Wednesday, April 6, 2016

Book review: Security Engineering, by Ross Anderson



Yesterday, finally, I finished a book that I've been working through for the last few years. Or at least that's how it feels: it really only took me about a month to finish the 1000 pages.

Security Engineering: A Guide to Building Dependable Distributed Systems, Second Edition, by Ross Anderson, 2008
https://www.cl.cam.ac.uk/~rja14/book.html (free e-book)
http://www.amazon.com/Security-Engineering-Building-Dependable-Distributed/dp/0470068523/

Where to start to describe such a massive work? I'm tempted to call it an encyclopedia given its amazingly broad coverage of security, privacy, and freedom in all their facets, the deep historical perspective, and its connections to and insights from so many other fields. But it's not the hodge-podge of an encyclopedia; rather it’s the cohesiveness and purpose of a novel, with a plot that builds as you turn the pages. That the author is able to fit all this in his head and spin it into a very coherent story is both a mystery to ponder and a marvel to behold.

The strong message of the book, loud and clear, is that properly engineering security into products and services is a very difficult task, always more complex than expected, and one that even experts will get wrong in the absence of peer review. In this way the book reminds me somewhat of the tales of the 1940 Tacoma Narrows Bridge collapse told to generations of engineering students, with the hope of making them a little bit more humble and less certain of their expertise. The author shows clearly that when dealing with security you need to step back, squint, and look at the entire system of people, process, and technology. He points out that practitioners are often tempted to focus on technical matters such as protocols and algorithms and ignore the social and economic contexts; but that won't help them understand what's really going on and where the big risks are.

This book should be considered a must-read for anyone involved in the creation of any product, service, or process that touches on computing, communications, or the Internet (which seems to apply to almost everything these days). Product managers, project managers, sales engineers, business analysts, security architects, solution architects, designers, engineers, testers, etc. -- all will find it very useful, and humbling.

I loved the book and highly recommend it.