Interview with Ross Anderson: Security Engineering 2.0
7 years ago, a Cambridge Professor called Ross Anderson published a book called ‘Security Engineering’.
Up until that time, it wasn’t often you would hear anyone talk about ‘Security Engineering’ - let alone find an entire book written on the subject.
As soon as the book came out, it made a real and lasting impression on the security community.
Richard Bejtlich summed it up with his review on Amazon:
This book changes everything. “Security Engineering” is the new must-read book for any serious information security professional. In fact, it may be required reading for anyone concerned with engineering of any sort. Ross Anderson’s ability to blend technology, history, and policy makes “Security Engineering” a landmark work.
Ross has now finished a major update and the new edition is just hitting the stores. Security Wannabe caught up with him to find out more about Security Engineering 2.0. We managed to cover a lot of ground in 8 questions…
In essence, what is ’security engineering’?
Security engineering is about building systems to remain dependable in the face of malice, error or mischance. As a discipline, it focuses on the tools, processes and methods needed to design, implement and test complete systems, and to adapt existing systems as their environment evolves.
- Why is security engineering important?
It’s often a showstopper when people get it wrong - for example, a $20bn program to computerize healthcare in the UK looks set to fall to pieces, because the lack of adequate protection for privacy and safety is leading doctors to reject it. And poor security engineering leads to huge waste of resources. The USA has spent $14bn harassing airline passengers since 9/11 but has failed to complete a $500m program to reinforce cockpit doors - and many US airports still don’t do background checks on ground staff.
What prompted you to write the book ‘Security Engineering’?
There were no good books - just specialist works looking at some aspect or other of locks, or ciphers, or access controls. Yet security is a system-level property.
The 1st Edition covered an incredible range of topics. How much research went into the book?
Fifteen years of academic research, plus teaching materials developed for undergraduate courses over the same period.
What motivated you to pick up the virtual pen again and write a second edition?
The world had changed a lot in seven years - not just 9/11 and all its sequelae, but also the fact that the Internet had become mainstream, and all sorts of devices that were previously dumb or standalone started acquiring CPUs and connectivity.
For owners of the 1st edition (Ed: selfish question), how much new core content is there in the 2nd edition vs “bug fixes”?
It’s about 50% bigger. I won’t know the exact page count until I get the first paper copies on Monday, but in the draft it had gone from 600-odd pages to 900+.
The 1st edition was chock full of real world examples - personally, I found these very engaging. Can you give a taste of new examples?
There are plenty new examples from postal meters through API security to terrorism. I’ve also expanded the scope, so that physical security doesn’t just mean alarms but also locks (including recent results on lock bumping) and environmental security - why it is that some neighbourhoods have crime and others don’t. In addition, I’ve added chapters on economics and psychology which open up new examples of different kinds. Both approaches are needed in a world where the most rapidly-growing types of fraud involve deception and where systems are less and less under the control of single organisations.
What is your vision for security engineering in the next 5 years?
We’ll be dealing more and more with complex socio-technical systems, in which we have to consider people as well as servers and software, and which will evolve over time in response to all sorts of economic and political pressures. This isn’t just about security and its cousin dependability, it’s much broader than that. It’s something truly new, that hasn’t existed before. Anticipating both the opportunities and the threats will be really important for companies, for governments, and for everybody.
I’d like to thank Ross for agreeing to do this interview, especially as he was on holiday at the time.
Frankly, I’m just blown away by the 300 pages of extra content. How many respected Infosec authors even get close to that?
[Update: Ross just emailed to say he received his first copies of the book - the actual page count is 1040!]