Fortra’s GoAnywhere Security Practices

Fortra is your relentless ally for cybersecurity. We know cybersecurity is always changing, and we should never get too comfortable. It’s why our team of experts is dedicated to building leading solutions and adapting to stay ahead of the ever-evolving threat landscape. 

Fortra’s Vulnerability Disclosure Policy Statement

For Fortra’s GoAnywhere, the following data protection and security controls are in place to help an organization comply with regulations such as HIPAA, SOX, and PCI DSS:

Certifications & Audits

Fortra's GoAnywhere MFT software is tested for interoperability with enterprise-level operating systems and web browsers. Regular testing also helps to ensure the software meets commercial and federal compliance regulations.

As a result of producing robust business-centric applications and working within the hardware and software communities, the GoAnywhere file transfer solution has received and regularly maintains the following certifications:

  • Common Criteria
  • SOC 2 Type 2
  • Drummond

GoAnywhere can be integrated into a comprehensive cybersecurity solution to help satisfy HIPAA, SOX, PCI DSS, and other regulatory data protection requirements.

For more information, please visit our certifications and partnerships page.

GoAnywhere Vulnerability and Notification Policy

Fortra scans GoAnywhere regularly with various security tools throughout the development lifecycle. This verifies that third-party libraries and application code, both newly added and existing, are free of known issues when each release of GoAnywhere is made available.

Software Development Lifecycle

Fortra engineers secure file transfer solutions with security top-of-mind. We continuously identify, assess, and mitigate risks by:

  • Using static code analysis to identify areas of the source code that may be vulnerable to attack
  • Conducting software composition analysis to identify security risks and vulnerabilities with third-party libraries
  • Conducting regular penetration testing, with a comprehensive incident response team and process in place to acknowledge, analyze, mitigate, and remediate incoming potential threats
  • Applying DAST (Dynamic Application Security Testing) to analyze software for vulnerabilities through simulated attacks
  • Incorporating SAMM (Software Assurance Maturity Model) to analyze and improve our secure development life cycle
  • Conducting mandatory Secure Software Development training for all developers
  • Securing communications protocols and the entire build process

We also encourage our customers to share with us the results of their own penetration testing, so that we can review and respond to any concerns found by users of our MFT software.

Our dedicated Security Champions evaluate and triage security risks. High-risk items are remediated immediately and are made available in the next major product release or security update, whichever comes sooner. A subversion or patch may also be issued.

Security Training

Fortra developer teams are trained extensively on security matters end-to-end. This ongoing training helps Fortra maintain its stringent SOC 2 compliance status, providing users with more confidence in its security stance.

Penetration Testing

Our internal security test team conducts regular vulnerability assessments of GoAnywhere MFT. This includes automated scans of the application, as well as manual audits of communication paths, libraries, permissions, credential handling, and session management.

Hardening Guide

We maintain a hardening guide for our Secure File Transfer product, which outlines recommended security best practices. We also offer a service in which we can implement any recommendations from this hardening guide for customers. This service is part of the GoAnywhere Health Check, where we review settings and processes to ensure customers have deployed the software with the strongest security configuration for their environment.

Product Strategy

Our mission is to provide the most secure MFT solution available. Every new release of our file transfer software improves the product’s security posture.

We believe our customers’ data is their most valuable asset. Product additions always start by addressing risks first, followed by security-focused enhancements. Our commitment is to be proactive with security, not reactive.

Data Security

At Fortra, MFT goes beyond traditional secure file transfer by providing direct integration with other Fortra data security technologies:

  • Threat Protection – Collaborate safely without malware entering your organization. GoAnywhere can be configured to automatically inspect received files for threats.
  • Data Loss Prevention – Prevent files with PII or other sensitive data from being transferred, either accidentally or with malice. Organizations can control and protect sensitive data no matter where it's stored or how it is shared.
  • Secure Collaboration – Determine who can access files by setting pre-determined rights and authorization. Revoke file access at any time with a perpetual “undo” option.

Read more about how GoAnywhere goes beyond traditional MFT security with a zero trust file transfer approach.   

Please report any concerns, pen test results, or other security findings by contacting us here.