
E-book: Corporate Cybersecurity: Identifying Risks and the Bug Bounty Program

Author: John Jackson (Hacking Group: Sakura Samurai)
  • Format: EPUB+DRM
  • Series: IEEE Press
  • Publication date: 20-Oct-2021
  • Publisher: Wiley-IEEE Press
  • Language: eng
  • ISBN-13: 9781119782544
  • Price: 116,03 €*
  • * the price is final, i.e. no further discounts apply
  • This e-book is intended for personal use only. E-books cannot be returned.

DRM restrictions

  • Copying (copy/paste):

    not permitted

  • Printing:

    not permitted

  • Use:

    Digital Rights Management (DRM)
    The publisher has issued this e-book in encrypted form, which means that you must install special software to read it. You also need to create an Adobe ID (more information here). The e-book can be read by 1 user and downloaded to up to 6 devices (all authorized with the same Adobe ID).

    Required software
    To read on a mobile device (phone or tablet), install this free application: PocketBook Reader (iOS / Android)

    To read on a PC or Mac, install Adobe Digital Editions (a free application designed specifically for reading e-books; do not confuse it with Adobe Reader, which is probably already installed on your computer).

    This e-book cannot be read on an Amazon Kindle.

An insider's guide showing companies how to spot and remedy vulnerabilities in their security programs

A bug bounty program is offered by organizations for people to receive recognition and compensation for reporting bugs, especially those pertaining to security exploits and vulnerabilities. Corporate Cybersecurity gives cyber and application security engineers (who may have little or no experience with a bounty program) a hands-on guide for creating or managing an effective bug bounty program. Written by a cyber security expert, the book is filled with the information, guidelines, and tools that engineers can adopt to sharpen their skills and become knowledgeable in researching, configuring, and managing bug bounty programs.

This book addresses the technical aspect of tooling and managing a bug bounty program and discusses common issues that engineers may run into on a daily basis. The author includes information on the often-overlooked communication and follow-through approaches of effective management. Corporate Cybersecurity provides a much-needed resource on how companies identify and solve weaknesses in their security program. This important book:

  • Contains a much-needed guide aimed at cyber and application security engineers
  • Presents a unique defensive guide for understanding and resolving security vulnerabilities
  • Encourages researching, configuring, and managing programs from the corporate perspective
  • Topics covered include: bug bounty overview; program set-up; vulnerability reports and disclosure; development and application security collaboration; understanding safe harbor and SLAs

Written for professionals working in the application and cyber security arena, Corporate Cybersecurity offers a comprehensive resource for building and maintaining an effective bug bounty program.

Table of Contents (each entry gives its starting page, followed in parentheses by the number of pages it spans)

Foreword  xiii
Acknowledgments  xv

Part 1 Bug Bounty Overview  1(10)
1 The Evolution of Bug Bounty Programs  3(8)
  1.1 Making History  3(1)
  1.2 Conservative Blockers  4(1)
  1.3 Increased Threat Actor Activity  4(1)
  1.4 Security Researcher Scams  5(1)
  1.5 Applications Are a Small Consideration  5(1)
  1.6 Enormous Budgetary Requirements  5(1)
  1.7 Other Security Tooling as a Priority  6(1)
  1.8 Vulnerability Disclosure Programs vs Bug Bounty Programs  6(1)
    1.8.1 Vulnerability Disclosure Programs  6(1)
    1.8.2 Bug Bounty Programs  7(1)
  1.9 Program Managers  7(1)
  1.10 The Law  7(1)
  1.11 Redefining Security Research  7(1)
  1.12 Taking Action  8(3)
    1.12.1 Get to Know Security Researchers  9(1)
    1.12.2 Fair and Just Resolution  9(1)
    1.12.3 Managing Disclosure  9(1)
    1.12.4 Corrections  9(1)
    1.12.5 Specific Community Involvement  9(2)

Part 2 Evaluating Programs  11(20)
2 Assessing Current Vulnerability Management Processes  13(8)
  2.1 Who Runs a Bug Bounty Program?  13(1)
  2.2 Determining Security Posture  13(1)
  2.3 Management  14(1)
    2.3.1 Software Engineering Teams  14(1)
    2.3.2 Security Departments (Security Operations, Fraud Prevention, Governance/Risk/Compliance, Edge Controls, Vulnerability Management, Endpoint Detection, and Response)  14(1)
    2.3.3 Infrastructure Teams  14(1)
    2.3.4 Legal Department  14(1)
    2.3.5 Communications Team  14(1)
  2.4 Important Questions  15(1)
  2.5 Software Engineering  15(1)
    2.5.1 Which Processes Are in Place for Secure Coding? Do the Software Engineers Understand the Importance of Mitigating the Risks Associated with Vulnerable Code?  15(1)
    2.5.2 How Effective Are Current Communication Processes? Will Vulnerabilities Be Quickly Resolved If Brought to Their Attention?  15(1)
    2.5.3 Is the Breadth of Our Enterprise's Web and Mobile Applications Immense? Which Processes Are Engineers Using for Development in the Software Development Lifecycle?  16(1)
  2.6 Security Departments  16(1)
    2.6.1 How Does Security Operations Manage Incidents? Will Employee Assistance Be Provided from the Security Operations Team If a Threat Actor Manages to Exploit an Application Vulnerability? Which Tools Do They Have in Place?  16(1)
    2.6.2 What Does the Fraud Prevention Team Do to Prevent Malicious Activities? How Many Occurrences Do They See of Issues such as Account Takeover, and Could They Potentially Create Application Vulnerabilities?  16(1)
    2.6.3 Are There Any Compliance Practices in Place and, If So, How Do They Affect the Vulnerability Management Process? What Does the Application Security Team Have to Do to Assist in Enterprise Compliance?  17(1)
    2.6.4 What Edge Tooling Is in Place to Prevent Attacks? Are Any of the Enterprise Applications at Risk of Being Exploited due to an IoT (Internet of Things) Device?  17(1)
    2.6.5 How Often Does Our Vulnerability Management Team Push for Updates? How Does the Vulnerability Management Team Ensure Servers in which Enterprise Applications Reside Are Secure?  17(1)
  2.7 Infrastructure Teams  17(1)
    2.7.1 What Are Infrastructure Teams Doing to Ensure Best Security Practices Are Enabled? How Long Will It Take the Infrastructure Team to Resolve a Serious Issue When a Server-side Web Application Is Exploited, or During a Subdomain Takeover Vulnerability?  17(1)
    2.7.2 Is There Effective Communication between Infrastructure, Vulnerability Management, Security Operations, and Endpoint Detection and Response?  18(1)
  2.8 Legal Department  18(1)
    2.8.1 How Well Refined is the Relationship between the Application Security Team and the Legal Department?  18(1)
    2.8.2 What Criteria Are/Will Be Set Out for the Escalation of Issues?  18(1)
    2.8.3 Does the Legal Department Understand the Necessity of Bug Bounty Program Management?  18(1)
  2.9 Communications Team  18(1)
    2.9.1 Has the Communications Team Dealt with Security Researchers Before? Is the Importance Understood?  18(1)
    2.9.2 Was the Communications Team Informed of Bug Bounty Program Expectations?  19(1)
  2.10 Engineers  19(1)
  2.11 Program Readiness  19(2)
3 Evaluating Program Operations  21(10)
  3.1 One Size Does Not Fit All  21(1)
  3.2 Realistic Program Scenarios  21(1)
  3.3 Ad Hoc Program  22(2)
  3.4 Note  24(1)
  3.5 Applied Knowledge  24(3)
    3.5.1 Applied Knowledge #1  24(1)
      3.5.1.1 Private Programs  25(1)
    3.5.2 Applied Knowledge #2  25(1)
      3.5.2.1 Public Programs  25(1)
    3.5.3 Applied Knowledge #3  26(1)
      3.5.3.1 Hybrid Models  26(1)
  3.6 Crowdsourced Platforms  27(1)
  3.7 Platform Pricing and Services  28(1)
  3.8 Managed Services  28(1)
  3.9 Opting Out of Managed Services  29(1)
  3.10 On-demand Penetration Tests  29(2)

Part 3 Program Setup  31(80)
4 Defining Program Scope and Bounties  33(16)
  4.1 What Is a Bounty?  33(1)
  4.2 Understanding Scope  33(1)
  4.3 How to Create Scope  34(1)
    4.3.1 Models  34(1)
  4.4 Understanding Wildcards  34(2)
    4.4.1 Subdomain  35(1)
    4.4.2 Domain  35(1)
    4.4.3 Specific Domain Path or Specific Subdomain Path  35(1)
  4.5 Determining Asset Allocation  36(1)
  4.6 Asset Risk  37(1)
  4.7 Understanding Out of Scope  37(1)
  4.8 Vulnerability Types  38(1)
    4.8.1 Denial of Service (DOS) or Distributed Denial of Service (DDoS) Attacks  38(1)
    4.8.2 Social Engineering Attacks  38(1)
    4.8.3 Brute Force or Rate Limiting  38(1)
    4.8.4 Account and Email Enumeration  38(1)
    4.8.5 Self-XSS  39(1)
    4.8.6 Clickjacking  39(1)
    4.8.7 Miscellaneous  39(1)
  4.9 When Is an Asset Really Out of Scope?  39(1)
  4.10 The House Wins - Or Does It?  40(2)
  4.11 Fair Judgment on Bounties  42(1)
  4.12 Post-mortem  43(1)
  4.13 Awareness and Reputational Damage  43(1)
  4.14 Putting It All Together  44(1)
  4.15 Bug Bounty Payments  44(5)
    4.15.1 Determining Payments  45(1)
    4.15.2 Bonus Payments  46(1)
    4.15.3 Nonmonetary Rewards  46(3)
5 Understanding Safe Harbor and Service Level Agreements  49(6)
  5.1 What Is "Safe Harbor"?  49(2)
    5.1.1 The Reality of Safe Harbor  49(1)
    5.1.2 Fear and Reluctance  49(1)
    5.1.3 Writing Safe Harbor Agreements  50(1)
    5.1.4 Example Safe Harbor Agreement  50(1)
  5.2 Retaliation against a Rogue Researcher (Cybercriminal or Threat/Bad Actor)  51(1)
  5.3 Service Level Agreements (SLAs)  52(3)
    5.3.1 Resolution Times  53(1)
    5.3.2 Triage Times  53(2)
6 Program Configuration  55(56)
  6.1 Understanding Options  55(1)
  6.2 Bugcrowd  55(29)
    6.2.1 Creating the Program  55(6)
    6.2.2 Program Overview  61(1)
      6.2.2.1 The Program Dashboard  61(2)
      6.2.2.2 The Crowd Control Navbar  63(1)
        Summary  63(1)
        Submissions  63(1)
        Researchers  64(1)
        Rewards  65(1)
        Insights Dashboard  65(1)
        Reports  66(1)
    6.2.3 Advanced Program Configuration and Modification  66(1)
      6.2.3.1 Program Brief  66(1)
      6.2.3.2 Scope and Rewards  67(5)
      6.2.3.3 Integrations  72(1)
      6.2.3.4 Announcements  73(1)
      6.2.3.5 Manage Team  74(1)
      6.2.3.6 Submissions  75(1)
    6.2.4 Profile Settings  76(2)
      6.2.4.1 The Profile and Account  78(1)
      6.2.4.2 Security  78(1)
      6.2.4.3 Notification Settings  79(1)
      6.2.4.4 API Credentials  80(1)
    6.2.5 Enterprise "Profile" Settings  81(1)
      6.2.5.1 Management and Configuration  81(1)
      6.2.5.2 Organization Details  81(1)
      6.2.5.3 Team Members  81(1)
      6.2.5.4 Targets  81(1)
      6.2.5.5 Authentication  81(1)
      6.2.5.6 Domains  82(1)
      6.2.5.7 Accounting  83(1)
  6.3 HackerOne  84(26)
    6.3.1 Program Settings  85(1)
      6.3.1.1 General  85(1)
      6.3.1.2 Information  86(1)
      6.3.1.3 Product Edition  86(1)
      6.3.1.4 Authentication  87(1)
      6.3.1.5 Verified Domains  88(1)
      6.3.1.6 Credential Management  89(1)
      6.3.1.7 Group Management  89(1)
      6.3.1.8 User Management  90(1)
      6.3.1.9 Audit Log  91(1)
    6.3.2 Billing  92(1)
      6.3.2.1 Overview  92(1)
      6.3.2.2 Credit Card  92(1)
      6.3.2.3 Prepayment  92(1)
    6.3.3 Program  93(1)
      6.3.3.1 Policy  93(1)
      6.3.3.2 Scope  93(2)
      6.3.3.3 Submit Report Form  95(1)
      6.3.3.4 Response Targets  96(1)
      6.3.3.5 Metrics Display  97(1)
      6.3.3.6 Email Notifications  97(1)
      6.3.3.7 Inbox Views  98(1)
      6.3.3.8 Disclosure  98(1)
      6.3.3.9 Custom Fields  98(1)
      6.3.3.10 Invitations  99(1)
      6.3.3.11 Submission  100(1)
      6.3.3.12 Message Hackers  101(1)
      6.3.3.13 Email Forwarding  102(1)
      6.3.3.14 Embedded Submission Form  102(1)
      6.3.3.15 Bounties  103(1)
      6.3.3.16 Swag  103(1)
      6.3.3.17 Common Responses  104(2)
      6.3.3.18 Triggers  106(1)
      6.3.3.19 Integrations  107(1)
      6.3.3.20 API  107(1)
      6.3.3.21 Hackbot  107(1)
      6.3.3.22 Export Reports  108(1)
      6.3.3.23 Profile Settings  108(1)
    6.3.4 Inbox  108(1)
      6.3.4.1 Report Details  109(1)
      6.3.4.2 Timeline  109(1)
  6.4 Summary  110(1)

Part 4 Vulnerability Reports and Disclosure  111(22)
7 Triage and Bug Management  113(10)
  7.1 Understanding Triage  113(3)
    7.1.1 Validation  113(2)
    7.1.2 Lessons Learned  115(1)
    7.1.3 Vulnerability Mishaps  115(1)
    7.1.4 Managed Services  115(1)
    7.1.5 Self-service  116(1)
  7.2 Bug Management  116(2)
    7.2.1 Vulnerability Priority  116(1)
    7.2.2 Vulnerability Examples  117(1)
      7.2.2.1 Reflected XSS on a login portal  117(1)
        Report and Triage  117(1)
        Validation  117(1)
      7.2.2.2 Open redirect vulnerability  117(1)
        Report and Triage  117(1)
        Validation  118(1)
      7.2.2.3 Leaked internal Structured Query Language (SQL) server credentials  118(1)
        Report and Triage  118(1)
        Validation  118(1)
  7.3 Answers  118(1)
    7.3.1 Vulnerability Rating-test Summary  118(1)
      7.3.1.1 Reflected XSS in a login portal  118(1)
      7.3.1.2 Open redirect vulnerability  118(1)
      7.3.1.3 Leaked internal SQL server credentials  118(1)
    7.3.2 Complexity vs Rating  119(1)
    7.3.3 Projected Ratings  120(1)
    7.3.4 Ticketing and Internal SLA  120(1)
      7.3.4.1 Creating Tickets  120(3)
8 Vulnerability Disclosure Information  123(10)
  8.1 Understanding Public Disclosure  123(3)
    8.1.1 Making the Decision  123(1)
      8.1.1.1 Private Programs  123(1)
        The Bottom Line  124(1)
      8.1.1.2 Public Programs  125(1)
        The Bottom Line  126(1)
  8.2 CVE Responsibility  126(4)
    8.2.1 What are CVEs?  126(1)
    8.2.2 Program Manager Responsibilities  126(1)
    8.2.3 Hardware CVEs  126(2)
    8.2.4 Software and Product CVEs  128(1)
    8.2.5 Third-party CVEs  128(2)
  8.3 Submission Options  130(3)
    8.3.1 In-house Submissions  130(1)
    8.3.2 Program Managed Submissions and Hands-off Submissions  130(1)
      8.3.2.1 Program Managed Submissions  130(1)
      8.3.2.2 Hands-off Submissions  131(2)

Part 5 Internal and External Communication  133(32)
9 Development and Application Security Collaboration  135(8)
  9.1 Key Role Differences  135(1)
    9.1.1 Application Security Engineer  135(1)
    9.1.2 Development  135(1)
  9.2 Facing a Ticking Clock  136(1)
  9.3 Meaningful Vulnerability Reporting  136(1)
  9.4 Communicating Expectations  137(1)
  9.5 Pushback, Escalations, and Exceptions  138(3)
    9.5.1 Internal steps  138(1)
    9.5.2 External steps  139(1)
    9.5.2 Escalations  139(1)
    9.5.3 Summary  140(1)
  9.6 Continuous Accountability  141(2)
    9.6.1 Tracking  141(1)
    9.6.2 Missed Deadlines  141(2)
10 Hacker and Program Interaction Essentials  143(1)
  10.1 Understanding the Hacker  143(1)
    10.1.1 Money, Ethics, or Both?  143(2)
    10.1.2 Case Study Analysis  145(1)
  10.2 Invalidating False Positives  145(2)
    10.2.1 Intake Process and Breaking the News  145(2)
    10.2.2 Dealing with a Toxic Hacker  147(1)
  10.3 Managed Program Considerations  147(1)
  10.4 In-house Programs  148(3)
  10.5 Blackmail or Possible Threat Actor  151(1)
  10.6 Public Threats or Disclosure  151(2)
  10.7 Program Warning Messages  153(1)
  10.8 Threat Actor or Security Researcher?  153(2)
  10.9 Messaging Researchers  155(9)
    10.9.1 Security Researcher Interviews  155(4)
    10.9.2 Bug Bounty Program Manager Interviews  159(5)
  10.10 Summary  164(1)

Part 6 Assessments and Expansions  165(24)
11 Internal Assessments  167(14)
  11.1 Introduction to Internal Assessments  167(1)
  11.2 Proactive Vs Reactive Testing  167(1)
  11.3 Passive Assessments  168(5)
    11.3.1 Shodan  168(1)
      11.3.1.1 Using Shodan  168(3)
    11.3.2 Amass/crt.sh  171(1)
      11.3.2.1 Amass  172(1)
      11.3.2.2 Crt.sh  173(1)
  11.4 Active Assessments  173(7)
    11.4.1 Nmapautomator.sh  173(2)
    11.4.2 Sniper  175(1)
    11.4.3 OwaspZap  175(2)
    11.4.4 Dalfox  177(2)
    11.4.5 Dirsearch  179(1)
  11.5 Passive/Active Summary  180(1)
  11.6 Additional Considerations: Professional Testing and Third-Party Risk  180(1)
12 Expanding Scope  181(4)
  12.1 Communicating with the Team  181(1)
  12.2 Costs of Expansion  182(1)
  12.3 When to Expand Scope  182(1)
  12.4 Alternatives to Scope Expansion  183(1)
  12.5 Managing Expansion  183(2)
13 Public Release  185(4)
  13.1 Understanding the Public Program  185(1)
  13.2 The "Right" Time  185(1)
  13.3 Recommended Release  186(1)
    13.3.1 Requirements  186(1)
  13.4 Rolling Backwards  186(1)
  13.5 Summary  187(2)

Index  189

About the author

John Jackson is a cyber security professional, hacker, and the founder of the hacking group Sakura Samurai. He is skilled in configuring, managing, and utilizing application security tools and programs, and is an effective leader in the cyber security space. His unique perspective as both an engineer and a security researcher gives him hands-on experience in configuring programs in a way that benefits both organizations and researchers.