"Security engineering is different from any other kind of programming. . . . if you're even thinking of doing any security engineering, you need to read this book."

— Bruce Schneier

"This is the best book on computer security. Buy it, but more importantly, read it and apply it in your work."

— Gary McGraw

This book created the discipline of security engineering

The world has changed radically since the first edition was published in 2001. Spammers, virus writers, phishermen, money launderers, and spies now trade busily with each other in a lively online criminal economy — and as they specialize, they get better. New applications, from search to social networks to electronic voting machines, provide new targets. And terrorism has changed the world. In this indispensable, fully updated guide, Ross Anderson reveals how to build systems that stay dependable whether faced with error or malice.

Here's straight talk about

• Technical engineering basics— cryptography, protocols, access controls, and distributed systems

• Types of attack— phishing, Web exploits, card fraud, hardware hacks, and electronic warfare

• Specialized protection mechanisms— what biometrics, seals, smartcards, alarms, and DRM do, and how they fail

• Security economics— why companies build insecure systems, why it's tough to manage security projects, and how to cope

• Security psychology— the privacy dilemma, what makes security too hard to use, and why deception will keep increasing

• Policy— why governments waste money on security, why societies are vulnerable to terrorism, and what to do about it

The world has changed radically since the first edition of this book was published in 2001. Spammers, virus writers, phishermen, money launderers, and spies now trade busily with each other in a lively online criminal economy and as they specialize, they get better. In this indispensable, fully updated guide, Ross Anderson reveals how to build systems that stay dependable whether faced with error or malice. Heres straight talk on critical topics such as technical engineering basics, types of attack, specialized protection mechanisms, security psychology, policy, and more.

The book is a security design manual for embedded systems, the only one of its kind, thought to be a seminal work and controversial in high-level circles because because of the powerful algorithms presented within. The author gets right to providing the crucial do's and don'ts of creating high quality security software that works to prevent all manner of security breaches. The revisions and updates include more than 200 new pages on Vista, Xen, phishing, Google issues, declassified military doctrine, "Richard Clarke issues," Skype, mobile fraud, music security issues, antitrust issues, and more.

Ross Andersonis Professor of Security Engineering at Cambridge University and a pioneer of security economics. Widely recognized as one of the world's foremost authorities on security, he has published many studies of how real security systems fail and made trailblazing contributions to numerous technologies from peer-to-peer systems and API analysis through hardware security.

Preface to the Second Edition.

Foreword by Bruce Schneier.

Preface.

Acknowledgments.

Part I.

Chapter 1 What Is Security Engineering?

Chapter 2 Usability and Psychology.

Chapter 3 Protocols.

Chapter 4 Access Control.

Chapter 5 Cryptography.

Chapter 6 Distributed Systems.

Chapter 7 Economics.

Part II.

Chapter 8 Multilevel Security.

Chapter 9 Multilateral Security.

Chapter 10 Banking and Bookkeeping.

Chapter 11 Physical Protection.

Chapter 12 Monitoring and Metering.

Chapter 13 Nuclear Command and Control.

Chapter 14 Security Printing and Seals.

Chapter 15 Biometrics.

Chapter 16 Physical Tamper Resistance.

Chapter 17 Emission Security.

Chapter 18 API Attacks.

Chapter 19 Electronic and Information Warfare.

Chapter 20 Telecom System Security.

Chapter 21 Network Attack and Defense.

Chapter 22 Copyright and DRM.

Chapter 23 The Bleeding Edge.

Part III.

Chapter 24 Terror, Justice and Freedom.

Chapter 25 Managing the Development of Secure Systems.

Chapter 26 System Evaluation and Assurance.

Chapter 27 Conclusions.

Bibliography.

Index.