The world has changed radically since the first edition of this book was published in 2001. Spammers, virus writers, phishermen, money launderers, and spies now trade busily with each other in a lively online criminal economy and as they specialize, they get better. In this indispensable, fully updated guide, Ross Anderson reveals how to build systems that stay dependable whether faced with error or malice. Here's straight talk on critical topics such as technical engineering basics, types of attack, specialized protection mechanisms, security psychology, policy, and more.
An impressive technical book that looks at security in all its forms (physical, computer-based, social) and shows you the various ways security can be implemented and compromised.
This book also shows you why security should never be a 'by-the-way' or implemented after the fact but must be considered right at the start. Not only that, it also shows you why a world-view of security should be considered; it is not something that can only be targeted at one part of a system and expected to work.
Covering some theory of encryption and technical description of various security systems, the book goes on to show how security touches all our lives either directly (passwords) or indirectly (our privacy or safety).
The book provides plenty of examples of how security systems work and don't work. It includes examples from the author's personal experience, showing how even he has a hard time making sure that the systems he makes are really secure and showing how he has managed to break systems that other people claim are secure.
One of the more important aspects that the book covers is responsibility and deniability in security; how the desire to push responsibility on to other people or get plausible deniability when a breach occurs drives the way security is implemented. This, of course, causes distortions in the security model, making it even more likely that the security would be broken.
Whether you are interested in general security or only in one aspect of security, this is a good book to read. And after reading it, you will get a very good idea of how hard it actually is to make a system secure and why you must hire very capable people to do it and to avoid 'snake-oil' security implementations.
The First and Second Editions of this book are available as a free download.
Good book even though it is 10 years old. There are a lot of case studies, but it is useless if you know nothing about information security. The book is not a guide to building a dependable system but rather a guide to system failures.
I enjoyed the book and there were moments I couldn't stop reading. However, I think it was vague sometimes, but despite that, I can't tell if it was the author's mistake. The topic is hard; it is about deception, understanding it, and finding a way to defend against it. If something is easy to understand then it is not a deception! So beware, you'll need a lot of time to read this book, and you should think a lot about how deceptions work, and how the current way of defending against them might help.
This is the penultimate book about InfoSec. A friend once said, "Look, the app I'm making has nothing to do with security. It's for turning on lights." When their little program turned into a doorway for a nasty hackathon, they realized that all apps and APIs can be a doorway. So, I always recommend this to coders and really anyone heading into tech design/production. I mean, even hardware designs have security flaws.
I found it interesting how many topics this book had ties to. I found the perspective different than our typical briefings and work training. I did learn a lot and some new things about security breaches. I found it annoying the constant "we'll discuss this further in such-and-such section." The book could have probably been condensed a bit by optimizing the order and compiling similar sections. I also found he tended to drift into soapboxes as many engineers do.
This is for the Third Edition, released in 2020 and still phenomenal. I haven't found a better survey of the security engineering space yet, and highly recommend this to any security practitioner, especially people entering the field. I would have been significantly better off if I had read this back in undergrad.
I am reading the 3rd edition of this book; for me, a person who isn't strictly involved in this area, there is much that can be gleaned. The main complaint is a lack of "connection" between some of the topics, which are sometimes introduced with part of the context omitted, and the practical implications, which are not thoroughly explored.
The point of this book is that information security is everywhere. Infosec plays a huge role in:
* a friend or foe identification system on an aircraft,
* a tachograph in trucks,
* a prepaid card meter for electricity,
* and so on (hundreds of examples)
It's not an easy read. It's very impressive but boring at times. Anyway, I'm glad it raised my awareness about the subject.
Conversationally written but OLD. Very outdated as far as some of the examples (the author referred to Windows Vista as the latest Windows version). Concepts for the most part hold true but the book is old if you want something with up to date information and statistics.
It's a hard book to read, really hard, but it covers security engineering in a good way and has a lot of topics, ranging from how to affect manual systems (medical equipment) to cryptography. Read the book if you are ready to gain a lot of knowledge in the area, without time pressure.
It took me ages, but I eventually succeeded at reading this (3rd ed) cover to cover (minus bibliography). This book is simply fantastic, though I would describe it more as a history book than a "guide to building." It contains a host of fantastic anecdotes to go with the most comprehensive, systematically organized overview of security issues that I've yet seen, and I came away with nearly 400 highlights from the portions I read on my Kindle - simply reading those again will be like reading another book.
The book would be worth reading only as a guide to the 'Further Reading' sections, which provide excellent resources to go into depth into the many topics covered. To top it all off, the writing is quite good and reads like a series of "let me tell you about the time..." stories you'd hear from someone who's been there and done that. That's not to say it's always easy going; depending on the reader's interests some chapters will fly by and others will drag, but that is probably inevitable based on the breadth offered.
Altogether this work is exemplary and I'm thrilled that such an attempt has been made to cover a very expansive field. Certainly no one needs to read it cover to cover, but I'm glad I did. Highly recommended for those in the security realm, and very curious people.
I struggled a lot reviewing this book. Just finished reading the 3rd ed.
On one hand this book is highly respected amongst security professionals and Ross has done a great job bringing knowledge about all these disparate areas together. On the other hand, I hate the writing style; it's too chaotic/disorganized for me. The book is filled with historical tidbits and knowledge, but actually lacks any clear actionable advice or examples of good architectural patterns for engineering secure software.
Overall, I am quite disappointed. If one day I have a lot of free time and I want to read up on random security topics like details around banking and credit card security, I will open this book. For more practical/actionable content, I would look elsewhere.
A solid book on security, covering many aspects - threat modelling, vulnerability analysis, enforcement, assurance/certification - with a heavy focus on the economic interests of the various principals involved in security, both electronic and physical. The book is very readable; the stuff with scary maths is easily skimmed over, and the rest of the book is full of well-written, relevant and interesting examples. I didn't give this book 5 stars only because it was a little too general; it seemed more like a tour of various security domains sprinkled with examples, rather than a focused tome on trying to nurture in the reader a rigorous security engineering mindset.
Amazing, everything one could dream for in a technical textbook. I'd venture to say it's well-enough written that it might appeal to readers passingly interested in the subject or even bored sitters in a room with no other form of entertainment (these types might even want to carry it out of the unfortunate situation as thanks for the help in passing the time amicably). My favorite schoolbook since returning to duty.
I will do my best to recommend this book to anyone involved in IT. Despite being last updated 8 years ago almost every prediction about security engineering still holds true today. This isn't a technical how-to book to build distributed systems but teaches you the principles while entertaining you with real world examples from the writer's own experience.
Wow, it took me a while to finish this one. At first I tried to read it cover to cover but was unable to due to work, and I had trouble staying focused and interested, but after a while I had to skip some parts. Nonetheless the book is a great compilation of various security and side-fields which provide historical lessons and "what not to do" when building security systems.
I'm ashamed to say that it took me more than 2 years to finish this book. However, I think it is significant that even a fiction reader, like me, can enjoy this book. In my opinion, the book is losing relevance because even this second edition is now 7 years old. While reading it, there were many times that I wondered what the author would say about more recent developments.
Yes... It's a textbook, but an interesting one. It covers a wide range of security topics with plenty of supporting material, further reading, and even research ideas. The fact that it was updated recently and released for free as a PDF helps as well. Anyone interested in security should read this.
I took this as a pleasurable read, not for class work. I was curious in particular about how common physical security measures are implemented and in encryption methods. The book is a bit dated (2001), but I was not disappointed. I particularly liked the sections on bank and military security.