Fortinet signs Secure by Design Pledge
This voluntary industry pledge complements and builds on existing Fortinet software security best practices, including those developed by CISA, NIST, other federal agencies, and international and industry partners.

Building on the company’s long-standing commitment to responsible radical transparency, Fortinet has signed the Secure by Design pledge developed by the Cybersecurity and Infrastructure Security Agency (CISA). The pledge outlines seven goals, including responsible vulnerability disclosure policies, which are already an integral part of Fortinet’s product security development.

Jim Richberg, Head of Cyber Policy and Global Field CISO, Fortinet shared, “As part of this dedication, Fortinet has proactively aligned itself to international and industry best practices and upholds the highest security standards in every aspect of our business. We applaud CISA’s continued call to the industry to follow suit and appreciate CISA’s willingness to collaborate with Fortinet on the development of these important goals. We strongly encourage others in the technology community to join this effort to keep organizations secure.”

CISA’s latest initiative aligns closely with Fortinet’s existing product development processes, which are already based on Secure by Design and Secure by Default principles. Fortinet is committed to rigorous product security scrutiny at every stage of the product development lifecycle, helping to ensure that security is designed into each product from inception through end of life.

“In our sector, transparency includes searching for, mitigating, and disclosing vulnerabilities in an open, responsible manner. Fortinet has already taken steps to embrace such responsible transparency, creating a clear set of principles for handling vulnerability communication and analysis. The company’s leadership in this area is a strong example of how cybersecurity vendors should be communicating with customers and the broader public,” said Michael Daniels, President and CEO of the Cyber Threat Alliance (CTA).

“The dedication to a secure-by-design approach to product development is foundational to strong security. We see vendors like Fortinet leading the way in following and applying these principles globally, principles which are also outlined in Australia’s Essential Eight framework, as a significant step forward in enhancing our collective security,” shared Peter Jennings, Director, Strategic Analysis Australia and member of Fortinet’s Strategic Advisory Council.

Fortinet aligns its processes with leading standards, including NIST 800-53, NIST 800-161, NIST 800-218, US EO 14028, and the UK Telecom Security Act. It uses tools and techniques such as static application security testing (SAST) and software composition analysis built into its build processes, dynamic application security testing (DAST), vulnerability scanning, and fuzzing prior to each release, as well as penetration testing and manual code audits.

The Fortinet Information Security Program is based on and aligned with industry-leading security standards and frameworks, including ISO 27001/2, ISO 27017 and 27018, and NIST 800-53, as well as data privacy regulations such as GDPR and CCPA. Fortinet products are also regularly certified and validated against third-party product quality standards, including NIST FIPS 140-2 and NIAP Common Criteria NDcPP / EAL4+.
