Book: Security Engineering by Ross Anderson

Very excellent book for security geeks

Ross J. Anderson
Security Engineering: A Guide to Building Dependable Distributed Systems
Wiley, 2001
ISBN: 0-471-38922-6
$75.00 (list price, routinely discounted; available free online)
543 pages (main text)

Ross Anderson's book Security Engineering is a big and very excellent book. At least it's very excellent for any geek who has an interest in medium- and large-scale security problems. Since Bruce Schneier has praised the book, it's likely that anything I have to say will be beside the point. But I'll have a couple of things to say anyway. And I think it's also worth mentioning that the book's free availability online caused me to buy a physical copy.

When I have a particular hat on, I'm a bit of a security geek. But my experience is limited to computers and relatively small networks of them. So, while I know something about some of the subjects that Mr Anderson touches on, there are large sections that I'm not qualified to criticize. On the subjects I do know about, I learned some useful things and found nothing to complain about. On the subjects I don't know well, I learned a lot from the book. The book was published a few years ago and the security field changes quickly, but on the subjects that I'm familiar with I could find only a few unimportant facts that are no longer true.

To begin with, the book has a very broad scope. There are the chapters you'd expect on cryptography, passwords, access control, and so on. But there are also chapters on multilevel security (handling data with different security requirements on the same machine), multilateral security (preventing one user from finding out another user's data), banking, monitoring systems, nuclear command and control, security printing, tamper-resistance, project management, system evaluation, and half a dozen others. Mr Anderson has wide experience in security and the amount of detail here is very great. He gives examples from banking, intelligence, and the military that I would have supposed were secret.
There is lots of nonsense written about security by people in marketing departments and on committees. Mr Anderson's style and candor are a delightful antidote to that. Security is a hard problem and Mr Anderson doesn't try to hide that. He does, however, always provide useful advice. Here are a couple of quotes that give some of the flavor of the book:

    But making such systems work well in real life is much harder than it looks. (p. 181)

and:

    In conclusion, the main thing we did wrong when designing ATM security systems in the early to mid-1980s was to worry about criminals being clever; we should rather have worried about our customers -- the banks' system designers, implementers, and testers -- being stupid. (p. 203)

Mr Anderson delighted me by mentioning my favorite pet security observation. That's that unreliable software doesn't seem to get much more reliable over time, even as bugs are patched.

There's much in Security Engineering that's likely to be new even to quite an accomplished security geek. For example, I was genuinely surprised to read:

    I have long since given up reporting crooked bankers to the [U.K.] police: there has been no prosecution of a senior banker that anyone can remember. In the United States, about a thousand bankers at the grade of vice president and up get prosecuted every year, and over a third get jail time. This isn't a matter of British virtue, or American vice, but has to do with how the two law enforcement systems are organized. (p. 471)

Security really does encompass many systems.

There are a good many references forward and backward through the book and a great many numbered subdivisions. Those are both no doubt very useful to people dipping into it. They're a bit distracting when reading it through.

There are a couple of tiny editing errors. There's a quote missing from "('Quality of Service Technology is promised by Microsoft for 'the Win2K timeframe'.)" (p. 64). And "In some countries, notably Scandinavia...." is missing an "in" (p. 352).

Posted: Sat - November 4, 2006 at 05:20 PM
Published On: Nov 04, 2006 06:08 PM