ection id="u54b5e506-c142-5a8e-87b1-239f62704b80">
Corporate Cybersecurity
Identifying Risks and the Bug Bounty Program
John Jackson
This edition first published 2022
© 2022 John Wiley & Sons, Ltd.
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, except as permitted by law. Advice on how to obtain permission to reuse material from this title is available at http://www.wiley.com/go/permissions.
The right of John Jackson to be identified as the author of this work has been asserted in accordance with law.
Registered Office(s)
John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, USA
John Wiley & Sons Ltd, The Atrium, Southern Gate, Chichester, West Sussex, PO19 8SQ, UK
Editorial Office
The Atrium, Southern Gate, Chichester, West Sussex, PO19 8SQ, UK
For details of our global editorial offices, customer services, and more information about Wiley products visit us at www.wiley.com.
Wiley also publishes its books in a variety of electronic formats and by print-on-demand. Some content that appears in standard print versions of this book may not be available in other formats.
Limit of Liability/Disclaimer of Warranty
While the publisher and authors have used their best efforts in preparing this work, they make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives, written sales materials or promotional statements for this work. The fact that an organization, website, or product is referred to in this work as a citation and/or potential source of further information does not mean that the publisher and authors endorse the information or services the organization, website, or product may provide or recommendations it may make. This work is sold with the understanding that the publisher is not engaged in rendering professional services. The advice and strategies contained herein may not be suitable for your situation. You should consult with a specialist where appropriate. Further, readers should be aware that websites listed in this work may have changed or disappeared between when this work was written and when it is read. Neither the publisher nor authors shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.
Library of Congress Cataloging-in-Publication Data
Names: Jackson, John (Cybersecurity professional), author.
Title: Corporate cybersecurity : identifying risks and the bug bounty program / John Jackson.
Description: Hoboken, NJ : John Wiley & Sons, 2021. | Includes bibliographical references and index.
Identifiers: LCCN 2021020794 (print) | LCCN 2021020795 (ebook) | ISBN 9781119782520 (hardback) | ISBN 9781119782568 (ebook) | ISBN 9781119782537 (pdf) | ISBN 9781119782544 (epub)
Subjects: LCSH: Business enterprises--Computer networks--Security measures. | Penetration testing (Computer security) | Cyberspace--Security measures.
Classification: LCC HD30.38 .J34 2021 (print) | LCC HD30.38 (ebook) | DDC 658.4/78--dc23
LC record available at https://lccn.loc.gov/2021020794 LC ebook record available at https://lccn.loc.gov/2021020795
Cover image: © WhataWin/Shutterstock
Cover design by Wiley
Set in 9.5/12pt STIX Two Text by Integra Software Services Pvt. Ltd, Pondicherry, India
Contents
1 Cover
4 Foreword
6 Part 1 Bug Bounty Overview1 The Evolution of Bug Bounty Programs1.1 Making History1.2 Conservative Blockers1.3 Increased Threat Actor Activity1.4 Security Researcher Scams1.5 Applications Are a Small Consideration1.6 Enormous Budgetary Requirements1.7 Other Security Tooling as a Priority1.8 Vulnerability Disclosure Programs vs Bug Bounty Programs1.8.1 Vulnerability Disclosure Programs1.8.2 Bug Bounty Programs1.9 Program Managers1.10 The Law1.11 Redefining Security Research1.12 Taking Action1.12.1 Get to Know Security Researchers1.12.2 Fair and Just Resolution1.12.3 Managing Disclosure1.12.4 Corrections1.12.5 Specific Community Involvement
7 Part 2 Evaluating Programs2 Assessing Current Vulnerability Management Processes2.1 Who Runs a Bug Bounty Program?2.2 Determining Security Posture2.3 Management2.3.1 Software Engineering Teams2.3.2 Security Departments (Security Operations, Fraud Prevention, Governance/ Risk/Compliance, Edge Controls, Vulnerability Management, Endpoint Detection, and Response)2.3.3 Infrastructure Teams2.3.4 Legal Department2.3.5 Communications Team2.4 Important Questions2.5 Software Engineering2.5.1 Which Processes Are in Place for Secure Coding? Do the Software Engineers Understand the Importance of Mitigating the Risks Associated with Vulnerable Code?2.5.2 How Effective Are Current Communication Processes? Will Vulnerabilities Be Quickly Resolved If Brought to Their Attention?2.5.3 Is the Breadth of Our Enterprise’s Web and Mobile Applications Immense? Which Processes Are Engineers Using for Development in the Software Development Lifecycle?2.6 Security Departments2.6.1 How Does Security Operations Manage Incidents? Will Employee Assistance Be Provided from the Security Operations Team If a Threat Actor Manages to Exploit an Application Vulnerability? Which Tools Do They Have in Place?2.6.2 What Does the Fraud Prevention Team Do to Prevent Malicious Activities? How Many Occurrences Do They See of Issues such as Account Takeover, and Could They Potentially Create Application Vulnerabilities?2.6.3 Are There Any Compliance Practices in Place and, If So, How Do They Affect the Vulnerability Management Process? What Does the Application Security Team Have to Do to Assist in Enterprise Compliance?2.6.4 What Edge Tooling Is in Place to Prevent Attacks? Are Any of the Enterprise Applications at Risk of Being Exploited due to an IoT (Internet of Things) Device?2.6.5 How Often Does Our Vulnerability Management Team Push for Updates? How Does the Vulnerability Management Team Ensure Servers in which Enterprise Applications Reside Are Secure?2.7 Infrastructure Teams2.7.1 What Are Infrastructure Teams Doing to Ensure Best Security Practices Are Enabled? How Long Will It Take the Infrastructure Team to Resolve a Serious Issue When a Server-side Web Application Is Exploited, or During a Subdomain Takeover Vulnerability?2.7.2