Security Engineering: A Guide to Building Dependable Distributed Systems, 3rd Edition
Published by Wiley. December, 2020
By Ross J. Anderson
Now that there’s software in everything, how can you make anything secure? Understand how to engineer dependable systems with this newly updated classic.
In Security Engineering: A Guide to Building Dependable Distributed Systems, Third Edition Cambridge University professor Ross Anderson updates his classic textbook and teaches readers how to design, implement, and test systems to withstand both error and attack.
This book became a best-seller in 2001 and helped establish the discipline of security engineering. By the second edition in 2008, underground dark markets had let the bad guys specialize and scale up; attacks were increasingly on users rather than on technology. The book repeated its success by showing how security engineers can focus on usability.
Now the third edition brings it up to date for 2020. As people now go online from phones more than laptops, most servers are in the cloud, online advertising drives the Internet and social networks have taken over much human interaction, many patterns of crime and abuse are the same, but the methods have evolved. Ross Anderson explores what security engineering means in 2020, including:
- How the basic elements of cryptography, protocols, and access control translate to the new world of phones, cloud services, social media and the Internet of Things
- Who the attackers are – from nation states and business competitors through criminal gangs to stalkers and playground bullies
- What they do – from phishing and carding through SIM swapping and software exploits to DDoS and fake news
- Security psychology, from privacy through ease-of-use to deception
- The economics of security and dependability – why companies build vulnerable systems and governments look the other way
- How dozens of industries went online – well or badly
- How to manage security and safety engineering in a world of agile development – from reliability engineering to DevSecOps
The third edition of Security Engineering ends with a grand challenge: sustainable security. As we build ever more software and connectivity into safety-critical durable goods like cars and medical devices, how do we design systems we can maintain and defend for decades? Or will everything in the world need monthly software upgrades, and become unsafe once they stop?
About the Author:
Ross Anderson is Professor of Security Engineering at the Computer Laboratory at Cambridge University and is a pioneer of security economics. Widely recognized as one of the world’s foremost authorities on security, he has published many studies of how real security systems fail and made trailblazing contributions to numerous technologies from peer-to-peer systems and API analysis through hardware security.
- Security Engineering: A Guide to Building Dependable Distributed Systems, 2nd Ed., by Ross Anderson.
As of June 1, 2021, I have finished reading this book cover-to-cover. I really enjoyed reading this book. I didn’t want it to finish. It was a joy to read. (Not many people are going to say that, not about a “textbook.” But, in my opinion, this book is anything but an ordinary textbook.) I found it compelling, well written, well informed, very current and insightful. I’ve seen criticisms that it’s not about security engineering, as if it must include page after page of obscure math and cryptographic detail. That’s not the point of this book. The point of this book, among others, is to elucidate all the many variations of security engineering and provide important context and history in a way that I find accessible and engaging. Anderson covers many different topics and provides insights that will help the reader understand the context of security engineering, or computer-based systems engineering with an eye toward dependability, safety and security. That’s the short of my take on it. I strongly recommend this book. It is worth the $70 cover price, but only if you’re interested in the topics discussed. If you find this stuff interesting then the price is most reasonable; imho you will get your money’s worth and then some. (To make sure your money goes the furthest, please consider buying this book through an independent bookseller. They will appreciate your business.)
Preface to the Third Edition:
The first edition of Security Engineering was published in 2001 and the second in 2008. Since then there have been several big changes.
The most obvious is that the smartphone has displaced the PC and laptop. Most of the world’s population now walk around with a computer that’s also a phone, a camera and a satnav; and the apps that run on these magic devices have displaced many of the things we were building ten years ago. Taxi rides are now charged by ride hailing apps rather than by taxi meters. Banking has largely gone online, with phones starting to displace credit cards. Energy saving is no longer about your meter talking to your heating system but about both talking to your phone. Social networking has taken over many people’s lives, driving everything from advertising to politics.
A related but less visible change is the move to large centralised server farms. Sensitive data have moved from servers in schools, doctors’ offices and law firms to cloud service providers. Many people no longer do their writing on word processing software on their laptop but on Google Docs or Office365 (I’m writing this on Overleaf). This has consequences. Security breaches can happen at a scale no-one would have imagined twenty years ago. Compromises of tens of millions of passwords, or credit cards, have become almost routine. And in 2013, we discovered that fifteen years’ worth of UK hospital medical records had been sold to 1200 organisations worldwide without the consent of the patients (who were still identifiable via their postcodes and dates of birth).
The biggest game-changer of the last decade was probably the Snowden revelations, also in 2013, when over 50,000 Top Secret documents about the NSA’s signals intelligence activities were leaked to the press. The scale and intrusiveness of government surveillance surprised even cynical security engineers. This brings us to the third big change, which is a much better understanding of security threats. In addition to understanding the capabilities and priorities of western intelligence agencies, we have a reasonably good idea of what the Chinese, the Russians and even the Syrians get up to.
And where the money is, the crooks follow too. The last decade has also seen the emergence of a cyber-crime ecosystem, with malware writers providing the tools to subvert millions of machines, many of which are used as criminal infrastructure while others are subverted in various ways into defrauding their users. We have a team at Cambridge that studies this, and so do dozens of other research groups worldwide. The rise of cybercrime is changing policing, and other state activity too: cryptocurrencies are not just making it easier to write ransomware, but undermining financial regulation. And then there are individual threats such as cyber-bullying, which usually fall below the threshold for criminal prosecution but which cause real distress, are made easier by social networks, and happen at such a scale as to matter.
So online harms now engage all sorts of people from banks and the military down to schoolteachers. It is ever more important to measure the costs of these harms, and the effectiveness of the measures we deploy to mitigate them.
Some of the changes would have really surprised someone who read my book ten years ago and then spent a decade in solitary confinement. For example, the multilevel security industry is moribund, despite being the beneficiary of billions of dollars of US government funding over forty years; the Pentagon’s entire information security philosophy – of mandating architectures to stop information flowing downward from Top Secret to Secret to Confidential to Unclassified – has been abandoned as unworkable. While architecture still matters, the emphasis has shifted to ecosystems. Given that bugs are ubiquitous and exploits inevitable, we had better be good at detecting exploits, fixing bugs and recovering from attacks. The game is no longer trusted systems but coordinated disclosure, DevSecOps and resilience.
What might the future hold? A likely game-changer is that as we put software into safety-critical systems like cars and medical devices, and connect them to the Internet, safety and security engineering are converging. This is leading to real strains; while security engineers fix bugs quickly, safety engineers like to test systems rigorously against standards that change slowly if at all. A wicked problem is how we will patch durable goods. At present, you might get security patches for your phone for three years and your laptop for five; you’re expected to buy a new one after that. But cars last for fifteen years on average and if we’re suddenly asked to scrap them after five the environmental costs won’t be acceptable. So tell me, if you’re writing navigation software today for a car that will launch in 2022, what toolchain will you choose to ensure that you’ll be able to keep on shipping security patches in 2032, 2042 and 2052?
Finally, there has been a sea change in the political environment. After decades in which political leaders considered technology policy to be for anoraks, and generally took the line of least resistance, the reports of Russian interference in the Brexit referendum and the Trump election really got their attention. The prospect of losing your job can concentrate the mind wonderfully. The close attention of lawmakers is changing the game, first with tighter rules (such as Europe’s General Data Protection Regulation) and second as software and online connectivity find their way into products that are already regulated for safety, from cars and railway signals to children’s toys.
The questions the security engineer has to ask today are just the same as a decade ago: what are we seeking to prevent, and will the proposed mechanisms actually work? However, the canvas on which we work is now much broader. Almost all human life is there.
Author’s launch video / Acceptance speech for Cybersecurity Canon award, May 16 2019.
I’m writing a third edition of Security Engineering, which will be published in November 2020. With both the first edition in 2001 and the second edition in 2008, I put six chapters online for free at once, then added the others four years after publication. For the third edition, I negotiated an agreement with the publishers to put the chapters online for review as I wrote them. So the book came out by installments over 2019-20, like Dickens’ novels. Once the manuscript goes to press at the end of September 2020, all except seven sample chapters will disappear for a period of 42 months. I’m afraid the publishers insist on that. But thereafter the whole book will be free online forever.
Security engineering is not just concerned with infrastructure matters such as firewalls and PKI. It’s also about specific applications, such as banking and medical record-keeping, and about embedded systems such as automatic teller machines and burglar alarms. It’s usually done badly: it often takes several attempts to get a design right. It is also hard to learn: although there were good books on a number of the component technologies, such as cryptography and operating systems, there was little about how to use them effectively, and even less about how to make them work together. Most systems don’t fail because the mechanisms are weak, but because they’re used wrong.
My book was an attempt to help the working engineer to do better. As well as the basic science, it contains details of many applications – and a lot of case histories of how their protection failed. It describes a number of technologies which aren’t well covered elsewhere. The first edition was pivotal in founding the now-flourishing field of information security economics: I realised that the narrative had to do with incentives and organisation at least as often as with the technology. The second edition incorporates the economic perspectives we’ve developed since then, and new perspectives from the psychology of security, as well as updating the technological side of things.
- As relevant further material comes along that could be useful to students studying with the book and to engineers using it as a reference, the author will maintain a page accumulating further notes on the third edition of Security Engineering – A Guide to Building Dependable Distributed Systems. You will find it on his home page for the book, probably listed as “notes and links.”
- Chapter 1: What is Security Engineering?
- Chapter 2: Who is the Opponent?
- Chapter 3: Psychology and Usability
- Chapter 4: Protocols
- Chapter 5: Cryptography
- Chapter 6: Access Control
- Chapter 7: Distributed Systems
- Chapter 8: Economics
- Chapter 9: Multilevel Security
- Chapter 10: Boundaries
- Chapter 11: Inference Control
- Chapter 12: Banking and Bookkeeping
- Chapter 13: Physical Protection
- Chapter 14: Monitoring and Metering
- Chapter 15: Nuclear Command and Control
- Chapter 16: Security Printing and Seals
- Chapter 17: Biometrics
- Chapter 18: Physical Tamper Resistance
- Chapter 19: Side Channels
- Chapter 20: Advanced Cryptographic Engineering
- Chapter 21: Network Attack and Defence
- Chapter 22: Phones
- Chapter 23: Electronic and Information Warfare
- Chapter 24: Copyright and DRM
- Chapter 25: Taking Stock (1 Sep)
- Chapter 26: Surveillance or Privacy?
- Chapter 27: Secure Systems Development
- Chapter 28: Assurance and Sustainability
- Chapter 29: Beyond ‘Computer Says No’
Schneier on Security
(Or, why doesn’t this book have lots of traditional engineering formulas and highly technical detail?)
Ross Anderson’s Security Engineering Online (Schneier on Security)
Read Schneier’s blog for the exchange between the author, R. Anderson, and a commenter, Gweihir, who raises valid concerns about the book based on its title, “Security Engineering.” The concern is that the title necessitates an engineering text with “at least a strong focus on the engineering aspects that are known.” While the text does not provide a detailed engineering treatment of the subject, it seems fair to say the author does not intend to provide one. Rather, having read the entire book, I can say that the author has provided a wealth of useful information, perhaps purposely not diving into deep engineering detail; doing so might have made it unreadable. There are plenty of other resources for that detail if one is interested. Anderson’s book does a very good job of addressing issues and concepts that an otherwise dry tome might not adequately address. Several comments describe how readable it is, which is part of the beauty of the book.
That is to say, while it is titled Security Engineering, it is not an engineering text in the traditional sense; it does discuss security engineering, which in itself is quite useful, and it does so in a way that covers ground a typical engineering text couldn’t. Anderson’s book covers the topic in a way that others likely do not, giving much-needed context and insight.
Nick P. comments: “Awesome! There are few good resources on security engineering. I’m glad he makes this series free after a while. The first one was helpful long after it was free. I’m sure the second one will be the same.”
Note on Online Availability
Yes, the entire 2nd edition is available online in PDF format at no charge; visit the author’s website. The 3rd edition was available online while it was being written, in part to facilitate manuscript review. Once the manuscript goes to press at the end of September 2020, all except seven sample chapters will disappear for a period of 42 months (3.5 years); after that the entire 3rd edition will also be freely available online, so from Spring 2024.