The best information security book I ever read is….

Posted on by Ben Rothke

Hands down, the best book I have read to date is Security Engineering: A Guide to Building Dependable Distributed Systems by Ross Anderson.  The second edition came out in 2008. 

If you are looking for 50 pages of screen prints on how to install and configure a printer under Windows, this is the wrong book for that. What Anderson does, in great detail and with lucidity, is particularizing all of the aspects that are required to create a security infrastructure. He relentlessly reiterates that security must be engineered into information systems from the outset. When security is retrofitted into an application or system, it is never as effective. 

Anderson defines security engineering as "building systems to remain dependable in the face of malice, error or mischance. As a discipline, it focuses on the tools, processes and methods needed to design, implement and test complete systems, and to adapt existing systems as their environment evolves." 

The book covers every domain of computer security. As noted security guru Bruce Schneier writes in the book's foreword "If you're even thinking of doing any security engineering, you need to read this book." Schneier's comment compliments his own attitude that security is not a product, rather a process. Going with that mantra, Anderson demonstrates in exhaustive detail how information security must be implemented in every aspect of the information system's infrastructure in order for systems to be dependable and secure. 

Anderson lays the groundwork on how to build a secure and dependable system. Every aspect of information security is discussed in the book -- from passwords, access control, and attacks, to physical security and policy. Additionally, relevant and timely topics such as information warfare, privacy protection, access control, and more are discussed. This is the only book that covers the end-to-end spectrum of security design and engineering. 

While many of the chapter topics may sound unexciting, Anderson has a wonderful writing style and at times reads almost like a Tom Clancy thriller with its details of military command and control systems and other similar topics. Anyone responsible for information security should read Security Engineering.

Ben Rothke

Senior Information Security Manager, Tapad

data security

Blogs posted to the website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.

Share With Your Community

Related Blogs