Secure by Design Pledge
Fortra has signed CISA's Secure by Design Pledge because we believe that software should be safe to use on day one. That is why we are committed to developing software that is built securely, with secure components, and comes with secure defaults. This process is both forward looking for new development and backward facing, improving code and default configurations in the software our customers have used and trusted for years.
Focus Areas and Goals
The Secure by Design Pledge has seven focus areas and target goals:
Multi-Factor Authentication (MFA)
What it is: To protect against password-based attacks, implementing phishing-resistant controls is the greatest defense. Using MFA is the most common approach to this problem and applications should allow for or enforce this control, especially when dealing with sensitive data or elevated privileges.
Secure by Design goal: Within one year of signing the pledge, demonstrate actions taken to measurably increase the use of multi-factor authentication across the manufacturer’s products.
How we are addressing it: Fortra offers or requires MFA in several of our products, including all our SaaS-based offerings such as Fortra’s platform, Fortra’s GoAnywhere MFT, Fortra’s Digital Guardian, and Fortra’s Secure Collaboration as well as many of our on-premises products. Our goal is to ensure we implement phishing-resistant access in each product where it provides the most protection.
Default Passwords
What it is: When software is shipped with known, shared default passwords, that provides an easy attack vector for attackers to exploit. Eliminating this practice and replacing it with safer setup options increases the security for application and more so when combined with MFA.
Secure by Design goal: Within one year of signing the pledge, demonstrate measurable progress towards reducing default passwords across the manufacturers’ products.
How we are addressing it: Many Fortra products do not ship with or use default passwords. However, we are working to eliminate the use of default passwords entirely, and any new products will use safe methods of setup and installation to avoid this type of weakness.
Reducing Entire Class of Vulnerability
What it is: Following known good patterns and frameworks can reduce or eliminate entire classes of vulnerabilities such as SQL injection and cross-site scripting. To address this challenge, it is key to analyze software for common weaknesses and develop strategies to address them at scale through standardization.
Secure by Design goal: Within one year of signing the pledge, demonstrate actions taken towards enabling a significant measurable reduction in the prevalence of one or more vulnerability classes across the manufacturer’s products.
How we are addressing it: With Fortra’s large and diverse product offerings, taking on vulnerabilities is a significant endeavor – and we have chosen to meet it head on. At each stage of development, from writing code to running in the cloud or building on-premises software, Fortra is creating safe patterns and reusable frameworks to tackle common security problems and improve developer efficiency.
Security Patches
What it is: Software requires continuous improvement and beyond new features and bug fixes, security patches are a fact of life. Security fixes don’t help customers if they aren’t applied, however, and that can sometimes be harder than it needs to be. Finding ways to make it quicker, easier, and safer to keep products up to date is an important step in improving the security posture of those products.
Secure by Design goal: Within one year of signing the pledge, demonstrate actions taken to measurably increase the installation of security patches by customers.
How we are addressing it: At Fortra, we are continuously patching and improving our cloud and SaaS-based products, so our customers don’t have to worry about being on the latest and best versions of our software. For products that are customer-hosted, we are committed to delivering regular updates and addressing security issues as they are discovered. Stay current by subscribing to product updates and be sure to follow our quarterly Release Day announcements.
Vulnerability Disclosure Policy
What it is: Both internal test teams and external researchers find security vulnerabilities on a regular basis. To ensure a clear and standard path for reporting and communicating vulnerabilities, it is important to have a vulnerability disclosure policy. This policy helps external reporters understand the process and expectations when reporting issues found in their research.
Secure by Design goal: Within one year of signing the pledge, publish a vulnerability disclosure policy (VDP).
How we are addressing it: In December 2023, Fortra became a CVE Numbering Authority (CNA) and published its vulnerability disclosure policy on fortra.com. Fortra is committed to providing the information customers need to manage their software risk and stay ahead of product vulnerabilities.
Common Vulnerabilities and Exposures (CVEs)
What it is: Common Vulnerabilities and Exposures (CVE) are an industry standard way to communicate product vulnerabilities to customers. By publishing CVEs, companies demonstrate transparency when they find vulnerabilities and the corresponding corrective action that customers can take to mitigate or remediate vulnerabilities.
Secure by Design goal: Within one year of signing the pledge, demonstrate transparency in vulnerability reporting.
How we are addressing it: As a CNA, Fortra publishes CVEs for vulnerabilities we find in our products, along with advisories in the Fortra Security & Trust Center. There are several communication channels to follow Fortra CVEs, so be sure to watch and subscribe to keep up with the latest information.
Evidence of Intrusions
What it is: Visibility is key when a security event is happening. Software can provide good detective controls by including robust audit logging and anomaly alerting. Highlighting changes to configurations or settings and providing easy access to logs enhances an organization’s ability to quickly respond to potential security events.
Secure by Design goal: Within one year of signing the pledge, demonstrate a measurable increase in the ability for customers to gather evidence of cybersecurity intrusions affecting the manufacturer’s products.
How we are addressing it: At Fortra, we not only integrate audit logging and visibility mechanisms into our software, but we also create tools to monitor real-time changes to critical assets and software. Fortra’s Tripwire Enterprise provides continuous file integrity management and the Event Fusion Center in Fortra’s platform are ways to bring critical information to the forefront. Fortra continues to look for ways to enhance logging and visibility across our product suite, so customers are able to see and respond to events as quickly as possible.
Quarterly Report
In Q4 of 2024 Fortra focused on three focus areas most easily addressable across its portfolio: MFA, the use of default passwords, and evidence of intrusion. A survey of all products across the portfolio was conducted to determine which products were already implementing secure-by-design principles and which had opportunities to improve their out-of-the-box posture. The results will guide development efforts and improvements throughout 2025.
At a Glance
Goal Area | Fortra's Updates at a Glance | Status |
| Multi-Factor Authentication (MFA) | Conducted an audit in Q4 2024 to identify products missing MFA. | Survey Complete Remediation Planning |
| Default Passwords | Conducted an audit in Q4 2024 to identify products with default passwords. | Survey Complete Remediation Planning |
| Evidence of Intrusions | Conducted an audit in Q4 2024 to find software missing desired logging. | Survey Complete Remediation Planning |
| Reducing Entire Class of Vulnerability | Defining heatmap and prioritization. | In Progress |
| Security Patches | Conducting telemetry audit and developing plan of attack. | In Progress |
| Vulnerability Disclosure Policy | Policy was published December 2023. | Complete |
| Common Vulnerabilities and Exposures (CVE) | Fortra published 14 CVEs in 2024. | Maintain |
In a survey of our products, we found 28% use MFA, 32% do not and for 40% MFA is not applicable. Our next step is to determine whether MFA will provide additional security value for those products missing the feature. For our cloud products and those with administrative console interfaces, MFA is a priority and has already been implemented. For instance, all users accessing the Fortra platform are required to use MFA or SSO with their own organization’s identity provider. MFA is a part of a large number of Fortra’s products and even enables MFA on the IBM i with Powertech Multi-Factor Authentication.
Default Passwords
For default passwords, we found the usage rare in Fortra products, only 18% are currently under review while 72% did not have default passwords as part of the software. We will work throughout 2025 to address the use of default passwords by eliminating them altogether or developing mitigating controls to improve their security posture.
Evidence of Intrusions
Like default passwords, most of Fortra’s products provide logging to help defenders detect evidence of intrusion affecting the software. 70% of products provided evidence of intrusion while only 12% did not. We will assess the logging gaps in those products and determine how we can provide customers with the information they need to respond quickly to incidents in their environments.
Reducing Entire Class of Vulnerability
To eliminate significant risk of vulnerabilities, Fortra is scanning its various offerings to discover patterns of risk that can be eliminated through the use of frameworks, common secure code, and other practices. This goal will be a focus area for Fortra in H1 2025 to gain an even greater view into areas of risk reduction for our products.
For customers in our cloud-hosted and SaaS environments such as Fortra Platform, Fortra VM, and Tripwire ExpertOps customers never have to worry about being on the latest version. Fortra deploys updates as soon as we are able to deploy them. The Platform even allows for real-time updates of the Fortra Agent.
With customers in air-gapped and isolated on-premises environments, ensuring they have the latest software can be a challenge. Fortra is committed to providing timely communication to our on-premises customers when updates are available and we are working to determine which products have the highest barriers to upgrades.
In December of 2023, Fortra became a CVE Numbering Authority (CNA) and as part of that effort published its vulnerability disclosure policy on Fortra.com. Fortra welcomes external researchers to contact us with any security issues they find in our products and our research teams are committed to responsible disclosure to better safeguard our digital world.
As a CNA, Fortra now publishes their own CVEs when discovered. In Q3, Fortra published 3 CVEs for its own products and two for an external vendor. Fortra-published CVEs can be found in the Security Advisories area on Fortra.com.