Security engineering
Security engineering is a specialized field of engineering that focuses on the security aspects in the design of systems that need to be able to deal robustly with possible sources of disruption, ranging from natural disasters to malicious acts. It is similar to other systems engineering activities in that its primary motivation is to support the delivery of engineering solutions that satisfy pre-defined functional and user requirements, but with the added dimension of preventing misuse and malicious behavior. These constraints and restrictions are often asserted as a security policy.
In one form or another, security engineering has existed as an informal field of study for several centuries. For example, the fields of locksmithing and security printing have been around for many years.
Due to recent catastrophic events, most notably 9/11, security engineering has become a rapidly growing field. A report completed in 2006 estimated that the global security industry was valued at US$150 billion.
Security engineering involves aspects of social science, psychology (such as designing a system to 'fail well' instead of trying to eliminate all sources of error) and economics, as well as physics, chemistry, mathematics, architecture and landscaping. Some of the techniques used, such as fault tree analysis, are derived from safety engineering.
Other techniques such as cryptography were previously restricted to military applications. One of the pioneers of security engineering as a formal field of study is Ross Anderson.
Typical qualifications for a security engineer are:
- Security+ - Entry Level
- Professional Engineer, Chartered Engineer, Chartered Professional Engineer
- Certified Protection Professional (CPP) - International certification by ASIS International
- Physical Security Professional (PSP) - International certification by ASIS International
- Certified Information Systems Security Professional (CISSP)
However, multiple qualifications, or several qualified persons working together, may provide a more complete solution.
The two possible default positions on security matters are:
1. Default deny - "Everything, not explicitly permitted, is forbidden"
2. Default permit - "Everything, not explicitly forbidden, is permitted"
- Allows greater functionality by sacrificing security.
- This is only a good approach in an environment where security threats are non-existent or negligible.
- See computer insecurity for an example of the failure of this approach in the real world.
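The two stances differ most on requests the policy author never anticipated. The following is an added example, not part of the original article; the rules, addresses and ports are constructed for a hypothetical host, and first-match rule evaluation is an assumption of the example:

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    effect: str   # "permit" or "forbid"
    src: str      # source network in CIDR form
    port: int     # destination TCP port

def decide(rules, default, src_ip, port):
    """First matching rule wins; otherwise the stance's default applies."""
    addr = ipaddress.ip_address(src_ip)
    for rule in rules:
        if port == rule.port and addr in ipaddress.ip_network(rule.src):
            return rule.effect
    return default

# Constructed policies for the same hypothetical host: (rules, default).
DEFAULT_DENY = ([Rule("permit", "0.0.0.0/0", 443),
                 Rule("permit", "10.0.0.0/8", 22)], "forbid")
DEFAULT_PERMIT = ([Rule("forbid", "0.0.0.0/0", 23),
                   Rule("forbid", "0.0.0.0/0", 3389)], "permit")

# Constructed traffic: (source address, destination port, note).
REQUESTS = [
    ("203.0.113.7", 443, "public web traffic"),
    ("10.1.2.3", 22, "admin SSH from the internal network"),
    ("203.0.113.7", 22, "SSH from outside"),
    ("203.0.113.7", 23, "telnet"),
    ("203.0.113.7", 6379, "service nobody wrote a rule for"),
]

def compare(requests=REQUESTS):
    """Map (src, port) to (default-deny decision, default-permit decision)."""
    out = {}
    for src, port, _note in requests:
        out[(src, port)] = (decide(*DEFAULT_DENY, src, port),
                            decide(*DEFAULT_PERMIT, src, port))
    return out

if __name__ == "__main__":
    for (src, port), (deny_side, permit_side) in compare().items():
        print(f"{src:>12}:{port:<5} default-deny={deny_side:<7} "
              f"default-permit={permit_side}")
```

The last request is the one that matters: under default deny a newly exposed service stays unreachable until someone writes a rule for it, while under default permit it is reachable until someone notices and forbids it.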
- Security Requirements Analysis
- Security architecture
- Secure coding
- Security testing
- Security Operations and Maintenance
- Economics of security
- deter attackers from accessing a facility, resource, or information stored on physical media.
- protecting data from unauthorized access, use, disclosure, destruction, modification, or disruption to access.
- See esp. Computer security
- the economic aspects of privacy and computer security.
Technological advances, principally in the field of computers, have now allowed the creation of far more complex systems, with new and complex security problems. Because modern systems cut across many areas of human endeavor, security engineers need to consider not only the mathematical and physical properties of systems but also social engineering attacks on the people who use and form parts of those systems. Secure systems have to resist not only technical attacks, but also coercion, fraud, and deception by confidence tricksters.
According to the Microsoft Developer Network, the patterns & practices of security engineering consist of the following activities:
- Security Objectives
- Security Design Guidelines
- Security Modeling
- Security Architecture and Design Review
- Security Code Review
- Security Testing
- Security Tuning
- Security Deployment Review
These activities are designed to help meet security objectives in the software life cycle.
- Understanding of a typical threat and the usual risks to people and property.
- Understanding the incentives created both by the threat and the countermeasures.
- Understanding risk and threat analysis methodology and the benefits of an empirical study of the physical security of a facility.
- Understanding how to apply the methodology to buildings, critical infrastructure, ports, public transport and other facilities/compounds.
- Overview of common physical and technological methods of protection and understanding their roles in deterrence, detection and mitigation.
- Determining and prioritizing security needs and aligning them with the perceived threats and the available budget.
Whatever the target, there are multiple ways of preventing penetration by unwanted or unauthorised persons. Methods include placing Jersey barriers, stairs or other sturdy obstacles outside tall or politically sensitive buildings to prevent car and truck bombings. Improved methods of visitor management and some new electronic locks take advantage of technologies such as fingerprint scanning, iris or retinal scanning, and voiceprint identification to authenticate users.
Employers of security engineers
- US Department of State, Bureau of Diplomatic Security (ABET certified institution degree in engineering or physics required)
Use of the term engineer
Some criticize this field as not being a bona fide field of engineering because its methodologies are less formal or excessively ad hoc compared to other fields, and many practitioners of security engineering have no engineering degree.
Security engineering as a systems engineering discipline
Security engineering is not considered to be a true form of systems engineering by some. Part of the problem lies in the fact that while conforming to positive requirements is well understood, conforming to negative requirements requires complex and indirect posturing to reach a closed-form solution. In fact, some rigorous methods do exist to address these difficulties but are seldom used, partly because they are viewed as too old or too complex by many practitioners. As a result, many ad hoc approaches simply do not succeed.
- Ross Anderson (2001). Security Engineering. Wiley. ISBN 0-471-38922-6. http://www.cl.cam.ac.uk/~rja14/book.html.
- Ross Anderson (2008). Security Engineering - A Guide to Building Dependable Distributed Systems. Wiley. ISBN 0-470-06852-3.
- Ross Anderson (2001). "Why Information Security is Hard - An Economic Perspective"
- Bruce Schneier (1995). Applied Cryptography (2nd ed.). Wiley. ISBN 0-471-11709-9.
- Bruce Schneier (2000). Secrets and Lies: Digital Security in a Networked World. Wiley. ISBN 0-471-25311-1.
- David A. Wheeler (2003). "Secure Programming for Linux and Unix HOWTO". Linux Documentation Project. http://www.dwheeler.com/secure-programs. Retrieved 2005-12-19.
Wikimedia Foundation. 2010.