We modeled the Cybersecurity Canon after the Baseball Hall of Fame and the Rock & Roll Hall of Fame, except for cybersecurity books. We have more than 25 books on the initial candidate list, but we are soliciting help from the cybersecurity community to increase the number. Please write a review and nominate your favorite.
The Cybersecurity Canon is a real thing for our community. We have designed it so that you can directly participate in the process. Please do so!
Cyber Canon Book Review: “Security Engineering, A Guide to Building Dependable Distributed Systems,” (2nd edition, 2008), by Ross Anderson
Book Reviewed by: Cybersecurity Canon Committee Member Ron Woerner, RWX Security Solutions
Bottom Line: I recommend this book for the Cybersecurity Canon Hall of Fame.
Review:
If you could have only one cybersecurity book, it should be Ross Anderson’s Security Engineering: A Guide to Building Dependable Distributed Systems, second edition.
This book is the encyclopedia of everything about security. While the subtitle insinuates it’s only about distributed systems, it covers every topic associated with systems security, both technical and non-technical. It provides in-depth explanations of cryptography, multilevel security, biometrics, telecom system security and API attacks. It is more than a textbook or manual in that it includes other topics such as “Usability and Psychology,” “Economics,” “Physical Security,” “Electronic Warfare,” “Terror, Justice, and Freedom,” and “The Bleeding Edge.”
This review is of the second edition, which Dr. Anderson updated in 2008 due to the many changes that occurred between those years. Don’t let the date of the book fool you into thinking it’s out of date. While technologies and terms may have changed, the concepts have not. For example, in the Preface (p. xxix) Dr. Anderson states, “How good is all this new security technology? Unfortunately, the honest answer is “nowhere near as good as it should be. New systems are often rapidly broken, and the same elementary mistakes are repeated in one application after another.” This is still true over ten years later.
Dr. Anderson is the perfect person to have written this book. He has computer engineering experience since the 1970s, has worked in industry and academia for over 30 years and this book shows this mix. His industry experience includes aviation, banking, and technology development. Today, Dr. Anderson is a Professor of Security Engineering at University of Cambridge and still writes on his website and blog, both of which are also recommended reading. The writing style is conversational and easy to understand. He takes from experience and uses case studies as examples.
Security Engineering accomplishes multiple goals. It was written to help working engineers better secure systems. Its purpose, which it achieves, is to give a solid introduction to security engineering at four levels:
As he says in the forward, his audience is Dilbert: the working programmer, systems administrator, business analyst or engineer who is “who is trying to design real systems that will keep on working despite the best efforts of customers, managers, and everybody else.” It is useful to the established professional security manager or consultant as a first-line reference; to the computer science professor doing research in or teaching cryptology; to the working police detective trying to figure out the latest phishing scams; and to policy wonks struggling with the conflicts involved in regulating security, privacy, systems and anonymity.
Dr. Anderson divided Security Engineering into three parts:
It’s impossible to do justice to all of the content and context contained within the nearly 1,000-page Security Engineering. Below are some highlights:
No book is perfect. The challenge with this one is that some of the information is dated and have been overcome by new technology. For example, Windows Vista and Passport are no longer used. Cloud computing, virtualization, mobile, and IoT were in its infancy when the second edition was written. Dr. Anderson addresses the concepts underlying these ideas but was unable to provide details needed to securely engineer today’s environments. Don’t let this dissuade you from reading Security Engineering. The concepts haven’t changed and apply to all new technologies.
By submitting this form, you agree to our Terms of Use and acknowledge our Privacy Statement. Please look for a confirmation email from us. If you don't receive it in the next 10 minutes, please check your spam folder.