CORPORATE CYBERSECURITY
An insider's guide showing companies how to spot and remedy vulnerabilities in their security programs
A bug bounty program is offered by organizations for people to receive recognition and compensation for reporting bugs, especially those pertaining to security exploits and vulnerabilities. Corporate Cybersecurity gives cyber and application security engineers (who may have little or no experience with a bounty program) a hands-on guide for creating or managing an effective bug bounty program. Written by a cyber security expert, the book is filled with the information, guidelines, and tools that engineers can adopt to sharpen their skills and become knowledgeable in researching, configuring, and managing bug bounty programs.
This book addresses the technical aspect of tooling and managing a bug bounty program and discusses common issues that engineers may run into on a daily basis. The author includes information on the often-overlooked communication and follow-through approaches of effective management. Corporate Cybersecurity provides a much-needed resource on how companies identify and solve weaknesses in their security program. This important book:
* Contains a much-needed guide aimed at cyber and application security engineers
* Presents a unique defensive guide for understanding and resolving security vulnerabilities
* Encourages research, configuring, and managing programs from the corporate perspective
* Topics covered include bug bounty overview; program set-up; vulnerability reports and disclosure; development and application Security Collaboration; understanding safe harbor and SLA
Written for professionals working in the application and cyber security arena, Corporate Cybersecurity offers a comprehensive resource for building and maintaining an effective bug bounty program.
Autorentext
John Jackson is a Cyber Security Professional, Hacker, and the founder of the Hacking Group: Sakura Samurai. He is skilled in the art of configuring, managing, and utilizing Application Security Tools and programs, and an effective leader in the Cyber Security space. His unique perspective as both an Engineer and a Security Researcher provides hands-on experience towards configuring programs in a way that both organizations and researchers can benefit.
Klappentext
An insider's guide showing companies how to spot and remedy vulnerabilities in their security programs
A bug bounty program is offered by organizations for people to receive recognition and compensation for reporting bugs, especially those pertaining to security exploits and vulnerabilities. Corporate Cybersecurity gives cyber and application security engineers (who may have little or no experience with a bounty program) a hands-on guide for creating or managing an effective bug bounty program. Written by a cyber security expert, the book is filled with the information, guidelines, and tools that engineers can adopt to sharpen their skills and become knowledgeable in researching, configuring, and managing bug bounty programs.
This book addresses the technical aspect of tooling and managing a bug bounty program and discusses common issues that engineers may run into on a daily basis. The author includes information on the often-overlooked communication and follow-through approaches of effective management. Corporate Cybersecurity provides a much-needed resource on how companies identify and solve weaknesses in their security program. This important book:
* Contains a much-needed guide aimed at cyber and application security engineers
* Presents a unique defensive guide for understanding and resolving security vulnerabilities
* Encourages research, configuring, and managing programs from the corporate perspective
* Topics covered include bug bounty overview; program set-up; vulnerability reports and disclosure; development and application Security Collaboration; understanding safe harbor and SLA
Written for professionals working in the application and cyber security arena, Corporate Cybersecurity offers a comprehensive resource for building and maintaining an effective bug bounty program.
Zusammenfassung
CORPORATE CYBERSECURITY
An insider's guide showing companies how to spot and remedy vulnerabilities in their security programs
A bug bounty program is offered by organizations for people to receive recognition and compensation for reporting bugs, especially those pertaining to security exploits and vulnerabilities. Corporate Cybersecurity gives cyber and application security engineers (who may have little or no experience with a bounty program) a hands-on guide for creating or managing an effective bug bounty program. Written by a cyber security expert, the book is filled with the information, guidelines, and tools that engineers can adopt to sharpen their skills and become knowledgeable in researching, configuring, and managing bug bounty programs.
This book addresses the technical aspect of tooling and managing a bug bounty program and discusses common issues that engineers may run into on a daily basis. The author includes information on the often-overlooked communication and follow-through approaches of effective management. Corporate Cybersecurity provides a much-needed resource on how companies identify and solve weaknesses in their security program. This important book:
- Contains a much-needed guide aimed at cyber and application security engineers
- Presents a unique defensive guide for understanding and resolving security vulnerabilities
- Encourages research, configuring, and managing programs from the corporate perspective
- Topics covered include bug bounty overview; program set-up; vulnerability reports and disclosure; development and application Security Collaboration; understanding safe harbor and SLA
Written for professionals working in the application and cyber security arena, Corporate Cybersecurity offers a comprehensive resource for building and maintaining an effective bug bounty program.
Inhalt
Foreword xiii
Acknowledgments xv
Part 1 Bug Bounty Overview 1
1 The Evolution of Bug Bounty Programs 3
1.1 Making History 3
1.2 Conservative Blockers 4
1.3 Increased Threat Actor Activity 4
1.4 Security Researcher Scams 5
1.5 Applications Are a Small Consideration 5
1.6 Enormous Budgetary Requirements 5
1.7 Other Security Tooling as a Priority 6
1.8 Vulnerability Disclosure Programs vs Bug Bounty Programs 6
1.8.1 Vulnerability Disclosure Programs 6
1.8.2 Bug Bounty Programs 7
1.9 Program Managers 7
1.10 The Law 7
1.11 Redefining Security Research 8
1.12 Taking Action 8
1.12.1 Get to Know Security Researchers 9
1.12.2 Fair and Just Resolution 9
1.12.3 Managing Disclosure 9
1.12.4 Corrections 9
1.12.5 Specific Community Involvement 9
Part 2 Evaluating Programs 11
2 Assessing Current Vulnerability Management Processes 13
2.1 Who Runs a Bug Bounty Program? 13
2.2 Determining Security Posture 13
2.3 Management 14
2.3.1 Software Engineering Teams 14
2.3.2 Security Departments (Security Operations, Fraud Prevention, Governance/Risk/Compliance, Edge Controls, Vulnerability Management, Endpoint Detection, and Response) 14
2.3.3 Infrastructure Teams 14
2.3.4 Legal Department 14
2.3.5 Communications Team 14
2.4 Important Questions 15
2.5 Software Engineering 15
2.5.1 Which Processes Are in Place for Secure Coding? Do the Software Engineers Understand the Importance of Mitigating the Risks Associated with V…