Corporate Cybersecurity. John Jackson
Reading the book online.
Read the book Corporate Cybersecurity - John Jackson online, page 2
8 Part 3 Program Setup
  4 Defining Program Scope and Bounties
    4.1 What Is a Bounty?
    4.2 Understanding Scope
    4.3 How to Create Scope
      4.3.1 Models
    4.4 Understanding Wildcards
      4.4.1 Subdomain
      4.4.2 Domain
      4.4.3 Specific Domain Path or Specific Subdomain Path
    4.5 Determining Asset Allocation
    4.6 Asset Risk
    4.7 Understanding Out of Scope
    4.8 Vulnerability Types
      4.8.1 Denial of Service (DOS) or Distributed Denial of Service (DDoS) Attacks
      4.8.2 Social Engineering Attacks
      4.8.3 Brute Force or Rate Limiting
      4.8.4 Account and Email Enumeration
      4.8.5 Self-XSS
      4.8.6 Clickjacking
      4.8.7 Miscellaneous
    4.9 When Is an Asset Really Out of Scope?
    4.10 The House Wins – Or Does It?
    4.11 Fair Judgment on Bounties
    4.12 Post-mortem
    4.13 Awareness and Reputational Damage
    4.14 Putting It All Together
    4.15 Bug Bounty Payments
      4.15.1 Determining Payments
      4.15.2 Bonus Payments
      4.15.3 Nonmonetary Rewards
  5 Understanding Safe Harbor and Service Level Agreements
    5.1 What Is “Safe Harbor”?
      5.1.1 The Reality of Safe Harbor
      5.1.2 Fear and Reluctance
      5.1.3 Writing Safe Harbor Agreements
      5.1.4 Example Safe Harbor Agreement
    5.2 Retaliation against a Rogue Researcher (Cybercriminal or Threat/Bad Actor)
    5.3 Service Level Agreements (SLAs)
      5.3.1 Resolution Times
      5.3.2 Triage Times
  6 Program Configuration
    6.1 Understanding Options
    6.2 Bugcrowd
      6.2.1 Creating the Program
      6.2.2 Program Overview
        6.2.2.1 The Program Dashboard
        6.2.2.2 The Crowd Control Navbar
          Summary
          Submissions
          Researchers
          Rewards
          Insights Dashboard
          Reports
      6.2.3 Advanced Program Configuration and Modification
        6.2.3.1 Program Brief
        6.2.3.2 Scope and Rewards
        6.2.3.3 Integrations
        6.2.3.4 Announcements
        6.2.3.5 Manage Team
        6.2.3.6 Submissions
      6.2.4 Profile Settings
        6.2.4.1 The Profile and Account
        6.2.4.2 Security
        6.2.4.3 Notification Settings
        6.2.4.4 API Credentials
      6.2.5 Enterprise “Profile” Settings
        6.2.5.1 Management and Configuration
        6.2.5.2 Organization Details
        6.2.5.3 Team Members
        6.2.5.4 Targets
        6.2.5.5 Authentication
        6.2.5.6 Domains
        6.2.5.7 Accounting
    6.3 HackerOne
      6.3.1 Program Settings
        6.3.1.1 General
        6.3.1.2 Information
        6.3.1.3 Product Edition
        6.3.1.4 Authentication
        6.3.1.5 Verified Domains
        6.3.1.6 Credential Management
        6.3.1.7 Group Management
        6.3.1.8 User Management
        6.3.1.9 Audit Log
      6.3.2 Billing
        6.3.2.1 Overview
        6.3.2.2 Credit Card
        6.3.2.3 Prepayment
      6.3.3 Program
        6.3.3.1 Policy
        6.3.3.2 Scope
        6.3.3.3 Submit Report Form
        6.3.3.4 Response Targets
        6.3.3.5 Metrics Display
        6.3.3.6 Email Notifications
        6.3.3.7 Inbox Views
        6.3.3.8 Disclosure
        6.3.3.9 Custom Fields
        6.3.3.10 Invitations
        6.3.3.11 Submission
        6.3.3.12 Message Hackers
        6.3.3.13 Email Forwarding
        6.3.3.14 Embedded Submission Form
        6.3.3.15 Bounties
        6.3.3.16 Swag
        6.3.3.17 Common Responses
        6.3.3.18 Triggers
        6.3.3.19 Integrations
        6.3.3.20 API
        6.3.3.21 Hackbot
        6.3.3.22 Export Reports
        6.3.3.23 Profile Settings
      6.3.4 Inbox
        6.3.4.1 Report Details
        6.3.4.2 Timeline
    6.4 Summary
9 Part 4 Vulnerability Reports and Disclosure
  7 Triage and Bug Management
    7.1 Understanding Triage
      7.1.1 Validation
      7.1.2 Lessons Learned
      7.1.3 Vulnerability Mishaps
      7.1.4 Managed Services
      7.1.5 Self-service
    7.2 Bug Management
      7.2.1 Vulnerability Priority
      7.2.2 Vulnerability Examples
        7.2.2.1 Reflected XSS on a login portal
          Report and Triage
          Validation
        7.2.2.2 Open redirect vulnerability
          Report and Triage
          Validation
        7.2.2.3 Leaked internal Structured Query Language (SQL) server credentials
          Report and Triage
          Validation
    7.3 Answers
      7.3.1 Vulnerability Rating-test Summary
        7.3.1.1 Reflected XSS in a login portal
        7.3.1.2 Open redirect vulnerability
        7.3.1.3 Leaked internal SQL server credentials
      7.3.2 Complexity vs Rating
      7.3.3 Projected Ratings
      7.3.4 Ticketing and Internal SLA
        7.3.4.1 Creating Tickets
  8 Vulnerability Disclosure Information
    8.1 Understanding Public Disclosure
      8.1.1 Making the Decision
        8.1.1.1 Private Programs
          The Bottom Line
        8.1.1.2 Public Programs
          The Bottom Line
    8.2 CVE Responsibility
      8.2.1 What are CVEs?
      8.2.2 Program Manager Responsibilities
      8.2.3 Hardware CVEs
      8.2.4 Software and Product CVEs
      8.2.5 Third-party CVEs
    8.3 Submission Options
      8.3.1 In-house Submissions
      8.3.2 Program Managed Submissions and Hands-off Submissions
        8.3.2.1 Program Managed Submissions
        8.3.2.2 Hands-off Submissions
10 Part 5 Internal and External Communication
  9 Development and Application Security Collaboration
    9.1 Key Role Differences
      9.1.1 Application Security Engineer
      9.1.2 Development
    9.2 Facing a Ticking Clock
    9.3 Meaningful Vulnerability Reporting
    9.4 Communicating Expectations
    9.5 Pushback, Escalations, and Exceptions
      9.5.1 Internal steps
      9.5.2 External steps
      9.5.2 Escalations
      9.5.3 Summary
    9.6 Continuous Accountability
      9.6.1 Tracking
      9.6.2 Missed Deadlines
  10 Hacker and Program Interaction Essentials
    10.1 Understanding the Hacker
      10.1.1 Money, Ethics, or Both?
      10.1.2 Case Study Analysis
    10.2 Invalidating False Positives
      10.2.1 Intake Process and Breaking the News
      10.2.2 Dealing with a Toxic Hacker
    10.3 Managed Program Considerations
    10.4 In-house Programs
    10.5 Blackmail or Possible Threat Actor
    10.6 Public Threats or Disclosure
    10.7 Program Warning Messages
    10.8 Threat Actor or Security Researcher?
    10.9 Messaging Researchers
      10.9.1 Security Researcher Interviews
      10.9.2 Bug Bounty Program Manager Interviews
    10.10 Summary
11 Part 6 Assessments and Expansions
  11 Internal Assessments
    11.1 Introduction to Internal Assessments
    11.2 Proactive Vs Reactive Testing
    11.3 Passive Assessments
      11.3.1 Shodan
        11.3.1.1 Using Shodan
      11.3.2 Amass/crt.sh
        11.3.2.1 Amass
        11.3.2.2 crt.sh
    11.4 Active Assessments
      11.4.1 nmapAutomator.sh
      11.4.2 Sn1per
      11.4.3 Owasp Zap
      11.4.4 Dalfox
      11.4.5 Dirsearch
    11.5 Passive/Active Summary
    11.6 Additional Considerations: Professional Testing and Third-Party Risk
  12 Expanding Scope
    12.1 Communicating with the Team
    12.2 Costs of Expansion
    12.3 When to Expand Scope
    12.4 Alternatives to Scope Expansion
    12.5 Managing Expansion
  13 Public Release
    13.1 Understanding the Public Program
    13.2 The “Right” Time
    13.3 Recommended Release
      13.3.1 Requirements
    13.4 Rolling Backwards
    13.5 Summary
12 Index
List