Security Engineering, by Ross Anderson

I just received the second edition of Ross Anderson's Security Engineering in the mail. It's beautiful.

This is the best book on the topic there is, and I recommend it to everyone working in this field -- and not just because I wrote the foreword. You can download the preface and six chapters. (You can also download the entire first edition.)

Posted on May 5, 2008 at 1:28 PM • 20 Comments

Comments

AlanMay 5, 2008 6:52 PM

In 2003, were there more mobile phones connected to the internet than computers?

MarkMay 5, 2008 7:14 PM

Alan, I read that too & was a bit surprised at that comment... Does Ross still refer to Bruce as Prince Schneier? That was awesome...

AnonymousMay 5, 2008 8:03 PM

In my intro to engineering class (some years back now), I learned something about engineering:

"Engineering is the art of applying mathematics to the solution of real world problems."

Our class, like others before and after us, went over that definition in some depth. It's a compact description --perhaps even elegant-- and there's enough packed into it to make a good hour-long lecture.

I'm sorry, but I don't think security "engineering" is an engineering discipline yet. It may be an art, with a recognized body of knowledge common among practitioners, but it's still too much black art and too little mathematics.

Imho.

KimMay 5, 2008 11:47 PM

@Anonymous:

"Engineering is the art of applying mathematics to the solution of real world problems."

I've always thought of engineering being the application of (repeatable) science to the solution of real world problems.

Does it have to be mathematics? Or can be broadened to observed and tested phenomenon?

-Kim.

Chris SamuelMay 6, 2008 7:44 AM

I wish my copy would arrive already!

I pre-ordered mine through Amazon and I know it's on the way, but being in Australia it takes an age to get here.. :-(

Kevin D. S.May 6, 2008 7:53 AM

I purchased a copy last week. I've only read the first few chapters of this edition but I'm enjoying it at least as much as the first. My only wish is for book to be published in two volumes. It gets a bit tricky to lug it around with a laptop and lunch box! :)

Regarding "Security" and "Engineering:" Certainly "Security Engineering" is not as mature as its siblings. However, this book helps to speed the maturation process. When we can recognize the underlying elements, we can begin to develop and mature standardized methods.

Thanks, Ross! Outstanding!

AnonymousMay 6, 2008 9:02 AM

"I've always thought of engineering being the application of (repeatable) science to the solution of real world problems."

@anon,

I don't think we're disagreeing in substance. There might be a slight difference in superfical style or emphasis.

The word "mathematics" is the one I do remember from my introductory lecture--but perhaps that word choice is part of the reason the compact description takes some commentary to unfold.

In my comment above, I almost used the phrase "mathematical models". Implicit in the idea of "applying mathematics" is the idea that there is an acceptable model of a real-world phenomen.

Those mathematical models must originate from repeatable science.

It's precisely the lack of modelling that I'm criticizing in security "engineering".

When Bruce criticizes the TSA, for instance, as he does often enough here on this blog, he doesn't usually make what I would consider "engineering" criticisms. That is, he doesn't say "here is a validated model for air transport security" and "here is the result of my calculations based on that model". No one does that. Because, in all honesty, we don't know how yet. The underlying security science isn't there yet to be turned into engineering art.

P.E. DabblerMay 6, 2008 9:10 AM

engineer == small engine mechanic who could afford to go to university

:-}

RossMay 6, 2008 1:49 PM

One of the messages I try to get across in my book is that a security engineer can use many different models - that is, many types of mathematics - to analyse protection problems. In addition to the well-known models from cryptography (number theory, statistics) and computer science (complexity, semantics), we can draw on electrical engineering (Maxwell's equations) and economics (microeconomic analysis) to explain other phenomena. There are other, less mathematical, disciplines that matter too - from psychology to locksmithing

KeithMay 6, 2008 2:36 PM

Re: What is engineering. I always thought it was the art of making things work.

My memory (20+ yrs ago so permit some memory lapse) is of the material science lectures in the 1st year, an entire year on the maths of semiconductors. On the other hand the circuits guy said the pn potential is between 0.6V and 0.7V use 0.65V, it's close enough and works. Now that is engineering.

Pat CahalanMay 6, 2008 3:52 PM

Here's a couple of definitions for ya'll to chew on.

Engineering: The process of using existing scientific and mathematical knowledge to design and create an object for the express purpose of realizing a solution to a problem within a given context and set of failure scenarios.

Science: The process of exposing phenomena to observation for the purpose of creating predictive or explanatory models.

Mathematics: The process of developing or exploring logically consistent closed systems.

Design: The process of exposing underlying assumptions to observation for the purpose of ensuring engineering takes place within the proper context.

Reader XMay 6, 2008 4:35 PM

Readers of this blog may also enjoy Ross Anderson's blog, Light Blue Touchpaper (http://www.lightbluetouchpaper.org/).

Got my copy of the 2e last week. Among other things, I think we finally have a robust-enough textbook for a graduate-level security class (for IT, engineering, MBA, etc.)

Andre LePlumeMay 7, 2008 2:19 PM

@Pat Cahalan:

Your comments are almost always good. Thanks.

Scott ShorterMay 8, 2008 5:57 AM

Got my copy a couple of days ago, will have time to curl up with it this weekend.

EliMay 8, 2008 3:30 PM

My eyes! The typos!

The information in the online pdfs is interesting, but the number of typos in the text is astounding.

I think I'll wait for the next printing to purchase.

devomanMay 9, 2008 5:57 AM

My own definition of engineering:

"Engineering is the art of making the right compromises"

Mark BacchusJuly 22, 2008 6:07 AM

I am planning to read this book but it comes in 2 editions, what are the differences and is it worth reading the first free version out there?

thanks,
Mark

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..