Name: Product Security Hub
Brand: Product Security Hub
Price: Contact for pricing USD
Availability: OnlineOnly
Rating: 5 (1 reviews)

Before You Begin

You have created a product in Product Security Hub
You have a basic understanding of your product's components (hardware, software, external interfaces)

🔑 Key Concept: Component Types Drive Everything

Each Component Type in Product Security Hub is mapped to a curated library of threats and security requirements based on FDA guidance, industry standards, and real-world attack patterns. When you select a Component Type, you get expert-level security analysis without being a security expert.

Component Type Reference

Use the exact terminology below when adding components to draw.io diagrams in the app. Click on a category to expand and see all component types.

DataAccountsCredentialsandPasswords	An object or data that binds an identity to at least one authenticator (e.g., password) possessed and controlled by a subscriber (e.g., person, application, system service)
DataCryptographickeys	A secret used in conjunction with a cryptographic algorithm that determines the specific operation of that algorithm in such a way that an entity with knowledge of the key can reproduce or reverse the operation while an entity without knowledge of the key cannot
DataDICOM	Digital Imaging and Communications in Medicine (DICOM) is a standard and protocol for the communication and management of medical imaging information and related data, most commonly used for storing and transmitting medical images
DataPIIPHI	Any information that permits the identity of an individual or health attributes of an individual to be directly or indirectly inferred - including Personally Identifiable Information (PII), Personal Health Information (PHI), Individually Identifiable Health Information (IIHI), or Personal Data (as defined in GDPR)
DataQRCode	A Quick Response (QR) code is a printed pattern which often contains data for a locator, identifier, or tracker that points to a website or application
DataFlowComponenttoComponent	The device communications and interfaces between unique physical components within a system or device
DataFlowComponenttoExternalEntityExternalEntitytoComponent	The device communications and interfaces between external systems and other external entities
DataFlowUsertoWebApplication	The network based communication and transmission of data from a user interacting with a web application, typically through an internet browser
DataflowWireless	Wireless data flow refers to the communication and transfer of information among two or more devices without a wire. The most common wireless data flows use various forms of radio communications
DataStorageDatabase	An organized collection of structured information, or data, stored electronically in a computer system
DataStorageEEPROMFlashnonvolatilememory	Non-volatile memory (retains data without power) typically embedded on a circuit board
DataStorageHardDrive	Also called a Hard Disk - a magnetic disk within a drive unit used for storing data
DataStorageInternalFlashSD	Removable Flash memory (e.g., SD card) internal or external to the device
DataStorageNetwork	Storing data using a method that is made available to clients on a network, including Network Attached Storage (NAS) devices or general purpose computing devices and servers

HardwareBattery	A battery is a component that stores electrical energy, generally in the form of a chemical material that can be converted to electrical energy, enabling a device to be portable or otherwise operate without a wired electrical connection
HardwareeFuses	Also called electronic fuses - are integrated circuits used as a one-time programmable ROM
HardwareEmbeddedSingleBoardComputer	A complete computer built on a single circuit board, with microprocessor(s), memory, input/output and other features required of a functional computer
HardwareInterfaces	The interfaces used to connect two devices or components together, specifically with SoC (system on chip) peripherals and how they interact with a CPU or other device components
HardwareJTAGSWD	JTAG (Joint Test Action Group) is an industry standard that specifies the use of a dedicated debug port implementing a serial communications interface for low-overhead access without requiring direct external access to the system address and data buses. SWD is a low pin-count physical interface for JTAG debugging on ARM-processors
HardwareMicrocontroller	A microcontroller unit/MCU is a small computer on a single integrated circuit (IC) chip and contains one or more CPUs (processor cores) along with memory and programmable input/output peripherals
HardwarePINS	Printed Circuit Board (PCB) pins, also called general-purpose input/output (GPIO) pins, are an uncommitted digital signal pin on an integrated circuit or electronic circuit board which may be used as an input or output, or both
HardwarePortableStorageDevice	Portable device that can be connected to a computer, device, or network to provide data storage
HardwarePrintedCircuitBoardAssembly	A printed circuit board (PCB) or PCBA is hardware that affixes electronic components and connections to a board to provide reliable electrical connections and circuits between the circuit board components
HardwareSingleUseCartridge	A disposable component used for a single application of medication or other therapy
HardwareSpecializedServiceDeviceorPC	Devices used by staff employed by or managed by a device manufacturer to conduct service to device and components installed at a customer site
HardwareSystemonModule	A System-on-a-Chip (SOC) or System on Module (SOM) brings components of a computer into a single chip or integrated circuit, including CPU, RAM, ROM, and other peripherals
HardwareVirtualCOMport	Also called a virtual serial port, a virtual or emulated port for wired communications used due to a lack of a dedicated, physical communication interface

SoftwareAIModel	A program that has been trained on a set of data to recognize certain patterns or make certain decisions without human intervention
SoftwareAPI	An Application Programming Interface (API) allows services and products to communicate with each other and leverage each other's data and functionality through a shared software interface generally over a network
SoftwareBIOS	Basic Input/Output System (BIOS) is firmware used to provide runtime services for operating systems and programs and to perform hardware initialization during the booting process
SoftwareBootLoader	Also called a boot manager, the bootloader is a small program that places the operating system (OS) into memory after a device is powered on and initialized by a BIOS
SoftwareContainer	A lightweight package of software that operates within an operating system and include system libraries, system tools, and other platform settings required by the software
SoftwareDesktop	Also called a program or application - is a set of code and instructions stored in and executed by a computing device assigned to an individual (e.g., a user's computer or workstation)
SoftwareFieldService	Software used by staff employed by or managed by a device manufacturer to conduct service to device and components installed at a customer site
SoftwareFirewall	An inter-network connection device that restricts data communication traffic between two connected networks. A firewall may be either an application installed on a general-purpose computer or a dedicated platform (appliance), which forwards or rejects/drops packets on a network
SoftwareFirmwareControl	Software that is purpose built for controlling hardware through defined interfaces with firmware
SoftwareGateway	An intermediate system (interface, relay) that attaches to two (or more) computer networks that have similar functions but dissimilar implementations and that enables either one-way or two-way communication between the networks
SoftwareGatewayWebClient	Software acting on behalf of a human user to access and make use of a published service (API) or web application provided by a Gateway
SoftwareLoginform	A software-based input form, generally included as part of an application or operating system, for entering authentication credentials to access a restricted area of software, application, or operating system
SoftwareMobileApp	A computer program or software application designed to run on a mobile device such as a phone, tablet, or watch
SoftwareMQTTClient	MQTT Clients can publish data to a topic to send messages to any subscribers through a MQTT Server/Broker and can subscribe to a topic to be notified when a message is published on a MQTT Server/Broker
SoftwareMQTTServerBroker	MQTT Servers, also called Brokers, are central software entities in the MQTT architecture. An MQTT broker is an intermediary entity that enables MQTT clients to communicate. MQTT brokers allow clients to make connection requests, perform authentication of clients, and stores, queues, and caches messages to clients. MQTT is a standard messaging protocol designed as an extremely lightweight publish/subscribe messaging transport
SoftwareOnProduct	Also called a program or application - is a set of code and instructions stored in and executed by the host computing device
SoftwareOPCUA	OPC Unified Architecture is a cross-platform, open-source, IEC62541 standard for data exchange from sensors to cloud applications
SoftwarePACSDICOMServer	Picture archiving and communication system (PACS) - a medical imaging technology which provides storage and network-based access to images from multiple source devices, generally in DICOM format
SoftwareRemoteAccess	Software that facilitates access to a device by a user through a non-organization-controlled network
SoftwareSFTPClient	File Transfer Protocol (FTP) is a communication protocol used for the transfer of computer files from a server to a client on a computer network. The FTP Server hosts the information for FTP clients to access, and is secured with SSL/TLS (FTPS) or SSH File Transfer Protocol (SFTP)
SoftwareSFTPServer	File Transfer Protocol (FTP) is a communication protocol used for the transfer of computer files from a server to a client on a computer network. The FTP Server hosts the information for clients to access, and is secured with SSL/TLS (FTPS) or SSH File Transfer Protocol (SFTP)
SoftwareSSHServer	Software that provides access over a network to a SSH client - for securely exchanging data between two computers
SoftwareUpdatePackages	The package or files constituting a software update, which is a new, improved, or fixed software, which replaces older versions of the same software. May also be called a patch or service pack
SoftwareUserManagement	Software that provides the ability for administrators to create and manage users or staff identities, roles, permissions, and access management within a system, device, or software
SoftwareVPNClient	Client-side software for securing and encrypting IP communications to a VPN Server
SoftwareVPNServer	Server-side software for securing and encrypting IP communications with VPN Clients
SoftwareWebApplication	A set of code and instructions stored on a separate device and hosted by a Web Server so that users can access it through a web-browser or custom software client
SoftwareWebServer	Software that provides internet or intranet services, typically to provide access over the network for a Web Application or API

CloudAWSAPIGateway	Amazon API Gateway is an AWS service for creating, publishing, maintaining, monitoring, and securing REST, HTTP, and WebSocket APIs at any scale
CloudAWSAthena	Amazon Athena is an interactive query service that analyzes data directly in Amazon Simple Storage Service (Amazon S3) using standard SQL
CloudAWSCloudFront	Amazon CloudFront is a web service that speeds up distribution of static and dynamic web content, such as .html, .css, .js, and image files
CloudAWSDocumentDb	Amazon DocumentDB (with MongoDB compatibility) is a fast, reliable, and fully managed database service
CloudAWSEC2	Amazon Elastic Compute Cloud (Amazon EC2) provides scalable computing capacity in the Amazon Web Services (AWS) Cloud
CloudAWSECR	Amazon Elastic Container Registry (Amazon ECR) is an AWS managed container image registry service
CloudAWSEFS	Amazon Elastic File System (Amazon EFS) provides a serverless, set-and-forget elastic file system for use with AWS Cloud services and on-premises resources
CloudAWSEKS	Amazon Elastic Kubernetes Service (Amazon EKS) is a managed service that can run Kubernetes on AWS without needing to install, operate, and maintain Kubernetes control plane or nodes
CloudAWSElastiCache	Amazon ElastiCache is a web service that makes it easier to set up, operate, and scale a distributed cache in the cloud
CloudAWSELB	Elastic Load Balancing (ELB) automatically distributes incoming application traffic across multiple targets and virtual appliances in one or more Availability Zones (AZs)
CloudAWSFirehose	Amazon Kinesis Data Firehose is a fully managed service for delivering real-time streaming data to destinations such as Amazon Simple Storage Service (Amazon S3), Amazon Redshift, Amazon OpenSearch Service, Splunk, and any custom HTTP endpoint or HTTP endpoints owned by supported third-party service providers, including Datadog, Dynatrace, LogicMonitor, MongoDB, New Relic, and Sumo Logic
CloudAWSGlue	AWS Glue is a serverless data integration service that allows for analytics to discover, prepare, move, and integrate data from multiple sources
CloudAWSKinesis	Amazon Kinesis Data Streams collect and process large streams of data records in real time
CloudAWSLambda	AWS Lambda is a serverless, event-driven compute service that lets permits running code for many application types or backend services without provisioning or managing servers
CloudAWSNeptune	Amazon Neptune is a fully managed graph database service that makes permits building and running applications that work with highly connected datasets
CloudAWSRDS	Amazon Relational Database Service (Amazon RDS) is a web service that sets up, operates, and scales a relational database in the AWS Cloud
CloudAWSS3	Amazon Simple Storage Service (Amazon S3) is an object storage service that offers scalability, data availability, security, and performance
CloudAWSSNS	Amazon Simple Notification Service (Amazon SNS) is a managed service that provides message delivery from publishers to subscribers (also known as producers and consumers)
CloudAWSSQS	Amazon Simple Queue Service (Amazon SQS) offers a secure, durable, and available hosted queue that integrates and decouples distributed software systems and components
CloudAppService	Cloud App Services are a wide range of specific application services for applications deployed in cloud-based resources
CloudB2C	Azure Active Directory B2C provides business-to-customer identity as a service
CloudCloudPlatform	A Cloud Platform is a set of technologies for a wide range of tasks including developing and running applications, and storing and processing huge data assets, often provided by a 3rd party and available in public or private configurations
CloudContentDeliveryNetwork	A cloud content delivery network (CDN) is a distributed group of servers which work together to provide fast delivery of Internet content
CloudDatabaseBlobStorage	Blob storage is an object storage solution for the cloud. Blob storage is optimized for storing massive amounts of unstructured data
CloudDatabaseCosmosDB	Cosmos DB is a fully managed, serverless NoSQL database for high-performance applications of any size or scale
CloudDatabaseSQLDB	Cloud SQL DBs are cloud based relational databases
CloudEventGrid	Event Grid is a highly scalable, serverless event broker that can be used to integrate applications using events
CloudFunctions	Cloud Functions (e.g., Azure Functions, Event Hubs, AWS Lambda) are event-driven serverless platforms for a lightweight solution to support individual services
CloudGoogleCloudPlatform	Google Cloud Platform (GCP) is a cloud computing platform developed by Google
CloudKeyVault	A cloud service for securely storing and accessing secrets
CloudManagementConsole	Cloud management consoles are how administrators control and orchestrate all products and services that operate in a cloud: the users and access control, data, applications, and services
CloudMonitor	Cloud Monitor (also known as Azure Monitor, Application Insights, Azure Log Analytics, AWS Cloudwatch, AWS Application Insights) provides Application Performance Monitoring (also known as "APM") features

Navigate to the Components Tab

From your product page, click on the Components tab in the navigation bar. This takes you to the Components dashboard where you can add, view, and manage all components in your product.

You'll see the user instruction banner: "Add components based on your design". The dashboard displays a table with columns for ID, Component Name, Component Type, Hardware/Software, and Description.

Add a New Component Manually

Click the + Add a New Component button. A modal will appear with options to define your component.

In the Add Component modal:

Select a Component Type from the dropdown list. This is the critical field that determines what threats and requirements will be generated.
Enter a Component Name (optional). If left blank, the component type name will be used. Use a custom name to identify specific instances (e.g., "Main MCU" vs "Sensor MCU").
Click Add to create the component.

Once added, the component appears in the table with an auto-generated ID (e.g., A.286), the Component Type, Hardware/Software classification, and a default Description. You can click "Add addendum" to add additional notes.

Import Components from Diagram

If you've already built an architecture diagram with Component Types assigned (see Build Your Architecture), you can import those components directly.

To import from a diagram:

Click the + Add Components from Diagram button
Product Security Hub scans your diagram for shapes with Component Types
A review screen appears showing all discovered components
Review the list and click Save to import

💡 Smart Duplicate Detection

Product Security Hub automatically checks for existing components. If a component already exists in your product, it won't be added again—no duplicates to clean up!

🔄 Two-Way Sync

If you update a component's name on the Components page, that change will be reflected in the data type field on your diagrams. Your architecture stays in sync.

Bulk Import via Excel

Need to add many components at once? Use our Excel template for bulk import.

Bulk import process:

Download the Excel template from the Components page
Fill in your components with their types and names
Import the completed spreadsheet back into Product Security Hub
All components are created at once with their associated threats and requirements

💡 Tip: Great for migrations

If you have existing component lists in spreadsheets or other systems, the Excel import makes it easy to bring everything into Product Security Hub quickly.

What Happens When You Add a Component

This is where Product Security Hub saves you weeks of work. When you add a component:

Generates Threats

Relevant threats from our catalog are automatically associated with your component based on its type.

Suggests Requirements

Security requirements that address those threats are automatically suggested for your review.

Navigate to the Threats and Requirements tabs to review what Product Security Hub has generated. You can accept, modify, or dismiss these suggestions based on your product's specific context.

🚀 The Power of Component Types

Each Component Type is mapped to a curated library of threats and security requirements based on FDA guidance, industry standards, and real-world attack patterns. You get expert-level security analysis without being a security expert.

Deleting Components

To delete a component, click the trash icon (🗑️) in the component's row on the dashboard.

⚠️ Important: Cascade Delete Warning

When you delete a component, Product Security Hub will warn you that all associated data will also be deleted:

• Threats linked to this component
• Requirements addressing those threats
• Residual Risks associated with the component
• SBOM entries for the component
• Vulnerabilities identified for the component
• Patches tracked for the component

💡 Tip: Review before deleting

Before deleting a component, check the Threats and Requirements tabs to understand what will be removed. If you're unsure, consider marking items as "Not Applicable" instead of deleting.

Best Practices

Be specific with Component Types

Choose the most specific Component Type available. "Hardware - Microcontroller (MCU)" will generate more relevant threats than a generic "Hardware" type.

Use meaningful names

Name components based on their role: "Patient Data Database", "Wireless Communication Module", "Firmware Update Service".

Start with your diagram

Build your architecture diagram first with Component Types, then import. This keeps your visual architecture and component list in sync.

Include external systems

Don't forget to add external systems your product communicates with—cloud services, mobile apps, hospital networks. These interfaces are often attack vectors.

What's Next?

Now that you've added components, explore what Product Security Hub has generated:

1
Build Your Architecture View
Create visual diagrams that connect to your components
2
Run Your Threat Model
Review threats and assess their applicability to your components
3
Manage Security Requirements
Accept or modify auto-generated security requirements

MobileAppBinary	The file format used to package and distribute mobile apps
MobileAppStore	A storefront provided by operating system providers (typically mobile devices such as Apple App Store and Google Play Store) to allow access to and purchase of software applications

OperatingSystemLinux	An open source Unix-like operating system based on the Linux kernel
OperatingSystemRTOS	A real-time operating system (RTOS) is an operating system (OS) for real-time applications that processes data and events that have critically defined time constraints
OperatingSystemSystemAccounts	User accounts and service/application accounts used within the Operating System
OperatingSystemWindows	Proprietary graphical operating system developed and marketed by Microsoft

PeripheralsLocalPrinter	A peripheral device attached via a physical wire or USB which prints information (makes a persistent representation of graphics or text on paper or other medium)
PeripheralsUserInterface	The physical means (buttons and switches without a display) by which users interact with a system or device
PeripheralsUserInterfacewithdisplayortouchscreenincludingkeyboardmousebarcodereaders	A physical device or feature (touchscreen, display, keyboard, mouse, barcode reader) by which users interact with a system or device

PortsEthernetPort	A wired computer networking technology commonly used in local area networks (LAN) and wide area networks (WAN) that implement IEEE 802.3
PortsUSBPort	A physical port to implement the Universal Serial Bus (USB) specification - for cables, connectors and protocols for connection, communication and power supply between computers, peripherals and other computers
PortsVideoPort	Also called a graphics port, a video port is used to connect a display to a device

ServicesActiveDirectory	A directory service developed by Microsoft for Windows domain networks that is primarily used to perform authentication and authorization for users, computers, permissions, file servers, and software applications
ServicesCodeSigningInfrastructure	Infrastructure (systems, tools, and processes) that support the process of using public key encryption to affix distributable files with digital signatures in order to prove to consumers that they are consuming the software in the state the publisher intended it to be consumed and has not been corrupted and tampered with after it was signed by the publisher
ServicesContainerRegistry	A repository to build, store, and manage container images and artifacts as well as provide connectivity and support for container orchestration platforms
ServicesMultifactorAuthenticationservice	An internal or external service provider for Multi-factor authentication - an electronic authentication method in which a user is granted access to a website or application only after successfully presenting two or more pieces of evidence (or factors) to an authentication mechanism
ServicesNetworkService	Network-based application service that enables access to a specific set of functionality and data. Network services are enabled on network ports and are often set by the operating system and some network facing applications

Add Components to Your Product