ITSPmagazine Podcast Network

Traceability in Cyber Security: Lessons Learned from the Medical Sector | A Conversation with Kostas Papapanagiotou | Redefining CyberSecurity with Sean Martin

Episode Summary

In this episode of the Redefining CyberSecurity Podcast, host Sean Martin talks with Kostas Papapanagiotou about the critical importance of holistic cybersecurity practices for medical devices and the role of regulatory bodies like the FDA. Kostas shares valuable insights on shared responsibility, proactive threat modeling, and how lessons from the medical sector can improve cybersecurity in other industries.

Episode Notes

Guest: Dr. Kostas Papapanagiotou, Advisory Services Director, Census S.A.

On LinkedIn | https://www.linkedin.com/in/kpapapan/

____________________________

Host: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]

On ITSPmagazine | https://www.itspmagazine.com/sean-martin


___________________________


Cybersecurity practices for medical devices are crucial, touching on compliance, patient safety, and the rigorous demands of various sectors such as automotive and financial services. In an insightful conversation between Sean Martin, host of the Redefining CyberSecurity Podcast, and Kostas Papapanagiotou, leader of the advisory service division at Census, several key takeaways emerge. Kostas, who has over 20 years of experience in cybersecurity and application security, underscores the complexity of medical devices.

No longer confined to standalone units, modern medical devices may encompass hardware components, software, connectivity to hospital networks or cloud services, and more. Thus, they require a comprehensive security approach.

Kostas notes that the FDA views these devices holistically, requiring all components to be evaluated for security risks. One of the most significant points highlighted is the concept of shared responsibility. According to Kostas, it is essential for medical device manufacturers to consider how their products integrate with existing hospital networks and what security measures are necessary to protect patient information. This extends to issuing guidelines and documentation for secure network integration, an effort that underscores the necessity of thorough and clear documentation in maintaining cybersecurity standards.

Furthermore, Kostas points out that regulations like the FDA's post-market plan require manufacturers to prepare for the entire lifecycle of a device, including vulnerabilities that may arise years after deployment. He shares real-world examples, such as the challenge of outdated Android versions in medical devices, which can no longer receive security updates and thus remain vulnerable. In addition to compliance, the podcast discusses the shift-left security paradigm, which emphasizes integrating security measures early in the software development lifecycle to prevent costly and difficult fixes later.

Kostas advocates for proactive threat modeling as a tool to foresee potential risks and implement security controls right from the design phase. This approach aligns with the FDA's emphasis on mitigating patient harm as the ultimate priority.

The conversation also touches on how these rigorous requirements from the medical device sector can inform cybersecurity practices in other critical areas like automotive manufacturing. Kostas remarks that the automotive industry is yet to reach the maturity seen in medical device regulations, often grappling with interoperability and supply chain complexities.

This podcast episode offers vital insights and actionable advice for cybersecurity professionals and organizations involved with critical, life-impacting technologies. Engaging discussions such as these underline the importance of regulatory compliance, thorough documentation, and proactive security measures in safeguarding both technology and human lives.

___________________________

Sponsors

Imperva: https://itspm.ag/imperva277117988

LevelBlue: https://itspm.ag/attcybersecurity-3jdk3

___________________________

Watch this and other videos on ITSPmagazine's YouTube Channel

Redefining CyberSecurity Podcast with Sean Martin, CISSP playlist:

📺 https://www.youtube.com/playlist?list=PLnYu0psdcllS9aVGdiakVss9u7xgYDKYq

ITSPmagazine YouTube Channel:

📺 https://www.youtube.com/@itspmagazine

Be sure to share and subscribe!

___________________________

Resources

Traceability in cyber security: lessons learned from the medical sector (Session): https://owaspglobalappseclisbon2024.sched.com/event/1VTbW/traceability-in-cyber-security-lessons-learned-from-the-medical-sector

___________________________

To see and hear more Redefining CyberSecurity content on ITSPmagazine, visit: 

https://www.itspmagazine.com/redefining-cybersecurity-podcast

Are you interested in sponsoring this show with an ad placement in the podcast?

Learn More 👉 https://itspm.ag/podadplc

Episode Transcription

Traceability in Cyber Security: Lessons Learned from the Medical Sector | A Conversation with Kostas Papapanagiotou | Redefining CyberSecurity with Sean Martin

Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.

_________________________________________

Sean Martin: [00:00:00] And hello everybody. You're very welcome to a new redefining cybersecurity podcast. I am Sean Martin, your host, and this is actually an extension of the on location coverage I did for OWASP, the AppSec Global Conference in Lisbon. And, uh, I saw a talk and met Kostas, uh, there at the event and the, the two came together and I was like, I need you on the show. 
 

I need you on the show and Kostas agreed. How are you? I'm very good. Thank you. That's great. It's great to have you on the show. And the title of the talk, just so folks know: Traceability in Cybersecurity, Lessons Learned from the Medical Sector. And for those who know me, uh, know that I kind of dabble in some of the health care stuff for many years now, primarily driven by regulations, HIPAA and HITECH and, and then, uh, some of the frameworks and stuff that [00:01:00] followed and. 
 

Of course, IT systems are one thing, but then when you get into medical devices, it's a whole nother world and the FDA gets involved and there's big cycles and things take forever and because people's lives are at stake, right? So, uh, I'm interested in this talk for a gazillion reasons, and I'm excited to have, uh, Kostas share some of the, some of the information that he shared from, uh, his presentation at OWASP AppSec Lisbon. 
 

So Kostas, it's a pleasure to have you on, uh, can you take a moment maybe and kind of give folks a bit of background on, uh, your journey into the space and what you're currently up to.  
 

Kostas Papapanagiotou: Sure. Yeah. Sean, thanks for having me. It's great to be here in this podcast. It was also great meeting you back in Lisbon. 
 

Uh, really great conference there. Uh, good talks, great discussions, lots of energy by the community. And so, uh, here we are. Few things about me. Uh, I've been [00:02:00] working in the field of cyber security and application security for more than 20 years now. Done a lot of projects, um, uh, in Europe, in the Middle East, uh, also have some customers in the US. 
 

So I have seen pretty much the entire landscape of cyber security. Um, nowadays I'm, uh, leading the advisory service division for Census. I'm based in Athens, Greece. Census is a Greek boutique cyber security firm. We offer services around product security, organizational security, and I'm in charge of advisory services, the consulting part, where we focus a lot on compliance issues. 
 

And, um, we help companies around the world build secure products and secure solutions, which are also compliant to the various regulations. 
 

Sean Martin: Oh yeah. Go ahead, please.  
 

Kostas Papapanagiotou: Um, so I joined Census like one and a half years ago, and, um, we [00:03:00] work in a really startup mode, really aggressive modes, a lot of customers coming in, lots of projects. 
 

And, uh, we, we focus on, um, on two main sectors, three, actually. I mean, we do a lot of engagements around the financial sector, which is really popular, and it has also regulatory requirements that are pretty much well known for so many years now. But we also focus on the automotive sector and the healthcare sector, medical device. 
 

And, uh, I have never been involved before in those sectors. I was doing more, let's say, mainstream stuff. And what surprised me, especially when working with the medical sector, which is regulated primarily by the FDA, uh, where that, uh, was that, uh, the FDA has some really interesting requirements, which seemed very natural to me. 
 

And I was wondering, why don't we do that in all the other sectors, you know, the other products, why don't we treat everything this way? And then I figured out that [00:04:00] these requirements are not something new. They've been around for almost 15 years. And I'm like, Can we, can we learn some things from, from these compliance mandates? 
 

This was actually the inspiration for the talk as well.  
 

Sean Martin: Perfect. Perfect. Cause the, and I'm glad you went to the FDA thing because as it came out of my mouth, I was thinking that's very US-centric, but just that view of the FDA. Are there other regulatory bodies in Europe and elsewhere that kind of put their fingers on some of these devices that manufacturers need to pay attention to as well? 
 

Kostas Papapanagiotou: You're right. It is very U.S.-centric. But as a matter of fact, and what I've come to learn is that all the companies that build medical devices, they want to sell to the U.S. market because that's the biggest market, right? So in order to sell to the U.S. market, they need to be compliant with the FDA. So this is what they focus [00:05:00] on firstly. 
 

And actually we have many customers in the EU that they want to pursue FDA compliance because they want to sell to the U.S. market. Uh, but other than that, pretty much every other country in the world has introduced similar requirements. I think the FDA was the first one to do it. Um, but we also have, here in the EU we have the EU MDR directive, which follows, um, a similar path with the FDA, uh, in Canada. 
 

They, we have the Canadian MDR requirements. Again, there are some similarities with the, with the FDA. Um, so nowadays, no matter where you wanna do business, no matter where you wanna sell your medical devices, you pretty much need to follow what FDA says. That's, that's the standard.  
 

Sean Martin: So I, I have, uh, some experience building products and not necessarily for medical devices, but for defense, uh, [00:06:00] organizations. 
 

And they have, in my view, similar rigorous requirements that are defined. And then once the product life cycle starts, you can't, you can't really mess with things. And until the approval comes, you can't sell and or can't be deployed in the case of the defense. And once it's deployed, you can't change it. 
 

So that I think there's a parallel there as well. So how, how does the medical device industry help us perhaps in the fast moving world of software, uh, can get some lessons there. Cause the first thing that comes to mind is, well, I don't want to slow down development delivery and, and certainly don't want the, the lack of an option to update things, uh, when I want to, when I want to push it up, push an update out, so,  
 

Kostas Papapanagiotou: So you're, you're right. 
 

I [00:07:00] mean, both the defense sector, uh, we also have some engagements there. We have some experience there and the medical sector are what we call critical sectors. I mean, these are two sectors where if you make mistakes, it can cost lives, literally. So you need to be extra careful about that. And, um, you're right about companies being in a rush to, uh, create new products, put them in the market and so on. 
 

And this is where regulatory bodies come in and, uh, force you to follow these requirements. But, uh, you know, as a matter of fact, and this is also what we advocate through OWASP, is that if you start from the beginning, uh, by, uh, introducing security requirements, by doing a threat model, by following the best practices around security design. 
 

Um, all this, uh, shift left security paradigm. Uh, if you do things right at the end of the day, uh, it will not take you more time than it would actually, if you leave everything to the end. If you don't care about security during [00:08:00] development life cycle, and you just do a test in the end, you will end up spending more time trying to fix things. 
 

And also there are cases that you will not be able to fix things because the design is flawed and you can't go that back. So you need to find a workaround and you end up with a product that has a big security debt, big technical debt that cannot be solved eventually. Uh, but you're also right about the fact that we're talking about, uh, highly complex devices that are going to be left in the market for a long time. 
 

It's not like a mobile application that gets updated literally daily. Nowadays, it's about a medical device that will be installed somewhere in the hospital and will stay there for years. Maybe it's connected, maybe it's not, but, you know, at least the hardware will be there for a long time, and we've run into some issues with some of our customers that, I mean, they, they created a medical device, like, uh, 5 or 6 years back, they used Android, and now the version of Android that they used cannot, [00:09:00] can no longer be updated. 
 

It has vulnerabilities, but they cannot update the Android platform. They need to replace the hardware. So this introduces a practical issue, they need to go out and see where they have deployed devices, buy new hardware and install the new hardware, or they somehow need to find another kind of control to solve this, which makes you, which creates a need to think more proactively when you design this medical device, try and think what will happen further away in the years. 
 

And be proactive about that.  
 

Sean Martin: And hopefully from the design and development perspective, but then also for the case that you just described, right? Which is what if the hardware goes or the connection technology or the communication technology changes or whatever it is, you have to prepare for some of that in, in real time stuff as well, right? [00:10:00]  
 

Kostas Papapanagiotou: Well, you need to have a plan. The FDA calls it the post-market plan. So you need to have a plan in place, uh, and be able to, uh, respond to whatever may happen. I mean, we get new vulnerabilities all the time. New vulnerabilities get discovered. You need to be prepared to face these vulnerabilities and introduce new controls, be able to patch or even change hardware at some point. 
 

It's not easy. It requires a change of mindset, at least in my case, I was more familiar with, you know, traditional applications, web applications, mobile applications, and so on. So it's not straight, it was not straightforward for me, and I guess it's not straightforward also for the medical device manufacturers. 
 

And again, this is the role of the regulator, right? They come in and they really make you focus there and think about what will happen. And these are actually things that we think over when we do threat modeling. [00:11:00] Uh, when we have, uh, you know, the, the, the real, uh, initial design of the product, we try to identify such kinds of threats, uh, looking down, uh, into time and see what may happen, not in a few months, but also in a, in a few years, depending on the lifespan of the device and so on. 
 

Sean Martin: So I do the 360 for you. Cause he, he came from the traditional IT software world, moved into the device world and in medical and automotive and whatnot, and I have experience in both now. So how do you, or I guess what I'm really trying to figure out is what, what are you taking from the hardware device perspective, which of course has cloud and apps and all that stuff as well. 
 

Um, and bringing that back to the overall.  
 

Kostas Papapanagiotou: So [00:12:00] one of the first things that, uh, made an impression on me was the fact that the FDA views the medical device as one single entity. I mean, medical devices can be really complex. Nowadays, we're not talking about just a pacemaker. It might be a device that has a probe that takes blood from the patient. 
 

And then there is a controller that does the readings, which may be connected to a tablet. And then this tablet may be connected to the hospital network to a backend application. Or even to the cloud for, uh, backing up information and so on. So this is a really, really complex device. And, uh, when we need to address cybersecurity for that device, we need to see it as a whole, we should not only focus on the tablet because this is what we know. 
 

This is what runs for example, Android or iOS. So we feel comfortable with that. Let's, let's do that. Let's test that and see how safe it is, or we should only focus [00:13:00] on the embedded device because maybe these are what the most important risks are. And as a matter of fact, we need to view everything. We need to see everything, check everything, we need to test everything, and we need to do a threat model, taking everything in mind. 
 

So this is how FDA views things and this is how things should be viewed not only in the medical sector but also in, in other industries. For example, the automotive industry in my opinion is not so mature yet. We've heard how problematic the supply chain is for the automotive industry. I think it was the CEO of Ford, uh, last year was, um, complaining about the fact that cars are running mostly on software right now. 
 

And it has become really, really complex with different suppliers, uh, creating software in different languages, which does not necessarily operate, interoperate with each other and so on. And, um, this is how the automotive industry works, right? [00:14:00] Uh, also also today, uh, tier one manufacturers get components from different suppliers. 
 

And then they put everything together and hope it works. And guess what? Most of the times it doesn't and they need to find ways to fix things, which causes bugs in the car. Bugs that we as drivers get to see literally every day. The medical industry has tried to fix this issue right from the beginning. 
 

So the FDA tells you have one device. I don't care if it runs Android or it has three different components, if it's connected or not. You need to test everything and you need to make sure that everything is secure and everything works securely together. It also introduces the concept of shared responsibility. In the past, 
 

I mean, in other sectors, some manufacturers have the opinion that I have built my product, I will ship the product to my customers and then the customers need to do whatever they [00:15:00] need to do to make sure that it's plugged in securely in their network. I don't care if they're using firewall and I don't care if they have network segmentation in place. 
 

I don't care if they're using like, um, easy administrative passwords in their network. It's their problem. I will not, uh, do anything about that. Um, so the FDA talks about shared responsibility. Uh, the medical device manufacturer is not running the hospital network. But they should make sure that they include specific requirements on how this device should be plugged in the hospital network. 
 

What ports should be left open, what ports should be shut down, what kind of other controls they need to be in place so that the entire environment is also secure. And if there is a, if there is some kind of a breach or some kind of a hack, um, it's not easy to put the blame on the hospital or on the customer. 
 

Uh, you need to make sure that you have included in your documentation, all necessary advice on how to [00:16:00] secure the environment where the medical device operates.  
 

Sean Martin: Is it a, is, is it a default to fail safe in most cases? Meaning if there's something bad happens in the environment, be it malicious or accidental or power outage or whatever it might be, the human does something. 
 

Um, the, the device or the system, which can include cloud and, and device and apps and all that stuff. It has to fail safe or what, what's the view on that?  
 

Kostas Papapanagiotou: Yeah, yeah, that's, that's right. And, um, this is another interesting topic that the FDA cares mostly about patient harm. And this was again a mind shift, mind shift for me, because as a traditional security guy, I was always, uh, fascinated by the different vulnerabilities, the zero days and the nice hacks and so on. 
 

Uh, but the FDA doesn't care that much about how nice a vulnerability looks or about the fancy technique that you found to get root access or whatnot. [00:17:00] Um, but the FDA cares if there is harm for the patient. So you might find, you may find a SQL injection vulnerability in the product, which is a really, really important vulnerability. 
 

But if this doesn't result in patient harm, if you cannot, for example, change medical information, if you cannot change data and you can only view data and this data is anonymized, then it's, is it a big deal? Probably not. Uh, maybe it is, but maybe not. If it doesn't result in patient harm, um, FDA, uh, says that this is not very severe. 
 

You should not prioritize fixing. I don't really care about that, which puts, uh, puts a risk-based perspective into what we do in cybersecurity. It's not just about the vulnerabilities. It's also about understanding the context and the overall risk. So we need to go back and think what we are doing right now. 
 

What are our major risks? What do we care most about? When we handle medical devices, we care about our patients. We need to make sure that they are, they get healthy and they're healthy and there's no [00:18:00] patient harm. So again, this is a very important lesson learned for me. And when I tried to, to put that context into other types of engagements that we have in other sectors,  
 

Sean Martin: is what one of the things that I heard, I think the, uh, from the conference over and over and over. 
 

And I think they even had a whole day after the conference dedicated to the threat modeling. And you mentioned it a couple times here. How does that relate to risk management, given what you know now? Because my, my experience, uh, talking to a lot of people is that when we do threat modeling, it is really to uncover 
 

vulnerabilities. And to me, it should be more about kind of the more of the logic that this is how the system works. And I want to uncover areas where it's going to pop the bubble or pop the balloon over this side to make it look weird or whatever it is. So how does what you know [00:19:00] change how we do threat modeling? 
 

I don't know if that's one of the lessons learned or not.  
 

Kostas Papapanagiotou: Uh, it is, and you're right about the threat model being the first opportunity to think about the application in its greater context and start putting a risk perspective into what we're going to build, uh, simply viewing the threat model as an exercise to early identify vulnerabilities. 
 

I mean, we need to do that as well, but it should not be the main focus. In my opinion, I think that threat model is a process where it's a great opportunity to bring in different stakeholders, uh, developers, security people, designers, some business people as well, and make, help them understand what are the actual risks, uh, on what we are building and how we can be proactive about controlling and minimizing those risks. 
 

Understanding their importance, their severity, and also try to figure out really early in [00:20:00] the life cycle, what kind of controls we will be introducing to face those risks. It's also a great opportunity to make decisions about residual risk because we cannot fix everything. So we need to understand, um, all together, uh, what kind of things we will be fixing and what kind of things we will leave as a residual risk. 
 

And of course, this is not a one-off project. It's also, uh, stressed out in the FDA when the, with the term of traceability, you do the threat model in the beginning, but you're not done. As you develop the application, things might change in the design, uh, you might, uh, introduce a different perspective into risk. 
 

Uh, something that you have not thought of. You need to go back into your threat model and see what, uh, these changes, uh, bring about. And finally, when you, when you do the security assessment, and you eventually you'll find some vulnerabilities. Had you thought about these risks when you did threat model? 
 

If you hadn't, maybe you have missed something really [00:21:00] big. And again, you need to go back and for a few, for a few minutes, reconsider have I missed something or is it something minor? Uh, so threat modeling is a continuous process in my opinion, and, uh, a very helpful tool into building secure products. 
 

Sean Martin: Absolutely. Absolutely. What, um, I think we probably touched on a little bit of the more big things here and there. What's over some of the other, I think that's the big points you shared with the group in Lisbon there.  
 

Kostas Papapanagiotou: Yeah, so another issue has to do with who is using the device, the different actors that are using the device, which again might make a difference. 
 

So some devices are only used in the, touched by, by doctors. We consider those to be safer. Other devices are also, may also be controlled by patients, which introduces a greater risk. And again, this is an issue that is required by [00:22:00] the FDA to consider. And again, it makes you think about the overall risk. 
 

It's not a standalone device, and I don't care who's going to use it. I need to understand who will be using it and plan for it. Introduce controls that will make the device safer for the end user and then for everyone. Again, goes, extends the concept of shared responsibility and risk management into an understanding who will eventually use a device. 
 

The FDA even mentions the security administrators of the hospital network, which will potentially may need to have access or the people that will have to update the device. It might not necessarily be the manufacturer. I mean, the manufacturer may be issuing patches and instructing the administrator of the hospital to how to, to install these patches. 
 

Um, so again, you need to consider all that. And, um, one more thing has to do with documentation. Uh, I mean, a lot of us, uh, security and IT guys hate documentation. I mean, we hate writing. We like [00:23:00] to write code tests and when it comes to writing the report or write the instructions, it's, it's not a happy moment, at least for some of us, but again, the medical sector, the medical device manufacturers make you understand how important documentation can be, especially for a device that, uh, is life critical. 
 

And it's also going to be around for so many years, uh, documenting the risks, documenting the controls that you took, documenting residual risk. This is another requirement. You need to document in the device instructions what kind of residual risk there is, and also suggest potential controls that your customers might want to take to tackle this residual risk. 
 

Again, it gives you a different perspective. It makes you understand how important this can be, especially for these kind of devices.  
 

Sean Martin: So as we, um, unless there's another, another huge one you want to share, which [00:24:00] I, uh, suddenly you can do that, but I wanted to kind of get a sense of the feedback or the engagement from the, uh, the audience there in Lisbon. 
 

Um, I don't know how many medical device folks were in the room or were they all software oriented and what were some of the takeaways, feedback that you got.  
 

Kostas Papapanagiotou: So, to be honest with you, uh, I was stressed about potential feedback. And I mean, these were things that, uh, really strike me out, strike out on me, and I thought it was, uh, things that I hadn't thought of, even though I have a, a lot of experience in the sector. 
 

At the same time, I thought that this is not rocket science. I mean, these are very, these are, these are things that should come naturally during the process. I mean, it's one device. You should see that as one device. If you need to do threat modeling, you needed to have traceability. You need to consider risks. 
 

It's not like something really exciting. It's not a new, uh, zero day or anything like that. So I was a bit stressed about how the [00:25:00] audience would receive that. Uh, but as a matter of fact, uh, that was very, very positive feedback. And a lot of people came to me after the talk saying that this was really interesting. 
 

I had never thought about product security this way. I had never imagined that, you know, I know that there are several risks, but I hadn't imagined this was part of my job to consider all, all risks and consider context and consider shared responsibility. And, um, I was, I was relieved and I was also very happy to, to see a lot of people engaging and making questions both during the talk and after that. 
 

And, um, I don't know if there were people in the medical device manufacturing business in the audience, but there were a few people that came in and they told me that I have this application that takes input a lot of health care information and then helps doctors make decisions. Is this a medical device? 
 

The short answer is yes, but it gave me a different, you know, I, I came to understand that a lot of people may be [00:26:00] creating software that's considered to be a medical device and they might not be fully aware that they have compliance requirements with FDA because, uh, you know, we have medical device as a software. 
 

It can be a complete application that may be considered as a medical device. It doesn't need to involve hardware or anything like that. If you have an application that makes medical related decisions based on medical data, then the FDA may be considering this to be a medical device. So you're under FDA compliance. 
 

So this was another interesting thing that came out of the talk. I was also really impressed by the turnout. A lot of people seemed interested, uh, in these topics and also in traceability, on how you start with a threat model, you, you, you understand the risks there and then you keep, uh, you keep having them in mind until you do the security assessment and you find and fix vulnerabilities. 
 

And you have end to end traceability between threats, vulnerabilities, and controls. [00:27:00]  
 

Sean Martin: Yeah. Yeah. Traceability to me is the documentation part of it. And then the demonstrability is kind of the capturing the proof. Um, I don't know if that's the right word either, but I think it's both, right? So you have to, you have to be able to say, this is what we did and back it up with, with demonstrating that it actually does what we, what we said we did. Super, uh, super fun. 
 

I'm glad you had good turnout. I know presenting, uh, uh, any topic can be, uh, challenging, not challenging. Um, yeah, stressful. Let's just say stressful, how the audience is going to take it.  
 

Kostas Papapanagiotou: Especially with that kind of audience. I mean, we had a very successful conference in Lisbon around 1000 attendees. I think it was one, probably the biggest EU OWASP conference ever, and, uh, a lot of great folks also participating, a lot of knowledgeable folks, [00:28:00] which makes the presentation more challenging. 
 

Sean Martin: The bar was high and you, you cleared it. 
 

Well, great, uh, great topic. And, uh, thanks for sharing a bit more here with me. And I don't know if the sessions are recorded or not, but, uh, nonetheless, they, they can connect with you and pick your brain directly if they want to, I suppose. And yeah, hopefully you'll join me again. I think I need to do something on threat modeling. 
 

So maybe, uh, maybe I'll pull a group of folks together and talk, talk about that. Maybe Adam, uh, Shostack and a few others and yourself, maybe. So we'll see how that goes. But, uh, in the meantime, I want to thank you Kostas for joining me. It was a pleasure meeting you in person and, uh, in Lisbon and a pleasure having you on the show today. 
 

Hopefully you'll join me again.  
 

Kostas Papapanagiotou: Thanks for having me, Sean. It's been great fun and great pleasure being in your, uh, your show. And, uh, yeah, absolutely. I'm looking forward to doing this [00:29:00] again sometime in the near future. Perfect.  
 

Sean Martin: Perfect. And thanks everybody for listening and watching this episode of Redefining Cybersecurity here on ITSP Magazine. 
 

Another installment of On Location. This one for OWASP AppSec Lisbon. And yeah, that's coming up for BlackHat. That's the next one. Hacker Summer Camp. So stay tuned for all that stuff. Thanks, everybody.  
 

Kostas Papapanagiotou: Thanks.