Librería Portfolio


CORPORATE CYBERSECURITY: IDENTIFYING RISKS AND THE BUG BOUNTY PROGRAM

Title: CORPORATE CYBERSECURITY: IDENTIFYING RISKS AND THE BUG BOUNTY PROGRAM
Author: JACKSON, J
Publisher: JOHN WILEY
Year of publication: 2021
Subject: SECURITY AND CRYPTOGRAPHY
ISBN: 978-1-119-78252-0
Pages: 224
Price: 119,00 €


Synopsis

CORPORATE CYBERSECURITY

An insider's guide showing companies how to spot and remedy vulnerabilities in their security programs

A bug bounty program is offered by organizations for people to receive recognition and compensation for reporting bugs, especially those pertaining to security exploits and vulnerabilities. Corporate Cybersecurity gives cyber and application security engineers (who may have little or no experience with a bounty program) a hands-on guide for creating or managing an effective bug bounty program. Written by a cyber security expert, the book is filled with the information, guidelines, and tools that engineers can adopt to sharpen their skills and become knowledgeable in researching, configuring, and managing bug bounty programs.

This book addresses the technical aspect of tooling and managing a bug bounty program and discusses common issues that engineers may run into on a daily basis. The author includes information on the often-overlooked communication and follow-through approaches of effective management. Corporate Cybersecurity provides a much-needed resource on how companies identify and solve weaknesses in their security program. This important book:

Contains a much-needed guide aimed at cyber and application security engineers
Presents a unique defensive guide for understanding and resolving security vulnerabilities
Encourages research, configuring, and managing programs from the corporate perspective
Topics covered include bug bounty overview; program set-up; vulnerability reports and disclosure; development and application security collaboration; understanding safe harbor and SLA

Written for professionals working in the application and cyber security arena, Corporate Cybersecurity offers a comprehensive resource for building and maintaining an effective bug bounty program.

Table of contents

Foreword xiii

Acknowledgments xv

Part 1 Bug Bounty Overview 1

1 The Evolution of Bug Bounty Programs 3

1.1 Making History 3

1.2 Conservative Blockers 4

1.3 Increased Threat Actor Activity 4

1.4 Security Researcher Scams 5

1.5 Applications Are a Small Consideration 5

1.6 Enormous Budgetary Requirements 5

1.7 Other Security Tooling as a Priority 6

1.8 Vulnerability Disclosure Programs vs Bug Bounty Programs 6

1.8.1 Vulnerability Disclosure Programs 6

1.8.2 Bug Bounty Programs 7

1.9 Program Managers 7

1.10 The Law 7

1.11 Redefining Security Research 8

1.12 Taking Action 8

1.12.1 Get to Know Security Researchers 9

1.12.2 Fair and Just Resolution 9

1.12.3 Managing Disclosure 9

1.12.4 Corrections 9

1.12.5 Specific Community Involvement 9

Part 2 Evaluating Programs 11

2 Assessing Current Vulnerability Management Processes 13

2.1 Who Runs a Bug Bounty Program? 13

2.2 Determining Security Posture 13

2.3 Management 14

2.3.1 Software Engineering Teams 14

2.3.2 Security Departments (Security Operations, Fraud Prevention, Governance/Risk/Compliance, Edge Controls, Vulnerability Management, Endpoint Detection, and Response) 14

2.3.3 Infrastructure Teams 14

2.3.4 Legal Department 14

2.3.5 Communications Team 14

2.4 Important Questions 15

2.5 Software Engineering 15

2.5.1 Which Processes Are in Place for Secure Coding? Do the Software Engineers Understand the Importance of Mitigating the Risks Associated with Vulnerable Code? 15

2.5.2 How Effective Are Current Communication Processes? Will Vulnerabilities Be Quickly Resolved If Brought to Their Attention? 15

2.5.3 Is the Breadth of Our Enterprise's Web and Mobile Applications Immense? Which Processes Are Engineers Using for Development in the Software Development Lifecycle? 16

2.6 Security Departments 16

2.6.1 How Does Security Operations Manage Incidents? Will Employee Assistance Be Provided from the Security Operations Team If a Threat Actor Manages to Exploit an Application Vulnerability? Which Tools Do They Have in Place? 16

2.6.2 What Does the Fraud Prevention Team Do to Prevent Malicious Activities? How Many Occurrences Do They See of Issues such as Account Takeover, and Could They Potentially Create Application Vulnerabilities? 16

2.6.3 Are There Any Compliance Practices in Place and, If So, How Do They Affect the Vulnerability Management Process? What Does the Application Security Team Have to Do to Assist in Enterprise Compliance? 17

2.6.4 What Edge Tooling is in Place to Prevent Attacks? Are Any of the Enterprise Applications at Risk of Being Exploited due to an IoT (Internet of Things) Device? 17

2.6.5 How Often Does Our Vulnerability Management Team Push for Updates? How Does the Vulnerability Management Team Ensure Servers in which Enterprise Applications Reside Are Secure? 17

2.7 Infrastructure Teams 17

2.7.1 What Are Infrastructure Teams Doing to Ensure Best Security Practices Are Enabled? How Long Will It Take the Infrastructure Team to Resolve a Serious Issue When a Server-side Web Application is Exploited, or During a Subdomain Takeover Vulnerability? 17

2.7.2 Is There Effective Communication between Infrastructure, Vulnerability Management, Security Operations, and Endpoint Detection and Response? 18

2.8 Legal Department 18

2.8.1 How Well Refined is the Relationship between the Application Security Team and the Legal Department? 18

2.8.2 What Criteria Are/Will Be Set Out for the Escalation of Issues? 18

2.8.3 Does the Legal Department Understand the Necessity of Bug Bounty Program Management? 18

2.9 Communications Team 18

2.9.1 Has the Communications Team Dealt with Security Researchers Before? Is the Importance Understood? 18

2.9.2 Was the Communications Team Informed of Bug Bounty Program Expectations? 19

2.10 Engineers 19

2.11 Program Readiness 19

3 Evaluating Program Operations 21

3.1 One Size Does Not Fit All 21

3.2 Realistic Program Scenarios 21

3.3 Ad Hoc Program 22

3.4 Note 24

3.5 Applied Knowledge 24

3.5.1 Applied Knowledge #1 24

3.5.1.1 Private Programs 25

3.5.2 Applied Knowledge #2 25

3.5.2.1 Public Programs 25

3.5.3 Applied Knowledge #3 26

3.5.3.1 Hybrid Models 26

3.6 Crowdsourced Platforms 27

3.7 Platform Pricing and Services 28

3.8 Managed Services 28

3.9 Opting Out of Managed Services 29

3.10 On-demand Penetration Tests 29

Part 3 Program Setup 31

4 Defining Program Scope and Bounties 33

4.1 What is a Bounty? 33

4.2 Understanding Scope 33

4.3 How to Create Scope 34

4.3.1 Models 34

4.4 Understanding Wildcards 34

4.4.1 Subdomain 35

4.4.2 Domain 35

4.4.3 Specific Domain Path or Specific Subdomain Path 35

4.5 Determining Asset Allocation 36

4.6 Asset Risk 37

4.7 Understanding Out of Scope 37

4.8 Vulnerability Types 38

4.8.1 Denial of Service (DOS) or Distributed Denial of Service (DDoS) Attacks 38

4.8.2 Social Engineering Attacks 38

4.8.3 Brute Force or Rate Limiting 38

4.8.4 Ac