Fortinet reaffirms its commitment to secure product development and responsible disclosure processes

Fortinet made the statement on May 8 while announcing it is building on the company’s longstanding commitment to responsible radical transparency as an early signer of the Secure by Design pledge developed by the Cybersecurity and Infrastructure Security Agency (CISA). This voluntary industry pledge complements and builds on existing Fortinet software security best practices, including those developed by CISA, NIST, other federal agencies, and international and industry partners. The pledge outlines seven goals, including responsible vulnerability disclosure policies, which are already an integral part of Fortinet’s product security development.

Jim Richberg, head of Cyber Policy and Global Field CISO at Fortinet, said, “At Fortinet, we have a longstanding commitment to being a role model in ethical and responsible product development and vulnerability disclosure. As part of this dedication, Fortinet has proactively aligned to international and industry best practices and upholds the highest security standards in every aspect of our business. We applaud CISA’s continued call to the industry to follow suit and appreciate CISA’s willingness to collaborate with Fortinet on the development of these important goals. We strongly encourage others in the technology community to join this effort to keep organisations secure.”

CISA’s latest initiative strongly aligns with Fortinet’s existing product development processes, which are already based on secure-by-design and secure-by-default principles. Fortinet is committed to adhering to robust product security scrutiny at all stages of the product development lifecycle, helping to ensure that security is designed into each product from inception all the way through to end of life.

Regarding Secure Product Development Lifecycle (SPDLC), Fortinet aligns its processes in accordance with leading standards, including NIST 800-53, NIST 800-161, NIST 800-218, US EO 14028, and the UK Telecom Security Act.

In terms of testing, Fortinet leverages tools and techniques such as static application security testing and software composition analysis built into its build processes, dynamic application security testing, vulnerability scanning, and fuzzing prior to each release, as well as penetration testing and manual code audits.

Another aspect is its trusted supplier programme. To ensure rigorous selection and qualification of its major manufacturing partners, Fortinet adheres to NIST 800-161: Cybersecurity Supply Chain Risk Management Practices for Systems and Organisations. Fortinet’s commitment to data privacy and security is embedded in every part of the company’s business and in every phase of the product development, manufacturing, and delivery processes.

Concerning information security, the Fortinet's strategy is based on and aligned with industry-leading security standards and frameworks including ISO 27001/2, ISO 27017 and 27018 and NIST 800-53, as well as data privacy regulations such as GDPR and CCPA.

When it comes to third-party certifications, Fortinet products are regularly certified to standard and validated through third-party product quality standards, including NIST FIPS 140-2 and NIAP Common Criteria NDcPP / EAL4+.

Additionally, the Fortinet Product Security Incident Response Team (PSIRT) is responsible for maintaining security standards for Fortinet products and operates one of the industry’s most robust PSIRT programmes, including proactively and transparently disclosing vulnerabilities. Nearly 80 per cent of Fortinet vulnerabilities discovered in 2023 were identified internally through the company’s rigorous auditing process. This proactive approach enables fixes to be developed and implemented before malicious exploitation can occur. Fortinet works with its customers, independent security researchers, consultants, industry organisations, and other vendors to accomplish the company’s PSIRT mission.

To further advance its dedication to a culture of responsible radical transparency, Fortinet has a longstanding commitment to public and private partnerships that align with its mission. As a founding member of the Network Resilience Coalition, Fortinet is helping deliver real-world solutions to protect networks and sensitive data, including addressing the issue of software and hardware updates and patches not being implemented.

Through its membership with the Joint Cyber Defense Collaborative, which was established by CISA in 2021, Fortinet works with public and private entities to gather, analyse, and share actionable information to more proactively protect and defend against cyberthreats.

As a founding member of the Cyber Threat Alliance, Fortinet shares timely threat intelligence with other cybersecurity practitioners to better protect customers against adversaries.

Working with global leaders as a founding member of the World Economic Forum’s Centre for Cybersecurity, Fortinet is helping to encourage intelligence sharing across the industry to reduce global cyberattacks and disrupt cybercrime.

Fortinet shares ransomware prevention best practices Data is often the most valuable asset of a company and without proper protection against ransomware, employees and businesses alike are at risk of losing access to critical information. Therefore, it is essential to implement a ransomware protection strategy that includes cyber hygiene best practices.

Fortinet expands its global SASE Points-of-Presence with Google Cloud Fortinet, the global cybersecurity leader driving the convergence of networking and security, on October 16 announced the expansion of its SASE Points-of-Presence (POPs) to new locations through a partnership with Google Cloud.

Fortinet and Samsung Heavy Industries sign MoU on maritime cybersecurity On March 27, Fortinet, the global cybersecurity leader driving the convergence of networking and security, and Samsung Heavy Industries, a global leader in maritime shipbuilding, announced the signing of an MoU for cooperation in the maritime cybersecurity of ships.