# Cyber Canon Book Review: Security Engineering

By [Ron Woerner](https://www.paloaltonetworks.com/blog/author/ron-woerner/?ts=markdown "Posts by Ron Woerner"), Sep 09, 2019, 7 minutes

[Cybersecurity Canon](https://www.paloaltonetworks.com/blog/category/canon/?ts=markdown), [Points of View](https://www.paloaltonetworks.com/blog/category/points-of-view/?ts=markdown), [Cybersecurity Canon Review](https://www.paloaltonetworks.com/blog/tag/cybersecurity-canon-review/?ts=markdown)

*We modeled the [Cybersecurity Canon](https://cybercanon.paloaltonetworks.com/) after the Baseball Hall of Fame and the Rock & Roll Hall of Fame, except for cybersecurity books. We have more than 25 books on the initial candidate list, but we are soliciting help from the cybersecurity community to increase the number. Please write a review and nominate your favorite.*

*The Cybersecurity Canon is a real thing for our community. We have designed it so that you can [directly participate in the process](https://cybercanon.paloaltonetworks.com/nominate-a-book/). Please do so!*

**Cyber Canon Book Review:** "Security Engineering: A Guide to Building Dependable Distributed Systems" (2nd edition, 2008), by Ross Anderson

**Book Reviewed by:** Cybersecurity Canon Committee Member Ron Woerner, RWX Security Solutions

**Bottom Line:** I recommend this book for the Cybersecurity Canon Hall of Fame.

**Review:**

If you could have only one cybersecurity book, it should be Ross Anderson's [*Security Engineering: A Guide to Building Dependable Distributed Systems*, second edition](https://www.cl.cam.ac.uk/~rja14/book.html). This book is **the** encyclopedia of everything about security. While the subtitle suggests it is only about distributed systems, it covers every topic associated with systems security, both technical and non-technical. It provides in-depth explanations of cryptography, multilevel security, biometrics, telecom system security and API attacks. It is more than a textbook or manual in that it also covers topics such as "Usability and Psychology," "Economics," "Physical Security," "Electronic Warfare," "Terror, Justice, and Freedom," and "The Bleeding Edge."

This review is of the second edition, which Dr. Anderson updated in 2008 because of the many changes that had occurred since the first edition. Don't let the date of the book fool you into thinking it's out of date. While technologies and terms may have changed, the concepts have not. For example, in the Preface (p. xxix) Dr. Anderson states, "*How good is all this new security technology? Unfortunately, the honest answer is "nowhere near as good as it should be." New systems are often rapidly broken, and the same elementary mistakes are repeated in one application after another.*" This is still true over ten years later.

Dr. Anderson is the perfect person to have written this book. He has had computer engineering experience since the 1970s, has worked in industry and academia for over 30 years, and this book reflects that mix. His industry experience includes aviation, banking, and technology development. Today, Dr. Anderson is a Professor of Security Engineering at the University of Cambridge and still writes on his [website](https://www.cl.cam.ac.uk/~rja14/) and [blog](https://www.lightbluetouchpaper.org/), both of which are also recommended reading. The writing style is conversational and easy to understand. He draws on experience and uses case studies as examples.

*Security Engineering* accomplishes multiple goals. It was written to help working engineers better secure systems. Its purpose, which it achieves, is to give a solid introduction to security engineering at four levels:

1. *As a textbook read cover-to-cover as an introduction to security.*
2. *As a reference book that provides an overview of the security workings of specific systems*, including ATMs, industrial systems, communications and medical records databases.
3. *As an introduction to underlying security technologies*, such as cryptography, access controls, tamper resistance (both physical and cyber), biometrics, emission control, etc. This is a basic roadmap for each subject, plus a reading list.
4. *As an original, scientific contribution providing common principles that underlie security engineering and the lessons that people building systems should learn.*

As he says in the foreword, his audience is Dilbert: the working programmer, systems administrator, business analyst or engineer who is "trying to design real systems that will keep on working despite the best efforts of customers, managers, and everybody else." It is useful to the established professional security manager or consultant as a first-line reference; to the computer science professor doing research in or teaching cryptology; to the working police detective trying to figure out the latest phishing scams; and to policy wonks struggling with the conflicts involved in regulating security, privacy, systems and anonymity.

Dr. Anderson divided *Security Engineering* into three parts:

1. A review of basic concepts of computing systems, such as usability and psychology, protocols, access controls, cryptography, updates, and economics. Yes, economics and psychology! Security is fundamentally both a financial and a human problem, solved through people, process and technology.
2. Details of specific computing applications, which are used to introduce more advanced technologies and concepts. Topic areas include military communications, medical record systems, financial machines, mobile phones, and pay-TV. It also considers information security from the viewpoint of a number of different interest groups, such as companies, consumers, criminals, police, and spies.
3. A review of organizational and policy issues: how computer security interacts with law, evidence and corporate politics; how we can gain confidence that a system will perform as intended; and how the whole business of security engineering can best be managed.

It's impossible to do justice to all of the content and context contained within the nearly 1,000-page *Security Engineering*. Below are some highlights:

* Chapter 1 describes the fundamentals of security: how security is much more than technology and requires cross-disciplinary expertise in areas like computer science, mathematics, physical and logical protection, as well as knowledge of economics, applied psychology, organizations and the law. Security professionals need to figure out what needs protecting, and how to do it. They also need to ensure that the people who will guard the system and maintain it are properly motivated. This chapter provides the high-level framework required in every security program. It uses four case studies as examples of this framework, which will resonate with any reader.
* *Security Engineering* goes into detail on cryptography, algorithms and managing encryption keys. Chapter 5 provides significant background on encryption modes of operation, symmetric and asymmetric cryptography, and hashing algorithms. These are the tools that underlie most modern security protocols. Any security professional studying for a certification exam should read this chapter for an in-depth, yet highly readable, explanation of these potentially challenging topics.
* Ross Anderson predicted much of the future of security. For example, in section 2.4.8, *The Future of Phishing*, he explains how phishing will morph into spear phishing and whaling: "Research has shown that the bad guys can greatly improve their yields if they match the context of their phish to the targets; so phish will get smarter and harder to tell from real emails, just as spam has." (p. 50) He wasn't entirely correct with this prediction: "I would not be surprised to see exclusive private banks issuing their customers with dedicated payment devices." Still, he wasn't so far off, with some banks providing multi-factor authentication devices.
* Not only does *Security Engineering* go into the aspects of security associated with all industries and systems, such as crypto, access control and authentication, and network attacks and defenses, but also into the verticals, with chapters on Banking and Bookkeeping, Electronic Warfare, and Telecommunications. These areas affect us all, no matter where you work.
* Dr. Anderson takes information from the experts at the time of writing. The bibliography itself is massive: 1379 references over 100 pages. If there's anything you need to learn about computing, it's in here. In today's Internet age, it's not so much what you know as whether you know where to find it. *Security Engineering*'s prose and bibliography provide the reference needed on every security professional's bookshelf.

No book is perfect. The challenge with this one is that some of the information is dated and has been overtaken by new technology. For example, Windows Vista and Passport are no longer used. Cloud computing, virtualization, mobile, and IoT were in their infancy when the second edition was written. Dr. Anderson addresses the concepts underlying these ideas but was unable to provide the details needed to securely engineer today's environments. Don't let this dissuade you from reading *Security Engineering*. The concepts haven't changed and apply to all new technologies.