Theatre

Why Cybersecurity Should be Earlier in the Design Cycle

Watch Now

20:05

EOC 2025

Login to Watch

Jeridiah Welti

Jeridiah is a Systems and Software Engineer based in Benchmark's Winona, Minnesota location. He serves as Benchmark's cybersecurity lead in the design engineering group, where he champions cybersecurity design practices and processes across the organization. During his tenure with Benchmark, he has led software development for multiple connected medical devices. Jeridiah also serves as an exam developer for the NCEES engineering and ISC2 cybersecurity licensing boards. He maintains a CSSLP certification among several other professional certifications, holds a B.S. in Computer Engineering from Kettering University, and is currently pursuing an MS in Engineering Management from Arkansas State University.

View full profile

Topics Covered

Security Design Cycle

Theatre

Why Cybersecurity Should be Earlier in the Design Cycle

Jeridiah Welti

20:05 EOC 2025

Jeridiah Welti

20:05

An exploration and justification of why cybersecurity needs to be an upfront consideration in design projects. The author examines the benefits of incorporating secure design early and integrating it throughout the entire lifecycle, as well as the drawbacks of postponing it until the end. Key considerations include budget, time to market, and overall security of the final product.

1 / 4

Please log in or create an account to test your knowledge and see the answers.

What is the primary practical reason the speaker gives for integrating cybersecurity at the start of the design cycle?

A It forces the development team to focus exclusively on security, which may delay feature delivery.

B It reduces rework and testing, leading to faster time-to-market and lower overall cost.

C It guarantees absolute security so the product will never be breached.

D It allows security to be completely deferred to a specialized team at project end.

E It eliminates the need for threat assessments later in the lifecycle.

Which relationship among threat, vulnerability, and risk did the speaker emphasize?

A The three terms are interchangeable and have no meaningful distinction.

B A vulnerability plus a risk equals a threat.

C A threat plus a vulnerability equals a risk.

D A risk is simply another word for an attacker.

E Removing the threat is always possible and therefore sufficient to remove risk.

What did the speaker recommend regarding operating system functions to reduce attack surface?

A Keep a stock OS and simply disable unneeded features at runtime to save development time.

B Custom-build the OS and remove unneeded functions rather than just disabling them.

C Use a full-featured stock OS but rely solely on network perimeter defenses to protect it.

D Permanently relax OS security during development so engineers can iterate faster in production builds.

E Avoid considering OS footprint; add external hardware to handle any security needs later.

When performing a threat assessment, what initial approach did the speaker advise?

A Begin coding security controls into firmware immediately before assessing physical interfaces.

B Start at the outside of the box and work in, examining every physical interface as a potential leverage point.

C Assume external systems are trustworthy and focus only on internal software vulnerabilities.

D Defer all threat analysis until after penetration testing at the end of development.

E Add as many communication interfaces (USB, Ethernet, BLE, Wi‑Fi) as possible to ensure flexibility.

Formatting help

italics	surround text with asterisks
bold	surround text with two asterisks
hyperlink	[hyperlink](https://example.com) or just a bare URL
inline code	surround text with single `backticks`
code block (multi-line)	wrap on its own lines with three backticks: ``` your code here ```
~~strikethrough~~	surround text with ~~two tilde characters~~
quote	prefix with >

Upvotes Newest Oldest

datamstr

Score: 0 | 1 year ago | no reply

Excellent presentation!

Nikos-veevue

Score: 0 | 1 year ago | no reply

Thanks for the talk! Among others, I found very unique and interesting the connection between early cybersecurity <-> simple design <-> improved battery life! I'm also 100% with you in your central message: cybersecurity should be a priority from the beginning.

bboniface

Score: 0 | 1 year ago | 1 reply

Hi Jeridiah, thanks for the talk! I'd like your take on the initial steps that should be taken to start addressing cybersecurity in the product development process, specifically for medical device development? Thanks.

JeridiahSpeaker

Score: 0 | 1 year ago | 1 reply

Can you clarify your question a little? Are you asking specifically first steps in any development process, or how do we start shifting the attitude(s) on cybersecurity in the process?

bboniface

Score: 0 | 1 year ago | 1 reply

What initial steps should be taken to go from a state of not addressing cybersecurity at all in a medical device design to making it a part of the product development process? Understandably this also requires a culture shift, but I'm more interested in the tangible process and potential compliance related considerations.

JeridiahSpeaker

Score: 0 | 1 year ago | 1 reply

Great question. If you have nothing now, I would highly recommend "Medical Device Security for Engineers and Manufacturers by Wirth, Gates and Smith". Excellent book on the topic and will help you to figure out what you know and what you don't. At the end of the day cybersecurity processes are largely risk management processes and if you have a risk management process in place you will see a lot of overlapping activities just with different names.
The FDA has a great guidance document on what they are looking for. https://www.fda.gov/media/119933/download
Reading that over will give you a good starting point of what they are looking for in a submission. They say "guidance" but it's really pretty mandatory now, and be assured they will bump you if you try to gloss over it.
Please reach out jeridiah.welti@bench.com and would love to discuss further how we can possibly help you.

bboniface

Score: 0 | 1 year ago | no reply

Very helpful! Thank you.

glennk

Score: 0 | 1 year ago | no reply

Very timely topic. Thanks for the talk, Jeridiah!

Partners & Sponsors

CodeSecure

atym

embedd.it

IAR

Become a Sponsor