on 21 June 2001
This book does so much more than guiding the reader through the design of distributed systems. It is the most comprehensive and general definition and illustration of information security that I have ever seen in one place. This is a book that can teach you to look at the world through security glasses, so to speak, and that of course is a prerequisite for security engineering. It is also a good thing to be able to do if you need to evaluate security measures for quality and appropriateness.
The way Ross Anderson goes about this task is systematic and pedagogical. He has obviously been lecturing for many years and is both an excellent presenter and a person demonstrating a good understanding of learning curves. Both the book as a whole and the individual chapters have been constructed in such a way that the reader can give up at various points of complexity without losing the plot altogether and simply start at the beginning of the following chapter for a less deep education than if he read and understood everything but nevertheless gaining a comprehensive feel for the nature of security and how to tackle its implementation. This design also enables the book to be used either as a textbook or as a reference work. Very smart - many technical authors could learn something from observing how Ross goes about it.
I also like that each chapter ends with a discussion of possible research projects, literature recommendations and of course a summary. The only irritating thing is that there are too many stupid typos such as missing words, things which another read-through by the editor should have caught. An example: `...using the key in Figure 5.7, it enciphers to TB while rf enciphers to OB...' should be `...using the key in Figure 5.7, rd enciphers to TB while rf enciphers to OB...' It is fine to use typographic tricks for illustrative purposes but you must make sure they make it into print if you do. I'm certain many readers will find the chapter on cryptography difficult enough without errors. Well, next edition...
The book consists of three parts. The first is a quite basic intro to security concepts, protocols, human-to-computer interfaces, access control, cryptography and distributed systems. I think that perhaps Ross gets a little bit carried away in Chapter 5 on crypt - I mean, why is a proof for Fermat's little theorem included? There are no other mathematical proofs anywhere. I also think that parts of this chapter could benefit from added verbosity or perhaps a few more illustrations. Whereas in this context it is not so important how crypt primitives function internally it is of course very important how they behave as system components. Just a suggestion - no real criticism.
In the second part of the book the author ingeniously uses a whole range of well-known systems incorporating security to illustrate both analytical methods and security engineering fundamentals. Using this pedagogical method, moving from the concrete and well-known to the abstract and general is good engineering practice. Almost every main section contains a subsection called What Goes Wrong in which the author analyses and presents architectural and design weaknesses in everything from ATMs to nuclear systems. I find this approach incredibly valuable, not only because it teaches good engineering methodology but also because it gives the author an opportunity to present a huge number of security problems at the implementation level in a context, from which they can be lifted, cross-referenced and placed in different contexts. This method, combined with the informed and intelligent analysis is what makes this book such a brilliant generator of understanding of security, the broad and full concept.
Also in this part of the book there is a clear line which is not only technological but which serves to place security concepts in organisational frameworks, another very strong point in favour of this work. This leads to the third part of the book, which in the words of the author deals with politics, management and assurance. Very good entertainment as well. The book ends with one of the best bibliographies that I have ever seen in the field.
Kudos to Ross Anderson for writing such a fantastic book - highly recommended reading!
on 1 September 2001
Think you are an expert on computer security? Yes? Well, no matter if you can do triple-DES in your head, by carefully reading this book (and learning its lessons) you will find many holes in any security system you have ever designed. Guess what? They don't need to crack your 1024 bit key to thwart your procedures -- there are at least a hundred ways to go around encryption.
Ross Anderson surveys the entire spectrum of contemporary techno-security, from nuclear weapons to the electric meters used in South Africa, and tells you the nuts-n-bolts of how they are architected, and where things fall apart. What becomes clear is that perfect security doesn't exist in the real world, so you need to create "security in depth", where you secure all aspects of your enterprise. Attacks can come from the CEO, your customer, the janitor, the designer, or a passing crack head. In fact, the biggest threat is time itself -- a procedure secure today will become vulnerable in a couple of years if you don't treat security as a living, growing, changing, high-priority part of your enterprise.
Early in the book he opened my eyes -- I know a thing or two about security, yet his example of a military IFF system blew me away. If I had been asked, I would have sworn it was a perfect system. Yet, with a simple little trick, the enemy not only defeated it but used it as a weapon. There are a hundred head-slapping moments in this book where you mutter "holy crap!" when you see how vulnerable some things have been.
Look, just buy the damn book, ok? If you have any responsibility for security, you need it. End of story.
on 5 July 2011
If you're interested in cyber (and physical) security in any way, or have a few subjects touching on the topic at university or at a technical college, this book is a must.
It focuses very much on secure systems and their implementation, while at the same time acknowledging the drawbacks that plague secure systems every day. The topic range is extremely broad and the author does indeed have great knowledge regarding all the topics he writes about.
If you're unsure whether this book is for you, you should go to Robert Anderson's website and download the 1st edition for free.
on 15 September 2003
The best general Information Security introduction I've read. Very readable, with lots of references, Ross combines a wealth of practical experience with his academic prowess. Note that whilst he explains much of the technology in detail, it is not technology-specific in the way of, say, Hacking Exposed. This is not really a 'how to do IS in 10 easy steps' book - it is more reflective, and questions many traditional assumptions. It also takes a critical look at many of the issues involved with physical security, though does not cover Disaster Recovery/ Business Continuity Planning.
on 30 July 2003
Security Engineering combined with Ross's website is a great service to Computer Security professionals and Security researchers.
I used to spend countless hours searching for information on banking security and other topics. Since I got this book, my time is better spent analysing information rather than searching. The book has excellent references and resources. I am amazed at the amount of information this book contains.
Security Engineering is a great text book for my Security Courses.
I sincerely hope that Ross will write some more books soon.
on 23 April 2001
This book is superbly good - at once an introduction for those new to the field and an easy reference for experts. As would be expected of Ross Anderson, the book is full of well-chosen examples of real systems.
It is an important book; a lot of people should read it. There is malice in the world, and this must be taken into account when designing almost any system of any kind.
The most valuable perspective, for me, was seeing designs broken by shifting environmental assumptions. It's very educating to find that in many cases what previously looked like boneheaded stupidity was actually a valid decision that later turned sour.
As a minor caveat I did find numerous misprints in the book, some of which were material errors. Since the book is designed as an overview, the mistakes can easily be spotted once you turn to more detailed works on particular topics, however. Therefore the book is still easily worth the full five stars.
on 16 June 2011
Security Engineering was already a classic text in its field and the new edition simply builds on this. It's comprehensive, correct, well written and easy to use. Highly recommended.
on 4 March 2013
If you care about security, just get this book already. One other review wonders why the book needs to veer into a discussion on the safety of atomic bombs, and that was the moment I ordered the book. The range of things covered is astoundingly broad, and the cross-relevance is huge. Most books are about one kind of security, which makes you particularly blind to 'off angle' attacks. Not so in Security Engineering!
on 31 August 2001
This book is for anyone who wonders how security mechanisms function. What separates this book from every other book on security is that this book is not limited to computer or network security; it gets into the nitty-gritty of digital security.
The author is nothing short of brilliant. He covers a great variety of security issues, from smart cards, power monitoring, cryptography, passwords, access control, EMF emission monitoring [Tempest], biometrics, banking security, the history of all the previous topics, etc., etc., etc..
The other impressive qualities of this book are its clear and amusing writing style, excellent references, and tying all this together in a fashion that provides a cohesive strategy for implementing truly secure systems.
While this book purports not to be for hackers, they will doubtless find this book of immense interest as well, as it covers information that I have not seen addressed in any other book that I have come across. You will learn more from reading this book than from reading three years' worth of 2600 Magazine.
All in all, great reading, intensely valuable information, and more fun than a barrel of monkeys.
on 1 June 2012
This has to be one of the best books I have ever read in the security field. The book covers more topics than I could have imagined. The information provided is simply amazing; it uses real case studies which the writers have been exposed to and how they resolved the problems, along with practical guidance based on their professional experience.
Another highly recommended book.