Secure by Design Pledge
Fortra has signed CISA's Secure by Design Pledge because we believe that software should be safe to use on day one. That is why we are committed to developing software that is built securely, with secure components, and comes with secure defaults. This process is both forward looking for new development and backward facing, improving code and default configurations in the software our customers have used and trusted for years.
Focus Areas and Goals
The Secure by Design Pledge has seven focus areas and target goals:
Multi-Factor Authentication (MFA)
What it is: To protect against password-based attacks, implementing phishing-resistant controls is the greatest defense. Using MFA is the most common approach to this problem and applications should allow for or enforce this control, especially when dealing with sensitive data or elevated privileges.
Secure by Design goal: Within one year of signing the pledge, demonstrate actions taken to measurably increase the use of multi-factor authentication across the manufacturer’s products.
How we are addressing it: Fortra offers or requires MFA in several of our products, including all our SaaS-based offerings such as Fortra’s platform, Fortra’s GoAnywhere MFT, Fortra’s Digital Guardian, and Fortra’s Secure Collaboration as well as many of our on-premises products. Our goal is to ensure we implement phishing-resistant access in each product where it provides the most protection.
Default Passwords
What it is: When software is shipped with known, shared default passwords, that provides an easy attack vector for attackers to exploit. Eliminating this practice and replacing it with safer setup options increases the security for application and more so when combined with MFA.
Secure by Design goal: Within one year of signing the pledge, demonstrate measurable progress towards reducing default passwords across the manufacturers’ products.
How we are addressing it: Many Fortra products do not ship with or use default passwords. However, we are working to eliminate the use of default passwords entirely, and any new products will use safe methods of setup and installation to avoid this type of weakness.
Reducing Entire Class of Vulnerability
What it is: Following known good patterns and frameworks can reduce or eliminate entire classes of vulnerabilities such as SQL injection and cross-site scripting. To address this challenge, it is key to analyze software for common weaknesses and develop strategies to address them at scale through standardization.
Secure by Design goal: Within one year of signing the pledge, demonstrate actions taken towards enabling a significant measurable reduction in the prevalence of one or more vulnerability classes across the manufacturer’s products.
How we are addressing it: With Fortra’s large and diverse product offerings, taking on vulnerabilities is a significant endeavor – and we have chosen to meet it head on. At each stage of development, from writing code to running in the cloud or building on-premises software, Fortra is creating safe patterns and reusable frameworks to tackle common security problems and improve developer efficiency.
Security Patches
What it is: Software requires continuous improvement and beyond new features and bug fixes, security patches are a fact of life. Security fixes don’t help customers if they aren’t applied, however, and that can sometimes be harder than it needs to be. Finding ways to make it quicker, easier, and safer to keep products up to date is an important step in improving the security posture of those products.
Secure by Design goal: Within one year of signing the pledge, demonstrate actions taken to measurably increase the installation of security patches by customers.
How we are addressing it: At Fortra, we are continuously patching and improving our cloud and SaaS-based products, so our customers don’t have to worry about being on the latest and best versions of our software. For products that are customer-hosted, we are committed to delivering regular updates and addressing security issues as they are discovered. Stay current by subscribing to product updates and be sure to follow our quarterly Release Day announcements.
Vulnerability Disclosure Policy
What it is: Both internal test teams and external researchers find security vulnerabilities on a regular basis. To ensure a clear and standard path for reporting and communicating vulnerabilities, it is important to have a vulnerability disclosure policy. This policy helps external reporters understand the process and expectations when reporting issues found in their research.
Secure by Design goal: Within one year of signing the pledge, publish a vulnerability disclosure policy (VDP).
How we are addressing it: In December 2023, Fortra became a CVE Numbering Authority (CNA) and published its vulnerability disclosure policy on fortra.com. Fortra is committed to providing the information customers need to manage their software risk and stay ahead of product vulnerabilities.
Common Vulnerabilities and Exposures (CVEs)
What it is: Common Vulnerabilities and Exposures (CVE) are an industry standard way to communicate product vulnerabilities to customers. By publishing CVEs, companies demonstrate transparency when they find vulnerabilities and the corresponding corrective action that customers can take to mitigate or remediate vulnerabilities.
Secure by Design goal: Within one year of signing the pledge, demonstrate transparency in vulnerability reporting.
How we are addressing it: As a CNA, Fortra publishes CVEs for vulnerabilities we find in our products, along with advisories in the Fortra Security & Trust Center. There are several communication channels to follow Fortra CVEs, so be sure to watch and subscribe to keep up with the latest information.
Evidence of Intrusions
What it is: Visibility is key when a security event is happening. Software can provide good detective controls by including robust audit logging and anomaly alerting. Highlighting changes to configurations or settings and providing easy access to logs enhances an organization’s ability to quickly respond to potential security events.
Secure by Design goal: Within one year of signing the pledge, demonstrate a measurable increase in the ability for customers to gather evidence of cybersecurity intrusions affecting the manufacturer’s products.
How we are addressing it: At Fortra, we not only integrate audit logging and visibility mechanisms into our software, but we also create tools to monitor real-time changes to critical assets and software. Fortra’s Tripwire Enterprise provides continuous file integrity management and the Event Fusion Center in Fortra’s platform are ways to bring critical information to the forefront. Fortra continues to look for ways to enhance logging and visibility across our product suite, so customers are able to see and respond to events as quickly as possible.
Quarterly Report
For Q2 of 2025, Fortra will be seeking to close the gaps found during our Q4 survey and Q1 follow up activities to validate our Pledge Focus survey results. We discovered good coverage for the MFA focus and those products lacking MFA have other mitigating controls in place. Some may benefit from improvements to integrations with customer identity providers and those are being investigated. For the purposes of the Secure by Design Pledge, we are moving this goal area into “Maintain” status
That leaves us to focus on eliminating default passwords and ensuring that we include logging and other mechanisms to provide evidence of intrusions. There were fewer instances of these weaknesses in the products surveyed, so in Q2 we will focus on getting remediations into the backlogs and future releases.
At a Glance
Goal Area | Fortra's Updates at a Glance | Status |
| Multi-Factor Authentication (MFA) | Conducted an audit in Q4 2024 to identify products missing MFA. | Maintain |
| Default Passwords | Conducted an audit in Q4 2024 to identify products with default passwords. | Remediation Planning |
| Evidence of Intrusions | Conducted an audit in Q4 2024 to find software missing desired logging. | Remediation Planning |
| Reducing Entire Class of Vulnerability | Defining heatmap and prioritization. | In Progress |
| Security Patches | Conducting telemetry audit and developing plan of attack. | In Progress |
| Vulnerability Disclosure Policy | Policy was published December 2023. | Complete |
| Common Vulnerabilities and Exposures (CVE) | Fortra published 14 CVEs in 2024. | Maintain |
When we reviewed our survey answers with teams, we found a slight increase in products that used it (+2%), a modest decrease in those that don’t (-10%) and a modest increase where MFA was “N/A” (+10%), meaning we had respondents conservatively answering “False” when MFA was not applicable for their products (e.g., no interactive logins). For the remaining 22% of products that are not using MFA, there is not a strong use case for this control based on the context of the access. For instance, products running on IBM i may defer this control to the OS or integrate with Powertech Multi-Factor Authentication. We are considering this control in Maintenance status now.
Default Passwords
The use of default passwords in Fortra products is rare base on our survey, however, we did find instances where the practice was used (18% use default passwords). Several of those products now have backlog items to mitigate or remediate the weakness which will find their way into a future release. Throughout Q2 we will track the teams’ progress in replacing default passwords with safer options and ensure this pattern is not used in new development.
Evidence of Intrusions
Like default passwords, most of Fortra’s products provide logging to help defenders detect evidence of intrusion affecting the software. 70% of products provided evidence of intrusion while only 12% did not. We will assess the logging gaps in those products and determine how we can provide customers with the information they need to respond quickly to incidents in their environments. Logging strategies and configurations are being evaluated and updates are planned to close the gap.
Reducing Entire Class of Vulnerability
The current approach to this goal is to leverage existing patterns and frameworks that have built in mitigations against attacks such as XSS, and SQLi. Fortra also has an inner-source project underway to standard approaches to common problems and centralize good security hygiene. Benchmarking this goal is a challenge and we are testing ways we can scan or discover vulnerability hot-spots that could benefit from targeted approaches.
For customers in our cloud-hosted and SaaS environments such as Fortra Platform, Fortra VM, and Tripwire ExpertOps customers never have to worry about being on the latest version. Fortra deploys updates as soon as we are able to deploy them. The Platform even allows for real-time updates of the Fortra Agent.
With customers in air-gapped and isolated on-premises environments, ensuring they have the latest software can be a challenge. Fortra is committed to providing timely communication to our on-premises customers when updates are available and we are working to determine which products have the highest barriers to upgrades.
In December of 2023, Fortra became a CVE Numbering Authority (CNA) and as part of that effort published its vulnerability disclosure policy on Fortra.com. Fortra welcomes external researchers to contact us with any security issues they find in our products and our research teams are committed to responsible disclosure to better safeguard our digital world.
As a CNA, Fortra now publishes their own CVEs when discovered. In 2024 Fortra published 14 CVEs for its own products and two for an external vendor. Fortra-published CVEs can be found in the Security Advisories area on Fortra.com. We will continue to provide transparency and fixes so our customers can effectively manage their risk posture.