9 Reviews
5 of 5 people found the following review helpful:
5.0 out of 5 stars
A profoundly influential work written by a world-class security expert,
By
This review is from: Security Engineering: A Guide to Building Dependable Distributed Systems (Hardcover)
For the typical busy security professional, reading a 900-page tome cover to cover represents an investment of time that may be difficult to justify. Frankly, security books that are worth the effort are few and far between. Security Engineering is one such book, for several reasons.
First, Ross Anderson's vast knowledge, experience and insight on the subject are well known, and his reputation as one of the top security experts in the world is well deserved. No doubt a reflection of this, his book covers a very broad range of security topics, the discussions ranging from high-level policy issues, all the way down to details of smartcard hacking and the mathematics of cryptography. The topics are well researched and described at a level of detail useful to the non-specialist. Concise summaries and occasional nuggets of insight indicate an in-depth understanding of the subject matter. The book is well written, easy to follow, and devoid of the vagueness and platitudes so typical of much of the security literature.
Second, the book exposes the sheer difficulty of engineering secure systems in the face of the many forces at play in a typical product development lifecycle. Through many case studies of success and failure, the author illustrates the numerous pitfalls that may befall even a well-intentioned design. Lessons learned from deploying products in the real world include the negative impact of perverse economic incentives, the importance of designing security features for maximum usability, and the need to look at a security problem from many different angles in a holistic manner. The book is a treasure trove of wisdom for the aspiring security engineer.
Lastly, the book brings together insight from many diverse areas of research. Disciplines ranging from economics, psychology, sociology, criminology, banking and bookkeeping, safety research, electronic warfare, to politics are all mined for ideas and results that could yield a better understanding of - and novel approaches to - difficult security problems. It is perhaps in this aspect that the book will prove to be most influential. Since the first edition was published in 2001, security economics, security usability, and security psychology have emerged as fertile areas of research.
2 of 2 people found the following review helpful:
3.0 out of 5 stars
Four benefits for the ISSEP candidate,
By
This review is from: Security Engineering: A Guide to Building Dependable Distributed Systems (Hardcover)
Four beneficial take-aways from Ross Anderson's book, Security Engineering: A Guide to Building Dependable Distributed Systems:
1. After reading 600 pages of prose, there are four bullets on page 652 that epitomize the entire book. Here they are: DEFENSE AGAINST NETWORK ATTACK - four sets of tools to defend against network attack:
   (1) Management (i.e. CM)
   (2) Filtering (i.e. Firewalls)
   (3) Intrusion Detection (i.e. IDS devices)
   (4) Encryption (i.e. VPN devices with encryption)
2. I discovered a little known standard that may have influenced the Risk Management Framework (RMF) methodology developed in the NIST SP 800-37. Read this excerpt (p. 838): "It is important for the Security Engineer to have some knowledge of internal controls. There is a shortage of books on this subject... the most influential is the Risk Management Framework from the Committee of Sponsoring Organizations (COSO), a group of U.S. accounting and auditing bodies.... Its basic process is an evolutionary cycle: in a given environment, you assess the risks, design controls, monitor their performance, and then go around the loop again."
3. There's a small blurb on the Capability Maturity Model (p. 849). I think this little concept helps to understand all the CMM documents on the street. Here it is: "Some useful insights come from the Capability Maturity Model developed by the Carnegie-Mellon University. Although this is aimed at dependability and at delivering code on time rather than specifically at security, their research shows that capability is something that develops in groups; it's not just a purely individual thing." Then another blurb on p.864-865: "The Carnegie-Mellon research showed that newly formed teams tended to underestimate the amount of work in project, and also had a high variance in the amount of time they took; the teams that worked best together were much better able to predict how long they'd take, in terms of the mean development time, but reduced the variance as well."
4. Lastly, the author admits that he's a cynic, and a cynical attitude is probably the BEST way to look at the Common Criteria.
1 of 1 people found the following review helpful:
5.0 out of 5 stars
Excellent, readable, current,
By
Amazon Verified Purchase
This review is from: Security Engineering: A Guide to Building Dependable Distributed Systems (Kindle Edition)
Certainly a top 5 in its space. Especially notable for its broad coverage and excellent references to other more detailed material. This is a very worthwhile update from the first edition (which is freely available from the author's web site as a PDF).
5.0 out of 5 stars
Great Security Book,
This review is from: Security Engineering: A Guide to Building Dependable Distributed Systems (Hardcover)
This has got to be, hands down, one of the best security books that I have ever read. I ended up in a class where this was the text and groaned when I saw how thick it was, but it really doesn't read that way. It's full from cover to cover of great examples, including everything from infosec to physsec. It's definitely written to be a textbook, but is completely readable and will leave you with a much better understanding of how security engineering works. Awesome read!
5.0 out of 5 stars
Fantastic Resource,
By
Amazon Verified Purchase
This review is from: Security Engineering: A Guide to Building Dependable Distributed Systems (Hardcover)
This book has been the definitive guide for my embedded and distributed cryptosystems projects thus far. The writing is good--easy and fun to read. The content is incredible, and Bruce Schneier's approval doesn't hurt. I don't think I've ever learned as much in as few pages before.
0 of 1 people found the following review helpful:
5.0 out of 5 stars
the book is about what the title says it is,
This review is from: Security Engineering: A Guide to Building Dependable Distributed Systems (Hardcover)
A comprehensive overview of the field with great attention to important details and fundamental security concepts. Extensive bibliography assists with future research on a given topic. A deep insight on current state and future directions. It is a guide indeed to building robust secure systems. [...]
0 of 2 people found the following review helpful:
5.0 out of 5 stars
Security Engineering - Ross Anderson,
By
This review is from: Security Engineering: A Guide to Building Dependable Distributed Systems (Hardcover)
Written by Ross Anderson of Cambridge University's famed Computer Security Group.
I would consider this the bible on this subject. It is well written and fascinating. This subject will become increasingly important in the future.
1 of 6 people found the following review helpful:
3.0 out of 5 stars
Reasonably Good book on the subject,
By MD User "MD user" (Rockville, MD)
Amazon Verified Purchase
This review is from: Security Engineering: A Guide to Building Dependable Distributed Systems (Hardcover)
I bought this book to get started with security engineering. It is a reasonably good book. The reason I have given it 3 stars is that it is too bulky and also a little difficult for a beginner to understand.
1 of 16 people found the following review helpful:
3.0 out of 5 stars
excellent......however......,
This review is from: Security Engineering: A Guide to Building Dependable Distributed Systems (Hardcover)
Excellent book so far (I have not finished reading it yet); however, my one criticism is that there is NO CD available. No excuse for that in this day and age. If you are going to produce a book with 27 chapters, it is going to be big and bulky. It's also going to decrease the likelihood of someone carrying the book around with them. Having the ability to print a chapter at a time would allow me to read it on the commute into work or at lunch. I even called the publisher and they said no CD or ebook is available. This is why I only gave it three stars.
Security Engineering: A Guide to Building Dependable Distributed Systems by Ross Anderson (Hardcover - April 14, 2008)