Engineering Security

As an industry, we’ve been trying to build secure systems for many decades now, particularly in the last fifteen years or so as a combination of the penetration of the Internet into everyday life and the increasing use of computerised devices and systems has enabled attacks at a scope and scale never before possible. In all of that time, we’ve gathered quite a bit of insight into what works and what doesn’t. Like Ross Anderson’s excellent book Security Engineering, this book talks about all of the things that conventional security books usually don’t: Stories of problems with secure (or, to be more accurate, allegedly secure) systems that turned out to be not so secure when they were exposed to attack. 

It also devotes quite a bit of space to discussing why some mechanisms and systems that have been proposed as solutions to various problems don’t actually solve them, and in some cases don’t really solve any problem at all (to use a phrase that comes up several times in this book, they don’t defend against anything that attackers are doing).