Download to read offline
Uploaded byAnchises Moraes
Segurança além do Pentest
The document discusses various aspects of cybersecurity, particularly focusing on vulnerability assessment and penetration testing methodologies. It references multiple sources, including articles on bug bounty programs and the collaboration between red and blue security teams. Key terms include vulnerability disclosure, security tests, and resources from established security standards and platforms.
![5G Explained! A High Level Overview [Introduction]](https://cdn.slidesharecdn.com/ss_thumbnails/5gexplainedahighleveloverview-260119165306-cc137a3e-thumbnail.jpg?width=640&height=640&fit=bounds)
Segurança além do Pentest
- 2.
- 4.
- 7.
- 10.
- 12.
- 13.
- 14.
- 16.
- 17.
- 18.
- 19.
- 20.
- 21.
- 22.
- 24.
- 25. • • • VRP Vulnerabilidades encontradas pelo melhor pesquisadorinterno Vulnerabilidades encontradas pelo programa de Bug Bounty Chrome 263 371 Firefox 48 148 https://mfinifter.github.io/papers/vrps-usenix2013.pdf
- 27.
- 28.
- 29.
- 30.
Editor's Notes
- #2 "Indo além do Pentest" Muito se fala hoje em dia do Pentest, que já se tornou uma prática comum quando as empresas precisam testar a segurança de um site ou aplicação. A quantidade frequente de ataques bem sucedidos, resultando em fraudes e vazamentos de dados, mostram entretando que as empresas estão falhando em manter a segurança de seus sites, aplicações e bases de dados. Embora o "pentest" seja uma técnica muito comum de testar a segurança de um site, hoje temos a disposição um conjunto de ações que podem e devem ser adotadas de forma complementar para testar e corrigir aplicações desde a sua concepção até a produção. Vamos conversar um pouco sobre as diferenças e vantagens de adotar práticas de testes de segurança, scan de vulnerabilidades, pentest, políticas de vulnerability disclosure e programas de bug bounty.
- #3 https://breachlevelindex.com
- #4 https://g1.globo.com/economia/tecnologia/noticia/2018/11/30/vazamento-de-dados-dos-hoteis-marriott-pode-ter-afetado-500-milhoes-de-clientes-diz-a-rede.ghtml
- #5 https://www.reddit.com/r/programming/comments/a1gbqw/ebay_japan_source_leak_as_git_folder_deployed_to/?st=JP338IWS&sh=7ed38358
- #7 https://ww2.bugcrowd.com/rs/453-IJC-858/images/why-crowdsourced-security-bugcrowd-032118.pdf
- #8 https://hackernoon.com/introducing-the-infosec-colour-wheel-blending-developers-with-red-and-blue-security-teams-6437c1a07700
- #11 https://www.news18.com/news/buzz/yelp-tried-to-remove-bugs-on-app-artificial-intelligence-deleted-everything-2003957.html
- #14 https://www.isixsigma.com/industries/software-it/defect-prevention-reducing-costs-and-enhancing-quality/
- #17 https://hackernoon.com/introducing-the-infosec-colour-wheel-blending-developers-with-red-and-blue-security-teams-6437c1a07700
- #19 https://kirkpatrickprice.com/blog/new-pci-requirement-11-3-4-1-new-penetration-testing-requirements/ https://www.pcisecuritystandards.org/documents/Penetration_Testing_Guidance_March_2015.pdf
- #24 https://giphy.com/gifs/fire-guns-how-to-MhenSeT9i5Mnm Flexa https://giphy.com/gifs/animated-rambo-gifmania-2c8lcLAcJAPHq
- #25 Fonte: Bugcrowd
- #26 If we consider that an average North American developer on a browser security team (i.e., that of Chrome or Firefox) would cost the vendor around $500 per day (assuming a $100,000 salary with a 50% over- head), we see that the cost of either of these VRPs is comparable to the cost of just one member of the browser security team. On the other hand, the benefit of a VRP far outweighs that of a single security researcher because each of these VRPs finds many more vulnerabilities than any one researcher is likely to be able to find. For bugs affecting stable releases, the Chrome VRP has paid 371 bounties, and the most prolific internal security researcher has found 263 vulnerabilities. For Firefox, these numbers are 148 and 48, respectively. Based on this simple cost/benefit analysis, we hypothesize that: A VRP can be a cost-effective mechanism for finding security vulnerabilities. https://mfinifter.github.io/papers/vrps-usenix2013.pdf
- #28 https://pt-br.facebook.com/whitehat https://pt-br.facebook.com/BugBounty/
- #29 https://www.google.com/about/appsecurity/reward-program/
- #30 In the first 3 months of their public VDP being listed on HackerOne, Goldman Sachs resolved 20 vulnerabilities and thanked 9 hackers. 27.5% of bugs affecting Chrome releases originate from VRP contributions (371 of 1347), and 24.1% of bugs affecting Firefox releases (148 of 613) result from VRP contributions. https://mfinifter.github.io/papers/vrps-usenix2013.pdf