Interview with Ross Anderson: Security Engineering 2.0

Interview with Ross Anderson: Security Engineering 2.0
Interview with Ross Anderson: Security Engineering 2.0 

By Craig Balding
April 7th, 2008

7 years ago, a Cambridge Professor called Ross Anderson published a book 
called .Security Engineering..

Up until that time, it wasn.t often you would hear anyone talk about 
.Security Engineering. - let alone find an entire book written on the 

As soon as the book came out, it made a real and lasting impression on 
the security community.

Richard Bejtlich summed it up with his review on Amazon:

    This book changes everything. .Security Engineering. is the new 
    must-read book for any serious information security professional. 
    In fact, it may be required reading for anyone concerned with 
    engineering of any sort. Ross Anderson.s ability to blend 
    technology, history, and policy makes .Security Engineering. 
    a landmark work.

Ross has now finished a major update and the new edition is just hitting 
the stores. Security Wannabe caught up with him to find out more about 
Security Engineering 2.0. We managed to cover a lot of ground in 8 


   1. In essence, what is .security engineering.?

      Security engineering is about building systems to remain 
      dependable in the face of malice, error or mischance. As a 
      discipline, it focuses on the tools, processes and methods needed 
      to design, implement and test complete systems, and to adapt 
      existing systems as their environment evolves.

   2. Why is security engineering important?

      It.s often a showstopper when people get it wrong - for example, a 
      $20bn program to computerize healthcare in the UK looks set to 
      fall to pieces, because the lack of adequate protection for 
      privacy and safety is leading doctors to reject it. And poor 
      security engineering leads to huge waste of resources. The USA has 
      spent $14bn harassing airline passengers since 9/11 but has failed 
      to complete a $500m program to reinforce cockpit doors - and many 
      US airports still don.t do background checks on ground staff.

   3. What prompted you to write the book .Security Engineering.?

      There were no good books - just specialist works looking at some 
      aspect or other of locks, or ciphers, or access controls. Yet 
      security is a system-level property.

   4. The 1st Edition covered an incredible range of topics. How much 
      research went into the book?

      Fifteen years of academic research, plus teaching materials 
      developed for undergraduate courses over the same period.

   5. What motivated you to pick up the virtual pen again and write a 
      second edition?

      The world had changed a lot in seven years - not just 9/11 and all 
      its sequelae, but also the fact that the Internet had become 
      mainstream, and all sorts of devices that were previously dumb or 
      standalone started acquiring CPUs and connectivity.

   6. For owners of the 1st edition (Ed: selfish question), how much new 
      core content is there in the 2nd edition vs .bug fixes.?

      It.s about 50% bigger. I won.t know the exact page count until I 
      get the first paper copies on Monday, but in the draft it had gone 
      from 600-odd pages to 900+.

   7. The 1st edition was chock full of real world examples - 
      personally, I found these very engaging. Can you give a taste of 
      new examples?

      There are plenty new examples from postal meters through API 
      security to terrorism. also expanded the scope, so that 
      physical security doesn.t just mean alarms but also locks 
      (including recent results on lock bumping) and environmental 
      security - why it is that some neighbourhoods have crime and 
      others don.t. In addition, added chapters on economics and 
      psychology which open up new examples of different kinds. Both 
      approaches are needed in a world where the most rapidly-growing 
      types of fraud involve deception and where systems are less and 
      less under the control of single organisations.

   8. What is your vision for security engineering in the next 5 years?

      We.ll be dealing more and more with complex socio-technical 
      systems, in which we have to consider people as well as servers 
      and software, and which will evolve over time in response to all 
      sorts of economic and political pressures. This isn.t just about 
      security and its cousin dependability, it.s much broader than 
      that. It.s something truly new, that hasn.t existed before. 
      Anticipating both the opportunities and the threats will be really 
      important for companies, for governments, and for everybody. 

I.d like to thank Ross for agreeing to do this interview, especially as 
he was on holiday at the time.

Frankly, I.m just blown away by the 300 pages of extra content. How many 
respected Infosec authors even get close to that?

[Update: Ross just emailed to say he received his first copies of the 
book - the actual page count is 1040!]

Subscribe to InfoSec News 

Site design & layout copyright © 1986-2015 CodeGods