Security Engineering — Third Edition

I've written a third edition of Security Engineering. The e-book version is available now for $42 from Wiley and for $47 from Amazon; paper copies are now shipping from Wiley USA and UK.

You can order the paper book from Wiley here but if you prefer Amazon, click here for delivery in the USA and here for the UK.

Here are fifteen teaching videos we made based on the book for a security engineering class at Edinburgh, taught to masters students and fourth-year undergrads:

• Lecture 1: who is our adversary?
• Lecture 2: threat models and security policies
• Lecture 3: banking security
• Lecture 4: payment security
• Lecture 5: security economics
• Lecture 6: security psychology
• Lecture 7: network security
• Lecture 8: hardware security
• Lecture 9: hardware security
• Lecture 10: operating system security
• Lecture 11: virtualisation, containers and sandboxes
• Lecture 12: app stores, supply chains and ecosystem security
• Lecture 13: safety and security
• Lecture 14: assurance and sustainability
• Lecture 15: governance and regulation

Here are the seven sample chapters as I last put them online for review:

• Preface
• Chapter 1: What is Security Engineering?
• Chapter 2: Who is the Opponent?
• Chapter 3: Psychology and Usability
• Chapter 4: Protocols
• Chapter 5: Cryptography
• Chapter 6: Access Control
• Chapter 7: Distributed Systems
• Chapter 8: Economics
• Chapter 9: Multilevel Security
• Chapter 10: Boundaries
• Chapter 11: Inference Control
• Chapter 12: Banking and Bookkeeping
• Chapter 13: Physical Protection
• Chapter 14: Monitoring and Metering
• Chapter 15: Nuclear Command and Control
• Chapter 16: Security Printing and Seals
• Chapter 17: Biometrics
• Chapter 18: Physical Tamper Resistance
• Chapter 19: Side Channels
• Chapter 20: Advanced Cryptographic Engineering
• Chapter 21: Network Attack and Defence
• Chapter 22: Phones
• Chapter 23: Electronic and Information Warfare
• Chapter 24: Copyright and DRM
• Chapter 25: Taking Stock
• Chapter 26: Surveillance or Privacy?
• Chapter 27: Secure Systems Development
• Chapter 28: Assurance and Sustainability
• Chapter 29: Beyond 'Computer Says No'
• Bibliography

Endorsements:

‘Best computer security book published to date’
Gary McGraw

‘Buy buy buy read read’
Ben Goldacre

I'm very grateful to the dozens of people who pointed out errors and omissions. We've found a few more since going to press, as one does; here are the third edition errata.

With both the first edition in 2001 and the second edition in 2008, I put six chapters online for free at once, then released the others four years after publication. For the third edition, I negotiated an agreement with the publishers to put the chapters online for review as I wrote them. So the book came out by instalments, like Dickens' novels, from April 2019 to September 2020. On the first of November 2020, all except seven sample chapters disappeared from this page for a period of 42 months; I'm afraid Wiley insisted on that. But after that, the whole book will be free online forever.

This approach was inspired by the collaborative authorship model pioneered by my late friend and colleague David MacKay for his great books on sustainable energy and coding theory.

I made a video for the launch, which you can watch here. For comments, see our blog here, Bruce Schneier's blog here and El Pais here.

The Second Edition (2008)

Download for free here:

• Table of contents
• Preface
• Acknowledgements
• Chapter 1: What is Security Engineering?
• Chapter 2: Usability and Psychology
• Chapter 3: Protocols
• Chapter 4: Access Control
• Chapter 5: Cryptography
• Chapter 6: Distributed Systems
• Chapter 7: Economics
• Chapter 8: Multilevel Security
• Chapter 9: Multilateral Security
• Chapter 10: Banking and Bookkeeping
• Chapter 11: Physical Protection
• Chapter 12: Monitoring and Metering
• Chapter 13: Nuclear Command and Control
• Chapter 14: Security Printing and Seals
• Chapter 15: Biometrics
• Chapter 16: Physical Tamper Resistance
• Chapter 17: Emission Security
• Chapter 18: API Security
• Chapter 19: Electronic and Information Warfare
• Chapter 20: Telecom System Security
• Chapter 21: Network Attack and Defence
• Chapter 22: Copyright and DRM
• Chapter 23: The Bleeding Edge
• Chapter 24: Terror, Justice and Freedom
• Chapter 25: Managing the Development of Secure Systems
• Chapter 26: System Evaluation and Assurance
• Chapter 27: Conclusions
• Bibliography
• Index

• Buy from Amazon.com
• Buy from Wiley
• Buy from Amazon.co.uk (Kindle version)

Endorsements:

‘There is an extraordinary textbook written by Ross Anderson, professor of computer security at University of Cambridge. It’s called Security Engineering, and despite being more than 1,000 pages long, it’s one of the most readable pop-science slogs of the decade.’
Ben Goldacre

‘I'm incredibly impressed that one person could produce such a thorough coverage. Moreover, you make the stuff easy and enjoyable to read. I find it just as entertaining — and far more useful — than novels (and my normal science fiction). When I first got it in the mail, I said to myself "I'm never going to read all of that." But once I started reading I just kept going and going. Fantastic: well done. Now, let's hope that all those in charge of security for information technology will also read the book and heed the lessons.’
Don Norman

‘The book that you MUST READ RIGHT NOW is the second edition of Ross Anderson's Security Engineering book. Ross did a complete pass on his classic tome and somehow made it even better...’
Gary McGraw

‘It's beautiful. This is the best book on the topic there is’
Bruce Schneier

Errata and supplementary materials: Here are the errata for the second edition, and here's a page of notes and links concerning relevant topics that I've come across since publication.

This book was developed from material taught in three courses at Cambridge:

• the first part in second-year Introduction to Security (course material and past exam questions)
• the second in third-year Security (course material and questions), and
• the third part in our second-year Software Engineering (course, questions and still more questions).

The first edition (2001)

You can also download all of the first edition for free:

The foreword, preface and other front matter

1. What is Security Engineering?
2. Protocols
3. Passwords
4. Access Control
5. Cryptography
6. Distributed Systems
7. Multilevel Security
8. Multilateral Security
9. Banking and Bookkeeping
10. Monitoring Systems
11. Nuclear Command and Control
12. Security Printing and Seals
13. Biometrics
14. Physical Tamper Resistance
15. Emission Security
16. Electronic and Information Warfare
17. Telecom System Security
18. Network Attack and Defense
19. Protecting E-Commerce Systems
20. Copyright and Privacy Protection
21. E-Policy
22. Management Issues
23. System Evaluation and Assurance
24. Conclusions
25. Bibliography

My goal in making the first edition freely available five years after publication was twofold. First, I wanted to reach the widest possible audience, especially among poor students. Second, I am a pragmatic libertarian on free culture and free software issues; many publishers (especially of music and software) are too defensive of copyright.

If you own the first edition of my book, I hope you liked it enough to upgrade to the second and third editions. I also have online errata for the first edition here.

There are reviews of the first edition, which was translated into Japanese, Chinese and Polish.

Return to Ross Anderson's home page