12/04/2024 | Press release | Distributed by Public on 12/04/2024 12:45
The Cybersecurity and Infrastructure Security Agency (CISA) introduced its Secure by Design Pledge earlier this year, which outlines seven goals for secure software development and deployment. This effort aligns with Fortinet's long-standing product development processes based on secure-by-design and secure-by-default principles, and we were pleased to be early signers and supporters of the pledge.
Upon introducing the pledge, CISA senior technical advisors Bob Lord and Jack Cable created an informative video to illustrate the need for technology manufacturers to take a data-driven approach to improving software design and development. The video showcased several real-world examples, comparing this CISA Secure by Design Pledge and related efforts to the long-standing initiatives underway in the automotive and aviation industries.
For example, the National Highway Traffic Safety Administration (NHTSA) collected data on motor vehicle fatalities in the United States over nearly 100 years. Compiling and sharing this detailed data allowed industry regulators to recognize that motor vehicle fatalities were increasing in parallel with the total number of hours cars were being driven, and to make recommendations, grounded in that analysis, for improving the observed negative outcomes.
To counter the increase in fatalities, in the late 1960s, the National Traffic and Motor Vehicle Safety Act was introduced. This act helped to save countless future American lives by making it mandatory for all vehicles except buses to be outfitted with seat belts. The result was a sharp decline in fatalities, even as car usage increased.
Similar measurable decreases can be attributed to the introduction of other technological safety features, such as crumple zones and anti-lock braking.
The examples shared by CISA inspired our team early on to actively measure and report on our progress in enhancing Fortinet's secure-by-design efforts, furthering our goal of serving as a role model for ethical and responsible product development and vulnerability disclosure. We're working to improve the uptake of Fortinet-issued security patches, which aligns with one of the goals set forth by CISA in the Secure by Design Pledge. This effort presented an ideal opportunity to measure progress and determine whether the changes we had been making were tangibly improving our customers' respective security postures.
First, we set out to understand why some customers weren't upgrading their devices when we issued updates. We heard two reasons cited most often:
I elaborate further on these challenges in the following sections.
Following these conversations, we worked to address both concerns, making it easier for customers to apply patches despite their unique challenges. Below is an overview of the steps we took to address each concern and a look at the data we collected to help us determine whether our efforts were successful.