Read the book Corporate Cybersecurity - John Jackson - Page 4

Contents


Cover

Title page

Copyright

Foreword

Acknowledgements

Part 1 Bug Bounty Overview
  1 The Evolution of Bug Bounty Programs
    1.1 Making History
    1.2 Conservative Blockers
    1.3 Increased Threat Actor Activity
    1.4 Security Researcher Scams
    1.5 Applications Are a Small Consideration
    1.6 Enormous Budgetary Requirements
    1.7 Other Security Tooling as a Priority
    1.8 Vulnerability Disclosure Programs vs Bug Bounty Programs
      1.8.1 Vulnerability Disclosure Programs
      1.8.2 Bug Bounty Programs
    1.9 Program Managers
    1.10 The Law
    1.11 Redefining Security Research
    1.12 Taking Action
      1.12.1 Get to Know Security Researchers
      1.12.2 Fair and Just Resolution
      1.12.3 Managing Disclosure
      1.12.4 Corrections
      1.12.5 Specific Community Involvement

Part 2 Evaluating Programs
  2 Assessing Current Vulnerability Management Processes
    2.1 Who Runs a Bug Bounty Program?
    2.2 Determining Security Posture
    2.3 Management
      2.3.1 Software Engineering Teams
      2.3.2 Security Departments (Security Operations, Fraud Prevention, Governance/Risk/Compliance, Edge Controls, Vulnerability Management, Endpoint Detection, and Response)
      2.3.3 Infrastructure Teams
      2.3.4 Legal Department
      2.3.5 Communications Team
    2.4 Important Questions
    2.5 Software Engineering
      2.5.1 Which Processes Are in Place for Secure Coding? Do the Software Engineers Understand the Importance of Mitigating the Risks Associated with Vulnerable Code?
      2.5.2 How Effective Are Current Communication Processes? Will Vulnerabilities Be Quickly Resolved If Brought to Their Attention?
      2.5.3 Is the Breadth of Our Enterprise’s Web and Mobile Applications Immense? Which Processes Are Engineers Using for Development in the Software Development Lifecycle?
    2.6 Security Departments
      2.6.1 How Does Security Operations Manage Incidents? Will Employee Assistance Be Provided from the Security Operations Team If a Threat Actor Manages to Exploit an Application Vulnerability? Which Tools Do They Have in Place?
      2.6.2 What Does the Fraud Prevention Team Do to Prevent Malicious Activities? How Many Occurrences Do They See of Issues such as Account Takeover, and Could They Potentially Create Application Vulnerabilities?
      2.6.3 Are There Any Compliance Practices in Place and, If So, How Do They Affect the Vulnerability Management Process? What Does the Application Security Team Have to Do to Assist in Enterprise Compliance?
      2.6.4 What Edge Tooling Is in Place to Prevent Attacks? Are Any of the Enterprise Applications at Risk of Being Exploited due to an IoT (Internet of Things) Device?
      2.6.5 How Often Does Our Vulnerability Management Team Push for Updates? How Does the Vulnerability Management Team Ensure Servers in which Enterprise Applications Reside Are Secure?
    2.7 Infrastructure Teams
      2.7.1 What Are Infrastructure Teams Doing to Ensure Best Security Practices Are Enabled? How Long Will It Take the Infrastructure Team to Resolve a Serious Issue When a Server-side Web Application Is Exploited, or During a Subdomain Takeover Vulnerability?
      2.7.2 Is There Effective Communication between Infrastructure, Vulnerability Management, Security Operations, and Endpoint Detection and Response?
    2.8 Legal Department
      2.8.1 How Well Refined is the Relationship between the Application Security Team and the Legal Department?
      2.8.2 What Criteria Are/Will Be Set Out for the Escalation of Issues?
      2.8.3 Does the Legal Department Understand the Necessity of Bug Bounty Program Management?
    2.9 Communications Team
      2.9.1 Has the Communications Team Dealt with Security Researchers Before? Is the Importance Understood?
      2.9.2 Was the Communications Team Informed of Bug Bounty Program Expectations?
    2.10 Engineers
    2.11 Program Readiness
  3 Evaluating Program Operations
    3.1 One Size Does Not Fit All
    3.2 Realistic Program Scenarios
    3.3 Ad Hoc Program
    3.4 Note
    3.5 Applied Knowledge
      3.5.1 Applied Knowledge #1
        3.5.1.1 Private Programs
      3.5.2 Applied Knowledge #2
        3.5.2.1 Public Programs
      3.5.3 Applied Knowledge #3
        3.5.3.1 Hybrid Models
    3.6 Crowdsourced Platforms
    3.7 Platform Pricing and Services
    3.8 Managed Services
    3.9 Opting Out of Managed Services
    3.10 On-demand Penetration Tests

Part 3 Program Setup
  4 Defining Program Scope and Bounties
    4.1 What Is a Bounty?
    4.2 Understanding Scope
    4.3 How to Create Scope
      4.3.1 Models
    4.4 Understanding Wildcards
      4.4.1 Subdomain
      4.4.2 Domain
      4.4.3 Specific Domain Path or Specific Subdomain Path
    4.5 Determining Asset Allocation
    4.6 Asset Risk
    4.7 Understanding Out of Scope
    4.8 Vulnerability Types
      4.8.1 Denial of Service (DOS) or Distributed Denial of Service (DDoS) Attacks
      4.8.2 Social Engineering Attacks
      4.8.3 Brute Force or Rate Limiting
      4.8.4 Account and Email Enumeration
      4.8.5 Self-XSS
      4.8.6 Clickjacking
      4.8.7 Miscellaneous
    4.9 When Is an Asset Really Out of Scope?
    4.10 The House Wins – Or Does It?
    4.11 Fair Judgment on Bounties
    4.12 Post-mortem
    4.13 Awareness and Reputational Damage
    4.14 Putting It All Together
    4.15 Bug Bounty Payments
      4.15.1 Determining Payments
      4.15.2 Bonus Payments
      4.15.3 Nonmonetary Rewards
  5 Understanding Safe Harbor and Service Level Agreements
    5.1 What Is “Safe Harbor”?
      5.1.1 The Reality of Safe Harbor
      5.1.2 Fear and Reluctance
      5.1.3 Writing Safe Harbor Agreements
      5.1.4 Example Safe Harbor Agreement
    5.2 Retaliation against a Rogue Researcher (Cybercriminal or Threat/Bad Actor)
    5.3 Service Level Agreements (SLAs)
      5.3.1 Resolution Times
      5.3.2 Triage Times
  6 Program Configuration
    6.1 Understanding Options
    6.2 Bugcrowd
      6.2.1 Creating the Program
      6.2.2 Program Overview
        6.2.2.1 The Program Dashboard
        6.2.2.2 The Crowd Control Navbar
          Summary
          Submissions
          Researchers
          Rewards
          Insights Dashboard
          Reports
      6.2.3 Advanced Program Configuration and Modification
        6.2.3.1 Program Brief
        6.2.3.2 Scope and Rewards
        6.2.3.3 Integrations
        6.2.3.4 Announcements
        6.2.3.5 Manage Team
        6.2.3.6 Submissions
      6.2.4 Profile Settings
        6.2.4.1 The Profile and Account
        6.2.4.2 Security
        6.2.4.3 Notification Settings
        6.2.4.4 API Credentials
      6.2.5 Enterprise “Profile” Settings
        6.2.5.1 Management and Configuration
        6.2.5.2 Organization Details
        6.2.5.3 Team Members
        6.2.5.4 Targets
        6.2.5.5 Authentication
        6.2.5.6 Domains
        6.2.5.7 Accounting
    6.3 HackerOne
      6.3.1 Program Settings
        6.3.1.1 General
        6.3.1.2 Information
        6.3.1.3 Product Edition
        6.3.1.4 Authentication
        6.3.1.5 Verified Domains
        6.3.1.6 Credential Management
        6.3.1.7 Group Management
        6.3.1.8 User Management
        6.3.1.9 Audit Log
      6.3.2 Billing
        6.3.2.1 Overview
        6.3.2.2 Credit Card
        6.3.2.3 Prepayment
      6.3.3 Program
        6.3.3.1 Policy
        6.3.3.2 Scope
        6.3.3.3 Submit Report Form
        6.3.3.4 Response Targets
        6.3.3.5 Metrics Display
        6.3.3.6 Email Notifications
        6.3.3.7 Inbox Views
        6.3.3.8 Disclosure
        6.3.3.9 Custom Fields
        6.3.3.10 Invitations
        6.3.3.11 Submission
        6.3.3.12 Message Hackers
        6.3.3.13 Email Forwarding
        6.3.3.14 Embedded Submission Form
        6.3.3.15 Bounties
        6.3.3.16 Swag
        6.3.3.17 Common Responses
        6.3.3.18 Triggers
        6.3.3.19 Integrations
        6.3.3.20 API
        6.3.3.21 Hackbot
        6.3.3.22 Export Reports
        6.3.3.23 Profile Settings
      6.3.4 Inbox
        6.3.4.1 Report Details
        6.3.4.2 Timeline
    6.4 Summary

Part 4 Vulnerability Reports and Disclosure
  7 Triage and Bug Management
    7.1 Understanding Triage
      7.1.1 Validation
      7.1.2 Lessons Learned
      7.1.3 Vulnerability Mishaps
      7.1.4 Managed Services
      7.1.5 Self-service
    7.2 Bug Management
      7.2.1 Vulnerability Priority
      7.2.2 Vulnerability Examples
        7.2.2.1 Reflected XSS on a login portal
          Report and Triage
          Validation
        7.2.2.2 Open redirect vulnerability
          Report and Triage
          Validation
        7.2.2.3 Leaked internal Structured Query Language (SQL) server credentials
          Report and Triage
          Validation
    7.3 Answers
      7.3.1 Vulnerability Rating-test Summary
        7.3.1.1 Reflected XSS in a login portal
        7.3.1.2 Open redirect vulnerability
        7.3.1.3 Leaked internal SQL server credentials
      7.3.2 Complexity vs Rating
      7.3.3 Projected Ratings
      7.3.4 Ticketing and Internal SLA
        7.3.4.1 Creating Tickets
  8 Vulnerability Disclosure Information
    8.1 Understanding Public Disclosure
      8.1.1 Making the Decision
        8.1.1.1 Private Programs
          The Bottom Line
        8.1.1.2 Public Programs
          The Bottom Line
    8.2 CVE Responsibility
      8.2.1 What are CVEs?
      8.2.2 Program Manager Responsibilities
      8.2.3 Hardware CVEs
      8.2.4 Software and Product CVEs
      8.2.5 Third-party CVEs
    8.3 Submission Options
      8.3.1 In-house Submissions
      8.3.2 Program Managed Submissions and Hands-off Submissions
        8.3.2.1 Program Managed Submissions
        8.3.2.2 Hands-off Submissions

Part 5 Internal and External Communication
  9 Development and Application Security Collaboration
    9.1 Key Role Differences
      9.1.1 Application Security Engineer
      9.1.2 Development
    9.2 Facing a Ticking Clock
    9.3 Meaningful Vulnerability Reporting
    9.4 Communicating Expectations
    9.5 Pushback, Escalations, and Exceptions
      9.5.1 Internal steps
      9.5.2 External steps
      9.5.2 Escalations
      9.5.3 Summary
    9.6 Continuous Accountability
      9.6.1 Tracking
      9.6.2 Missed Deadlines
  10 Hacker and Program Interaction Essentials
    10.1 Understanding the Hacker
      10.1.1 Money, Ethics, or Both?
      10.1.2 Case Study Analysis
    10.2 Invalidating False Positives
      10.2.1 Intake Process and Breaking the News
      10.2.2 Dealing with a Toxic Hacker
    10.3 Managed Program Considerations
    10.4 In-house Programs
    10.5 Blackmail or Possible Threat Actor
    10.6 Public Threats or Disclosure
    10.7 Program Warning Messages
    10.8 Threat Actor or Security Researcher?
    10.9 Messaging Researchers
      10.9.1 Security Researcher Interviews
      10.9.2 Bug Bounty Program Manager Interviews
    10.10 Summary

Part 6 Assessments and Expansions
  11 Internal Assessments
    11.1 Introduction to Internal Assessments
    11.2 Proactive Vs Reactive Testing
    11.3 Passive Assessments
      11.3.1 Shodan
        11.3.1.1 Using Shodan
      11.3.2 Amass/crt.sh
        11.3.2.1 Amass
        11.3.2.2 crt.sh
    11.4 Active Assessments
      11.4.1 nmapAutomator.sh
      11.4.2 Sn1per
      11.4.3 Owasp Zap
      11.4.4 Dalfox
      11.4.5 Dirsearch
    11.5 Passive/Active Summary
    11.6 Additional Considerations: Professional Testing and Third-Party Risk
  12 Expanding Scope
    12.1 Communicating with the Team
    12.2 Costs of Expansion
    12.3 When to Expand Scope
    12.4 Alternatives to Scope Expansion
    12.5 Managing Expansion
  13 Public Release
    13.1 Understanding the Public Program
    13.2 The “Right” Time
    13.3 Recommended Release
      13.3.1 Requirements
    13.4 Rolling Backwards
    13.5 Summary

Index

End User License Agreement
