Fortinet Inc.

08/01/2024 | Press release | Distributed by Public on 08/01/2024 09:04

Fortinet’s Progress on its Secure by Design Pledge Commitments

At a time when businesses are embracing digital transformation and our lives are increasingly conducted online, it's more critical than ever to ensure that the software we rely on every day is secure. Threat actors continue to refine their tactics, putting everything from personal data and intellectual property to national security at greater risk and raising the stakes for every individual and organization.

As a driving force in the evolution of cybersecurity, Fortinet has long been at the forefront of the industry in embracing and advocating for cybersecurity best practices. We are committed to being a role model regarding ethical product development and vulnerability disclosure, which includes embracing responsible radical transparency, holding ourselves to robust disclosure practices, and adhering to international and industry-recognized standards.

While these efforts have been part of Fortinet's DNA for at least two decades, across the broader software industry these best practices remain mere suggestions, not requirements. Until recently, there has been a notable gap in coordination between cybersecurity vendors, the broader software industry, and government agencies in setting and driving policies that hold software manufacturers to more rigorous standards.

Fortinet an Early Signer of the CISA Secure by Design Pledge

At the annual RSA Conference in May, I was immensely proud that Fortinet joined 67 other leading software and cybersecurity vendors in signing the Secure by Design Pledge, developed by the Cybersecurity and Infrastructure Security Agency (CISA). Leading up to the public introduction of the pledge, Fortinet had been collaborating with CISA, international agencies, and other industry leaders to contribute to the effort, with our Head of Cyber Policy and Global Field CISO Jim Richberg helping to draft the pledge.

Just as other industries regularly make data-driven decisions on how to improve safety in their respective sectors, CISA introduced this pledge to further rally industry stakeholders, including technology companies, software developers, and cybersecurity professionals, to prioritize cybersecurity throughout the product development life cycle and use data-driven intelligence to deliver measurable improvements that strengthen our nation's cybersecurity.

In signing the pledge, participants commit to taking actionable and measurable steps across seven key areas to make their product development processes and the resulting technologies more secure.

Embracing Secure by Design Principles from Day One

Fortinet has employed rigorous secure-by-design principles in our product development processes since the company's inception. These include:

  • Rigorous internal code testing and analysis: Fortinet has a robust internal code testing and analysis process across all our products. As a result of this rigor, almost 80% of Fortinet vulnerabilities discovered in 2023 were identified internally. In addition to our internal efforts, we regularly work with external threat researchers, consultants, third-party vendors, and our customers to identify and quickly disclose discovered vulnerabilities. This proactive approach to searching for and finding potential vulnerabilities allows us to develop and share fixes before exploitation happens.
  • Active threat hunting: The FortiGuard Labs team, established in 2005, actively hunts for vulnerabilities across the digital landscape. Our threat researchers consistently discover and report zero-day threats in third-party software and hardware and have responsibly disclosed more than 1,020 zero-days to over 100 vendors to date.
  • Proactive and timely communication about vulnerabilities: Our Product Security Incident Response Team (PSIRT) provides organizations with the vital information they need to make risk-based decisions. The team manages the receipt, investigation, and public reporting of information about security vulnerabilities and issues related to Fortinet products and services. As part of Fortinet's PSIRT policies and processes, which align with principles outlined by U.S. and international government agencies, our PSIRT efforts diligently balance our commitment to the security of our customers and our culture of researcher collaboration and proactive, responsible transparency. Our PSIRT process and related communications include direct correspondence with customers; a monthly PSIRT advisory that details available recommended workarounds, mitigations, or next steps; and expanded analysis via Fortinet blog posts as needed.
  • Incorporation of industry-recognized best practices: At Fortinet, we have a long-standing dedication to proactively incorporating and adhering to best practices aligned with government entities like CISA in every aspect of our product development life cycle. For example, our Secure Product Development Lifecycle Policy (SPDLC), which is based on secure-by-design and secure-by-default principles, helps ensure that security is built into each product from inception, covering every stage of the product life cycle all the way through to the end of life. This includes aligning with secure product development best practices, such as NIST SP 800-53, 800-161, and 800-218; EO 14028; and the UK Telecom Security Act.

Further Progress on Our Pledge Commitments

Fortinet continues to collaborate with the industry to develop and implement stronger standards for the benefit of all our customers. In addition to the secure-by-design principles we've been embracing for decades, Fortinet is making significant progress on the specific goals outlined in the CISA Secure by Design Pledge. These recent efforts include:

  • Eliminating default passwords and forcing users to create strong passwords at the start of the installation process
  • Enabling automatic update capabilities by default on low-end devices so that security issues are remediated without manual intervention
  • Demonstrating transparency through the use of Common Weakness Enumeration (CWE) in published Common Vulnerabilities and Exposures (CVE)
  • Publishing a machine-readable security policy, such as security.txt

This is just the start. Many other initiatives that further meet the expectations set out in the pledge are underway, and we'll share them soon. These include:

  • Support to aid customers in the transition to newer, supported versions
  • Tracking the impact these valuable changes are making on the uptake of new versions

All Software Manufacturers Must Embrace Secure by Design

The Secure by Design Pledge is an important step forward in driving the development of industrywide best practices that will enhance security for all. As part of our commitment to embracing responsible radical transparency, we'll continue reporting on our progress, highlighting the enhancements we've made and publishing data on how these changes benefit our customers.

We will continue leading the way, proactively modeling leadership, and promoting a code of ethics for responsible vulnerability disclosure. We encourage our industry peers to do the same for the whole industry's betterment.

In the battle against our collective cyber adversaries, proactive measures like the CISA Secure by Design Pledge are powerful weapons, empowering organizations to contribute to a resilient and trustworthy digital ecosystem.