Fortinet is one of the first providers to sign the Secure by Design (CISA) commitment

In this way, the company emphasizes its dedication to a culture of responsible and total transparency, with the security of its customers as the priority.

Fortinet announced that, building on the company’s long-standing commitment to responsible and total transparency, it is one of the first to sign the Secure by Design commitment developed by the Cybersecurity and Infrastructure Security Agency (CISA). This voluntary industry commitment complements and builds on existing Fortinet software security best practices, including those developed by CISA, NIST, other federal agencies, and international and industry partners. The commitment outlines seven goals, including responsible vulnerability disclosure policies, which are already an integral part of Fortinet’s secure product development.

“At Fortinet, we have a long-standing commitment to being a role model in ethical and responsible product development and vulnerability disclosure. As part of this dedication, Fortinet has proactively aligned with international and industry best practices and maintains the highest security standards in every aspect of our business. We applaud CISA’s continued call to industry to follow suit and appreciate CISA’s willingness to collaborate with Fortinet in developing these important goals. We strongly encourage other members of the technology community to join this initiative to keep organizations safe,” said Jim Richberg, Head of Cyber Policy and Global Field CISO at Fortinet.

The latest CISA initiative is firmly aligned with Fortinet’s existing product development processes, which are already based on the principles of Secure by Design and Secure by Default. Fortinet is committed to rigorous product security scrutiny at every stage of the product development lifecycle, helping to ensure that security is designed into every product from inception to end of life, in the following ways:

  • Secure Product Development Lifecycle (SPDLC): Fortinet aligns its processes with leading standards, including NIST 800-53, NIST 800-161, NIST 800-218, US Executive Order 14028 and the UK Telecommunications (Security) Act.
  • Robust Product Security Testing: Fortinet leverages tools and techniques such as static application security testing (SAST) and software composition analysis built into its build processes, dynamic application security testing (DAST), vulnerability scanning and fuzzing before each release, as well as penetration testing and manual code audits.
  • Trusted Supplier Program: To ensure rigorous selection and qualification of its major manufacturing partners, Fortinet adheres to NIST 800-161, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations. Fortinet’s commitment to data privacy and security is embedded in every part of the company’s business and in every phase of its product development, manufacturing and delivery processes.
  • Information Security Program: Fortinet’s information security program is based on and aligned with industry-leading security standards and frameworks, including ISO 27001/2, ISO 27017 and 27018, and NIST 800-53, as well as data privacy regulations such as GDPR and CCPA.
  • Third-party certifications: Fortinet products are regularly certified and validated against third-party product quality standards, including NIST FIPS 140-2 and NIAP Common Criteria NDcPP/EAL4+.

In addition, Fortinet’s Product Security Incident Response Team (PSIRT) is responsible for maintaining security standards for Fortinet products and operates one of the industry’s strongest PSIRT programs, including proactive and transparent disclosure of vulnerabilities. Almost 80% of Fortinet vulnerabilities discovered in 2023 were identified internally through the company’s rigorous audit process. This proactive approach allows Fortinet to develop and deploy fixes before a vulnerability can be maliciously exploited. Fortinet works with its customers, independent security researchers, consultants, industry organizations and other vendors to fulfill the company’s PSIRT mission.

To further promote its dedication to a culture of responsible and total transparency, Fortinet has a long-standing commitment to public and private partnerships that align with its mission, including:

  • As a founding member of the Network Resilience Coalition, Fortinet helps deliver real-world solutions to protect sensitive networks and data, including addressing the problem of software and hardware updates and patches that are never applied.
  • Through its membership in the Joint Cyber Defense Collaborative (JCDC), established by CISA in 2021, Fortinet works with public and private entities to collect, analyze and share actionable information in order to protect and defend against cyber threats more proactively.
  • As a founding member of the Cyber Threat Alliance (CTA), Fortinet shares timely threat intelligence with other cybersecurity professionals to better protect customers against adversaries.
  • Working with global leaders as a founding member of the World Economic Forum’s Centre for Cybersecurity (C4C), Fortinet helps foster intelligence sharing across the industry to reduce global cyberattacks and disrupt cybercrime.

“Time and again, across multiple sectors, we have learned that transparency improves outcomes for consumers and society. The cybersecurity industry is no different. In our industry, transparency includes seeking out, mitigating and disclosing vulnerabilities in an open and responsible manner. Fortinet has already taken steps to adopt this responsible transparency, creating a clear set of principles for managing communication and vulnerability analysis. The company’s leadership in this area is a solid example of how cybersecurity providers should communicate with customers and the general public,” said Michael Daniel, president and CEO of the Cyber Threat Alliance (CTA).