Security Engineering - The Book

There are many books on security tools, such as cryptology, access controls and intrusion detection systems, but so far there has been almost nothing on how to use them in real systems. As a result, most security systems don't fail because the protection mechanisms were weak, but because they weren't used right. Dealing with such failures has frustrated me so much, and for so many years, that I finally wrote a book.

`Security Engineering - a Guide to Building Dependable Distributed Systems' goes down into the details of applications such as automatic teller machines, burglar alarms, copyright protection mechanisms, de-identified medical record databases and electronic warfare systems. It also covers a lot of technology for which there isn't any good introductory text, such as biometrics, emission security, tamper-resistant electronics and the tricks used in phone fraud. Using real-world examples not only lets me explain when certain types of cipher or auditing mechanism should or shouldn't be used; it also brings out a lot of system-level engineering issues such as false alarm rates, protection versus resilience, naming, security usability, reliability, and assurance.

Although the book grew out of notes for security courses I teach at Cambridge, I've rewritten the material to ensure it's accessible to the working programmer, and added lots of case histories and practical advice drawn from fifteen years' experience as an information security consultant. Here is the Table of Contents, and here's the foreword by Bruce Schneier.

What is Security Engineering?

Security engineering is about building systems to remain dependable in the face of malice, error or mischance. As a discipline, it focuses on the tools, processes and methods needed to design, implement and test complete systems, and to adapt existing systems as their environment evolves.

It requires cross-disciplinary expertise, ranging from cryptography and computer security, through hardware tamper-resistance and formal methods, to a knowledge of applied psychology, organizational methods, audit and the law. System engineering skills - from business process analysis through software engineering to evaluation and testing - are also important, but they are not sufficient. They only deal with error and mischance rather than with malice.

Why is Security Engineering Important?

For generations, people have defined and protected their property and their privacy using locks, fences, signatures, seals, account books, and meters. These have been supported by a whole host of social constructs ranging from international treaties through national laws to manners and customs.

This is changing, and quickly. Most records are now electronic, from bank accounts to registers of company shares and real property; and transactions are increasingly electronic, as shopping moves to the Internet. Just as important, but less obvious, are the many everyday systems that have been quietly automated. Burglar alarms no longer wake up the neighborhood but send silent messages to the police; students no longer fill their dormitory washers and dryers with coins but credit them using a smartcard they recharge at the college bookstore; locks are no longer simple mechanical affairs but are operated by electronic remote controls or swipe cards; and instead of renting videocassettes, millions of people get their movies from satellite or cable channels. Even the humble banknote is no longer just ink on paper, but may use tricks such as digital watermarks to enable many forgeries to be detected by machine.

How good is all this new security technology? Unfortunately, the honest answer is `nowhere near as good as it should be'. New systems are often rapidly broken, and the same elementary mistakes are repeated in one application after another. It often takes four or five attempts to get a security design right, and that is far too much.

A common view of the Internet divides its history into three waves, the first being centered around mainframes and terminals, and the second (from about 1992 until now) on PCs, browsers, and a GUI. The third wave, starting now, will see the connection of all sorts of devices that are currently in proprietary networks, standalone, and non-computerized. By 2003, there will be more mobile phones connected to the Internet than computers. Within a few years we will see many of the world's fridges, heart monitors, bus ticket dispensers, burglar alarms, and electricity meters talking IP. By 2010, `ubiquitous computing' will be part of our lives. We already have a number of the component technologies required to make ubiquitous computing dependable; the last twenty years have seen much work on the theoretical aspects of computer security and cryptology. But there has been much less on the practice. Many insecure systems are built, and the resulting safety, privacy and crime prevention problems (both real and perceived) are a significant impediment to building the `electronic society'. Once communicating embedded systems become both ubiquitous and critical, we will simply have to do better.

Why do We Need Another Book on Security Engineering?

I don't know of any book that's even adequate. Although there are good books some of the component technologies, such as cryptography, and adequate textbooks on some others, there is no good introduction to the discipline as a whole, and large sections of it are completely uncovered. For example, much of the research in computer security focuses on information flow controls, yet there isn't any introduction to it that's both comprehensive and accessible to a working programmer. (In fact, even bright graduate students have a hard time finding their way into the subject.) For technologies such as Tempest, for attacks on smartcards, for how cash machines work, for the vulnerabilties of seals, for the interaction between computer security and economics - and for many other important topics - there are at most a few research publications, often in conference proceedings that are out of print.

Even where solid textbooks exist, they often use too much mathematics and too few examples. They can be very valuable to a graduate student working under the guidance of a professor who can provide the motivation and describe the big picture, but for poor old Dilbert - or any working programmer or engineer who suddenly needs to learn a lot about security engineering, and quickly - they are too heavy going. (In fact, even I find many of them to be rather turgid.)

My book is based on industrial consulting I've done over the last fifteen years, the lessons from which are written up in a number of papers on my home page; on lecture notes I've developed over five years at Cambridge to teach courses for second year and third year undergraduate students; and on training I've done for all sorts of clients from consulting firms through medics, and in a number of countries round the world. So the material has been piloted all the way from research to the classroon to the server room. I hope you find it useful!

cover Buy the book from Amazon.

Return to Ross Anderson's home page