Security Engineering - Part 3

This page contains new material and links for part 3 of my book `Security Engineering'. These four chapters cover the management, policy and assurance aspects of security engineering. For reference, here are the table of contents and the bibliography. The errata for the print version, including for the bibliography, are at the end.

On page 521, I used reliability growth ideas to estimate that there were about three dozen errors of substance remaining in the book. By the first pass at these errata pages, in January 2003, I'd found or been told of about six. So far so good ...

New material and links

Security Disclosure Guidelines: The debate on whether vulnerabilities should be disclosed, kept secret, or kept secret for a limited period is settling in favour of the limited-period approach, as I recommended in section 23.4.3. The current proposal from a consortium of security companies is that a researcher finding a vulnerability should allow up to 67 days - 7 days for the vendor company to respond, then a further 30 days to release a patch, and publish the vulnerability 30 days after that.

Regulatory arbitrage: At p 458 (second last para), I remarked that calls made from phone boxes were `free to market', and people have asked what this means. It is slang used by signals intelligence people meaning that such calls don't need separate authorisation by warrant, merely the easily obtained consent of the phone company. In general, as legislatures enact more controls on surveillance, the agencies look for ways round them. The increased use of traffic data is one example, and the principle applies in the regulatory sphere as well. For example, Commerce Undersecretary William Reinsch admitted at EPIC 1998 that export controls were `neither fair nor effective, but available' (i.e. implementable without prior scrutiny by the legislature or judiciary, being a Foreign Affairs matter in the gift of the Executive branch).


Thanks to Austin Donnelly, Mike Ellims, Sam Simpson, Stuart Wray and Stefek Zaba