CISA’s ‘Secure by Design’ Pledge: A Year of Progress in Cybersecurity

Redazione RHC : 19 November 2025 10:03

By Carl Windsor, Chief Information Security Officer at Fortinet

Secure-by-design practices represent a fundamental shift in software development: security is no longer treated as an afterthought but is built in from the ground up, into the very DNA of the product. This philosophy is widely recognized as an industry best practice, yet it is not mandatory, is not uniformly applied, and is not fully understood by customers. Adopting a secure-by-design approach is nevertheless increasingly crucial, as digital infrastructure faces sophisticated threats at unprecedented speed and volume. Cybercriminals, from novices to highly skilled operators, are leveraging new resources, from exploit kits bought on the dark web to automated tooling, to target vulnerabilities at scale.

At the RSA Conference 2024, the Cybersecurity and Infrastructure Security Agency (CISA) unveiled its Secure by Design Pledge, an initiative aimed at raising the bar for cybersecurity across the technology industry by embedding secure practices into product development and reducing systemic risk in the digital ecosystem. Fortinet is proud to have been an early signatory of this pledge, and our own Jim Richberg played a key role in shaping it.


While Fortinet has long been at the forefront of adopting and promoting cybersecurity best practices, the Secure by Design Pledge represents a significant step forward in defining and promoting policies that hold all software vendors to more rigorous standards. The Pledge identifies seven key objectives, focused on integrating security throughout the entire product development lifecycle, offering software vendors concrete guidelines for progressing toward these goals.

Adopting and Advancing Secure-by-Design Principles at Fortinet

Fortinet has embraced many of these principles for decades and has repeatedly outlined its progress in implementing and refining these standards. The following is an overview of the actions Fortinet has taken to address the Pledge’s objectives:

Objective #1: Demonstrate actions to measurably increase the use of multi-factor authentication (MFA) in the manufacturer’s products.
Fortinet result: Fortinet enabled MFA for customer cloud accounts, and 95% of customers now actually use it.

Objective #2: Demonstrate measurable progress in reducing default passwords in the manufacturer’s products.
Fortinet result: Default passwords have been banned by the Fortinet Secure Development Lifecycle Policy and removed from all products; users must create unique credentials during installation.

Objective #3: Demonstrate actions to significantly and measurably reduce the presence of one or more classes of vulnerability in the manufacturer’s products.
Fortinet result: Fortinet has begun eliminating SQL injection and buffer overflow vulnerabilities as classes. This is an ongoing effort that will continue in future releases.

Objective #4: Demonstrate actions taken to measurably increase the installation of security patches by customers.
Fortinet result: Fortinet has made significant progress here with its auto-update feature, which has updated over a million devices since its introduction, significantly improving customer security.

Objective #5: Publish a Vulnerability Disclosure Policy (VDP).
Fortinet result: Fortinet is a member of the Forum of Incident Response and Security Teams (FIRST), which enables its more than 600 members in over 100 countries to share goals, ideas, and information on managing security incidents and building response programs. Fortinet applies the knowledge gained through FIRST to maintain ongoing communication with its customers. Fortinet also publishes its VDP on the Product Security Incident Response Team (PSIRT) page and via a security.txt file.

Objective #6: Demonstrate transparency in vulnerability reporting.
Fortinet result: Fortinet has long run a radical transparency program for publishing and disclosing Common Vulnerabilities and Exposures (CVEs), and already includes Common Weakness Enumeration (CWE) and Common Platform Enumeration (CPE) data in each CVE record. Fortinet is also committed to proactive, transparent disclosure of vulnerabilities through its PSIRT program.

Objective #7: Demonstrate a measurable increase in customers’ ability to gather evidence of cyber intrusions involving the manufacturer’s products.
Fortinet result: Starting with FortiOS 7.4.4, file system integrity checking was introduced to detect and log unauthorized file changes or additions. Fortinet will continue to add such capabilities as future FortiOS versions are released.
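To make concrete what a file-system integrity check of this kind does, here is an added Python example written for this article. It is not FortiOS code and says nothing about how FortiOS implements the feature; it assumes a SHA-256 baseline over every regular file, an HMAC key held off the checked filesystem, and the INTEGRITY log format shown, all of which are assumptions for the demo, as are the constructed sample files.

```python
"""Added illustration, not FortiOS code: a minimal file-system integrity check.

Hash every regular file under a root into a baseline, seal the baseline with an
HMAC so that an attacker who can write to the filesystem cannot silently
rewrite it, and later report files that were added, modified or removed.
Paths, the baseline format and the log format are assumptions for the demo.
"""
import hashlib
import hmac
import json
import os
import tempfile
from typing import Dict, List, Tuple

Baseline = Dict[str, str]  # relative path -> hex SHA-256 of contents


def _hash_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> Baseline:
    """Walk root and hash every regular file. Symlinks are skipped so that a
    link later re-pointed elsewhere cannot hide a change behind its target."""
    baseline: Baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = _hash_file(full)
    return baseline


def seal_baseline(baseline: Baseline, key: bytes) -> bytes:
    """Serialise deterministically and append an HMAC-SHA256 tag."""
    body = json.dumps(baseline, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"\n" + tag


def open_baseline(sealed: bytes, key: bytes) -> Baseline:
    """Verify the tag (constant-time compare) before trusting the baseline."""
    body, _, tag = sealed.rpartition(b"\n")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("baseline HMAC mismatch: baseline altered or wrong key")
    return json.loads(body)


def verify(root: str, baseline: Baseline) -> Tuple[List[str], List[str], List[str]]:
    """Return (added, modified, removed) relative paths, each list sorted."""
    current = build_baseline(root)
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return added, modified, removed


def log_lines(added: List[str], modified: List[str], removed: List[str]) -> List[str]:
    """One log line per finding, in a fixed key=value shape a SIEM can parse."""
    return ([f"INTEGRITY event=added path={p}" for p in added]
            + [f"INTEGRITY event=modified path={p}" for p in modified]
            + [f"INTEGRITY event=removed path={p}" for p in removed])


def demo() -> Tuple[List[str], List[str], List[str], bool]:
    """Constructed scenario: seal a baseline, then plant, alter and delete files."""
    with tempfile.TemporaryDirectory() as root:
        def put(rel: str, data: bytes) -> None:
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)

        put("bin/sshd", b"original binary")
        put("etc/fw.conf", b"set mode strict")
        key = b"demo-key"  # assumption: a real deployment keeps the key off the checked filesystem
        sealed = seal_baseline(build_baseline(root), key)

        put("bin/sshd", b"trojaned binary")            # modified
        put("bin/.dropper", b"payload")                # added
        os.remove(os.path.join(root, "etc/fw.conf"))   # removed

        added, modified, removed = verify(root, open_baseline(sealed, key))
        try:  # an attacker editing the stored baseline to match is caught by the HMAC
            open_baseline(sealed.replace(b"sshd", b"sshX"), key)
            tamper_detected = False
        except ValueError:
            tamper_detected = True
    return added, modified, removed, tamper_detected


if __name__ == "__main__":
    a, m, r, _ = demo()
    for line in log_lines(a, m, r):
        print(line)
```

The HMAC seal matters because a baseline usually lives on the same writable storage as the files it protects: an intruder who can replace a binary can also rewrite an unprotected hash list to match. The check remains only as trustworthy as the code and kernel that run it, which is why such checks are strongest when anchored to a verified boot chain.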

Beyond the Pledge: Fortinet’s Additional Initiatives

Fortinet takes additional measures that go beyond those required by the CISA Secure by Design Pledge, including:

  • Regularly conducting thorough code testing and audits, as well as third-party penetration testing.
  • Setting performance objectives (management by objectives) tied to code quality.
  • Running a public bug bounty program.
  • Continued collaboration with several cybersecurity alliances, including the Network Resilience Coalition, the Joint Cyber Defense Collaborative (JCDC), and the Cyber Threat Alliance (CTA), to share threat intelligence and develop strategies that improve cyber resilience.

Looking to the Future

Fortinet continues to work on initiatives to encourage customers to implement patches and updates, while also monitoring the impact of these security improvements. We recognize the importance of widespread adoption of secure-by-design principles to build a more resilient digital ecosystem—a goal that requires strong commitment and collaboration between the public and private sectors.

Fortinet will continue to support the efforts of organizations like CISA and MITRE by introducing and adhering to robust standards that strengthen cyber resilience for the benefit of all.

For more detailed information on our commitment to secure-by-design principles, visit:
