Transparency, disclosure, and partner opportunities

Sean Campbell, Director Canadian Channels, Fortinet

Fortinet, a global cybersecurity leader in the convergence of networking and security, recently announced it would be an early signatory to the Secure by Design pledge developed by the U.S. Cybersecurity and Infrastructure Security Agency (CISA). The voluntary industry pledge builds on the company’s long-standing commitment to responsible transparency and vulnerability disclosure.

Vulnerability disclosure is necessary to ensure customers’ safety, especially given the ever-changing threat landscape and cybercriminals’ increasing sophistication. Responsible vulnerability disclosure is already integral to Fortinet’s product development process, making the pledge a natural evolution for the security solutions provider.

As disclosure requirements become more ingrained in the industry, channel partners can ensure they are ahead of the curve by aligning with solutions and services that promote responsible and radical disclosure.

Growing risk drives transparency

In FortiGuard Labs’ 2H 2023 Threat Report, researchers observed substantial activity among advanced persistent threat (APT) groups, often the most sophisticated players. Dark web intelligence gathered for the report also indicated that in the last six months of 2023, cybercriminals shared more than 20 significant zero-day vulnerabilities. Compounding the threat is the speed of cyber attacks: adversaries exploited new vulnerabilities 43 per cent faster than at the start of 2023, according to the report.

While new threats continue to emerge, cyber adversaries continue to reuse “old” attacks, including some that are 15 years old, according to FortiGuard Labs’ report. For example, bad actors targeted Zyxel Networks firewalls throughout the second half of the year when attackers rediscovered and exploited a vulnerability originally published in 2017.

This trend underscores the importance of security practitioners’ vigilance in ensuring that software is updated regularly and that patch management processes are robust. However, relying on patching alone puts the onus of security solely on customers. Vendors can do their part by adopting robust security testing at every stage of product development.

Starting with secure by design

“Secure by design” refers to a software engineering approach where security considerations begin at product conception. It aims to remove reliance on patches and updates by prioritizing security processes and practices throughout the software development life cycle (SDLC) to identify and remediate risks before they reach the end customer.

As a leader in security and networking, Fortinet invests in ensuring that every stage in its product development process aligns with the secure-by-design ethos. Drawing from key international and industry best practices, Fortinet undergoes robust reviews to ensure product security before delivery.

This review includes static application security testing (SAST), dynamic application security testing (DAST), vulnerability scanning, penetration testing and manual code audits. Fortinet also aligns with leading standards and data privacy regulations and regularly certifies its products under third-party quality standards.

Radical & responsible transparency

While channel partners would do well to focus on vendors that embrace the secure-by-design approach, vendor transparency should also be on the radar. Once risk is identified and assessed, what is the vendor’s next move? Transparent vulnerability disclosure is critical to ensuring customers are informed of risk quickly and efficiently.

Enhanced transparency is vital to making every organization more secure in today’s dynamic threat environment. Fortinet is at the forefront of embracing radical transparency by leaning into information sharing as it searches for, mitigates, and discloses vulnerabilities openly and responsibly. Through its responsible transparency and communications principles, Fortinet provides an example of how cybersecurity vendors can better communicate with customers about identified vulnerabilities and the threat information they uncover.

To this end, Fortinet contributes to international threat intelligence through FortiGuard Labs and by participating in public-private organizations. It is a founding member of the Network Resilience Coalition, which addresses the need for software and hardware updates and patches, and a member of the Joint Cyber Defense Collaborative (JCDC) and the Cyber Threat Alliance (CTA), which help public and private organizations collect, analyze, and share information about new and emerging cyber threats. Working with the World Economic Forum’s Centre for Cybersecurity (C4C), Fortinet also helps encourage intelligence sharing to reduce global cyberattacks and disrupt cybercrime.

Enabling responsible, radical transparency

Disrupting cybercrime requires a culture of collaboration, transparency, and accountability on a larger scale. While much of the heavy lifting will fall to cybersecurity vendors, customers and channel partners also have a crucial role to play.

Channel partners can find new opportunities by offering customers access to trusted vendors that embrace the secure-by-design approach and manage identified vulnerabilities using responsible, radical transparency. Beyond choosing vendors that support best practices in transparency, partners can also grow their business by helping customers manage security updates and patch processes to mitigate their vulnerability risk.

For vendors looking to align their offerings with transparency, Fortinet remains at the forefront with its long-standing commitment to ethical and responsible product development and vulnerability disclosure. By aligning with international and industry best practices and joining CISA’s Secure by Design pledge, Fortinet sets the example for the technology community and provides partners with more ways to protect customers from the emerging threat landscape.