Expert Product Reviews - Security

We are pleased to share a comprehensive review of "​Spring Security - Fourth Edition", published by Packt, and written by the reviewer Erica Ayala. This review offers an in-depth exploration of the book's key themes and insights, providing readers with a thorough understanding of its value.Please find the review below:Besides testing, security and authentication is definitely my weakest point 😮‍💨, and since I'm generally bothered by not being good at things 😒, I've been actively trying lately to get better at it.One of the ways I'm trying to achieve this is by purposely working on tasks in areas that I would like to improve in. Unfortunately, the project I'm currently working on is using a different tech stack than what I'm used to 🫤, and since I'd obviously like to get better working with my own tech stack as well, I decided to dive into "Spring Security". 😊So one of the first things that the book covers that I found useful is the different authentication methods. This section helped me to prepare a Confluence document to go over with the dev team so we could make a decision on which authentication method to use for our project.Another thing I found really useful was that the book explains the pros and cons of using 'SecurityContextHolder', 'UserDetailsService', and 'AuthenticationProvider'. It explains the use cases for each one (Yay! I'm learning about use cases! 😁🥳😅), like whether you're looking for simplicity or need more advanced features like remember-me services.Technically, I'm already familiar with most of those things because I learned how to implement them when I was in bootcamp. But to be honest, the bootcamp was really in-depth up until we started learning about security, and then it was kinda just like "Here's some snippets of code. Put this in such-and-such class". 😕 So it's a good thing that the book also walks you through adding, configuring, and implementing a custom 'UserDetailsService'.I also got a deep dive into OAuth 2 which previously, I honestly knew nothing about. 🥴😅 The book shows how to set up your own OAuth 2 application and explains the architecture behind it, which was great for a complete n00b like me. 🥴🤣😂It also went into the advanced features of Spring Security, like protection against Cross-Site Request Forgery (CSRF) and other common vulnerabilities (which was great because the whole CSRF thing consistently kicks my ass every time I have to link a backend to a frontend for a full stack application 😭🤣😂💀☠️). So I was pretty grateful for this section.The book also details how to configure security headers and goes into setting up security filter chains and using JWTs for securing endpoints. This part was especially helpful since JWT is what I'm most familiar with.The section on password encoding was definitely helpful because I'm a dunce when it comes to that too. 🥴😅 Thankfully, the book guides you on how to use PasswordEncoders for different security needs.Honestly, I think this book is a great resource for anyone who struggles with understanding Spring Security and I'd definitely recommend it! 👌🏽

We are pleased to share a comprehensive review of "IT Audit Field Manual", published by Packt, and written by the reviewer Abbas Kudrati. This review offers an in-depth exploration of the book's key themes and insights, providing readers with a thorough understanding of its value.Please find the review below:Lewis Heuermann’s "IT Audit Field Manual" is an impressive guide for anyone involved in IT auditing, especially if you’re working in cybersecurity. It’s clear that Heuermann knows the field well, and he’s made it easy for both beginners and seasoned pros to gain real, applicable knowledge from this book. Let me break down why I think this book is a gem and who might get the most out of it. What Makes This Book Stand OutOne of the best things about "IT Audit Field Manual" is its no-nonsense approach. Heuermann explains complex audit concepts in a way that’s clear and practical without getting too bogged down in technical jargon. He dives into essential topics—like frameworks (COBIT, NIST, etc.) and how they play out in real-world scenarios—showing how IT audits can really boost an organization’s cybersecurity. Unlike some other audit books that feel like just checklists, these treats IT auditing as a strategic, impactful function.The case studies are especially valuable. For example, Heuermann walks you through how a financial institution avoided a potential data breach because of an IT audit. These examples aren’t just theoretical; they show the real impact of good auditing practices. For anyone new to IT auditing, these scenarios make the concepts relatable and easy to understand.Who Should Read This?Whether you’re just starting out as an IT auditor, a system administrator, or even a more experienced IT manager, there’s something here for everyone. Newcomers will appreciate the clear breakdown of audit planning, risk assessment, and resource management, all written with beginners in mind. But for those who’ve been around the block, there’s still a lot to gain—especially in areas like continuous auditing and real-time monitoring, which are becoming essential in today’s fast-paced cyber landscape.Industries with heavy regulatory needs—like finance and healthcare—would find this book particularly useful. The chapters on compliance with laws like GDPR, HIPAA, and PCI DSS give specific, actionable advice, so this book is practical if you’re in a field where compliance is critical.How This Compares to Other IT Audit BooksWhat really sets "IT Audit Field Manual" apart is its forward-thinking approach. It’s not just about making sure your organization’s systems meet today’s requirements. Heuermann encourages readers to view IT audits as strategic tools that can strengthen cybersecurity and align with big-picture goals. This angle is missing in a lot of similar books, which often focus only on the technical details.Another plus is the book’s coverage of modern audit challenges, like cloud security, endpoint auditing, and even AI. Heuermann’s tips on how to audit platforms like AWS and Microsoft Azure make this book especially relevant as cloud adoption continues to grow.A Bit of Personal PerspectiveIn my own work, I’ve seen the importance of IT audits that go beyond just checking boxes. The best audits are the ones that reveal risks impacting not just cybersecurity but also business resilience. I really connected with Heuermann’s focus on continuous monitoring—it reflects the shift in cybersecurity from occasional assessments to more ongoing vigilance, which is crucial in our threat-filled world.Final Thoughts"IT Audit Field Manual" is more than a technical guide—it’s a blueprint for auditors who want to make a meaningful difference in their organizations. It’s packed with practical tips, forward-thinking insights, and strategies that make IT auditing not only relevant but essential. Whether you’re just starting out or looking to deepen your expertise, this book has everything you need to make your audits impactful in today’s digital world.Reviewer BioAbbas Kudrati, a long-time cybersecurity practitioner and CISO, is Microsoft Asia’s Chief Cybersecurity Advisor. In addition to his work at Microsoft, he serves as an executive advisor to Deakin University, HITRUST, EC Council, and several security and technology start-ups. He supports the broader security community through his work with ISACA Chapters and student mentorship. He is the Technical Editor of various books and the bestselling author of books such as, "Threat Hunting in the Cloud" and "Zero Trust and Journey Across the Digital Estate". He is also a part-time Professor of Practice with LaTrobe University and a keynote speaker on Zero-Trust, Cybersecurity, Cloud Security, Governance, Risk, and Compliance.

We are pleased to share a comprehensive review of "Threat Modeling Gameplay with EoP", published by Packt, and written by the reviewer Michael Bernhardt. This review offers an in-depth exploration of the book's key themes and insights, providing readers with a thorough understanding of its value. This book helps you to explore software security through gamified threat modeling, uncovering risks while making it enjoyable. You’ll learn to identify, mitigate, and defend against threats, enhancing your system's security.Please find the review below:You won't forget the first Threat Model workshop that you conducted. Whether it is the excitement in preparation of the workshop or the attempt to find the right attack vectors during the workshop. Remembering my first workshops more than 15 years ago, I was glad to work together with a group of technical-savvy and security-interested people. Over the years, I met diverse groups that helped me to constantly complement my skills and perspectives on the matter. What do you do when nowadays you want to prepare yourself best for the first time you are conducting a Threat Modeling with a team? Numerous books have meanwhile been released that talk about the process and the concepts. While this is for sure a helpful input to have a template for Threat Modeling, it does not guide you in the discussion with the teams on the particular threats in the application and the respective resolutions. There, Brett's Threat Modeling Gameplay with EoP comes as a helpful guide, giving you the right examples and proposals at hand for anyone starting into the domain. It leverages STRIDE as the most used framework for the security assessment and TRIM for privacy alike. So, how does it look like? Do you know what is behind the term Repudiation, can you correlate the term Inference to an example? Considering that you know Repudiation, did you consider assuring the secure time synchronization across the application systems and for the logging service? As a provider of a large language model, did you consider that the model may pose a sensitive information disclosure risk by insufficient training data evaluation and thereby contradict common AI regulations? The book brings you more than 200 examples, outlining on the threat itself, providing its attack pattern and weakness classification, and provides you the security controls and guidance for preventing it. And, if you find together with a bunch of security folks interested to complement their skills over a deck of card, the book gives you a strategic advantage playing Adam Shoestack’s Elevation of Privilege – but sshhhh, don’t tell the others… Best of luck for your endeavor into the world of Threat Modeling and enjoy the journey! Reviewer BioMichael Bernhardt is a seasoned security strategist and believes that a solid security culture is the essential glue for technological innovation and strong security. Throughout his more than 15 years in the profession, he has advised dozens of Fortune-500 SAP ERP customers and is currently helping Germany’s second-largest telecommunication provider in their secure cloud transformation as head of product security. He is leading the Corporate Security Program Evolution Model (CSPEM) initiative, which brings along tools and concepts for the organizational transformation of security programs. Additionally, he is a founder of the OWASP Security Champions Manifesto and Threat Modeling Connect, and regularly shares his perspective at conferences and on blogs.

We are pleased to share a comprehensive review of "The Aspiring CIO and CISO", published by Packt, and written by Ali Husamuddeen. This review offers an in-depth exploration of the book's key themes and insights, providing readers with a thorough understanding of its value.Please find the review below:This comprehensive book provides an authentic portrayal of the challenges and opportunities that come with being a Chief Information Security Officer (CISO) or Chief Information Officer (CIO). David candidly discusses the prerequisites for entering these roles, the responsibilities that come with them, and how to navigate one's career when in these positions.One of the most appealing aspects of this book is its honesty, which sets it apart from others in the genre. Rather than painting a rosy picture or using grandiose self-aggrandizing language, David acknowledges the stress and continuous learning required in these roles while breaking them down into smaller digestible pieces of wisdom. After having read all of it, one understands why it is important to be comfortable being uncomfortable.The book adopts a practical approach, prescribing SKEB analysis and Myers Briggs to help readers understand the nuances of CISO and CIO universe. Initially, some readers may find the format a bit unusual, however with David’s extensive experience, this style is well-suited to convey the subject matter effectively. The inclusion of technology risk management adds an extra layer of depth to the discussion, making it particularly interesting for those unsure about the CISO/CIO pathway.A standout section in the book is dedicated to "moments of truth," which offers valuable insights into the critical junctures that can define a career as a CISO or CIO. This part arrives at an opportune moment and is sure to resonate with readers on their own professional journeys. The particular story at the end of which it was impossible to tell who was the contractor, staff, or vendor, will always stay with me. I only wish I had discovered these lessons years ago.There is much to learn on how to be a good CISO / CIO in between these pages. The writing style is steadfast, making for an enjoyable read that feels grounded in reality. David also candidly delves into the topic of organisational politics and questions whether it's wise to bring one's former team to the new organisation. It was delightful to see it encouraging loyalty to the enterprise rather than individuals.Many CISO / CIO aspirants are bound to find this book re-assuring. Yes, honesty can exist at all levels. Yes, data based decision making can take precedence. Yes, objective hiring and retention can be aspired for. Yes, one can still have a work life balance. It serves as a source of inspiration, highlighting the possibilities available to those who pursue such career paths.And when one thinks one is done, thought-provoking questions in the appendix encapsulate its key takeaways and provide a solid foundation for further reflection.If one were to contrast this book with every LinkedIn post and a curated selection of books addressing the same subject, it would be evident that this book would stand head and shoulders above the rest because of its humble tone, genuine purpose, and demystifying content alone.