The Cybersecurity and Infrastructure Security Agency (CISA) introduced its Secure by Design Pledge earlier this year, which outlines seven goals for secure software development and deployment. This effort aligns with Fortinet's long-standing product development processes based on secure-by-design and secure-by-default principles, and we were pleased to be early signers and supporters of the pledge.
Upon introducing the pledge, CISA senior technical advisors Bob Lord and Jack Cable created an informative video to illustrate the need for technology manufacturers to take a data-driven approach to improving software design and development. The video showcases several real-world examples, comparing this CISA Secure by Design Pledge and related efforts to the long-standing initiatives underway in the automotive and aviation industries.
For example, the National Highway Traffic Safety Administration collected data on motor vehicle fatalities in the United States over nearly 100 years. The compilation and sharing of this detailed data allowed industry regulators to recognize that motor vehicle fatalities were growing in parallel with the total number of hours cars were being driven, and to make data-driven recommendations to improve those observed outcomes.
In the late 1960s, the National Traffic and Motor Vehicle Safety Act was introduced to counter the increase in fatalities. This act helped to save countless future American lives by making it mandatory for all vehicles except buses to be outfitted with seat belts. The result was a sharp decline in fatalities, even as car usage increased.
Similar measurable decreases can be attributed to introducing other technological safety features, such as crumple zones and anti-lock braking.
The examples shared by CISA inspired our team early on to actively measure and report on our progress in enhancing Fortinet's secure-by-design efforts, furthering our goal of serving as a role model for ethical and responsible product development and vulnerability disclosure. We're working to improve the uptake of Fortinet-issued security patches, which aligns with one of the goals set forth by CISA in the Secure by Design Pledge. This effort presented an ideal opportunity to measure progress and determine if the changes we had been making were tangibly improving our customers' respective security postures.
First, we set out to understand why some customers weren't upgrading their devices when we issued updates. We heard two reasons cited most often:
I elaborate further on these challenges in the following sections.
Following these conversations, we worked to address both concerns, making it easier for customers to apply patches despite their unique challenges. Below is an overview of the steps we took to address each concern and a look at the data we collected to help us determine whether our efforts were successful.
While we understand it can be inconvenient to disrupt a functioning network for any reason, it's vital that IT and security teams apply patches as soon as possible to mitigate the potential for attackers to exploit a vulnerability. We always recommend that customers make an immediate risk-based analysis of the issue and upgrade quickly. At the same time, as a CISO, I understand not wanting to disrupt the network. IT and security administrators are constantly treading a fine line between enhancing security measures and potentially disturbing normal operations.
To simplify customers' decision-making process regarding when and how to apply a Fortinet-issued patch, we introduced feature and maturity markings for firmware releases. As a result, administrators can quickly ascertain whether firmware contains only bug fixes or if the release contains broader features. Making this additional information quickly and easily available to network administrators gives them data to feed their assessments and greater confidence in their decisions regarding how and when to implement an upgrade.
To date, we've received feedback from customers that this makes it much simpler to make risk-based decisions about whether to adopt a release in their environments based on the criticality of their business and the need for specific new features.
Fortinet works with a range of customers of all sizes and across all industries. One thing that nearly every organization has in common is feeling the impacts of the ongoing cybersecurity skills shortage. This is clear based on the following graphs, which show a relatively slow uptake of patching across customers (about 40,000 upgrades per month) despite the presence of a high-severity fix included in release 7.2.5.
The rate of upgrade doubled from 7.2.5 to 7.2.6, as represented in the graph below, and the curve steepens over time. This pattern is common with later releases, as customers become less concerned about the "newness" of a release, and it relates to the previously referenced challenge. Fortinet's 2024 Global Cybersecurity Skills Gap Report found that 70% of organizations indicated that the cybersecurity skills shortage creates additional risks for their organizations. But regardless of a real or perceived scarcity of resources at an organization, updates must occur at a faster rate.
Figure 1: Rate of upgrade across Fortinet customers from FortiOS version 7.2.5 to 7.2.6
To help increase the uptake of patches, we chose to employ a similar method to what the mobile phone industry uses to auto-update devices. In the initial trial phase, low-end small office/home office and small and midsize business devices were set to auto-update in the following situations:
This FortiOS auto-update feature was enabled in release version 7.2.6. It was first triggered in the release of version 7.2.7, and the results are immediately obvious, as shown below:
Figure 2: Rate of upgrade across Fortinet customers after deployment of the auto-update feature
Version 7.2.7 was implemented on almost 200,000 devices in just a few days, reducing the potential for threat actors to exploit any vulnerabilities patched in the release.
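As an added illustration of the uptake metric the two figures plot (this is not Fortinet's own tooling or data), the cumulative share of a fleet on a given firmware version can be computed from device version telemetry; the device records below are constructed, and the release dates passed to the functions are assumptions:

```python
"""Patch-uptake metric over constructed fleet telemetry (hypothetical data)."""
from collections import defaultdict
from datetime import date

# Constructed sample: (device_id, firmware_version, first_seen_on).
# A device counts as upgraded on the first day it reports the target version.
SAMPLE_TELEMETRY = [
    ("fgt-001", "7.2.6", date(2024, 2, 1)),
    ("fgt-002", "7.2.6", date(2024, 2, 10)),
    ("fgt-003", "7.2.6", date(2024, 2, 20)),
    ("fgt-004", "7.2.6", date(2024, 3, 5)),
    ("fgt-001", "7.2.7", date(2024, 3, 10)),  # auto-update: fleet moves within days
    ("fgt-002", "7.2.7", date(2024, 3, 10)),
    ("fgt-003", "7.2.7", date(2024, 3, 11)),
    ("fgt-004", "7.2.7", date(2024, 3, 11)),
    ("fgt-005", "7.2.7", date(2024, 3, 12)),
]
FLEET_SIZE = 5  # constructed fleet size


def uptake_curve(records, version, fleet_size, release_day):
    """Return [(days_since_release, cumulative_fraction_of_fleet), ...] for one version."""
    first_seen = {}
    for dev, ver, day in records:
        if ver == version and (dev not in first_seen or day < first_seen[dev]):
            first_seen[dev] = day  # keep the earliest sighting per device
    per_day = defaultdict(int)
    for day in first_seen.values():
        per_day[(day - release_day).days] += 1
    curve, running = [], 0
    for offset in sorted(per_day):
        running += per_day[offset]
        curve.append((offset, running / fleet_size))
    return curve


def days_to_reach(curve, threshold):
    """Days after release until the cumulative fraction reaches threshold, or None."""
    for offset, frac in curve:
        if frac >= threshold:
            return offset
    return None


if __name__ == "__main__":
    manual = uptake_curve(SAMPLE_TELEMETRY, "7.2.6", FLEET_SIZE, date(2024, 1, 31))
    auto = uptake_curve(SAMPLE_TELEMETRY, "7.2.7", FLEET_SIZE, date(2024, 3, 9))
    print("days to 80% (7.2.6):", days_to_reach(manual, 0.8))  # 34
    print("days to 80% (7.2.7):", days_to_reach(auto, 0.8))    # 2
```

Comparing days_to_reach across releases turns the "rate of upgrade" shown in the figures into a single number that can be tracked release over release.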
This feature will be rolled out to other models in coming releases.
Over time, these initiatives will continue to enhance the security of our customers and prevent threat actors from abusing known vulnerabilities. Measuring our progress against the seven goals outlined in the CISA Secure by Design Pledge provides insights into our efforts and their success and offers us the opportunity to find ways to simplify security even further for our customers.
This is another step forward in our journey to deliver on the commitment we made, and we look forward to sharing more of our progress.