Saturday, 3 February 2018

Book Review: Machine Learning and Security

Quick caveat for this review: I read this on Safari and the book hasn’t been published in print yet (due late Feb 2018), so the content may be subject to change.

What differentiates this book from others I’ve read on applying machine learning to security is that it dives a lot deeper into the why, as opposed to the how, of machine learning. Whereas other books may outline some of the high level principles of classification and show some basic examples with approaches like naive Bayes and k-means clustering, this book goes beyond that and shows other approaches, along with explaining why different approaches would be more or less effective in each scenario.

Throughout the book the authors use the pretty standard Python scikit-learn package, which will be familiar to anyone who’s played around with machine learning to any extent.

The authors take the first two chapters to introduce the concepts around classification, clustering and anomaly detection, and give various worked examples. While I often skip quickly through these kinds of intro chapters in an area I’m familiar with, I’d recommend spending some more time here, as these are the first areas where the explanation is more in-depth than most and it really sets the tone for the book’s approach, where the authors try to build an understanding of why different approaches should be used rather than just how to use them.

The authors then move on from the concepts to applied examples with Python code for analysing malware, network traffic and fraud. The only criticism I’d have of these chapters is that the authors spend a bit too much time explaining malware, network attacks and fraud. That is good, of course, for someone new to the topic, but I suspect someone coming to this book is more likely to be from the security space looking to understand machine learning, rather than the reverse.

The next chapter is another that differentiates this book. It covers the challenges of taking machine learning from a fun and interesting exercise to dealing with production systems and real data, and the potential solutions to those challenges. It covers issues like data and model quality, performance and maintainability, monitoring and privacy.

The book finishes off with a really interesting intro to how attackers can target machine learning and manipulate it, which is an area I hadn’t spent much time considering previously. It covers obvious examples like manipulating the baseline of normal over time to avoid detection, but also some interesting ideas around manipulating how the model performs its analysis to bypass detection, by adding features to your attack that would result in the model reducing the rating it applies to a potential attack. This chapter alone, and the ideas in it, should really be part of every pen tester’s toolkit and should be a really fun area to dig into for any system using machine learning.
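To make the baseline-manipulation idea concrete from the defender’s side, here is an added example (my own illustration, not code from the book or its authors) of a simple z-score anomaly detector. It compares two designs: an adaptive detector whose baseline is always the previous 20 observations, and a detector anchored to a trusted reference period, plus a drift check that compares the recent window against that reference. All the data is constructed: a steady reference period followed by a metric nudged up one unit per observation for 40 observations and then held 45% above the real normal. The metric name, window size, z threshold and drift tolerance are assumptions for the example.

```python
"""Anomaly baselines and baseline drift (constructed example, not from the book)."""
from statistics import mean, pstdev

# Constructed reference period: 20 observations of some per-interval metric
# (say, outbound bytes/s from a host) captured while the host was known-good.
REFERENCE = [98, 102, 100, 99, 101, 100, 97, 103, 100, 100,
             101, 99, 100, 102, 98, 100, 100, 101, 99, 100]

# Constructed attacker-influenced period: the metric creeps up by one unit per
# observation for 40 observations, then is held at 145 (45% above real normal).
CREEP = list(range(101, 141))
SERIES = REFERENCE + CREEP + [145]


def zscore(value, window):
    """Standard score of `value` against the observations in `window`."""
    sd = pstdev(window)
    if sd == 0:  # degenerate baseline: any change at all is anomalous
        return float("inf") if value != mean(window) else 0.0
    return (value - mean(window)) / sd


def sliding_baseline_flags(series, window=20, z=3.0):
    """Adaptive detector: the baseline is always the previous `window` observations.
    Returns the indices of observations flagged as anomalous."""
    return [i for i in range(window, len(series))
            if abs(zscore(series[i], series[i - window:i])) > z]


def fixed_baseline_flags(series, reference, z=3.0):
    """Detector anchored to a trusted reference period that is never re-learned.
    Only observations after the reference period are scored."""
    start = len(reference)
    return [i for i in range(start, len(series))
            if abs(zscore(series[i], reference)) > z]


def first_drift(series, reference, window=20, tolerance=0.10):
    """Index of the first `window`-sized slice whose mean has moved more than
    `tolerance` (as a fraction) away from the reference mean, or None.
    This is the check that catches a slow creep the adaptive detector absorbs."""
    ref_mean = mean(reference)
    for i in range(window, len(series) + 1):
        recent = mean(series[i - window:i])
        if abs(recent - ref_mean) / ref_mean > tolerance:
            return i
    return None


def summarize(series=SERIES, reference=REFERENCE):
    """Run all three checks over the constructed series."""
    return {
        "sliding_flags": sliding_baseline_flags(series),
        "fixed_flags": fixed_baseline_flags(series, reference),
        "first_drift_index": first_drift(series, reference),
    }


if __name__ == "__main__":
    print(summarize())
```

Running it shows the adaptive detector flagging nothing at all, including the final observation at 145, because its notion of normal has been dragged along with the creep. The anchored detector flags everything from the first observation of 105 onwards, and the drift check fires at index 40, once the recent window’s mean sits more than 10% above the reference. The practical lesson is that a baseline that re-learns from unvalidated recent data is itself an attack surface; keep a reference period you trust, and alert on drift away from it rather than only on point anomalies.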

Overall, I’d thoroughly recommend this book for anyone interested in applying machine learning to info sec data. Especially if you’ve already read some basic introductions to machine learning or come across more basic worked security examples.

Links:
Amazon: https://www.amazon.co.uk/Machine-Learning-Security-Clarence-Chio/dp/1491979909/
Safari: https://www.safaribooksonline.com/library/view/machine-learning-and/9781491979891/

Saturday, 20 February 2016

Book Review: Securing Systems: Applied Security Architecture and Threat Models

I bought this book pretty much the week it came out but as it wouldn’t load onto my third gen Kindle I ended up reading the first hundred or so pages before getting sidetracked and forgetting about it.

However, a few weeks back a friend mentioned it again and so it went back to the top of my reading list. The same friend, who to be fair is biased and is actually referenced in this book, has always been a huge fan and advocate for how Brook approaches threat modelling so I was really looking forward to this.

Threat modelling is one of those arts in security that really benefit from experience and I'm always interested in learning more on how different people practice it. Like most I've read what I'd consider to be one of the original volumes from Microsoft on the topic by Frank Swiderski and Window Snyder, the more recent Threat Modelling for Security by Adam Shostack and have the PASTA book (Risk Centric Threat Modeling) by Tony Uceda Velez and Marco Morana lined up for reading in the next few months.

The book is split into three sections: the first covers some background on key threat modelling concepts and the author’s approach to threat modelling, the second covers some worked examples using the approach, and the final section finishes off with governance and programme considerations.

The first section starts off with a chapter giving some background on security assessment and threat modelling, and introduces some of the core concepts and processes that the author considers key to his approach to threat modelling, including the ATASM (Attack, Threats, Attack Surfaces, Mitigations) approach and the concept of a credible attack vector. This chapter also gives an overview of the types of threat agents/actors that exist and how to analyse them in terms of capability, activity level and sentiment, before moving on to considering risk tolerance within your organisation.

The next chapter covers an introduction to why enterprise architecture exists and provides some guidance on creating diagrams to support threat modelling, before moving on to the concept of architecture patterns and starting to work through some key concepts for threat modelling, including data flow analysis, component identification and decomposition.

The book then moves on to a chapter covering risk management, which I skimmed, but I was thrilled to see Jack Jones and the FAIR model referenced (and noticed he’s quoted on the back cover too). Even if people don’t intend to go “full FAIR” on their analysis, I’ve always considered the FAIR risk model to be a great approach to decomposing risks, and any use of it is always good in my opinion! This chapter really focuses on establishing more detail on the credible attack vector and just good enough risk rating (JGERR) concepts that the author uses. I was really happy to see the author drawing attention to personal bias and the difference between an individual’s personal risk appetite and the organisation’s appetite. Both of these are so often ignored in info sec risk discussions that it’s great to see them come up here, even in high level coverage of the topic.

The last chapter in this section walks through the ATASM process in more detail, covering each step with a simple example based on a traditional three tier web application. This is probably the chapter that will interest most people, as it’s very much focused on how to approach threat modelling using the structure proposed by the author, and it tees up the worked examples perfectly. I have to say that this chapter is a really easy read and a nice approach to threat modelling, with less focus on very structured bullet point approaches and more on putting down some fundamental principles for approaching an assessment.

The book then moves to the second part, which is focused on taking the concepts outlined in the first part and walking through a couple of examples, starting with a classic three tier web application, then expanding this to include a greater enterprise view and a back end data analytics application, before changing tack and covering endpoint AV, mobile and cloud. This really is the best section of the book, as working through examples is still the best way to get your head around threat modelling, and these practical worked examples are often missing from books on the topic. Also, this section does a great job of covering one of the most frequently asked questions: how far should you decompose an application during analysis? I really liked the idea the author puts forward of a defensible component, which he defines as "the level at which the security controls and their implementation in and around that particular component can be easily understood”. These example chapters read exactly like you’re in the room with the author and he’s just chatting away. Which is both good and bad for me. For some reason I find it harder to read this style as it’s very much a stream of consciousness, rather than a highly structured format. Maybe I’m just a simple creature who needs more structure... however, equally it gives an insight into the process and mindset, and is about as good as actually sitting next to him!

Personally I would have liked a greater focus on examples of, or approaches to, diagramming the threat models, as for me this can often be one of the biggest stumbling blocks for people and should be a key artifact of the analysis. Also, as the author focuses so much on the nuances of the levels of decomposition in analysis, it would have been great to show some examples of the different levels in diagrams. However, interestingly, the author covers this to some degree at the end of the book by highlighting that he really aims to use whatever documentation is already available as the basis for the threat model, in order to avoid making security seem like a special discipline. Unfortunately, I find that for many of the systems I’ve assessed this documentation most often doesn’t exist in the first place! (Never a good starting point... )

The last part of the book changes tack again and looks beyond the process of performing threat modelling towards governance and management of an assessment programme. This is a great addition to the book, as it’s easy to start doing security assessments, but inevitably you hit the problem of scale and need to figure out how to not be a blocker while also not letting projects slide. Unless you can overcome this, even the most positive starts will deteriorate, either through not covering all systems, or through reducing the scope and coverage of the systems, ultimately resulting in no added value to the development/system team. It also covers some key lessons like the importance of building relationships within the organisation, and touches on the common mistake of seeing the architect role as a linear promotion for good engineers, which misses the key soft skills required to succeed as an architect. For me, this is the kind of material that really should be considered mandatory for CISM type certifications, and it gives a realistic view of how security programmes run and need to be run.

I really enjoyed this book and apart from more diagram examples, I can't fault it. It makes a great addition to the threat modeling resources available and I'd highly recommend that anyone involved in security read this.

One of my favourite parts of the book was a couple of simple nuggets of wisdom that attest to someone with real experience in security. There were three or four bits that particularly resonated with me, and probably many more, so for that alone I’d highly recommend this book.
Additionally, a really nice touch is how the author continually highlights that no one person’s opinion or interpretation is complete, and actively encourages people to provide feedback if they think he missed anything in the worked examples! In a profession where everyone is an expert, thought leader or evangelist, that level of humility is a refreshing change.

Links:
Amazon: http://www.amazon.com/Securing-Systems-Applied-Security-Architecture-ebook/dp/B00XKX1FK8/


Wednesday, 10 February 2016

Book Review: Hadoop Security

As a follow up to my basic intro to Hadoop with the Hadoop 2 Quick-Start Guide, I wanted to get more detail on the security features available in the Hadoop ecosystem. This sounded like it fitted the bill and was recently published (June 2015), so I figured it would be pretty up to date.

One thing that I immediately liked about the book is that, apart from a very brief few pages of intro to security concepts, it gets straight into things, which for me is always a good indication that there won’t be much padding in the book.

The book starts off with a section on security architecture, beginning with a basic look at threat modelling for distributed systems. This is a nice touch, as threat modelling really should be part of any security architecture discussion, and even touching on it at a high level is great, as it puts the whole book in context.

The next chapter moves onto general security architectures in a Hadoop environment, covering network level segregation, OS level security and an overview of the different types of Hadoop node roles. This was a great start to the book as immediately it starts working through the different nodes, what user roles need access to them, what nodes can be segregated from direct access and how at a high level they interact for data loads and job submission.

The final chapter of the architecture section finishes up with an overview of Kerberos, which initially seemed a bit strange, but it becomes obvious later on why it’s there, as Kerberos plays such a key role in Hadoop security. If you need to get up to speed quickly on Kerberos, I’d highly recommend Kerberos: A Network Authentication System… it’s a quick and easy read that I read over ten years ago and it’s still as good now as it was then.

The next section deep dives into authentication, and at this point the book gets straight into a hands-on configuration guide, covering the detailed configuration steps required to map Kerberos principals into the Hadoop world, how to map them to local users, how user groups work in Hadoop, and mapping to LDAP groups. The chapter then moves on to cover the various authentication protocols in use across the Hadoop ecosystem, before explaining the differences between simple and Kerberos authn, and then a nice dive into token auth, including the flows by which delegation tokens are created to allow various systems to impersonate users. The chapter finishes off with a fully worked Kerberos authn configuration guide, which to be fair I skimmed over as I don’t need that level of detail at the moment.

The next chapter moves on to authz, covering HDFS ACLs and extended ACLs and various service level authorisations, before moving on to MapReduce (1 and 2) and YARN, Zookeeper ACLs, HBase, and Oozie. There are a few nice worked examples here of the effects of authz restrictions and what errors users will see when their access is restricted.

The book then moves on to cover Sentry, which is Apache’s attempt to centralise authz within the Hadoop ecosystem; after reading through the previous few chapters it’s obvious it’s needed! The basic architecture on which Sentry works is covered, along with how it integrates with the various applications, and the chapter then walks through how to configure each application to use Sentry. Again, a very practically oriented approach is taken here, with a lot of detail on the configuration steps.

The last chapter in this section covers the logging available by default in each of the various applications and their basic config. This is a quick chapter and really just shows the configuration aspect, rather than any approaches to analysing the logs.

The third section of the book moves on to data security, specifically encryption of data in transit and at rest, starting with great coverage of how HDFS file encryption works. What was particularly good in this chapter was the strong emphasis it places on key management, and on making the reader conscious of the potential lack of encryption on temporary data such as logs. The second half of the chapter covers encryption of data in transit, mainly focusing on the configuration of SSL/TLS in the various applications in the ecosystem.

The next chapter is a short one and looks at the security of data as it is loaded into the Hadoop ecosystem, covering both the confidentiality and integrity of the data, but mainly focusing on confidentiality/encryption. The following chapter then covers how client access to data in the Hadoop environment can be performed securely, focusing of course on the edge nodes and how users interact with them, whether through the command line, RPC or APIs. From an architecture perspective, I found this chapter particularly helpful as it does a good job of describing the trust boundary that will exist in most deployments and how this should be architected securely.

The last chapter in this section covers Cloudera Hue and to be honest I just skimmed this one as it wasn’t relevant to me.

The final section of the book covers some use cases nicely, outlining scenarios with business and security requirements, before walking through how to architect and configure the right mix of controls to meet them. I would have loved more examples here, as this is more at the level I’m working at, rather than the technical configuration. But still, it’s great to see it presented in this way.

Overall, this was a great book that, to be fair, goes into a lot more depth on technical configuration settings than I needed. This can make it a tough read if you’re just looking for the high level; however, if you’re setting up a Hadoop cluster then this should be your go-to book.

However, it also works great at the level I was looking for, as it has a strong focus on architecture considerations and puts the security functionality into context rather than just explaining the feature sets available. You just may need to skim some of the more detailed sections like I did!

Links:
Amazon: http://www.amazon.com/Hadoop-Security-Protecting-Your-Platform/dp/1491900989/
Safari: https://www.safaribooksonline.com/library/view/hadoop-security/9781491900970/


Monday, 25 January 2016

AWS Certified Solution Architect Associate Exam

It’s been an age since I’ve done any exams, so I decided before Christmas that I may as well try to use some of the AWS exams to formalise my knowledge a bit.

The first one I picked was the AWS Solution Architect Associate. I passed it this morning, so I figured I’d give some feedback on how I found the exam.

In terms of material I used, apart from obviously just using AWS practically and reading quite a few books over the last year on AWS, the main material I used for exam prep was the ACloudGuru training courses.

I went through all the ACloudGuru AWS associate level training material (Architect, SysOps, Developer) and the AWS Solution Architect Professional material before doing the Architect Associate exam. That’s probably not necessary, but I listen to a lot of material in the car so managed to get through all of them over the last two months. At the price point the ACloudGuru courses are at (very inexpensive), I would recommend that you buy all of them. The quality of the material is very high, they’re interesting to listen to, they highlight a lot of exam specific questions and they are updated very frequently, which, given the pace at which new products and services are released on AWS, is essential for these exams.

I also used the official practice exam that costs $20, and this was actually worthwhile as it was reasonably close to the real exam.

So, onto the exam itself...

If you're not familiar with it, it's a 60 question, 80 minute proctored computer based exam. Similar to all the ones you've probably done before in IT in that sense.

Coverage of topics was pretty much in line with what the ACloudGuru courses stated, with a strong emphasis on EC2, S3, the security responsibilities of users vs AWS, and a lot on which combinations of AWS services to use in different scenarios. There were a few questions on RDS, DynamoDB and Route 53, and some billing/management questions.

About 80% were scenario questions, with around three or four lines to read in each scenario. Nearly all were choose two/three of the following four answers, rather than choose one. These are more like the scenario questions you get in the practice exams, but more awkward and complex.

The remaining 20% were straightforward questions like you’d see in the ACloudGuru examples.

Most questions were effectively based on applying the knowledge you get in the Udemy/ACloudGuru course. For example, if you know private subnets don’t include routes to the Internet, you can rule out answer options that involve systems on the Internet accessing instances on those subnets.

I thought the wording was very poor and appeared designed to catch you out rather than test your knowledge, which always annoys me. You spend more time reading the scenarios trying to figure out what they’re actually asking, instead of clearly understanding what the requirements are and answering the question based on those. Of course, it could be said that this is probably close to having to interpret people’s attempts at giving you requirements in real life… :-)

Also, I noticed the fonts change in the exam questions (even when it isn’t designed to indicate a different context), which indicates pretty poor quality control on the user experience and creation of the questions (guessing copy/paste between materials).

There was at least one question where all the answers were incorrect, but two of the four answers were so completely wrong that it could only have been the other two (incorrect) answers.

In terms of timing, I got through all 60 questions in 55 minutes but had marked around 17 questions for review. I took another 10 mins for reviewing those and finished up with around 15 minutes to spare. Normally I get through these types of exams in around 60% of the time allocated so this was about right based on previous exams.

I would say, though, that marking questions for review is very unusual for me, and marking almost 30% is really high as I normally don’t bother reviewing any. However, some of them were so strange that I needed to re-read them at least three or four times, and even then it still wasn’t entirely clear what a few of them were asking.

In terms of confidence in my answers... I really couldn’t have said at the end whether I passed or not, or even whether I got 40% or 90%. In the end I got 81%, which wasn’t too bad, as I realised afterwards that I’d gotten two obvious questions wrong.

To be fair, as an architecture related exam, it actually does focus on applying knowledge of AWS, rather than just regurgitating lists of learned-off answers. So in that sense I think it’s actually a really good approach to take for this kind of exam.

However, I think it could definitely do with tightening up on the quality of the question wording as that’s key if you want the exam to be focused on application of knowledge, rather than just pick the right list of answers.

Overall, I’d definitely recommend doing this exam, especially as it gets you to learn bits of AWS that you may not use on a day to day basis yourself, and with how quickly new services pop up, this can’t be a bad thing.

I'll definitely drive on with these and just need to figure out if I want to do all of the associate level exams now or just go straight to the Solution Architect Professional exam...



Wednesday, 30 December 2015

Book Review: Hadoop 2 Quick-Start Guide: Learn the Essentials of Big Data Computing in the Apache Hadoop 2 Ecosystem

Having never installed or played around with a Hadoop environment myself, I was on the look out for an intro style book that would give me the basics and enough info to start me off.

When browsing, this one caught my eye as I didn’t even realise there was a Hadoop 2, and the title was pretty much spot on for what I was looking for, so I decided to give it a shot.

Overall, I enjoyed the book and it was spot on for what I was looking for. It’s a traditional tutorial/walk through type of book on how to get a Hadoop cluster up and running and how to admin/interact with it, but it also covers enough theory that you don’t need to have any prior experience with Hadoop to follow along.

However, I would say that I think it’s overpriced in the paper edition and at the retail ebook price, so if you’re interested in this book, try to read it on Safari or get a Kindle edition to make it affordable. Other than that, definitely recommended.

The book starts off with a really good overview of what Hadoop is, the MapReduce pattern and the changes in Hadoop 2. Good intro material.

The next chapter is a more traditional walk through of how to install Hadoop using both the Hortonworks distribution and the Apache sources. It also covers the use of Ambari as a simple web based admin console for your cluster. Nothing too detailed is explained here as it’s covered off later, but it’s a straightforward walk through, so it is spot on for that.

The third chapter gives a really good intro to how HDFS works, covering the nodes involved, their roles, the approach taken to replication, and then some basic file system commands. I particularly enjoyed this chapter as I hadn’t used HDFS before, and so some of the concepts around the different nodes, compute following data, append-only files and block sizes were spot on for what I needed to understand.

The fourth chapter covers running jobs and monitoring them in the web GUI, along with some examples for baselining the performance of the cluster.

The fifth and sixth chapters walk through the MapReduce approach to data analysis, using word counting in text files as the main example, and then move on to the basics of writing code to create MapReduce jobs, covering the basics in Java and Python. Simple and straightforward, but again spot on in terms of depth.

The seventh chapter runs through some of the other Apache tools within the Hadoop ecosystem, covering Pig, Hive, Sqoop, Flume, Oozie and HBase. These are just quick overviews, but interesting, as I wasn’t aware of some of these.

The eighth chapter is really nice in that it focuses exclusively on YARN (Yet Another Resource Negotiator), which is new to Hadoop 2 and is one of the big differences in the new version. It walks through how to use YARN for things other than the traditional MapReduce pattern, using the YARN distributed shell as an example, before touching briefly on how some of the other Apache tools can be used with YARN.

The last two chapters focus on administering Hadoop through the commands required and the Ambari interface. I skimmed these as I’m only doing a very basic setup to get my head around Hadoop, but would look back to these as needed.

In summary, the author notes initially that this book is written to a "hello world" level in terms of depth, and that’s spot on across the book. It gives you enough info to get you to a working example, and then it’s up to you. I really liked this analogy and it’s exactly the level I was looking for. I also liked the author’s writing style, so I will be looking for more of his books to find some more advanced material on Hadoop.

If you’re looking for an intro to Hadoop that’s a nice combination of both theory and high level technical implementation, then this is definitely worth a read.

One thing I would say is that I got through the book very quickly (roughly 3 hours), and was surprised to see when I checked Amazon that the paper version is just over 300 pages, as it really didn’t feel like that. It reads more like a book of around 150 pages, which in my head makes sense for a quick start book.

The reason I highlight this is that, while I really enjoyed the book, as I mentioned earlier I don’t think it’s worth the price of $27 that the paper version is currently retailing for. For me it’s more in the $15 - $18 bracket, so if you’re going to read this then definitely try to go for the Kindle edition, which is worth it at $17.

Links:
Amazon: http://www.amazon.com/Hadoop-Quick-Start-Guide-Essentials-Addison-Wesley/dp/0134049942
Safari: https://www.safaribooksonline.com/library/view/hadoop-2-quick-start/9780134050119/

Monday, 28 December 2015

Book Review: Creating A Data-Driven Organization

I stumbled across this book while browsing and its title obviously jumped out at me, as I’m always interested in anything that helps quantify analysis or build data driven approaches to what I do.


I wasn't entirely sure what to expect but in summary, it's a really enjoyable, easy read on how to build data-driven teams and the culture to support them in an organisation.

The book starts off by establishing what the author really means by data-driven, touching on some of the fundamentals of data quality, collection and analysis.

After these initial chapters the book really got interesting for me, as it starts to look at the organisational and cultural considerations of building a data-driven programme.

The author first outlines the different skill sets required for a rounded data-driven analysis team, covering business skills, programming, devops, stats, visualisation, machine learning and big data analysis. I really liked how the author shows these as complementary skills across the team, while highlighting that your team doesn’t need to be expert at all of them.

One really nice aspect is that the need for strong visualisation is highlighted immediately, specifically in relation to its role not just in performing data analysis, but in selling it to the rest of the organisation. This is developed further later in the book through a whole chapter on visualisation, including how it can and should be used effectively, covering a lot of the ideas from Tufte, etc. in a really nicely summarised form.

The author then moves on to describe the different types of data analysis and how they are used, and then works through some discussion of metrics and A/B testing as core examples of how data analysis can be applied in business contexts.

The next three chapters cover what I think is the most important aspect of the whole book: the approach to decision making and its effect on data-driven approaches, the key components of a data-driven culture within an organisation, and the role of the C-suite in establishing this culture. These chapters outline many of the key cultural challenges in moving towards a more data-driven approach, and are great reads for anyone who may be pushing for more data analysis within their organisation but is struggling to get traction.

The book finishes with a chapter on privacy, ethics and risk, which, obviously, as a security guy I love to see. I particularly like the “ick” factor approach that the author outlines for dealing with data analysis and privacy.

Overall I think this book is a great introduction to a lot of topics relating to data analysis and data driven decision making, and it incorporates some really good lessons on organisational structure, culture, skill sets and the challenges of adopting data-driven approaches within organisations.

The author highlights throughout that this book doesn’t touch on the tools or technology used for data analysis, or the details of data analysis approaches, as these are covered in many other books, which are referenced as needed. So if you’re looking for that type of material, definitely go elsewhere.

However, if you’re new to applying data-driven approaches to your field (IT, business or otherwise), or if you’re a manager or leader looking to understand how you can effect change within your organisation towards a data driven approach, I’d highly recommend this.


Links:
Amazon: http://www.amazon.com/Creating-Data-Driven-Organization-Carl-Anderson/dp/1491916915
Safari: https://www.safaribooksonline.com/library/view/creating-a-data-driven/9781491916902/

Monday, 23 November 2015

Book Review: Building Microservices

Continuing my up-skilling on cloud security, I wanted to get a better handle on application architectures that map onto cloud computing patterns. While microservices aren’t a cloud specific architecture, their key goals of loose coupling, high scalability, etc. align well with a cloud environment, so I figured this would be a good book to have a read through.

The first two chapters are very easy reads, covering an introduction to microservices and their benefits, and mapping strategic goals to principles and practices.

The next chapter introduces the fictional MusicCorp organisation and application that is used throughout the remainder of the book, demonstrating the concept of bounded contexts and how to apply it to a monolithic application. At this point the book really gets into more detailed discussion of the topics, with each of the next few chapters being pretty meaty in comparison to the earlier ones. The rest of the chapter covers some of the key technologies that can be used to facilitate microservices (RPC, SOAP, REST, XML, JSON, message queues, etc.), touching on both the positives and negatives of each, and also covers areas like versioning, choreography/orchestration and integration with COTS.

The author then expands on the MusicCorp example and uses it to demonstrate how to split the application out into multiple microservices, before moving on to CI topics like deployment and testing, and a further short chapter on monitoring. For me the chapter on breaking a monolithic application into microservices wasn’t as relevant to what I was looking for, but some of the high level approaches were interesting for understanding how it may be tackled.

Security is touched on next, but as the author mentions early on in the book, he’s not a security specialist, so this is a fairly light chapter covering authn/authz and SSO, touching on OpenID Connect and SAML. One nice thing to see in this chapter was a call to be frugal with data storage in light of potential data loss events, particularly where personally identifiable information may be in play. Nice touch!

The last two main chapters cover system/organisational design and microservices at scale, both of which I thought were great introductions to the topics. Too many organisations think concepts such as devops or microservices can simply be tacked on to their existing structure, but this chapter does a nice job of dispelling that myth. Christian Posta wrote a really good blog post on this specifically in relation to microservices, and I’d also recommend Mike Cohn’s chapter on team structure from his Succeeding with Agile book.

One aspect of the book that I really liked was the liberal use of links to other material and books where more detailed explanations are merited. This avoids the author going off on tangents, which I often find many authors doing (sometimes as a necessity to explain a concept… and sometimes just to pad the book).

I’m not a developer or application architect, so at times the book goes into slightly too much detail for what I needed, but to be fair this only rarely happens and so doesn’t detract from the overall flow. Of course, that probably means that for someone who is a developer or application architect it won’t go into enough detail, which other reviewers sometimes point out.

From a security perspective, I’d highly recommend this book as a great way to get up to speed on how applications should and will be deployed in the cloud, and on microservices in general. Additionally, if you’re still working in a very specialised/siloed organisation, this should be up there on your list to understand how things may change. Ultimately, if your organisation isn’t doing something in this space now, then it will be soon, and you may as well be up to speed!

Links:
Amazon: http://www.amazon.com/Building-Microservices-Sam-Newman/dp/1491950358
Safari: https://www.safaribooksonline.com/library/view/building-microservices/9781491950340/