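中商进口商城 is a sales platform for original-edition books from the UK, US, Japan, Korea, Hong Kong and Taiwan, operated by 中华商务贸易公司, part of Hong Kong's 联合出版集团. It aims to introduce, popularize and bring to mainland readers the latest and most valuable books and information from abroad and from Hong Kong and Taiwan.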

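[中商 Original Edition] Corporate Cybersecurity: Identifying Risks and Vulnerabilities, English original edition, John Jackson, computer vulnerability prevention and control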

987.00
Shipping: ¥ 5.00-30.00
Stock: 1 item

Product details

Corporate Cybersecurity - Identifying Risks And The Bug Bounty Program


Basic information

Format: Hardback, 224 pages

Publisher: John Wiley & Sons Inc

Imprint: Wiley-IEEE Press

ISBN: 9781119782520

Published: 18 Nov 2021

Weight: 539g

Dimensions: 244 x 170 (mm)

Page specifications are for reference only; the physical item prevails.


About the book

CORPORATE CYBERSECURITY

An insider’s guide showing companies how to spot and remedy vulnerabilities in their security programs


A bug bounty program is offered by organizations for people to receive recognition and compensation for reporting bugs, especially those pertaining to security exploits and vulnerabilities. Corporate Cybersecurity gives cyber and application security engineers (who may have little or no experience with a bounty program) a hands-on guide for creating or managing an effective bug bounty program. Written by a cyber security expert, the book is filled with the information, guidelines, and tools that engineers can adopt to sharpen their skills and become knowledgeable in researching, configuring, and managing bug bounty programs.


This book addresses the technical aspect of tooling and managing a bug bounty program and discusses common issues that engineers may run into on a daily basis. The author includes information on the often-overlooked communication and follow-through approaches of effective management. Corporate Cybersecurity provides a much-needed resource on how companies identify and solve weaknesses in their security program. This important book:


Contains a much-needed guide aimed at cyber and application security engineers

Presents a unique defensive guide for understanding and resolving security vulnerabilities

Encourages research, configuring, and managing programs from the corporate perspective

Topics covered include bug bounty overview; program set-up; vulnerability reports and disclosure; development and application Security Collaboration; understanding safe harbor and SLA

Written for professionals working in the application and cyber security arena, Corporate Cybersecurity offers a comprehensive resource for building and maintaining an effective bug bounty program.


About the author

John Jackson is a Cyber Security Professional, Hacker, and the founder of the Hacking Group: Sakura Samurai. He is skilled in the art of configuring, managing, and utilizing Application Security Tools and programs, and an effective leader in the Cyber Security space. His unique perspective as both an Engineer and a Security Researcher provides hands-on experience towards configuring programs in a way that both organizations and researchers can benefit.


Partial table of contents, for reference only

Foreword xiii


Acknowledgments xv


Part 1 Bug Bounty Overview 1


1 The Evolution of Bug Bounty Programs 3


1.1 Making History 3


1.2 Conservative Blockers 4


1.3 Increased Threat Actor Activity 4


1.4 Security Researcher Scams 5


1.5 Applications Are a Small Consideration 5


1.6 Enormous Budgetary Requirements 5


1.7 Other Security Tooling as a Priority 6


1.8 Vulnerability Disclosure Programs vs Bug Bounty Programs 6


1.8.1 Vulnerability Disclosure Programs 6


1.8.2 Bug Bounty Programs 7


1.9 Program Managers 7


1.10 The Law 7


1.11 Redefining Security Research 8


1.12 Taking Action 8


1.12.1 Get to Know Security Researchers 9


1.12.2 Fair and Just Resolution 9


1.12.3 Managing Disclosure 9


1.12.4 Corrections 9


1.12.5 Specific Community Involvement 9


Part 2 Evaluating Programs 11


2 Assessing Current Vulnerability Management Processes 13


2.1 Who Runs a Bug Bounty Program? 13


2.2 Determining Security Posture 13


2.3 Management 14


2.3.1 Software Engineering Teams 14


2.3.2 Security Departments (Security Operations, Fraud Prevention, Governance/Risk/Compliance, Edge Controls, Vulnerability Management, Endpoint Detection, and Response) 14


2.3.3 Infrastructure Teams 14


2.3.4 Legal Department 14


2.3.5 Communications Team 14


2.4 Important Questions 15


2.5 Software Engineering 15


2.5.1 Which Processes Are in Place for Secure Coding? Do the Software Engineers Understand the Importance of Mitigating the Risks Associated with Vulnerable Code? 15


2.5.2 How Effective Are Current Communication Processes? Will Vulnerabilities Be Quickly Resolved If Brought to Their Attention? 15


2.5.3 Is the Breadth of Our Enterprise’s Web and Mobile Applications Immense? Which Processes Are Engineers Using for Development in the Software Development Lifecycle? 16


2.6 Security Departments 16


2.6.1 How Does Security Operations Manage Incidents? Will Employee Assistance Be Provided from the Security Operations Team If a Threat Actor Manages to Exploit an Application Vulnerability? Which Tools Do They Have in Place? 16


2.6.2 What Does the Fraud Prevention Team Do to Prevent Malicious Activities? How Many Occurrences Do They See of Issues such as Account Takeover, and Could They Potentially Create Application Vulnerabilities? 16


2.6.3 Are There Any Compliance Practices in Place and, If So, How Do They Affect the Vulnerability Management Process? What Does the Application Security Team Have to Do to Assist in Enterprise Compliance? 17


2.6.4 What Edge Tooling is in Place to Prevent Attacks? Are Any of the Enterprise Applications at Risk of Being Exploited due to an IoT (Internet of Things) Device? 17


2.6.5 How Often Does Our Vulnerability Management Team Push for Updates? How Does the Vulnerability Management Team Ensure Servers in which Enterprise Applications Reside Are Secure? 17


2.7 Infrastructure Teams 17
