What do you think?
Rate this book
Security Engineering: A Guide to Building Dependable Distributed Systems
The world has changed radically since the first edition of this book was published in 2001. Spammers, virus writers, phishermen, money launderers, and spies now trade busily with each other in a lively online criminal economy and as they specialize, they get better. In this indispensable, fully updated guide, Ross Anderson reveals how to build systems that stay dependable whether faced with error or malice. Here's straight talk on critical topics such as technical engineering basics, types of attack, specialized protection mechanisms, security psychology, policy, and more.
1088 pages, Hardcover
Published April 14, 2008
Ratings & Reviews
Friends & Following
Create a free account to discover what your friends think of this book!
Community Reviews
Displaying 1 - 30 of 31 reviews
August 20, 2013
An impressive technical book that looks at security in all its forms (physical, computer based, social) and shows you the various ways security can be implemented and compromised.
This book also shows you why security should never be a 'by-the-way' or implemented after the fact but must be considered right at the start. Not only that, it also shows you why a world-view of security should be considered; it is not something that can only be targeted at one part of a system and expected to work.
Covering some theory of encryption and technical description of various security systems, the book goes on to show how security touches all our lives either directly (passwords) or indirectly (our privacy or safety).
The book provides plenty of examples of how security systems work and don't work. It includes examples from the author's personal experience, showing how even he has a hard time making sure that the systems he makes are really secure and showing how he has managed to break systems that other people claim are secure.
One of the more important aspects that the book covers is responsibility and deniability in security; how the desire to push responsibility on to other people or get plausible deniability when a breach occurs drives the way security is implemented. This, of course, causes distortions in the security model, making it even more likely that the security would be broken.
Whether you are interested in general security or only in one aspect of security, this is a good book to read. And after reading it, you will get a very good idea of how hard it actually is to make a system secure and why you must hire very capable people to do it and to avoid 'snake-oil' security implementations.
The First and Second Editions of this book are available as a free download
This book also shows you why security should never be a 'by-the-way' or implemented after the fact but must be considered right at the start. Not only that, it also shows you why a world-view of security should be considered; it is not something that can only be targeted at one part of a system and expected to work.
Covering some theory of encryption and technical description of various security systems, the book goes on to show how security touches all our lives either directly (passwords) or indirectly (our privacy or safety).
The book provides plenty of examples of how security systems work and don't work. It includes examples from the author's personal experience, showing how even he has a hard time making sure that the systems he makes are really secure and showing how he has managed to break systems that other people claim are secure.
One of the more important aspects that the book covers is responsibility and deniability in security; how the desire to push responsibility on to other people or get plausible deniability when a breach occurs drives the way security is implemented. This, of course, causes distortions in the security model, making it even more likely that the security would be broken.
Whether you are interested in general security or only in one aspect of security, this is a good book to read. And after reading it, you will get a very good idea of how hard it actually is to make a system secure and why you must hire very capable people to do it and to avoid 'snake-oil' security implementations.
The First and Second Editions of this book are available as a free download
August 4, 2008
If there are any technical books that are page-turners, this is one of them.
Page after page of real world security and engineering issues. Lucidly explained and illustrated.
The sections on nuclear reactor design and smart cards are very illuminating.
If you've ever wondered why good engineering is expensive, this is the one to explain it.
I wish I could write as clearly as Anderson.
Page after page of real world security and engineering issues. Lucidly explained and illustrated.
The sections on nuclear reactor design and smart cards are very illuminating.
If you've ever wondered why good engineering is expensive, this is the one to explain it.
I wish I could write as clearly as Anderson.
March 19, 2013
This book took me four weeks to read, but it is fantastic. Just like what the two security engineers said.
"Security Engineering is different from any other kind of programming...if you're even thinking of doing any security engineering, you need to read this book." -Bruce Schneier
"This is the best book on computer security. Buy it, but more importantly, read it and apply it to your work." -Gary McGraw
"Security Engineering is different from any other kind of programming...if you're even thinking of doing any security engineering, you need to read this book." -Bruce Schneier
"This is the best book on computer security. Buy it, but more importantly, read it and apply it to your work." -Gary McGraw
July 16, 2017
Good book even though it is 10 year old. There are a lot of case of study but it is useless if you know nothing about information security. The book is not a guide to building a dependable system but rather a guide to system failures
February 17, 2020
I read the third edition, which is available for free right now except chapters 20 to 25 which aren't released yet.
It contains a lot of the history regarding the different domains where security engineering is applied. It raised awareness in me regarding potential security pitfalls.
However, the book lacks actionable advice on how to actually BUILD dependable systems.
Will maybe update my review when the other chapters are released.
It contains a lot of the history regarding the different domains where security engineering is applied. It raised awareness in me regarding potential security pitfalls.
However, the book lacks actionable advice on how to actually BUILD dependable systems.
Will maybe update my review when the other chapters are released.
October 18, 2019
I enjoyed the book and there was moments I couldn't stop reading. however, I think it was vague sometimes, but despite the fact, I can't tell if it was the author's mistake. The topic is hard, it is about deception, understanding it, and find a way to defend against it. if something is easy to understand then it is not a deception!
So beware, You'll need a lot of time to read this book, and you should think a lot of how deceptions work, and how the current way of defending against them might help.
So beware, You'll need a lot of time to read this book, and you should think a lot of how deceptions work, and how the current way of defending against them might help.
December 5, 2016
I will do my best to recommend this book to anyone involved in IT. Despite being last updated 8 years ago almost every prediction about security engineering still holds true today. This isn't a technical how-to book to build distributed systems but teaches you the principles while entertaining you with real world examples from the writer's own experience.
August 8, 2018
This is the penultimate book about InfoSec. A friend once said, "look, the app I'm making has nothing to do with security. It's for turning on lights." When their little program turned into a doorway for a nasty hackathon, they realized that all apps and api can be a doorway. So, I always recommend this to coders and really anyone heading into tech design/production. I mean, even hardware designs have security flaws.
May 7, 2023
I found it interesting how many topics this book had ties. I found the perspective different than our typical briefings and work training. I did learn a lot and some new things about security breaches. I found it annoying the constant we'll discuss this further in such and such section. The book could have probably been condensed a bit by optimizing the order and compiling similar sections. I also found he tended to drift into soap boxes as many engineers do.
August 9, 2021
This is for the Third Edition, released in 2020 and still phenomenal. I haven't found a better survey of the security engineering space yet, and highly recommend this to any security practitioner, especially people entering the field. I would have been significantly better off if I had read this back in undergrad.
August 5, 2013
Yes.. It's a textbook, but an interesting one. It covers a wide range of security topics with plenty of supporting material, future reading, and even research ideas. The fact that it was updated recently and released for free as PDF helps as well. Anyone interested in security should read this.
February 7, 2016
The best security book ever written.
September 3, 2021
I am reading the 3rd edition of this book; for me, a person who isn't stricly involved, in this area, there is much that can be gleaned. The main complaint, is a lack of "connection", between some of the topics, which are introduced, sometimes, with part of the context omitted, and the practical implications, not thoroughly explored.
June 11, 2023
The point of this book is that information security is everywhere. Infosec plays a huge role in:
* a friend or foe identification system on an aircraft,
* a tachograph in trucks,
* a prepaid card meter for electricity,
* and so on (hundreds of examples)
It's not an easy read. It's very impressive but boring at times. Anyway, I'm glad it raised my awareness about the subject.
* a friend or foe identification system on an aircraft,
* a tachograph in trucks,
* a prepaid card meter for electricity,
* and so on (hundreds of examples)
It's not an easy read. It's very impressive but boring at times. Anyway, I'm glad it raised my awareness about the subject.
May 7, 2020
Conversationally written but OLD. Very outdated as far as some of the examples (the author referred to Windows Vista as the latest Windows version).
Concepts for the most part hold true but the book is old if you want something with up to date information and statistics.
Concepts for the most part hold true but the book is old if you want something with up to date information and statistics.
April 4, 2023
It's a hard book to read, really hard, but cover in a good way the security engineering, have a lot of topics since how to affect manual systems (medical equipment) to cryptography. Read the book if you are ready to gain a lot of knowledge in the area, without the time pressure.
May 22, 2020
Good reference text to keep around
January 24, 2021
Easy to read and follow along, even though it is large. Contains lots of great data, insight, and fun horror story examples.
March 7, 2022
It took me ages, but I eventually succeeded at reading this (3rd ed) cover to cover (minus bibliography). This book is simply fantastic, though I would describe it more as a history book than a "guide to building." It contains a host of fantastic anecdotes to go with the most comprehensive, systematically organized overview of security issues that I've yet seen, and I came away with nearly 400 highlights from the portions I read on my kindle - simply reading those again will be like reading another book.
The book would be worth reading only as a guide to the 'Further Reading' sections, which provide excellent resources to go into depth into the many topics covered. To top it all off, the writing is quite good and reads like a series of "let me tell you about the time..." stories you'd hear from someone who's been there and done that. That's not to say it's always easy going; depending on the reader's interests some chapters will fly by and others will drag, but that is probably inevitable based on the breadth offered.
Altogether this work is exemplary and I'm thrilled that such an attempt has been made to cover a very expansive field. Certainly no one needs to read it cover to cover, but I'm glad I did. Highly recommended for the those in the security realm, and very curious people.
The book would be worth reading only as a guide to the 'Further Reading' sections, which provide excellent resources to go into depth into the many topics covered. To top it all off, the writing is quite good and reads like a series of "let me tell you about the time..." stories you'd hear from someone who's been there and done that. That's not to say it's always easy going; depending on the reader's interests some chapters will fly by and others will drag, but that is probably inevitable based on the breadth offered.
Altogether this work is exemplary and I'm thrilled that such an attempt has been made to cover a very expansive field. Certainly no one needs to read it cover to cover, but I'm glad I did. Highly recommended for the those in the security realm, and very curious people.
May 26, 2021
I struggle a lot reviewing this book. Just finished reading the 3rd ed.
On one hand this book is highly respected amongst security professionals and Ross has done a great job bring knowledge about all these disparate areas together. On the other hand, I hate the writing style, it's too chaotic/disorganized for me. The book is filled with historical tidbits and knowledge, but actually lacks any clear actionable advice or examples of good architectural patterns while engineering secure software.
Overall, I am quite disappointed. If one day I have a lot of free time and I want to read up on random security topics like details around banking and credit card security, I will open this book. For more practical/actionable content, I would look elsewhere.
On one hand this book is highly respected amongst security professionals and Ross has done a great job bring knowledge about all these disparate areas together. On the other hand, I hate the writing style, it's too chaotic/disorganized for me. The book is filled with historical tidbits and knowledge, but actually lacks any clear actionable advice or examples of good architectural patterns while engineering secure software.
Overall, I am quite disappointed. If one day I have a lot of free time and I want to read up on random security topics like details around banking and credit card security, I will open this book. For more practical/actionable content, I would look elsewhere.
September 9, 2016
A solid book on security, covering many aspects - threat modelling, vulnerability analysis, enforcement, assurance/certification, with a heavy focus on the economic interests of the various principles involved in security, both electronic and physical. The book is very readable; the stuff with scary maths is easily skimmed over, and the rest of the book is full of well-written, relevant and interesting examples. I didn't give this book 5 stars only because it was a little too general; it seemed more like a tour of various security domains sprinkled with examples, rather than a focused tome on trying to nurture in the reader a rigorous security engineering mindset.
June 27, 2013
Amazing, everything one could dream for in a technical textbook. I'd venture to say it's well-enough written that it might appeal to readers passingly interested in the subject or even bored sitters in a room with no other form of entertainment (these types might even want to carry it out of the unfortunate situation as thanks for the help in passing the time amicably). My favorite schoolbook since returning to duty.
September 6, 2014
Wow took me a while to finish this one. At first i tried to read cover to cover but was unable to due to work and i had trouble to stay focused and interested but after a while i had to skip some parts. Nonetheless book is a great compilation of various security and side-fields which provide historical lessons and "what to not do" when building security systems.
June 16, 2015
I'm ashamed to say that it took me more than 2 years to finish this book. However, I think it is significant that even a fiction reader, like me, can enjoy this book. In my opinion, the book is losing relevance because even this second edition is now 7 years old. While reading it, there were many times that I wondered what the author would say about more recent developments.
September 24, 2016
I took this as a pleasurable read, not for class work. I was curious in particular about how common physical security measures are implemented and in encryption methods. The book is a bit dated (2001), but I was not disappointed. I particularly liked the sections on bank and military security.
Read
June 20, 2011Available for free at http://www.cl.cam.ac.uk/~rja14/book.html !
December 17, 2013
ugh. This book was chocked full of information, but it was obfuscated by nearly illegible grammar and structure. Exceptionally difficult reading.
September 14, 2013
One of the best security books I have ever read. I plan on applying a number of principles outlined in the book. I recommend it to any serious security practitioner.
December 1, 2015
Great reference
November 24, 2016
Excellent book. We are a long way from a grand theory of security. Yet Anderson pulls together an incredibly wide range of sub-disciplines and draws out the common themes (read failures).
Displaying 1 - 30 of 31 reviews