[ISN] Interview with Ross Anderson: Security Engineering 2.0

From: InfoSec News (alertsinfosecnews.org)
Date: Wed Apr 09 2008 - 03:09:20 CDT


http://securitywannabe.com/blog/2008/04/07/interview-with-ross-anderson-security-engineering-20/

By Craig Balding
April 7th, 2008

7 years ago, a Cambridge Professor called Ross Anderson published a book
called "Security Engineering".

Up until that time, it wasn't often you would hear anyone talk about
"Security Engineering" - let alone find an entire book written on the
subject.

As soon as the book came out, it made a real and lasting impression on
the security community.

Richard Bejtlich summed it up with his review on Amazon:

    This book changes everything. "Security Engineering" is the new
    must-read book for any serious information security professional.
    In fact, it may be required reading for anyone concerned with
    engineering of any sort. Ross Anderson's ability to blend
    technology, history, and policy makes "Security Engineering"
    a landmark work.

Ross has now finished a major update and the new edition is just hitting
the stores. Security Wannabe caught up with him to find out more about
Security Engineering 2.0. We managed to cover a lot of ground in 8
questions.

 

   1. In essence, what is "security engineering"?

      Security engineering is about building systems to remain
      dependable in the face of malice, error or mischance. As a
      discipline, it focuses on the tools, processes and methods needed
      to design, implement and test complete systems, and to adapt
      existing systems as their environment evolves.

   2. Why is security engineering important?

      It's often a showstopper when people get it wrong - for example, a
      $20bn program to computerize healthcare in the UK looks set to
      fall to pieces, because the lack of adequate protection for
      privacy and safety is leading doctors to reject it. And poor
      security engineering leads to huge waste of resources. The USA has
      spent $14bn harassing airline passengers since 9/11 but has failed
      to complete a $500m program to reinforce cockpit doors - and many
      US airports still don't do background checks on ground staff.

   3. What prompted you to write the book "Security Engineering"?

      There were no good books - just specialist works looking at some
      aspect or other of locks, or ciphers, or access controls. Yet
      security is a system-level property.

   4. The 1st Edition covered an incredible range of topics. How much
      research went into the book?

      Fifteen years of academic research, plus teaching materials
      developed for undergraduate courses over the same period.

   5. What motivated you to pick up the virtual pen again and write a
      second edition?

      The world had changed a lot in seven years - not just 9/11 and all
      its sequelae, but also the fact that the Internet had become
      mainstream, and all sorts of devices that were previously dumb or
      standalone started acquiring CPUs and connectivity.

 
   6. For owners of the 1st edition (Ed: selfish question), how much new
      core content is there in the 2nd edition vs "bug fixes"?

      It's about 50% bigger. I won't know the exact page count until I
      get the first paper copies on Monday, but in the draft it had gone
      from 600-odd pages to 900+.

   7. The 1st edition was chock full of real world examples -
      personally, I found these very engaging. Can you give a taste of
      new examples?

      There are plenty of new examples, from postal meters through API
      security to terrorism. I've also expanded the scope, so that
      physical security doesn't just mean alarms but also locks
      (including recent results on lock bumping) and environmental
      security - why it is that some neighbourhoods have crime and
      others don't. In addition, I've added chapters on economics and
      psychology which open up new examples of different kinds. Both
      approaches are needed in a world where the most rapidly-growing
      types of fraud involve deception and where systems are less and
      less under the control of single organisations.

   8. What is your vision for security engineering in the next 5 years?

      We'll be dealing more and more with complex socio-technical
      systems, in which we have to consider people as well as servers
      and software, and which will evolve over time in response to all
      sorts of economic and political pressures. This isn't just about
      security and its cousin dependability, it's much broader than
      that. It's something truly new, that hasn't existed before.
      Anticipating both the opportunities and the threats will be really
      important for companies, for governments, and for everybody.

I'd like to thank Ross for agreeing to do this interview, especially as
he was on holiday at the time.

Frankly, I'm just blown away by the 300 pages of extra content. How many
respected Infosec authors even get close to that?

[Update: Ross just emailed to say he received his first copies of the
book - the actual page count is 1040!]

___________________________________________________
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn