Product Details page. |
| Device Classification | The Device Classification, defined within the Product Details page. |
| Regulatory Submission Type | The Regulatory Submission Type, defined within the Product Details page. |
| Number of Products on the Market | The Number of Products on the Market, defined on the Product Details page. |
| Countries Commercializing the Product | The Countries Commercializing the Product, defined within the Product Details page. |
Product Details #
The Product Details page is displayed after clicking on “+Add a New Product” or clicking on an existing product’s Product Name. The Product Details page allows you to enter or update information related to your product, using the following fields:
| Field Name | Description |
|---|---|
| Product Profile | A drop-down selection to define the type of Product from a selection of Medical Device – Cloud Connectivity, Medical Device – Networked, Medical Device – Standalone, Medical Device Data System, Medical Device Data System (No Hardware) – Cloud Hosted, Mobile Medical Application, Non-medical Device Product, Other, Software as a Medical Device – Cloud Hosted, and Software as a Medical Device Only (No Hardware) |
| Product | An open-text field to enter the Product Name that is used throughout PSH when accessing the Product. |
| Version | An open-text field to indicate the Product Version. |
| Manufacturing Location | An open-text field to indicate the Manufacturing Location(s) for your Product. This field is not mandatory. |
| Device Classification | A drop-down selection to indicate the Device Classification from a selection of Class I, Class II, Class III, MDDS, and non-medical device. This field is not mandatory. |
| Regulatory Submission Type | A drop-down selection to indicate the Regulatory Submission Type, from a selection of 510(k), De Novo, Letter to File, N/A, or PMA. |
| Product Status | A drop-down selection to indicate the current status of the product, from a selection of Concept, Design & Development, Qualification, On Market, End of Support, and Decommissioning. |
| Number of Products on the Market | A number field to identify the Number of Products on the Market. This field is not mandatory. |
| Description of product’s intended use | An open-text field for describing the product and its purpose. |
| Please select all the countries where you intend to or are currently commercializing the product | A drop-down selection of countries to indicate in which countries the Product will be commercialized (i.e., made available). |
| Product Settings: Requirement Dashboard View Preference | A drop-down selection of Ungrouped (default) or Grouped view which allows you to enable Grouped view in the Requirements page as the default view. Refer to the Requirements page section below for more details. |
Click the “Save” button at the bottom of this page to save all information entered or updated on the Product Details page.
Components #
Overview #
The Components page is accessed using the Navigation bar at the top of the screen after accessing a Product or by clicking on the COM icon within the Product Dashboard.
This page displays the Components that have been added to your product.
On this page, manually add your product’s components by clicking “+Add a New Component” and selecting a component from the drop-down menu. You may also adjust the component’s name using the Component Name field.
Click the Add button to add the component to your product. As components are added to the component list, corresponding threats and security requirements will be generated and added to the Threats and Requirements pages.
Additional Details #
- You can also build custom components by selecting “Other” from the components drop-down menu. Note that the “Other” component does not contain any pre-built Threats and therefore no Cybersecurity Requirements.
- Once the Component is listed on the Components page, you can adjust the Component Name, adjust the Hardware or Software indication, and add an Addendum to the component’s Description using the editable text fields.
- If the product design changes, you can easily add or delete components. When a component is deleted, all associated threats, requirements, residual risks, SBOMs, and vulnerabilities will be deleted as well.
Threats #
Overview #
The Threats page displays the list of pre-built threats for our catalog of Components. After selecting Components on the Components page, access the Threats page to review and update the applicability of each threat, based on what is relevant to your product’s design.
Each Threat has a unique ID number along with a description of the Threat, its potential risk impact and the recommended cybersecurity Requirement(s) to eliminate or mitigate it.
Review and update the Applicability of every Threat pre-populated from the product’s Components. All Threats default to Applicable = “Yes.” Where a pre-built Threat covers a use case that does not apply to your product, set Applicable to “No.”
In the Threat field, you may optionally add Addendum details to include context or capture considerations for other users to know about the Threat as it applies to your product.
In the Potential Risk Impact field, you may optionally add comments in the “Add Addendum” field related to the potential impact of the threat being realized.
In the Status field, you can optionally record the Status of the Threat: WIP, Mitigated, Eliminated, Partially Mitigated, or Unmitigated. This field is useful for tracking and summarizing each Threat’s Status in terms of its implemented Requirements and any associated Residual Risks. Typically you revisit the Threats page to update this field after progressing through design and development and completing the work on the Requirements and Risks pages (described further in these instructions).
If there are custom Threats you would like to add, click on the “+Add a New Threat” icon. A pop-up will appear with information to fill out to create a new threat. Note that custom Requirements are also added using this same pop-up window and at the same time as adding a new Threat. Once the required information has been entered, click “Add” and the Threat will be added to the list as a custom Threat. The fields available for adding custom Threats using the “Add New Threat” pop-up window are as follows:
| Field Name | Description |
|---|---|
| Threat | An open-text field to indicate a brief description of the threat identified. |
| Component | Select the relevant product Component from this drop-down selection. |
| Potential Risk Impact | Select the relevant STRIDE category for the Threat (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, or Elevation of Privilege). |
| Risk | An open-text field to define the Risk for the Threat. |
| Requirement | An open-text field to define the Cybersecurity Requirement that should be implemented to eliminate or mitigate the Threat. |
Additional Details #
- If a Threat’s Applicable field is set to “No,” the associated requirements are removed from the Requirements field on the Threats page, and the requirements traceable to that Threat are removed from the Requirements page.
- Advanced import and editing features using Microsoft Excel are available and described further below.
Column Definition #
The Threats page presents the following fields by default:
| Field Name | Description |
|---|---|
| Threat | A brief description of the threat identified. The Threat field also includes the Threat Unique Id generated for each threat which is traceable to the Cybersecurity Requirements and also to applicable Residual Risks. Optionally add addendum details to include context or capture considerations for other users to know about the Threat. |
| Component | Provides traceability to the unique Component ID along with the Component Name identified in the Components page. |
| Applicable | A drop-down selection of Yes or No to indicate if the Threat is applicable to the Product. |
| Potential Risk Impact | A detailed description of the resulting cybersecurity risk identified and its STRIDE category (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, or Elevation of Privilege). |
| Risk Addendum | Additional notes for the cybersecurity risk identified. Note that this addendum is the same field as the “Residual Risk” addendum field on the Residual Risks page. |
| Cybersecurity Requirement Mapping | Lists the ideal cybersecurity requirements/controls by PSH Requirement ID number that would mitigate or eliminate the Threat and associated Risk. You can hover-over each Requirement to see the Requirement’s details in a pop-up. |
| Req Met | Automatically populated with Requirement IDs that are marked as Status = “Met” with Applicability = “Yes” on the Requirements page. |
| Req Not Met | Automatically populated with Requirement IDs that are marked as Status = “Not Met” with Applicability = “Yes” on the Requirements page. |
| Req N/A | Automatically populated with Requirement IDs that are marked as Applicability = “No” on the Requirements page. |
| Vuln ID | Automatically populated with Vulnerability IDs where a Vulnerability on the Vulnerability Mgmt page has been linked to the Threat. |
| CRA ID | Automatically populated with Cybersecurity Risk IDs where cybersecurity Risks on the Residual Risks page trace to the Threat. This traceability is based on Requirement IDs that are marked as Status = “Not Met” with Applicability = “Yes” on the Requirements page, which automatically creates a Residual Risk and associated ID. |
| Patch ID | Automatically populated with Patch IDs where a Patch on the Patch Mgmt page has been linked to the Threat. |
| Status | A drop-down selection to indicate the Status of the Threat, such as WIP, Mitigated, Eliminated, Partially Mitigated, or Unmitigated |
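The Req Met / Req Not Met / Req N/A columns, the residual risks that PSH creates for applicable Not Met requirements, and the “# of Req …” counters on the Product Dashboard are all derived from the same two Requirements-page fields, Status and Applicability. The following added example (not the product’s code) reproduces that roll-up over constructed requirement records, for instance to cross-check the figures against the Excel download. The record layout, the CRA-nnn numbering, and the status heuristic in `suggest_status` are this example’s own assumptions; PSH leaves the Threat Status as a manually set field.

```python
"""Added example: deriving Threats-page traceability columns and dashboard
counters from Requirements-page Status and Applicability values.

Not part of Product Security Hub. Records are constructed sample data;
the CRA ID format and the status heuristic are assumptions of this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Requirement:
    req_id: str
    threat_id: str
    applicable: bool   # Applicability field: True = "Yes", False = "No"
    status: str        # Status field: "Met", "Not Met", or "WIP"


# Constructed sample: two threats, five requirements.
SAMPLE_REQUIREMENTS = [
    Requirement("REQ-101", "THR-10", True, "Met"),
    Requirement("REQ-102", "THR-10", True, "Not Met"),
    Requirement("REQ-103", "THR-10", False, "WIP"),   # Applicability = No
    Requirement("REQ-201", "THR-20", True, "Met"),
    Requirement("REQ-202", "THR-20", True, "Met"),
]


def trace_threat(threat_id: str, requirements: list) -> dict:
    """Populate the Req Met / Req Not Met / Req N/A columns for one Threat.

    Applicability = "No" wins over Status, matching the page: a requirement
    marked not applicable lands in Req N/A whatever its Status says.
    """
    cols = {"req_met": [], "req_not_met": [], "req_na": [], "req_wip": []}
    for r in requirements:
        if r.threat_id != threat_id:
            continue
        if not r.applicable:
            cols["req_na"].append(r.req_id)
        elif r.status == "Met":
            cols["req_met"].append(r.req_id)
        elif r.status == "Not Met":
            cols["req_not_met"].append(r.req_id)
        else:
            cols["req_wip"].append(r.req_id)
    return cols


def residual_risks(requirements: list) -> list:
    """One residual risk per applicable requirement with Status = "Not Met".

    The CRA-nnn identifier format is this example's convention, not PSH's.
    """
    risks = []
    for r in requirements:
        if r.applicable and r.status == "Not Met":
            risks.append({"cra_id": f"CRA-{len(risks) + 1:03d}",
                          "req_id": r.req_id, "threat_id": r.threat_id})
    return risks


def suggest_status(cols: dict):
    """Heuristic mapping of the traceability columns onto the Threat Status
    values named on the page. This rule is the example's own; PSH keeps the
    field manual. Returns None when nothing applicable traces to the threat,
    which should be reviewed by hand rather than auto-filled.
    """
    if not (cols["req_met"] or cols["req_not_met"] or cols["req_wip"]):
        return None
    if cols["req_wip"]:
        return "WIP"
    if cols["req_not_met"] and cols["req_met"]:
        return "Partially Mitigated"
    if cols["req_not_met"]:
        return "Unmitigated"
    return "Mitigated"


def dashboard_counts(requirements: list) -> dict:
    """The '# of Req ...' columns: WIP / Met / Not Met count by Status,
    N/A counts by Applicability, as the dashboard field definitions state."""
    return {
        "req": len(requirements),
        "req_wip": sum(1 for r in requirements if r.status == "WIP"),
        "req_met": sum(1 for r in requirements if r.status == "Met"),
        "req_not_met": sum(1 for r in requirements if r.status == "Not Met"),
        "req_na": sum(1 for r in requirements if not r.applicable),
    }


if __name__ == "__main__":
    for threat in ("THR-10", "THR-20"):
        cols = trace_threat(threat, SAMPLE_REQUIREMENTS)
        print(threat, cols, "->", suggest_status(cols))
    print("residual risks:", residual_risks(SAMPLE_REQUIREMENTS))
    print("dashboard:", dashboard_counts(SAMPLE_REQUIREMENTS))
```

Note that a requirement with Applicability = “No” still carries whatever Status it had, so the dashboard’s “# of Req WIP” and “# of Req N/A” counters can both include it; the per-threat columns, by contrast, place it only under Req N/A.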
The following fields may be optionally added to the Threat page using the Settings button:
| Field Name | Description |
|---|---|
| CVSS Score | Automatically populated with the CVSS Score defined for the cybersecurity Risk on the Residual Risks page that traces to the Threat. |
| Notes | An open-text field to optionally add any general notes or comments for any Threat. |
| CWE Mapping | The Common Weakness Enumeration (CWE) identifier mapped for each Threat. CWEs are published by the MITRE Corporation and are available at https://cwe.mitre.org/. |
| CWE | The Common Weakness Enumeration (CWE) identifier + CWE title mapped for each Threat. |
| Chained Attack | Displays a predefined consideration if the Threat can be chained to other attacks. |
| Design Feature Mitigation | Summarizes ideal features and mitigations that would mitigate or eliminate the threat and risk and is useful for quick planning. The features listed in this field do not describe any confirmed, implemented controls for the Product. |