Fortra® Security & Trust Center

What it is: When software is shipped with known, shared default passwords, that provides an easy attack vector for attackers to exploit. Eliminating this practice and replacing it with safer setup options increases the security for application and more so when combined with MFA. 

Secure by Design goal: Within one year of signing the pledge, demonstrate measurable progress towards reducing default passwords across the manufacturers’ products. 

How we are addressing it: Many Fortra products do not ship with or use default passwords. However, we are working to eliminate the use of default passwords entirely, and any new products will use safe methods of setup and installation to avoid this type of weakness. 

What it is: Following known good patterns and frameworks can reduce or eliminate entire classes of vulnerabilities such as SQL injection and cross-site scripting. To address this challenge, it is key to analyze software for common weaknesses and develop strategies to address them at scale through standardization.  

Secure by Design goal: Within one year of signing the pledge, demonstrate actions taken towards enabling a significant measurable reduction in the prevalence of one or more vulnerability classes across the manufacturer’s products.

How we are addressing it: With Fortra’s large and diverse product offerings, taking on vulnerabilities is a significant endeavor – and we have chosen to meet it head on. At each stage of development, from writing code to running in the cloud or building on-premises software, Fortra is creating safe patterns and reusable frameworks to tackle common security problems and improve developer efficiency.  

What it is: Software requires continuous improvement and beyond new features and bug fixes, security patches are a fact of life. Security fixes don’t help customers if they aren’t applied, however, and that can sometimes be harder than it needs to be. Finding ways to make it quicker, easier, and safer to keep products up to date is an important step in improving the security posture of those products. 

Secure by Design goal: Within one year of signing the pledge, demonstrate actions taken to measurably increase the installation of security patches by customers.

How we are addressing it: At Fortra, we are continuously patching and improving our cloud and SaaS-based products, so our customers don’t have to worry about being on the latest and best versions of our software. For products that are customer-hosted, we are committed to delivering regular updates and addressing security issues as they are discovered. Stay current by subscribing to product updates and be sure to follow our quarterly Release Day announcements. 

What it is: Both internal test teams and external researchers find security vulnerabilities on a regular basis. To ensure a clear and standard path for reporting and communicating vulnerabilities, it is important to have a vulnerability disclosure policy. This policy helps external reporters understand the process and expectations when reporting issues found in their research. 

Secure by Design goal: Within one year of signing the pledge, publish a vulnerability disclosure policy (VDP).

How we are addressing it: In December 2023, Fortra became a CVE Numbering Authority (CNA) and published its vulnerability disclosure policy on fortra.com. Fortra is committed to providing the information customers need to manage their software risk and stay ahead of product vulnerabilities. 

What it is: Common Vulnerabilities and Exposures (CVE) are an industry standard way to communicate product vulnerabilities to customers. By publishing CVEs, companies demonstrate transparency when they find vulnerabilities and the corresponding corrective action that customers can take to mitigate or remediate vulnerabilities. 

Secure by Design goal: Within one year of signing the pledge, demonstrate transparency in vulnerability reporting.

How we are addressing it: As a CNA, Fortra publishes CVEs for vulnerabilities we find in our products, along with advisories in the Fortra Security & Trust Center. There are several communication channels to follow Fortra CVEs, so be sure to watch and subscribe to keep up with the latest information.   

What it is: Visibility is key when a security event is happening. Software can provide good detective controls by including robust audit logging and anomaly alerting. Highlighting changes to configurations or settings and providing easy access to logs enhances an organization’s ability to quickly respond to potential security events. 

Secure by Design goal: Within one year of signing the pledge, demonstrate a measurable increase in the ability for customers to gather evidence of cybersecurity intrusions affecting the manufacturer’s products.

How we are addressing it: At Fortra, we not only integrate audit logging and visibility mechanisms into our software, but we also create tools to monitor real-time changes to critical assets and software. Fortra’s Tripwire Enterprise provides continuous file integrity management and the Event Fusion Center in Fortra’s platform are ways to bring critical information to the forefront. Fortra continues to look for ways to enhance logging and visibility across our product suite, so customers are able to see and respond to events as quickly as possible.