Build Your Architecture View
The architecture view is the foundation of your security analysis in Product Security Hub. By defining your product's components, data flows, and trust boundaries, you enable Product Security Hub to automatically generate relevant threats and requirements. This guide shows you how to build your first architecture diagram.
Before You Begin
- You have created a product in Product Security Hub
- You have a basic understanding of your product's components (hardware, software, external interfaces)
🔑 Key Concept: Components Drive Everything
In Product Security Hub, when you add components to your architecture, the system automatically identifies relevant threats from our catalog and suggests applicable security requirements. The more accurately you define your architecture, the more relevant your threat model and requirements will be.
Create a New Diagram
From your product page, click on the Diagrams tab in the navigation. This takes you to the Diagram Workspace where you can create and manage architecture diagrams.
Click the + New Diagram button. A modal will appear asking you to name your diagram. Enter a descriptive name (e.g., "Global System View", "Multi-Patient Harm View", "Security Use Case View", "Updateability/Patchability View") and click Create.
Diagram naming tips:
- Use FDA-recommended view names: "Global System View", "Multi-Patient Harm View", "Security Use Case View", "Updateability/Patchability View"
- Allowed characters: letters, numbers, spaces, dashes, underscores
- You can create multiple diagrams for different views of your product
After clicking Create, the diagram will be saved. Your new diagram will appear in the diagram list on the left side of the page.
⚠️ Note: Save Behavior
After creating a new diagram, you may need to navigate away from the Diagrams page and back for the diagram to fully save. This is a known behavior we're investigating.
Open the Diagram Editor
Click on your diagram name in the list to open the full diagramming editor. Product Security Hub uses an embedded draw.io editor—if you've used draw.io before, you'll feel right at home.
💡 About the Editor
The editor provides a full-featured diagramming experience with:
- Shape libraries (General, Flowchart, UML, Entity Relation, and more)
- Drag-and-drop components onto the canvas
- Arrows and connectors for data flows
- View options (Grid, Page View, Background)
- Save, Save & Exit, or Exit buttons to manage your work
Draw Your Components
Start by adding the main components of your product to the canvas. Use the shape library on the left side to drag components onto your diagram. Think about:
Hardware Components
- Main processor / microcontroller
- Sensors and actuators
- Display / user interface
- Storage (flash, EEPROM)
- Communication modules (WiFi, BLE, cellular)
Software Components
- Operating system / RTOS
- Application software
- Web server / API
- Database
- Third-party libraries
External Interfaces
- Cloud services / backend
- Mobile app
- Other devices
- External APIs
Users / Actors
- End users / patients
- Administrators
- Service technicians
- External systems
To add a component, use the shape library in draw.io. You can use standard shapes (rectangles, cylinders for databases, etc.) to represent your system components.
💡 Tip: Start simple
Don't try to capture every detail in your first diagram. Start with the major components and expand as needed. You can always add more detail later.
Add Component Types (Important!)
This is the key step that enables automatic threat and requirement generation. For each component in your diagram, you need to assign a Component Type:
How to add Component Types:
- Right-click on a component shape in your diagram
- Select Edit Data from the context menu
- In the "Enter Property Name" field, enter the component type identifier
- Click Add Property
- Click Apply to save
📋 Where to find Component Types
Visit the Components page in Product Security Hub to see the full list of supported component types and their corresponding data names. Use these exact identifiers when adding properties to your diagram shapes.
Repeat this process for each component in your diagram. The Component Type tells Product Security Hub what kind of element it is, which determines the applicable threats and requirements.
Define Data Flows
Connect your components with arrows to show how data flows between them. For each data flow, consider:
- What data is being transferred? (credentials, patient data, commands, firmware updates)
- What protocol is used? (HTTPS, MQTT, BLE, serial, etc.)
- Is the data sensitive? (PII, PHI, credentials, cryptographic keys)
Label your data flows clearly. This information helps Product Security Hub identify relevant threats—for example, an unencrypted data flow carrying sensitive information will trigger different threats than an encrypted internal bus.
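One way to check a diagram before importing it, as an added example (not Product Security Hub code): the script reads uncompressed draw.io XML and lists shapes with no custom property and data flows with no label. It assumes the Component Type is stored on the shape's `<object>` wrapper, which is where draw.io's Edit Data dialog writes properties; the sample diagram and the identifier `example_component_type` are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample (uncompressed draw.io XML). "example_component_type" is a
# placeholder, not a real Product Security Hub identifier.
SAMPLE = """<mxfile><diagram name="Global System View"><mxGraphModel><root>
<mxCell id="0"/><mxCell id="1" parent="0"/>
<object id="2" label="WiFi Module" example_component_type="">
  <mxCell vertex="1" parent="1"/></object>
<mxCell id="3" value="Cloud Backend" vertex="1" parent="1"/>
<mxCell id="4" value="MQTT over TLS" edge="1" parent="1" source="2" target="3"/>
<mxCell id="5" edge="1" parent="1" source="3" target="2"/>
<mxCell id="6" edge="1" parent="1" source="2" target="3"/>
<mxCell id="7" value="BLE" style="edgeLabel" vertex="1" parent="6"/>
</root></mxGraphModel></diagram></mxfile>"""

# Attributes draw.io itself puts on <object>/<UserObject> wrappers.
BUILTIN = {"id", "label", "placeholders", "tooltip", "link"}


def audit_diagram(xml_text):
    """Return (shapes with no custom property, data flows with no label)."""
    root = ET.fromstring(xml_text)
    # "Edit Data" wraps a cell in <object>/<UserObject>; id and label move there.
    wrapper = {c: w for w in root.iter() if w.tag in ("object", "UserObject")
               for c in w.findall("mxCell")}
    info = []
    for cell in root.iter("mxCell"):
        w = wrapper.get(cell)
        holder = cell if w is None else w
        label = (holder.get("value" if w is None else "label") or "").strip()
        props = set(w.attrib) - BUILTIN if w is not None else set()
        info.append((cell, holder.get("id"), label, props))
    edge_ids = {cid for cell, cid, _, _ in info if cell.get("edge") == "1"}
    # Extra edge labels are child cells whose parent is the edge.
    child_labelled = {cell.get("parent") for cell, _, label, _ in info
                      if label and cell.get("parent") in edge_ids}
    untyped, unlabeled = [], []
    for cell, cid, label, props in info:
        if cell.get("parent") in edge_ids:
            continue  # a label attached to an edge, not a component
        if cell.get("vertex") == "1" and not props:
            untyped.append((cid, label))
        elif cell.get("edge") == "1" and not label and cid not in child_labelled:
            unlabeled.append((cid, cell.get("source"), cell.get("target")))
    return untyped, unlabeled


if __name__ == "__main__":
    print(audit_diagram(SAMPLE))
```

Rectangles drawn only to mark trust boundaries carry no Component Type, so they will appear in the first list; that is expected.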
Mark Trust Boundaries
Trust boundaries separate areas with different security levels. Common trust boundaries include:
- Device boundary: between the device and external world
- Network boundary: between internal network and internet
- Process boundary: between privileged and unprivileged processes
- User boundary: between different user privilege levels
In draw.io, you can use dashed rectangles or colored regions to indicate trust boundaries. Data flows that cross trust boundaries are particularly important for security analysis.
Import Components from Diagram
Once you've added Component Types to your diagram shapes, you can automatically import them into the Components page:
- Click the + Add Components from Diagram button at the top of the diagram editor
- Product Security Hub scans your diagram and identifies all shapes with Component Type properties
- A review screen appears showing the detected components
- Review the list and click Submit to save them
When components are added to the Components page, Product Security Hub automatically:
- Generates Threats: Relevant threats from our catalog are automatically associated with your components and data flows.
- Suggests Requirements: Security requirements that address the identified threats are automatically suggested for your review.
Navigate to the Threats and Requirements tabs of your product to review what Product Security Hub has generated. You can accept, modify, or dismiss these suggestions based on your product's specific context.
🚀 This is the power of Product Security Hub
By adding components to your diagram with the proper Component Types, you go from a blank canvas to a complete threat model and requirement checklist in minutes—not weeks.
Example: Medical Device Architecture
Here's an example of what a typical medical device architecture might include:
Components:
- ARM Cortex-M4 Microcontroller
- FreeRTOS Operating System
- Web Configuration Interface
- SQLite Local Database
- WiFi Module (ESP32)
- Cloud Backend (AWS)
- Mobile App (iOS/Android)
Data Flows:
- Device ↔ Cloud (MQTT over TLS)
- Device ↔ Mobile App (BLE)
- User ↔ Web Interface (HTTPS)
- Firmware Updates (HTTPS)
- Sensor Data → Database
Best Practices
Keep it updated
Your architecture should evolve with your product. When you add features or change components, update the diagram.
Be specific about protocols
Instead of just "network connection," specify "HTTPS" or "MQTT over TLS." This helps generate more relevant threats.
Include external dependencies
Cloud services, third-party APIs, and external systems are important parts of your security boundary.
Consider all user types
End users, administrators, and service technicians may have different access paths. Include them all.
What's Next?
Now that you've created your architecture, you're ready to work with the generated threat model and requirements:
- 1. Run Your Threat Model: Review threats and assess their applicability to your architecture
- 2. Manage Security Requirements: Define and track security requirements tied to your architecture
- 3. Import Your SBOM: Add software components for vulnerability scanning