Fortinet : Reaffirms Its Commitment to Secure Product Development Processes and Responsible Vulnerability Disclosure Policies

News Summary

Fortinet ® (NASDAQ: FTNT), the global cybersecurity leader driving the convergence of networking and security, today announced it is building on the company's long-standing commitment to responsible radical transparency as an early signer of the Secure by Design pledge developed by the Cybersecurity and Infrastructure Security Agency (CISA). This voluntary industry pledge complements and builds on existing Fortinet software security best practices, including those developed by CISA, NIST, other federal agencies, and international and industry partners. The pledge outlines seven goals, including responsible vulnerability disclosure policies, which are already an integral part of Fortinet's product security development.

Advancing Fortinet's Commitment to Secure by Design Principles and Responsible Disclosure Processes

CISA's latest initiative strongly aligns to Fortinet's existing product development processes already based on Secure by Design and Secure by Default principles. Fortinet is committed to adhering to robust product security scrutiny at all stages of the product development lifecycle, helping to ensure that security is designed into each product from inception all the way through to end of life, in the following ways:

• Secure Product Development Lifecycle (SPDLC): Fortinet aligns its processes in accordance with leading standards, including NIST 800-53, NIST 800-161, NIST 800-218, US EO 14028, and UK Telecom Security Act.
• Robust Security Product Testing: Fortinet leverages tools and techniques such as static application security testing (SAST) and software composition analysis built into its build processes, dynamic application security testing (DAST), vulnerability scanning, and fuzzing prior to each release, as well as penetration testing and manual code audits.
• Trusted Supplier Program: To ensure rigorous selection and qualification of its major manufacturing partners, Fortinet adheres to NIST 800-161: Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations. Fortinet's commitment to data privacy and security is embedded in every part of the company's business and in every phase of the product development, manufacturing, and delivery processes.
• Information Security Program: The Fortinet Information Security Program is based on and aligned with industry-leading security standards and frameworks including ISO 27001/2, ISO 27017 and 27018, and NIST 800-53, as well as data privacy regulations such as GDPR and CCPA.
• Third-Party Certifications: Fortinet products are regularly certified to standard and validated through third-party product quality standards, including NIST FIPS 140-2 and NIAP Common Criteria NDcPP / EAL4+.

Additionally, the Fortinet Product Security Incident Response Team (PSIRT) is responsible for maintaining security standards for Fortinet products and operates one of the industry's most robust PSIRT programs, including proactively and transparently disclosing vulnerabilities. Nearly 80% of Fortinet vulnerabilities discovered in 2023 were identified internally through the company's rigorous auditing process. This proactive approach enables fixes to be developed and implemented before malicious exploitation can occur. Fortinet works with its customers, independent security researchers, consultants, industry organizations, and other vendors to accomplish the company's PSIRT mission.

To further advance its dedication to a culture of responsible radical transparency, Fortinet has a long-standing commitment to public and private partnerships that align to its mission, including:

Responsible Radical Transparency Panel at RSAC 2024

Fortinet will expand on how responsible radical transparency can help strengthen cybersecurity resiliency against cyber adversaries as part of a panel session at RSA Conference 2024 titled "No More Secrets in Cybersecurity: Implementing Radical Transparency." The session will take place Thursday, May 9, from 10:50 to 11:40 a.m. PT. in Moscone South - 156.

The panel discussion will feature esteemed industry experts, including:

• Dr. Carl Windsor, Senior Vice President of Product Technology and Solutions, Fortinet
• Michael Daniel, President and Chief Executive Officer, Cyber Threat Alliance
• Eric Goldstein, Executive Assistant Director for Cybersecurity, CISA
• Suzanne Spaulding, Former Undersecretary, U.S. Department of Homeland Security

Anyone interested in expanding their understanding and familiarity with these critical topics can register here.