Rating: ![5 stars](http://www.reviewfocus.com/images/stars-5-0.gif) Summary: Current, comprehensive and correct Review: The review copy of Security Engineering (still not finished reading) will soon take pride of place in my bookcase, next to Schneier's Applied Cryptography. I have now found a pair of books to suit my Master of Information Technology semester subject "Advances in Information Security". My students, many commercial data processing people with IT degrees, can take this book to work after class. It will help them answer competently many questions of the "how do they..." type. This book is current. For example, in relation to SET Anderson says "...is being allowed to expire quietly". Often conference, web and journal research fails to pick up the demise of an idea; research is swamped by the proposal. In my class I set research topics and get papers reporting what was to be, and rarely, what is. This book will replace most of my paper readings and, if I am not mindful, replace my role as skeptic before my class. My pet topic, traffic analysis, gets a solid mention. Look, this book is comprehensive. There are 823 items in the bibliography. What would you expect from the foundation editor of Computer & Communications Security Abstracts? The style is that of a self-confident expert. There are many anecdotes of protocol failure with analysis. I think it may be time to put book indexes online. I would love to see a search engine, returning key word in context with page references for this book. It is 612 pages long and I found the 18 page index insufficient. If my wishes came true, I would also have some discussion questions and exercises at the end of chapters. Each chapter has a summary, research problems and further readings, but no simple exercises. The maths and BAN notation are kept to a minimum.
In summary, in my opinion, this book met three of its stated purposes, as a text, a reference and a significant contribution to the science (some might say art) of security engineering. It is a bit light on as an introduction to crypto, but good as an introduction to other fundamental security tools like tamper resistance, authentication, multilevel security and models. I agree with Schneier who says in the foreword "It's the first, and only, end-to-end modern security design and engineering book ever written." I will prescribe this book to my next class, and I strongly recommend it to you "dear reader".
Rating: ![5 stars](http://www.reviewfocus.com/images/stars-5-0.gif) Summary: A watershed book for the security community Review: This book changes everything. "Security Engineering" is the new must-read book for any serious information security professional. In fact, it may be required reading for anyone concerned with engineering of any sort. Ross Anderson's ability to blend technology, history, and policy makes "Security Engineering" a landmark work. Engineers learn more from failure than success. "Security Engineering" brings this practice to life, investigating the design and weaknesses of ATM machines, currency printing, nuclear command and control, radar, and dozens of other topics. Anderson's insights are accurate and helpful, partly because he's served as consultant for diverse industries. His descriptions of criminal and intelligence agency exploitation of insecure systems are startling; fake cellular base stations, fly-by-night phone companies, TEMPEST/EMSEC viruses, freezing electronics to preserve RAM -- all are explained in layman's terms. The bibliography offers exceptional opportunities for further research, but the second edition needs a glossary. I found some of the cryptography chapter too complicated for non-mathematicians. I also believe the author was misled by whoever told him that "at the time of writing, the US Air Force has so far not detected an intrusion using the systems it has deployed on local networks." (p. 387) (I know from experience this is false.) Nevertheless, these are my only criticisms for a 612 page text. "Security Engineering" is a book of principles, lessons, and case studies. It offers history, tools, and standards to judge engineering endeavors. This book actually inspired me to learn how brick-and-mortar engineers learn their trade, as their methods and failure analysis may apply to the software world. "Security Engineering" will remain relevant for years, but I recommend you read it as soon as possible.
Rating: ![3 stars](http://www.reviewfocus.com/images/stars-3-0.gif) Summary: Content is good - writing style is horrendous Review: This book covers a wide range of security engineering related domains. In general, the content is good and the level of detail is high-level in order to cover the wide scope of topics. However, the writing style leaves much to be desired. The book is peppered with sentences starting a discussion on a topic and then abruptly ending it, referring to other chapters for more details, which quickly becomes very annoying to the reader. The style of writing is also as dry as a mouthful of flour. In addition, the layout of the book will put most readers to sleep since there are few figures and diagrams to explain relationships and methodologies where needed. Hopefully the shortcomings will be fixed in the second edition.
Rating: ![5 stars](http://www.reviewfocus.com/images/stars-5-0.gif) Summary: Fantastic book - highly recommended reading on security Review: This book does so much more than guide the reader through the design of distributed systems. It is the most comprehensive and general definition and illustration of information security that I have ever seen in one place. This is a book that can teach you to look at the world through security glasses, so to speak, and that of course is a prerequisite for security engineering. It is also a good thing to be able to do if you need to evaluate security measures for quality and appropriateness. The way Ross Anderson goes about this task is systematic and pedagogical. He has obviously been lecturing for many years and is both an excellent presenter and a person demonstrating a good understanding of learning curves. Both the book as a whole and the individual chapters have been constructed in such a way that the reader can give up at various points of complexity without losing the plot altogether and simply start at the beginning of the following chapter, getting a less deep education than if he read and understood everything but nevertheless gaining a comprehensive feel for the nature of security and how to tackle its implementation. This design also enables the book to be used either as a textbook or as a reference work. Very smart - many technical authors could learn something from observing how Ross goes about it. I also like that each chapter ends with a discussion of possible research projects, literature recommendations and of course a summary. The only irritating thing is that there are too many stupid typos such as missing words, things which another read-through by the editor should have caught. An example: "...using the key in Figure 5.7, it enciphers to TB while rf enciphers to OB..." should be "...using the key in Figure 5.7, rd enciphers to TB while rf enciphers to OB..."
It is fine to use typographic tricks for illustrative purposes, but you must make sure they make it into print if you do. I'm certain many readers will find the chapter on cryptography difficult enough without errors. Well, next edition... The book consists of three parts. The first is a quite basic intro to security concepts, protocols, human-to-computer interfaces, access control, cryptography and distributed systems. I think that perhaps Ross gets a little bit carried away in Chapter 5 on crypt - I mean, why is a proof for Fermat's little theorem included? There are no other mathematical proofs anywhere. I also think that parts of this chapter could benefit from added verbosity or perhaps a few more illustrations. Whereas in this context it is not so important how crypt primitives function internally, it is of course very important how they behave as system components. Just a suggestion - no real criticism. In the second part of the book the author ingeniously uses a whole range of well-known systems incorporating security to illustrate both analytical methods and security engineering fundamentals. Using this pedagogical method, moving from the concrete and well-known to the abstract and general, is good engineering practice. Almost every main section contains a subsection called What Goes Wrong, in which the author analyses and presents architectural and design weaknesses in everything from ATMs to nuclear systems. I find this approach incredibly valuable, not only because it teaches good engineering methodology but also because it gives the author an opportunity to present a huge number of security problems at the implementation level in a context, from which they can be lifted, cross-referenced and placed in different contexts. This method, combined with the informed and intelligent analysis, is what makes this book such a brilliant generator of understanding of security, the broad and full concept.
Also in this part of the book there is a clear line which is not only technological but which serves to place security concepts in organisational frameworks, another very strong point in favour of this work. This leads to the third part of the book, which in the words of the author deals with politics, management and assurance. Very good entertainment as well. The book ends with one of the best bibliographies that I have ever seen in the field. Kudos to Ross Anderson for writing such a fantastic book - highly recommended reading!
Rating: ![5 stars](http://www.reviewfocus.com/images/stars-5-0.gif) Summary: Great resource, cover to cover Review: This book has helped us a great deal over the past two years with various issues related to our security architecture. Highly recommended, but only if you require a deep level of understanding. I suggest you review the TOC of this book before purchasing it, just to understand what it covers.
Rating: ![5 stars](http://www.reviewfocus.com/images/stars-5-0.gif) Summary: Comprehensive, but detailed and easy to read Review: This book is a rare combination of depth and breadth. Not only does Anderson cover a wide range of topics (see the other reviews), but he breaks down his explanations of very complicated concepts into comprehensible chunks. It's disturbing/enlightening to learn how complicated it is to engineer a secure system (or how easy they are to break) after Anderson explains the technology behind them.
Rating: ![5 stars](http://www.reviewfocus.com/images/stars-5-0.gif) Summary: Most incredible overview of security I have ever seen. Review: This book is for anyone who wonders how security mechanisms function. What separates this book from every other book on security is that this book is not limited to computer or network security; it gets into the nitty gritty of digital security. The author is nothing short of brilliant. He covers a great variety of security issues, from smart cards, power monitoring, cryptography, passwords, access control, EMF emission monitoring [Tempest], biometrics, banking security, the history of all the previous topics, etc., etc., etc. The other impressive qualities of this book are its clear and amusing writing style, excellent references, and tying all this together in a fashion that provides a cohesive strategy for implementing truly secure systems. While this book purports not to be for hackers, they will doubtlessly find this book of immense interest as well, as it covers information that I have not seen addressed in any other book that I have come across. You will learn more from reading this book than reading three years' worth of 2600 Magazine. All in all, great reading, intensely valuable information, and more fun than a barrel of monkeys.
Rating: ![5 stars](http://www.reviewfocus.com/images/stars-5-0.gif) Summary: Superb Security Book Review: This is a "must read" for anybody who deals with security issues, especially in the technical and computer fields. Ross Anderson's writing style lends itself to ready understanding and comprehension of the intricacies of security management. His "warts & all" examination of the various security-related technologies can give one insight into serious security implementations. The text is replete with observations, examples and suggestions. Our only regret is that there aren't more examples, but that would expand an already large text. Fortunately, Ross mostly eschews the detailed mathematics which can make some of the other security texts difficult for non-technical types. For those who desire that level of detail, plenty of references are given. For the rest of us, it is entirely readable. We highly recommend it.
Rating: ![5 stars](http://www.reviewfocus.com/images/stars-5-0.gif) Summary: Incomparable book on information security Review: Those of us in the computer security business have been mining Ross Anderson's web site for years, since he's done some really unique and important work in the field. Finally he's pulled it into an incredible book, one that's essential for anyone interested in information security. Two elements combine to make this book unique: first, the book manages to cover all of the major topics in the field, and second, the book covers the whole range of attacks that systems can face: technical, procedural and physical. Historically, writers on information security have focused on computers and disembodied "users," downplaying the crucial issues of physical security, perimeters, operating procedures, and the limits of human behavior. This book tries to integrate such concerns into information security thinking, instead of treating them as "special concerns that computer geeks don't really care about." Best of all, the book is a great read. Ross has a fine way of drawing out the irony we encounter in user behavior, enterprise behavior, and even in the actions of presumed authorities in industry and government. At one point he discusses a government endorsed security evaluation process "which, as mentioned, is sufficient to keep out all attackers but the competent ones." Ross unabashedly explains several aspects of information security that most writers ignore entirely, like security printing, seals, tamper resistance, and associated procedures. In my own books, reviewers have chided me for including such "irrelevant" topics, even though they play an essential part in making a real system work. As Ross ably points out, most successful attacks these days are pretty mundane and don't involve cryptanalysis or sophisticated protocol hacking. ATM fraud, for example, often relies on pre-computer technology like binoculars to pick up a victim's PIN.
This book should open a lot of people's eyes.