Connect with us

News

Fortinet Doubles Down on Secure Development and Transparent Vulnerability Disclosure

Published

on

Fortinet has announced it is building on the company’s long-standing commitment to responsible radical transparency as an early signer of the Secure by Design pledge developed by the Cybersecurity and Infrastructure Security Agency (CISA). This voluntary industry pledge complements and builds on existing Fortinet software security best practices, including those developed by CISA, NIST, other federal agencies, and international and industry partners. The pledge outlines seven goals, including responsible vulnerability disclosure policies, which are already an integral part of Fortinet’s product security development.

Jim Richberg, Head of Cyber Policy and Global Field CISO at Fortinet, said, “At Fortinet, we have a long-standing commitment to being a role model in ethical and responsible product development and vulnerability disclosure. As part of this dedication, Fortinet has proactively aligned to international and industry best practices and upholds the highest security standards in every aspect of our business. We applaud CISA’s continued call to the industry to follow suit and appreciate CISA’s willingness to collaborate with Fortinet on the development of these important goals. We strongly encourage others in the technology community to join this effort to keep organizations secure.”

CISA’s latest initiative strongly aligns to Fortinet’s existing product development processes already based on Secure by Design and Secure by Default principles. Fortinet is committed to adhering to robust product security scrutiny at all stages of the product development lifecycle, helping to ensure that security is designed into each product from inception all the way through to the end of life, in the following ways:

  1. Secure Product Development Lifecycle (SPDLC): Fortinet aligns its processes in accordance with leading standards, including NIST 800-53, NIST 800-161, NIST 800-218, US EO 14028, and UK Telecom Security Act.
  2. Robust Security Product Testing: Fortinet leverages tools and techniques such as static application security testing (SAST) and software composition analysis built into its build processes, dynamic application security testing (DAST), vulnerability scanning, and fuzzing prior to each release, as well as penetration testing and manual code audits.
  3. Trusted Supplier Program: To ensure rigorous selection and qualification of its major manufacturing partners, Fortinet adheres to NIST 800-161: Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations. Fortinet’s commitment to data privacy and security is embedded in every part of the company’s business and in every phase of the product development, manufacturing, and delivery processes.
  4. Information Security Program: The Fortinet Information Security Program is based on and aligned with industry-leading security standards and frameworks including ISO 27001/2, ISO 27017 and 27018, and NIST 800-53, as well as data privacy regulations such as GDPR and CCPA.
  5. Third-Party Certifications: Fortinet products are regularly certified to standard and validated through third-party product quality standards, including NIST FIPS 140-2 and NIAP Common Criteria NDcPP / EAL4+.

Additionally, the Fortinet Product Security Incident Response Team (PSIRT) is responsible for maintaining security standards for Fortinet products and operates one of the industry’s most robust PSIRT programs, including proactively and transparently disclosing vulnerabilities. Nearly 80% of Fortinet vulnerabilities discovered in 2023 were identified internally through the company’s rigorous auditing process. This proactive approach enables fixes to be developed and implemented before malicious exploitation can occur. Fortinet works with its customers, independent security researchers, consultants, industry organizations, and other vendors to accomplish the company’s PSIRT mission.

To further advance its dedication to a culture of responsible radical transparency, Fortinet has a long-standing commitment to public and private partnerships that align to its mission, including:

  • As a founding member of the Network Resilience Coalition, Fortinet is helping deliver real-world solutions to protect networks and sensitive data, including addressing the issue of software and hardware updates and patches not being implemented.
  • Through its membership with the Joint Cyber Defense Collaborative (JCDC), which was established by CISA in 2021, Fortinet works with public and private entities to gather, analyze, and share actionable information to more proactively protect and defend against cyberthreats.
  • As a founding member of the Cyber Threat Alliance (CTA), Fortinet shares timely threat intelligence with other cybersecurity practitioners to better protect customers against adversaries.
  • Working with global leaders as a founding member of the World Economic Forum’s Centre for Cybersecurity (C4C), Fortinet is helping to encourage intelligence sharing across the industry to reduce global cyberattacks and disrupt cybercrime.

News

Tenable to Acquire Eureka Security

Published

on

Tenable Holdings has announced that it has signed a definitive agreement to acquire Eureka Security, a provider of data security posture management (DSPM) for cloud environments. Eureka Security helps security teams gain a holistic view into an organization’s cloud data security footprint, fight policy drift and misconfigurations that put data at risk, and continuously improve their security posture over time. The acquisition is expected to close this month.

By adding DSPM capabilities to its CNAPP solution, Tenable will help customers identify key evidence related to cloud data risk, including where sensitive data resides in the cloud, who has access to that data and the severity of the risk posed by potential data compromise. This type of visibility is central to an organization’s ability to accurately assess its cloud security compliance. In the 2024 Tenable Cloud Security Outlook study, 95% of organizations polled had experienced cloud-related breaches in the previous 18 months. Among those, 92% reported exposure to sensitive data, and a majority acknowledged being harmed by the data exposure.

“Eureka Security’s technology will enable Tenable to provide even better prioritization of cloud risks and identify toxic combinations beyond vulnerabilities, misconfigurations and over-privileged access to include data at risk as well,” said Shai Morag, senior vice president and general manager of Cloud Security, Tenable. “This is another example of how we’re pushing the envelope in cloud security innovation for customers and leading the market forward by developing best-in-class capabilities.”

“Eureka Security’s data-centric approach provides the visibility, control and automation needed to navigate the dynamic cloud landscape while ensuring the highest level of security and compliance,” said Liat Hayun, co-founder and CEO, Eureka Security. “We’re excited to join Tenable. Integrating our capabilities into Tenable’s CNAPP offering creates a compelling capability for customers. Tenable also brings an expansive customer base and strong go-to-market capabilities. We couldn’t have found a better match to help us expand our mission to reduce cloud data risk globally.”

The integration of DSPM will round out the current Tenable Cloud Security solution that already includes such key capabilities as unified CNAPP, iron-clad CSPM protection, cloud workload protection and industry-leading CIEM, among others, which will give security teams the context and prioritization guidance to make efficient and accurate remediation decisions. The Eureka Security DSPM capabilities are expected to be natively integrated into Tenable Cloud Security and its leading CNAPP solution later this year.

Continue Reading

Expert Speak

Hidden Champions: Behind These Popular Applications Are Hard Drives

Published

on

Written by Rainer W. Kaese, Senior Manager of Business Development Storage Products at Toshiba Electronics Europe
(more…)

Continue Reading

Cyber Security

Netskope Joins Google Workspace Security Alliance

Published

on

Netskope has joined the Google Workspace Security Alliance to extend security and data protection for Workspace users. The Netskope One Platform provides a number of advanced security capabilities that protect data, defend against threats, and ensure users have fast and secure access to Google Workspace productivity and collaboration tools, including Gemini for Workspace.

As organizations increasingly adopt cloud technologies to drive innovation and efficiency, they are also challenged to secure sensitive data from a range of cyber risks, including:

  • Ongoing increases in the number of users uploading sensitive data to personal instances of cloud applications
  • New and evolving threat techniques such as abuse of certain applications for critical data access, back doors, and financial gain; compromise of credentials to access critical business data; insider threats; and more
  • Data exposure from the insecure use of both managed and unmanaged AI-based productivity tools

Netskope and Google Workspace empower organizations to embrace modern collaboration and productivity by enabling the secure use of AI-based productivity tools. Netskope provides advanced data loss prevention (DLP) techniques, delivering real-time visibility and control over users, data, and corporate vs. personal cloud instances. In addition, Netskope’s comprehensive threat protection through both API and inline controls detects threats in Google applications and monitors data movement and threat propagation between Google Workspace apps and third-party ecosystem applications.

“Netskope is proud to expand its partnership with Google Workspace by joining the Workspace Security Alliance. There are already thousands of customers using Netskope to safeguard their Google Workspace applications, and this new partnership further enhances the secure usage capabilities for application specific data protection policies,” said Andy Horwitz, VP, Global Partner Ecosystems, Netskope. “Together, Netskope and Google Workspace can help customers modernize their productivity stack. We look forward to helping customers safely optimize their employees’ daily productivity.”

The Netskope and Google Workspace partnership enables organizations to embrace collaboration and productivity while safeguarding critical data. Joint customers can now more effectively:

  1. Support best practice use of Gemini for Google Workspace: Leverage real-time user coaching to help enforce best practices in application usage. Organizations can gain visibility into data movement to minimize sensitive information sharing while achieving data compliance objectives.
  2. Protect sensitive data: Detect and manage access to sensitive data within Google Workspace applications, enforcing policies to prevent unauthorized data movement across platforms, including third-party services like Microsoft OneDrive, Box and Dropbox.
  3. Stop insider threats like data exfiltration: Prevent the download of sensitive data from Google Workspace business instances and then the upload to personal instances, which is one of today’s top reasons for data loss. Additionally, apply this control to unmanaged devices: allow unmanaged or personal device access to a specific cloud app for collaboration, however, do not allow downloading of sensitive data.
  4. Detect and stop elusive threats and malware: Protect against malware and phishing delivered from the cloud. Netskope’s multi-layered advanced threat protection (ATP) enhances security within Google Workspace and across cloud applications.
  5. Maintain compliance in Google Workspace: Ensure that organizations can adhere to regulations and meet compliance needs by enforcing security policies within Google Workspace.

“By partnering with Netskope, a leading SASE vendor, customers can confidently expand their Google Workspace adoption leveraging their existing IT infrastructure investments,” said Nikhil Sinha, Group Product Manager, Google Workspace. “Netskope instance awareness enables fine grained data governance policy differences to both corporate and personal Google Workspace accounts. We are excited to partner with Netskope to provide these advanced security capabilities to our customers.”

Continue Reading
Advertisement

Follow Us

Trending

Copyright © 2021 Security Review Magazine. Rysha Media LLC. All Rights Reserved.