Fortra® Security & Trust Center

Secure by Design Pledge


Fortra has signed CISA's Secure by Design Pledge because we believe that software should be safe to use on day one. That is why we are committed to developing software that is built securely, with secure components, and ships with secure defaults. This commitment is both forward-looking, for new development, and backward-looking, improving the code and default configurations of the software our customers have used and trusted for years.

Focus Areas and Goals

The Secure by Design Pledge has seven focus areas and target goals: 

Multi-Factor Authentication (MFA)

What it is: Phishing-resistant authentication controls are the strongest defense against password-based attacks. MFA is the most common way to implement such a control, and applications should allow for or enforce it, especially when they handle sensitive data or elevated privileges.

Secure by Design goal: Within one year of signing the pledge, demonstrate actions taken to measurably increase the use of multi-factor authentication across the manufacturer’s products.

How we are addressing it: Fortra offers or requires MFA in several of our products, including all our SaaS-based offerings such as Fortra’s platform, Fortra’s GoAnywhere MFT, Fortra’s Digital Guardian, and Fortra’s Secure Collaboration as well as many of our on-premises products. Our goal is to ensure we implement phishing-resistant access in each product where it provides the most protection. 

Quarterly Report


In Q4 of 2024, Fortra concentrated on the three pledge areas most easily addressable across its portfolio: MFA, the use of default passwords, and evidence of intrusion. A survey of all products across the portfolio was conducted to determine which products already implement secure-by-design principles and which have opportunities to improve their out-of-the-box posture. The results will guide development efforts and improvements throughout 2025.


At a Glance

Goal Area | Fortra's Updates at a Glance | Status
--- | --- | ---
Multi-Factor Authentication (MFA) | Conducted an audit in Q4 2024 to identify products missing MFA. | Survey Complete; Remediation Planning
Default Passwords | Conducted an audit in Q4 2024 to identify products with default passwords. | Survey Complete; Remediation Planning
Evidence of Intrusions | Conducted an audit in Q4 2024 to find software missing desired logging. | Survey Complete; Remediation Planning
Reducing Entire Class of Vulnerability | Defining heatmap and prioritization. | In Progress
Security Patches | Conducting telemetry audit and developing plan of attack. | In Progress
Vulnerability Disclosure Policy | Policy was published December 2023. | Complete
Common Vulnerabilities and Exposures (CVE) | Fortra published 14 CVEs in 2024. | Maintain

Multi-Factor Authentication (MFA)

In a survey of our products, we found that 28% use MFA, 32% do not, and for 40% MFA is not applicable. Our next step is to determine whether MFA would provide additional security value for the products that lack the feature. For our cloud products and those with administrative console interfaces, MFA is a priority and has already been implemented. For instance, all users accessing the Fortra platform are required to use MFA or SSO with their own organization's identity provider. MFA is part of a large number of Fortra's products, and Fortra even enables MFA on the IBM i with Powertech Multi-Factor Authentication.

Default Passwords

Default passwords are rare in Fortra products: only 18% of products are currently under review, while 72% do not ship with default passwords as part of the software. Throughout 2025 we will address the remaining use of default passwords by eliminating them altogether or by developing mitigating controls that improve those products' security posture.

Evidence of Intrusions

As with default passwords, the survey results were favorable: most of Fortra's products provide logging that helps defenders detect evidence of intrusion affecting the software. 70% of products provide evidence of intrusion, while only 12% do not. We will assess the logging gaps in those products and determine how we can give customers the information they need to respond quickly to incidents in their environments.

Reducing Entire Class of Vulnerability

To reduce the risk of vulnerabilities at scale, Fortra is scanning its various offerings to discover recurring patterns of risk that can be eliminated through the use of frameworks, shared secure code, and other practices. This goal will be a focus area for Fortra in H1 2025, giving us an even clearer view of where risk can be reduced across our products.

Security Patches

Customers in our cloud-hosted and SaaS environments, such as the Fortra Platform, Fortra VM, and Tripwire ExpertOps, never have to worry about being on the latest version. Fortra deploys updates as soon as they are ready. The Platform even allows real-time updates of the Fortra Agent.

For customers in air-gapped and isolated on-premises environments, ensuring they have the latest software can be a challenge. Fortra is committed to notifying our on-premises customers promptly when updates are available, and we are working to determine which products have the highest barriers to upgrade.

Vulnerability Disclosure Policy

In December 2023, Fortra became a CVE Numbering Authority (CNA) and, as part of that effort, published its vulnerability disclosure policy on Fortra.com. Fortra welcomes external researchers to contact us with any security issues they find in our products, and our research teams are committed to responsible disclosure to better safeguard our digital world.

CVEs

As a CNA, Fortra now publishes its own CVEs as vulnerabilities are discovered. In Q3, Fortra published 3 CVEs for its own products and two for an external vendor. Fortra-published CVEs can be found in the Security Advisories area on Fortra.com.