Security knowledge is becoming increasingly important, even for those who don’t have much time to devote to the subject. To help you on your way, SAP’s security product management will provide a series of resource reviews so you can invest time wisely.
This set of summaries of security-related books, articles, and Web resources will all follow roughly the same pattern: brief introduction of the author (what qualifies the author to write about security), target audience (who should read the resource), and the approach, structure and topics covered in the resource (what can you expect from it).
10 Oct 2000
We start with Ross Anderson's book "Security Engineering – A Guide to Building Dependable Distributed Systems". Ross Anderson has accumulated security expertise over more than 25 years, both in academia and industry. Among other activities, Ross promotes the mindset of security engineering as the art of "building systems that continue to perform robustly in the face of malice".
This book is aimed at managers, architects, and designers who are responsible for developing secure applications. Note that the book contains no source code and is not necessarily a hacker book (although it shows how weak protection mechanisms can be fooled). As no background knowledge is required, Ross' book can be used as a sound introduction to key security concepts. However, it goes far beyond typical books about security that usually deal with cryptography or access control models.
Ross' book is the first to be explicitly dedicated to security as an engineering discipline. His key insight is that failures play an important role in successful design. By learning from errors, we develop a sense of the limitations of new technologies, and security is a domain where learning from errors is vital. However, it is still true that the same errors are repeated over and over again.
The main value of the book lies in providing a set of 14 real-life case studies that cover sensitive, complex application domains such as banking and bookkeeping, telecom system security, as well as copyright and privacy protection. Each case study is examined from an engineer’s point of view. What was the intention of the people that developed the application? What went wrong and why did security fail? The bottom line is that "many of these failures could have been foreseen if designers had just a little bit more knowledge of what had been tried, and had failed, elsewhere". In other words, the book can effectively be used as a workbook for architects and designers of secure applications.
The final part of the book gives guidance as to how security engineering can be implemented and what areas (such as regulatory compliance, corporate security policies, and risk management) are related to this new discipline.