[Book Review] Windows Security Essentials


Every asset in an organization always carries risk. That is my first mindset when starting to read this book. The challenge is to minimize the risk and keep it at a level we can handle. One way to minimize risk is to implement security controls, and they should be applied holistically. Holistic security covers the people, processes and technology elements around our systems and applications. It also includes the physical place where our hardware is located.

If you have system(s) running on Windows, you can read this book, Windows Security Essentials. This book covers the basics of security in a Microsoft environment. Some interesting topics in this book are:

  • Understanding how risk and threat impact security principles
  • Recognizing malware in all its forms
  • Defending against social engineering attacks
  • Identifying the three aspects of user authentication
  • Securing access using NTFS permissions
  • Protecting clients, servers, and networks
  • Understanding encryption, certificates and PKIs

The one thing I like about this book is its treatment of understanding risk and hardening our systems. It explains from the basics, with explanations that are easy to understand. I gained more knowledge about NTFS and how to secure it with permissions.


Quality and Security

What is the distinction between quality and security?

In every software development effort, the software must go through quality assurance (or testing) before being released or deployed. At this phase, all functionality is validated and verified. There are two purposes:
a. All functions must work properly as designed
b. All functions must meet the requirements as specified in the requirement specification

Some software also goes through formal quality processes and certification (e.g. Six Sigma). This proves that a quality standard has been applied during development.

However, we must understand that those processes do not mean the software is secure. A software product that is secure adds to the quality of that software, but the inverse is not necessarily true: software that passes all of its functional tests can still be insecure. It is also important to recognize that having security features does not guarantee that the software is secure.

In order to develop hack-resilient software, it is important to incorporate security concepts in all phases of the software life cycle (requirements, design, code, release and disposal).
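The following is an added example, not code from the book or from the post above, showing why passing functional QA says nothing about security. The functional specification is assumed to be "given a file name, return the contents of that file from the documents directory, or None if it does not exist". Both versions satisfy that specification and pass the same functional checks; only the second one also carries the security requirement that the resolved path stays inside the documents directory. The directory layout, file names and contents are constructed for the example.

```python
"""Added example: two readers that both meet the functional spec,
only one of which also meets a security requirement."""
import tempfile
from pathlib import Path
from typing import Callable, Optional

# Constructed sample data: a small documents directory, plus one file
# outside it that stands in for anything the application must never serve.
_root = Path(tempfile.mkdtemp())
DOCS_DIR = _root / "docs"
DOCS_DIR.mkdir()
(DOCS_DIR / "report.txt").write_text("quarterly report")
(_root / "secret.txt").write_text("not for download")


def read_document_v1(name: str) -> Optional[str]:
    """Meets the functional spec. It joins the caller-supplied name straight
    onto the base directory, so a name containing '..' leaves DOCS_DIR."""
    path = DOCS_DIR / name
    if not path.is_file():
        return None
    return path.read_text()


def read_document_v2(name: str) -> Optional[str]:
    """Same functional spec, with the security requirement added in the
    requirements phase: the resolved path must remain inside DOCS_DIR."""
    base = DOCS_DIR.resolve()
    candidate = (DOCS_DIR / name).resolve()
    try:
        candidate.relative_to(base)  # raises ValueError if outside base
    except ValueError:
        return None
    if not candidate.is_file():
        return None
    return candidate.read_text()


def functional_tests_pass(reader: Callable[[str], Optional[str]]) -> bool:
    """The QA view: does the function behave as the specification says?"""
    return (reader("report.txt") == "quarterly report"
            and reader("missing.txt") is None)


def security_test_passes(reader: Callable[[str], Optional[str]]) -> bool:
    """The security view: a request for a file outside DOCS_DIR must be
    refused. The test input is derived from the constructed layout above."""
    return reader("../secret.txt") is None


if __name__ == "__main__":
    for reader in (read_document_v1, read_document_v2):
        print(reader.__name__,
              "functional:", functional_tests_pass(reader),
              "security:", security_test_passes(reader))
```

Both readers pass `functional_tests_pass`, so a release gate built only on functional QA would ship either of them; only `read_document_v2` passes `security_test_passes`. The difference is not a test that was forgotten but a requirement that was never written down, which is the point of bringing security into the requirements and design phases rather than only into testing.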
