Secure By Design
Effective date: Apr 4, 2025
Fortuna Cysec, as a global leader in the field of cybersecurity, proudly endorsed CISA's "Secure by Design" pledge earlier this year.
CISA’s "Secure by Design" pledge is a transformative initiative aimed at fostering resilience across the digital ecosystem. It emphasizes the necessity of integrating security as a fundamental component in every stage of a product's development lifecycle. By embedding robust security measures into the design process, organizations can proactively safeguard users from potential vulnerabilities and cyber threats.
At Fortuna Cysec, we view the "Secure by Design" principles as a natural extension of our core values. Cyber threats are evolving at an unprecedented pace, and the only way to stay ahead is by building trust and security into the very foundation of our offerings. Adopting this pledge is our way of taking accountability and standing firm in our promise to deliver resilient solutions that protect our users and their data.
At Fortuna Cysec, we believe that secure, resilient products are not a luxury but a necessity in today’s interconnected world. By embedding these principles into our DNA, we are building not just products, but a future that users can rely on.
Discover more about the actions we're taking to honor this commitment.
Multi-factor authentication (MFA)
Goal
“Within one year of signing the pledge, demonstrate actions taken to measurably increase the use of multi-factor authentication across the manufacturer’s products.”
Recent breaches underscore the critical necessity of implementing multi-factor authentication (MFA) to safeguard against cyber threats. In 2024, over 1 billion records were compromised across various sectors, including healthcare and telecommunications. A significant number of these incidents were facilitated by the exploitation of weak or stolen credentials, emphasizing the vulnerability of single-factor authentication. MFA provides an essential additional layer of security by requiring multiple verification factors, significantly reducing the risk of unauthorized access, even in the event of credential compromise.
Fortuna Cysec’s thefense cybersecurity platform enforces MFA by default for all users of the platform. This security feature cannot be turned off by users.
Pledge
We pledge to adopt more secure, phishing-resistant MFA methods and single sign-on (SSO), allowing customers to integrate their own identity provider that supports MFA, within the next 12 months. Adopting more secure MFA and SSO represents a prudent and proactive approach to mitigating the escalating threat posed by cyberattacks.
Default passwords
Goal
Within one year of signing the pledge, demonstrate measurable progress towards reducing default passwords across the manufacturers’ products.
Default passwords, which CISA defines as universally-shared passwords that are present by default across a product, continue to enable damaging cyberattacks. This item seeks to reduce the percent of exploitable default passwords in the wild in order to drive down attacks, with a particular focus towards internet-facing products.
Our thefense cybersecurity platform does not provide default passwords for users. In addition, we enforce password expiry policies that require users to update their passwords.
Pledge
We pledge to integrate enhanced authentication methods into our thefense platform within the next 12 months. This includes the adoption of passkeys—cryptographic keys securely stored on trusted devices—that provide a passwordless login experience and are highly resistant to phishing and other cyber threats.
Reducing entire classes of vulnerability
Goal
Within one year of signing the pledge, demonstrate actions taken towards enabling a significant measurable reduction in the prevalence of one or more vulnerability classes across the manufacturer’s products.
According to CISA, the vast majority of exploited vulnerabilities today are due to classes of vulnerabilities that can often be prevented at scale. Examples include SQL injection, cross-site scripting, and memory safety vulnerabilities, as detailed below. An effective way that software manufacturers can reduce risk for their customers is by working to reduce classes of vulnerabilities at scale across their products.
Fortuna Cysec adheres to the principles outlined in CISA's Secure-by-Design framework throughout its software development lifecycle. With a dedicated team that embodies a security-first mindset, we strive to reduce entire classes of vulnerabilities, including cross-site scripting (XSS), SQL injection and memory safety issues.
Our thefense platform is not developed using any memory-unsafe languages.
Pledge
We pledge our ongoing commitment to developing our thefense platform using memory-safe languages and secure coding practices. In doing so, we aim to substantially reduce the occurrence of exploitable vulnerabilities, thereby strengthening the security and reliability of our platform.
Security patches
Goal
Within one year of signing the pledge, demonstrate actions taken to measurably increase the installation of security patches by customers.
According to CISA, in line with the first Secure by Design principle, software manufacturers should take ownership of the security outcomes of their customers – even after products are shipped. In addition to rooting out entire classes of vulnerabilities at the source, as detailed above, software manufacturers have the ability to make it easier for customers to install security patches – such as by offering support for security patches on a widespread basis to users and enabling functionality for automatic updates.
Fortuna Cysec’s thefense platform customers receive automated security updates without the need for any additional action on their part.
Pledge
We remain committed to delivering timely security patches to ensure continued support for our platform. By deploying these updates promptly, we strive to provide a seamless security experience for our customers, fostering enhanced protection and trust in our platform.
Vulnerability disclosure policy
Goal
Within one year of signing the pledge, publish a vulnerability disclosure policy (VDP).
By implementing a vulnerability disclosure policy, we aim to establish constructive collaboration with the security community, thereby fortifying our platform's resilience to cyber threats.
Our policy incorporates safe harbor provisions to safeguard researchers who adhere to our Vulnerability Disclosure Policy (VDP) in good faith, enabling them to collaborate with us without facing legal repercussions.
Pledge
We are committed to providing easier ways to report any vulnerabilities discovered in the thefense platform. By the end of 2025, we pledge to publish a machine-readable description of the vulnerability disclosure policy (e.g., a security.txt file) to better enable discovery by researchers.
CVEs
Goal
Within one year of signing the pledge, demonstrate transparency in vulnerability reporting.
Including accurate Common Weakness Enumeration (CWE) and Common Platform Enumeration (CPE) fields in every Common Vulnerabilities and Exposures (CVE) record significantly improves the use of the vulnerability reports as it helps categorize the type of vulnerabilities and the affected software.
Pledge
We pledge to issue Common Vulnerabilities and Exposures (CVE) records in a timely manner once vulnerabilities are discovered.
Evidence of intrusions
Goal
Within one year of signing the pledge, demonstrate a measurable increase in the ability for customers to gather evidence of cybersecurity intrusions affecting the manufacturer’s products.
It is essential that organizations have the ability to detect cybersecurity incidents that have occurred and understand what has happened. Software manufacturers can enable their customers to do so by providing artifacts and capabilities to gather evidence of intrusions, such as a customer’s audit logs.
Fortuna Cysec’s thefense platform offers customers access to detailed activity logs, which can also be exported as needed. These logs are retained within the platform for a duration of three months, provided at no additional cost to the customer.
Pledge
Within the next 12 months, we pledge to monitor the thefense platform 24x7 using our Security Information and Event Management (SIEM) platform and to provide integration capabilities that allow customers to monitor audit logs with their in-house SIEM solutions if needed.
Make cybersecurity a part of your enterprise's DNA.
At Fortuna Cysec, we are committed to building our platform secure from the ground up and to delivering a safe and secure platform for our customers. We are proud to sign the pledge and to adopt the Secure by Design framework across our organization.