thanks,

Mark

"Engineering is the art of making the right compromises"

The information in the online PDFs is interesting, but the number of typos in the text is astounding.

I think I'll wait for the next printing to purchase.

Your comments are almost always good. Thanks.

Got my copy of the 2e last week. Among other things, I think we finally have a robust-enough textbook for a graduate-level security class (for IT, engineering, MBA, etc.)

Engineering: The process of using existing scientific and mathematical knowledge to design and create an object for the express purpose of realizing a solution to a problem within a given context and set of failure scenarios.

Science: The process of exposing phenomena to observation for the purpose of creating predictive or explanatory models.

Mathematics: The process of developing or exploring logically consistent closed systems.

Design: The process of exposing underlying assumptions to observation for the purpose of ensuring engineering takes place within the proper context.

My memory (20+ yrs ago, so permit some memory lapse) is of the material science lectures in the 1st year, an entire year on the maths of semiconductors. On the other hand, the circuits guy said the pn potential is between 0.6V and 0.7V; use 0.65V, it's close enough and works. Now that is engineering.

:-}

@anon,

I don't think we're disagreeing in substance. There might be a slight difference in superficial style or emphasis.

The word "mathematics" is the one I do remember from my introductory lecture--but perhaps that word choice is part of the reason the compact description takes some commentary to unfold.

In my comment above, I almost used the phrase "mathematical models". Implicit in the idea of "applying mathematics" is the idea that there is an acceptable model of a real-world phenomenon.

Those mathematical models must originate from repeatable science.

It's precisely the lack of modelling that I'm criticizing in security "engineering".

When Bruce criticizes the TSA, for instance, as he does often enough here on this blog, he doesn't usually make what I would consider "engineering" criticisms. That is, he doesn't say "here is a validated model for air transport security" and "here is the result of my calculations based on that model". No one does that. Because, in all honesty, we don't know how yet. The underlying security science isn't there yet to be turned into engineering art.

Regarding "Security" and "Engineering:" Certainly "Security Engineering" is not as mature as its siblings. However, this book helps to speed the maturation process. When we can recognize the underlying elements, we can begin to develop and mature standardized methods.

Thanks, Ross! Outstanding!

I pre-ordered mine through Amazon and I know it's on the way, but being in Australia it takes an age to get here.. :-(

I totally agree with you.

"Engineering is the art of applying mathematics to the solution of real world problems."

I've always thought of engineering being the application of (repeatable) science to the solution of real world problems.

Does it have to be mathematics? Or can it be broadened to observed and tested phenomena?

-Kim.

"Engineering is the art of applying mathematics to the solution of real world problems."

Our class, like others before and after us, went over that definition in some depth. It's a compact description --perhaps even elegant-- and there's enough packed into it to make a good hour-long lecture.

I'm sorry, but I don't think security "engineering" is an engineering discipline yet. It may be an art, with a recognized body of knowledge common among practitioners, but it's still too much black art and too little mathematics.

Imho.

http://securitywannabe.com/blog/2008/04/07/interview-with-ross-anderson-security-engineering-20/

I know I did.
