The world has changed in the seven years since the first edition of this seminal book was published. Anyone involved in designing any kind of security system should read this second edition.

This is not just a textbook for students. It's a book that should be required reading for everyone involved in designing any kind of security system, whether what's being protected is an airplane full of passengers or a personal computer.

Security is a process, not a product. One of the more helpful consequences of this principle is that Security Engineering is not a particularly technical book; Anderson covers his many technical subjects in plain, well-written, English. The book, as Anderson explains, grew out of his notes for the course on the subject that he teaches at Cambridge; he began writing the book in the late 1990s because existing books didn't cover the same ground. Even now, most books on security either talk about specific tools such as cryptography or securing individual applications and operating systems.

Look, by comparison, at the list of just some of the topics Anderson covers: usability, psychology, access control, economics, banking, nuclear command and control, copyright and digital rights management, terrorism. For the subjects relating to types of applications, he includes not only explanations of the basics and the technologies and system designs involved, but a section on what goes wrong with those systems, plus an outline of areas needing further research. Economics and psychology may seem peripheral, but both are key to building security correctly: psychology helps an engineer understand how users — often the biggest vulnerability in any system — think, while economics, particularly game theory, helps analyse incentives. The point is, it's not enough to have tools and know what their features are: designing good security is much more complex than that.

At the 2008 Black Hat conference, a court ruling stopped a team from MIT from presenting the results of research into vulnerabilities in the implementation of RFID payment cards in use on Boston's mass transit system. The incident serves as a reminder that disclosing security information can still be controversial. Anderson takes the view that the 'bad guys' already know this stuff and that the 'good guys' will benefit much more.

If you're in any doubt about whether you need this book, you can sample it for yourself online: six chapters of the new edition and the full text of the first edition are all available for download for free.

Copyright © 1995-2009 CBS Interactive Limited. All rights reserved
ZDNET is a registered service mark of CBS Interactive Limited. ZDNET Logo is a service mark of CBS Interactive Limited.