DNVN - Fortinet continues to strengthen its commitment to maintaining a culture of radical transparency and accountability for the security of organizations and businesses, always considering this the company's top priority.
At the RSA 2024 Annual Conference on Cyber Security, Security Technology, and Data Protection recently held in the US, Fortinet reaffirmed its commitment to being a transparent and responsible security vendor by being among the first to sign a commitment to comply with the Security by Design principles developed by the US Cybersecurity and Infrastructure Security Agency (CISA).
This voluntary commitment to the security industry builds on Fortinet’s existing software security best practices, along with those developed by CISA, the National Institute of Standards and Technology (NIST), other U.S. federal agencies, and industry and international partners. The commitment outlines goals, including responsible vulnerability disclosure policies, that are already an integral part of Fortinet’s product security development process.
CISA’s latest initiative aligns with Fortinet’s existing product development processes based on security by design and security by default principles. Fortinet is committed to rigorous product security oversight at all stages of the product development lifecycle, helping to ensure security is designed into each product from start to finish, in the following ways.
Secure Product Development Lifecycle (SPDLC): Fortinet aligns its processes with leading standards, including NIST 800-53, NIST 800-161, NIST 800-218, US EO 14028, and the UK Telecommunications Security Act.
Rigorous security product testing: Fortinet leverages tools and techniques such as static application security testing (SAST) and software composition analysis integrated into the build process, dynamic application security testing (DAST), vulnerability scanning and fuzzing before each release, as well as penetration testing and manual code review.
Trusted Suppliers: To ensure rigorous selection and accurate qualification of key manufacturing partners, Fortinet adheres to NIST 800-161: Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations. Fortinet’s commitment to data privacy and security is evident in every aspect of the company’s business operations and at every stage of product development, manufacturing, and distribution.
Information Security Program: Fortinet's information security program is developed in accordance with, and complies with, industry-leading security standards and frameworks, including ISO 27001/2, ISO 27017 and 27018, and NIST 800-53, as well as data privacy regulations such as GDPR and CCPA.
Third-Party Certifications: Fortinet products are routinely certified and validated through third-party product quality standards, including NIST FIPS 140-2 and NIAP Common Criteria NDcPP / EAL4+.
Additionally, Fortinet’s Product Security Incident Response Team (PSIRT) is responsible for maintaining security standards for Fortinet products and operates one of the most robust PSIRT programs in the industry, including proactive and transparent vulnerability disclosure. Nearly 80% of Fortinet’s vulnerabilities discovered in 2023 were identified through the company’s rigorous internal testing process. This proactive approach allows Fortinet to develop and deploy fixes before malicious exploitation can occur. Fortinet also works closely with customers, independent security researchers, consultants, industry organizations, and other vendors to ensure best-in-class security incident response capabilities.
To further enhance our commitment to a culture of radical transparency and responsible business conduct, Fortinet maintains long-term partnerships with public and private partners that align with our mission.
Phan Minh
Source: https://doanhnghiepvn.vn/chuyen-doi-so/an-ninh-mang/fortinet-tai-khang-dinh-cam-ket-bao-mat-muc-cao-cho-cac-to-chuc-doanh-nghiep/20240509104536392