Corporate Cybersecurity

Identifying Risks and the Bug Bounty Program
1st edition

by: John Jackson

95,99 €

Publisher: Wiley
Format: PDF
Published: 22.10.2021
ISBN/EAN: 9781119782537
Language: English
Number of pages: 224

DRM-protected eBook; you need, for example, Adobe Digital Editions and an Adobe ID to read it.

Description

CORPORATE CYBERSECURITY

An insider’s guide showing companies how to spot and remedy vulnerabilities in their security programs

A bug bounty program is offered by organizations so that people can receive recognition and compensation for reporting bugs, especially those pertaining to security exploits and vulnerabilities. Corporate Cybersecurity gives cyber and application security engineers (who may have little or no experience with a bounty program) a hands-on guide to creating or managing an effective bug bounty program. Written by a cyber security expert, the book is filled with the information, guidelines, and tools that engineers can adopt to sharpen their skills and become knowledgeable in researching, configuring, and managing bug bounty programs.

This book addresses the technical aspects of tooling and managing a bug bounty program and discusses common issues that engineers may run into on a daily basis. The author includes information on the often-overlooked communication and follow-through approaches of effective management. Corporate Cybersecurity provides a much-needed resource on how companies identify and solve weaknesses in their security program. This important book:

- Contains a much-needed guide aimed at cyber and application security engineers
- Presents a unique defensive guide for understanding and resolving security vulnerabilities
- Encourages researching, configuring, and managing programs from the corporate perspective
- Covers the following topics: bug bounty overview; program set-up; vulnerability reports and disclosure; development and application security collaboration; understanding safe harbor and SLAs

Written for professionals working in the application and cyber security arena, Corporate Cybersecurity offers a comprehensive resource for building and maintaining an effective bug bounty program.
Contents

Foreword
Acknowledgments

Part 1 Bug Bounty Overview

1 The Evolution of Bug Bounty Programs
1.1 Making History
1.2 Conservative Blockers
1.3 Increased Threat Actor Activity
1.4 Security Researcher Scams
1.5 Applications Are a Small Consideration
1.6 Enormous Budgetary Requirements
1.7 Other Security Tooling as a Priority
1.8 Vulnerability Disclosure Programs vs Bug Bounty Programs
1.8.1 Vulnerability Disclosure Programs
1.8.2 Bug Bounty Programs
1.9 Program Managers
1.10 The Law
1.11 Redefining Security Research
1.12 Taking Action
1.12.1 Get to Know Security Researchers
1.12.2 Fair and Just Resolution
1.12.3 Managing Disclosure
1.12.4 Corrections
1.12.5 Specific Community Involvement

Part 2 Evaluating Programs

2 Assessing Current Vulnerability Management Processes
2.1 Who Runs a Bug Bounty Program?
2.2 Determining Security Posture
2.3 Management
2.3.1 Software Engineering Teams
2.3.2 Security Departments (Security Operations, Fraud Prevention, Governance/Risk/Compliance, Edge Controls, Vulnerability Management, Endpoint Detection, and Response)
2.3.3 Infrastructure Teams
2.3.4 Legal Department
2.3.5 Communications Team
2.4 Important Questions
2.5 Software Engineering
2.5.1 Which Processes Are in Place for Secure Coding? Do the Software Engineers Understand the Importance of Mitigating the Risks Associated with Vulnerable Code?
2.5.2 How Effective Are Current Communication Processes? Will Vulnerabilities Be Quickly Resolved If Brought to Their Attention?
2.5.3 Is the Breadth of Our Enterprise’s Web and Mobile Applications Immense? Which Processes Are Engineers Using for Development in the Software Development Lifecycle?
2.6 Security Departments
2.6.1 How Does Security Operations Manage Incidents? Will Employee Assistance Be Provided from the Security Operations Team If a Threat Actor Manages to Exploit an Application Vulnerability? Which Tools Do They Have in Place?
2.6.2 What Does the Fraud Prevention Team Do to Prevent Malicious Activities? How Many Occurrences Do They See of Issues such as Account Takeover, and Could They Potentially Create Application Vulnerabilities?
2.6.3 Are There Any Compliance Practices in Place and, If So, How Do They Affect the Vulnerability Management Process? What Does the Application Security Team Have to Do to Assist in Enterprise Compliance?
2.6.4 What Edge Tooling Is in Place to Prevent Attacks? Are Any of the Enterprise Applications at Risk of Being Exploited due to an IoT (Internet of Things) Device?
2.6.5 How Often Does Our Vulnerability Management Team Push for Updates? How Does the Vulnerability Management Team Ensure Servers in which Enterprise Applications Reside Are Secure?
2.7 Infrastructure Teams
2.7.1 What Are Infrastructure Teams Doing to Ensure Best Security Practices Are Enabled? How Long Will It Take the Infrastructure Team to Resolve a Serious Issue When a Server-side Web Application Is Exploited, or During a Subdomain Takeover Vulnerability?
2.7.2 Is There Effective Communication between Infrastructure, Vulnerability Management, Security Operations, and Endpoint Detection and Response?
2.8 Legal Department
2.8.1 How Well Refined Is the Relationship between the Application Security Team and the Legal Department?
2.8.2 What Criteria Are/Will Be Set Out for the Escalation of Issues?
2.8.3 Does the Legal Department Understand the Necessity of Bug Bounty Program Management?
2.9 Communications Team
2.9.1 Has the Communications Team Dealt with Security Researchers Before? Is the Importance Understood?
2.9.2 Was the Communications Team Informed of Bug Bounty Program Expectations?
2.10 Engineers
2.11 Program Readiness

3 Evaluating Program Operations
3.1 One Size Does Not Fit All
3.2 Realistic Program Scenarios
3.3 Ad Hoc Program
3.4 Note
3.5 Applied Knowledge
3.5.1 Applied Knowledge #1
3.5.1.1 Private Programs
3.5.2 Applied Knowledge #2
3.5.2.1 Public Programs
3.5.3 Applied Knowledge #3
3.5.3.1 Hybrid Models
3.6 Crowdsourced Platforms
3.7 Platform Pricing and Services
3.8 Managed Services
3.9 Opting Out of Managed Services
3.10 On-demand Penetration Tests

Part 3 Program Setup

4 Defining Program Scope and Bounties
4.1 What Is a Bounty?
4.2 Understanding Scope
4.3 How to Create Scope
4.3.1 Models
4.4 Understanding Wildcards
4.4.1 Subdomain
4.4.2 Domain
4.4.3 Specific Domain Path or Specific Subdomain Path
4.5 Determining Asset Allocation
4.6 Asset Risk
4.7 Understanding Out of Scope
4.8 Vulnerability Types
4.8.1 Denial of Service (DoS) or Distributed Denial of Service (DDoS) Attacks
4.8.2 Social Engineering Attacks
4.8.3 Brute Force or Rate Limiting
4.8.4 Account and Email Enumeration
4.8.5 Self-XSS
4.8.6 Clickjacking
4.8.7 Miscellaneous
4.9 When Is an Asset Really Out of Scope?
4.10 The House Wins – Or Does It?
4.11 Fair Judgment on Bounties
4.12 Post-mortem
4.13 Awareness and Reputational Damage
4.14 Putting It All Together
4.15 Bug Bounty Payments
4.15.1 Determining Payments
4.15.2 Bonus Payments
4.15.3 Nonmonetary Rewards

5 Understanding Safe Harbor and Service Level Agreements
5.1 What Is “Safe Harbor”?
5.1.1 The Reality of Safe Harbor
5.1.2 Fear and Reluctance
5.1.3 Writing Safe Harbor Agreements
5.1.4 Example Safe Harbor Agreement
5.2 Retaliation against a Rogue Researcher (Cybercriminal or Threat/Bad Actor)
5.3 Service Level Agreements (SLAs)
5.3.1 Resolution Times
5.3.2 Triage Times

6 Program Configuration
6.1 Understanding Options
6.2 Bugcrowd
6.2.1 Creating the Program
6.2.2 Program Overview
6.2.2.1 The Program Dashboard
6.2.2.2 The Crowd Control Navbar
Summary
Submissions
Researchers
Rewards
Insights Dashboard
Reports
6.2.3 Advanced Program Configuration and Modification
6.2.3.1 Program Brief
6.2.3.2 Scope and Rewards
6.2.3.3 Integrations
6.2.3.4 Announcements
6.2.3.5 Manage Team
6.2.3.6 Submissions
6.2.4 Profile Settings
6.2.4.1 The Profile and Account
6.2.4.2 Security
6.2.4.3 Notification Settings
6.2.4.4 API Credentials
6.2.5 Enterprise “Profile” Settings
6.2.5.1 Management and Configuration
6.2.5.2 Organization Details
6.2.5.3 Team Members
6.2.5.4 Targets
6.2.5.5 Authentication
6.2.5.6 Domains
6.2.5.7 Accounting
6.3 HackerOne
6.3.1 Program Settings
6.3.1.1 General
6.3.1.2 Information
6.3.1.3 Product Edition
6.3.1.4 Authentication
6.3.1.5 Verified Domains
6.3.1.6 Credential Management
6.3.1.7 Group Management
6.3.1.8 User Management
6.3.1.9 Audit Log
6.3.2 Billing
6.3.2.1 Overview
6.3.2.2 Credit Card
6.3.2.3 Prepayment
6.3.3 Program
6.3.3.1 Policy
6.3.3.2 Scope
6.3.3.3 Submit Report Form
6.3.3.4 Response Targets
6.3.3.5 Metrics Display
6.3.3.6 Email Notifications
6.3.3.7 Inbox Views
6.3.3.8 Disclosure
6.3.3.9 Custom Fields
6.3.3.10 Invitations
6.3.3.11 Submission
6.3.3.12 Message Hackers
6.3.3.13 Email Forwarding
6.3.3.14 Embedded Submission Form
6.3.3.15 Bounties
6.3.3.16 Swag
6.3.3.17 Common Responses
6.3.3.18 Triggers
6.3.3.19 Integrations
6.3.3.20 API
6.3.3.21 Hackbot
6.3.3.22 Export Reports
6.3.3.23 Profile Settings
6.3.4 Inbox
6.3.4.1 Report Details
6.3.4.2 Timeline
6.4 Summary

Part 4 Vulnerability Reports and Disclosure

7 Triage and Bug Management
7.1 Understanding Triage
7.1.1 Validation
7.1.2 Lessons Learned
7.1.3 Vulnerability Mishaps
7.1.4 Managed Services
7.1.5 Self-service
7.2 Bug Management
7.2.1 Vulnerability Priority
7.2.2 Vulnerability Examples
7.2.2.1 Reflected XSS on a Login Portal
Report and Triage
Validation
7.2.2.2 Open Redirect Vulnerability
Report and Triage
Validation
7.2.2.3 Leaked Internal Structured Query Language (SQL) Server Credentials
Report and Triage
Validation
7.3 Answers
7.3.1 Vulnerability Rating-test Summary
7.3.1.1 Reflected XSS in a Login Portal
7.3.1.2 Open Redirect Vulnerability
7.3.1.3 Leaked Internal SQL Server Credentials
7.3.2 Complexity vs Rating
7.3.3 Projected Ratings
7.3.4 Ticketing and Internal SLA
7.3.4.1 Creating Tickets

8 Vulnerability Disclosure Information
8.1 Understanding Public Disclosure
8.1.1 Making the Decision
8.1.1.1 Private Programs
The Bottom Line
8.1.1.2 Public Programs
The Bottom Line
8.2 CVE Responsibility
8.2.1 What Are CVEs?
8.2.2 Program Manager Responsibilities
8.2.3 Hardware CVEs
8.2.4 Software and Product CVEs
8.2.5 Third-party CVEs
8.3 Submission Options
8.3.1 In-house Submissions
8.3.2 Program Managed Submissions and Hands-off Submissions
8.3.2.1 Program Managed Submissions
8.3.2.2 Hands-off Submissions

Part 5 Internal and External Communication

9 Development and Application Security Collaboration
9.1 Key Role Differences
9.1.1 Application Security Engineer
9.1.2 Development
9.2 Facing a Ticking Clock
9.3 Meaningful Vulnerability Reporting
9.4 Communicating Expectations
9.5 Pushback, Escalations, and Exceptions
9.5.1 Internal Steps
9.5.2 External Steps
9.5.2 Escalations
9.5.3 Summary
9.6 Continuous Accountability
9.6.1 Tracking
9.6.2 Missed Deadlines

10 Hacker and Program Interaction Essentials
10.1 Understanding the Hacker
10.1.1 Money, Ethics, or Both?
10.1.2 Case Study Analysis
10.2 Invalidating False Positives
10.2.1 Intake Process and Breaking the News
10.2.2 Dealing with a Toxic Hacker
10.3 Managed Program Considerations
10.4 In-house Programs
10.5 Blackmail or Possible Threat Actor
10.6 Public Threats or Disclosure
10.7 Program Warning Messages
10.8 Threat Actor or Security Researcher?
10.9 Messaging Researchers
10.9.1 Security Researcher Interviews
10.9.2 Bug Bounty Program Manager Interviews
10.10 Summary

Part 6 Assessments and Expansions

11 Internal Assessments
11.1 Introduction to Internal Assessments
11.2 Proactive vs Reactive Testing
11.3 Passive Assessments
11.3.1 Shodan
11.3.1.1 Using Shodan
11.3.2 Amass/crt.sh
11.3.2.1 Amass
11.3.2.2 crt.sh
11.4 Active Assessments
11.4.1 nmapAutomator.sh
11.4.2 Sn1per
11.4.3 OWASP ZAP
11.4.4 Dalfox
11.4.5 Dirsearch
11.5 Passive/Active Summary
11.6 Additional Considerations: Professional Testing and Third-Party Risk

12 Expanding Scope
12.1 Communicating with the Team
12.2 Costs of Expansion
12.3 When to Expand Scope
12.4 Alternatives to Scope Expansion
12.5 Managing Expansion

13 Public Release
13.1 Understanding the Public Program
13.2 The “Right” Time
13.3 Recommended Release
13.3.1 Requirements
13.4 Rolling Backwards
13.5 Summary

Index
About the author

John Jackson is a cyber security professional, hacker, and the founder of the hacking group Sakura Samurai. He is skilled in configuring, managing, and using application security tools and programs, and is an effective leader in the cyber security space. His unique perspective as both an engineer and a security researcher gives him hands-on experience in configuring programs in a way that benefits both organizations and researchers.
