By Craig Balding
April 7th, 2008
7 years ago, a Cambridge Professor called Ross Anderson published a book
called "Security Engineering".
Up until that time, it wasn't often you would hear anyone talk about
"Security Engineering" - let alone find an entire book written on the
As soon as the book came out, it made a real and lasting impression on
the security community.
Richard Bejtlich summed it up with his review on Amazon:
This book changes everything. "Security Engineering" is the new
must-read book for any serious information security professional.
In fact, it may be required reading for anyone concerned with
engineering of any sort. Ross Anderson's ability to blend
technology, history, and policy makes "Security Engineering"
a landmark work.
Ross has now finished a major update and the new edition is just hitting
the stores. Security Wannabe caught up with him to find out more about
Security Engineering 2.0. We managed to cover a lot of ground in 8
1. In essence, what is "security engineering"?
Security engineering is about building systems to remain
dependable in the face of malice, error or mischance. As a
discipline, it focuses on the tools, processes and methods needed
to design, implement and test complete systems, and to adapt
existing systems as their environment evolves.
2. Why is security engineering important?
It's often a showstopper when people get it wrong - for example, a
$20bn program to computerize healthcare in the UK looks set to
fall to pieces, because the lack of adequate protection for
privacy and safety is leading doctors to reject it. And poor
security engineering leads to huge waste of resources. The USA has
spent $14bn harassing airline passengers since 9/11 but has failed
to complete a $500m program to reinforce cockpit doors - and many
US airports still don't do background checks on ground staff.
3. What prompted you to write the book "Security Engineering"?
There were no good books - just specialist works looking at some
aspect or other of locks, or ciphers, or access controls. Yet
security is a system-level property.
4. The 1st Edition covered an incredible range of topics. How much
research went into the book?
Fifteen years of academic research, plus teaching materials
developed for undergraduate courses over the same period.
5. What motivated you to pick up the virtual pen again and write a
The world had changed a lot in seven years - not just 9/11 and all
its sequelae, but also the fact that the Internet had become
mainstream, and all sorts of devices that were previously dumb or
standalone started acquiring CPUs and connectivity.
6. For owners of the 1st edition (Ed: selfish question), how much new
core content is there in the 2nd edition vs "bug fixes"?
It's about 50% bigger. I won't know the exact page count until I
get the first paper copies on Monday, but in the draft it had gone
from 600-odd pages to 900+.
7. The 1st edition was chock full of real world examples -
personally, I found these very engaging. Can you give a taste of
There are plenty of new examples from postal meters through API
security to terrorism. I've also expanded the scope, so that
physical security doesn't just mean alarms but also locks
(including recent results on lock bumping) and environmental
security - why it is that some neighbourhoods have crime and
others don't. In addition, I've added chapters on economics and
psychology which open up new examples of different kinds. Both
approaches are needed in a world where the most rapidly-growing
types of fraud involve deception and where systems are less and
less under the control of single organisations.
8. What is your vision for security engineering in the next 5 years?
We'll be dealing more and more with complex socio-technical
systems, in which we have to consider people as well as servers
and software, and which will evolve over time in response to all
sorts of economic and political pressures. This isn't just about
security and its cousin dependability, it's much broader than
that. It's something truly new, that hasn't existed before.
Anticipating both the opportunities and the threats will be really
important for companies, for governments, and for everybody.
I'd like to thank Ross for agreeing to do this interview, especially as
he was on holiday at the time.
Frankly, I'm just blown away by the 300 pages of extra content. How many
respected Infosec authors even get close to that?
[Update: Ross just emailed to say he received his first copies of the
book - the actual page count is 1040!]