Secure by Design Pledge
Fortra has signed CISA's Secure by Design Pledge because we believe that software should be safe to use on day one. That is why we are committed to developing software that is built securely, with secure components, and comes with secure defaults. This process is both forward looking for new development and backward facing, improving code and default configurations in the software our customers have used and trusted for years.
Focus Areas and Goals
The Secure by Design Pledge has seven focus areas and target goals:
Multi-Factor Authentication (MFA)
What it is: To protect against password-based attacks, implementing phishing-resistant controls is the greatest defense. Using MFA is the most common approach to this problem and applications should allow for or enforce this control, especially when dealing with sensitive data or elevated privileges.
Secure by Design goal: Within one year of signing the pledge, demonstrate actions taken to measurably increase the use of multi-factor authentication across the manufacturer’s products.
How we are addressing it: Fortra offers or requires MFA in several of our products, including all our SaaS-based offerings such as Fortra’s platform, Fortra’s GoAnywhere MFT, Fortra’s Digital Guardian, and Fortra’s Secure Collaboration as well as many of our on-premises products. Our goal is to ensure we implement phishing-resistant access in each product where it provides the most protection.
Default Passwords
What it is: When software is shipped with known, shared default passwords, it provides an easy attack vector for attackers to exploit. Eliminating this practice and replacing it with safer setup options increases the security of the application, and even more so when combined with MFA.
Secure by Design goal: Within one year of signing the pledge, demonstrate measurable progress towards reducing default passwords across the manufacturers’ products.
How we are addressing it: Many Fortra products do not ship with or use default passwords. However, we are working to eliminate the use of default passwords entirely, and any new products will use safe methods of setup and installation to avoid this type of weakness.
Reducing Entire Class of Vulnerability
What it is: Following known good patterns and frameworks can reduce or eliminate entire classes of vulnerabilities such as SQL injection and cross-site scripting. To address this challenge, it is key to analyze software for common weaknesses and develop strategies to address them at scale through standardization.
Secure by Design goal: Within one year of signing the pledge, demonstrate actions taken towards enabling a significant measurable reduction in the prevalence of one or more vulnerability classes across the manufacturer’s products.
How we are addressing it: With Fortra’s large and diverse product offerings, taking on vulnerabilities is a significant endeavor – and we have chosen to meet it head on. At each stage of development, from writing code to running in the cloud or building on-premises software, Fortra is creating safe patterns and reusable frameworks to tackle common security problems and improve developer efficiency.
Security Patches
What it is: Software requires continuous improvement, and beyond new features and bug fixes, security patches are a fact of life. Security fixes don’t help customers if they aren’t applied, however, and applying them can sometimes be harder than it needs to be. Finding ways to make it quicker, easier, and safer to keep products up to date is an important step in improving the security posture of those products.
Secure by Design goal: Within one year of signing the pledge, demonstrate actions taken to measurably increase the installation of security patches by customers.
How we are addressing it: At Fortra, we are continuously patching and improving our cloud and SaaS-based products, so our customers don’t have to worry about being on the latest and best versions of our software. For products that are customer-hosted, we are committed to delivering regular updates and addressing security issues as they are discovered. Stay current by subscribing to product updates and be sure to follow our quarterly Release Day announcements.
Vulnerability Disclosure Policy
What it is: Both internal test teams and external researchers find security vulnerabilities on a regular basis. To ensure a clear and standard path for reporting and communicating vulnerabilities, it is important to have a vulnerability disclosure policy. This policy helps external reporters understand the process and expectations when reporting issues found in their research.
Secure by Design goal: Within one year of signing the pledge, publish a vulnerability disclosure policy (VDP).
How we are addressing it: In December 2023, Fortra became a CVE Numbering Authority (CNA) and published its vulnerability disclosure policy on fortra.com. Fortra is committed to providing the information customers need to manage their software risk and stay ahead of product vulnerabilities.
Common Vulnerabilities and Exposures (CVEs)
What it is: Common Vulnerabilities and Exposures (CVE) are an industry standard way to communicate product vulnerabilities to customers. By publishing CVEs, companies demonstrate transparency when they find vulnerabilities and the corresponding corrective action that customers can take to mitigate or remediate vulnerabilities.
Secure by Design goal: Within one year of signing the pledge, demonstrate transparency in vulnerability reporting.
How we are addressing it: As a CNA, Fortra publishes CVEs for vulnerabilities we find in our products, along with advisories in the Fortra Security & Trust Center. There are several communication channels to follow Fortra CVEs, so be sure to watch and subscribe to keep up with the latest information.
Evidence of Intrusions
What it is: Visibility is key when a security event is happening. Software can provide good detective controls by including robust audit logging and anomaly alerting. Highlighting changes to configurations or settings and providing easy access to logs enhances an organization’s ability to quickly respond to potential security events.
Secure by Design goal: Within one year of signing the pledge, demonstrate a measurable increase in the ability for customers to gather evidence of cybersecurity intrusions affecting the manufacturer’s products.
How we are addressing it: At Fortra, we not only integrate audit logging and visibility mechanisms into our software, but we also create tools to monitor real-time changes to critical assets and software. Fortra’s Tripwire Enterprise, which provides continuous file integrity management, and the Event Fusion Center in Fortra’s platform are two ways to bring critical information to the forefront. Fortra continues to look for ways to enhance logging and visibility across our product suite, so customers are able to see and respond to events as quickly as possible.
Quarterly Report
Fortra’s commitment to Secure by Design development includes transparency about what we are doing to enhance the security of our products. As part of our pledge, we will be publishing a quarterly report coinciding with Fortra Release Days, documenting our progress against the seven focus areas outlined above. This report will communicate our efforts along with metrics based on the pledge goals, for example a survey of our products and our progress toward eliminating default passwords, the number of CVEs released in the previous quarter, and our efforts to eliminate entire classes of vulnerabilities.
At a Glance
| Goal Area | Fortra's Updates at a Glance | Status |
| --- | --- | --- |
| Multi-Factor Authentication (MFA) | Fortra Platform requires MFA. Conducting audit to identify products missing MFA. | In Progress |
| Default Passwords | Conducting audit to identify products with default passwords | In Progress |
| Reducing Entire Class of Vulnerability | Defining heatmap and prioritization | In Progress |
| Security Patches | Conducting telemetry audit and developing plan of attack | In Progress |
| Vulnerability Disclosure Policy | Policy was published December 2023 | Complete |
| Common Vulnerabilities and Exposures (CVE) | Fortra published 5 CVEs in Q3 | Maintain |
| Evidence of Intrusions | Conducting product audit and developing plan of attack | In Progress |
Multi-Factor Authentication (MFA)
All users accessing the Fortra platform are required to use MFA or SSO with their own organization’s identity provider. MFA is part of a large number of Fortra’s products, and Fortra even enables MFA on the IBM i with Powertech Multi-Factor Authentication. In keeping with the Secure by Design Pledge, Fortra is undertaking an audit of its product suite to ensure that MFA is an option or is required where it provides the most protection.
Default Passwords
Fortra is initiating an audit to determine whether default passwords are in use in any of its products and to work to eliminate any instances of the pattern that we find.
Reducing Entire Class of Vulnerability
To eliminate significant risk of vulnerabilities, Fortra is scanning its various offerings to discover patterns of risk that can be eliminated through the use of frameworks, common secure code, and other practices.
Security Patches
Customers in our cloud-hosted and SaaS environments, such as Fortra Platform, Fortra VM, and Tripwire ExpertOps, never have to worry about being on the latest version. Fortra deploys updates as soon as we are able to. The Platform even allows for real-time updates of the Fortra Agent.
For customers in air-gapped and isolated on-premises environments, ensuring they have the latest software can be a challenge. Fortra is committed to providing timely communication to our on-premises customers when updates are available, and we are working to determine which products have the highest barriers to upgrades.
Vulnerability Disclosure Policy
In December of 2023, Fortra became a CVE Numbering Authority (CNA) and, as part of that effort, published its vulnerability disclosure policy on Fortra.com. Fortra welcomes external researchers to contact us with any security issues they find in our products, and our research teams are committed to responsible disclosure to better safeguard our digital world.
Common Vulnerabilities and Exposures (CVE)
As a CNA, Fortra now publishes its own CVEs as vulnerabilities are discovered. In Q3, Fortra published 3 CVEs for its own products and two for an external vendor. Fortra-published CVEs can be found in the Security Advisories area on Fortra.com.
Evidence of Intrusions
Audit logging is an important control for all software, and most, if not all, of Fortra’s products include some level of logging. To ensure that Fortra is providing the most visibility to protect the users of its products, we will be conducting an audit to determine which products provide the information and mechanisms users need to detect intrusions, which need additional work, and how best to deliver those results in our products.