Security Engineering: Third Edition

I’m writing a third edition of my best-selling book Security Engineering. The chapters will be available online for review and feedback as I write them.

Today I put online a chapter on Who is the Opponent, which draws together what we learned from Snowden and others about the capabilities of state actors, together with what we’ve learned about cybercrime actors as a result of running the Cambridge Cybercrime Centre. Isn’t it odd that almost six years after Snowden, nobody’s tried to pull together what we learned into a coherent summary?

There’s also a chapter on Surveillance or Privacy which looks at policy. What’s the privacy landscape now, and what might we expect from the tussles over data retention, government backdoors and censorship more generally?

There’s also a preface to the third edition.

As the chapters come out for review, they will appear on my book page, so you can give me comment and feedback as I write them. This collaborative authorship approach is inspired by the late David MacKay. I’d suggest you bookmark my book page and come back every couple of weeks for the latest instalment!

48 thoughts on “Security Engineering: Third Edition

  1. Re:
    Security Engineering: Third Edition, Ch.24
    nicely done. Typos (not exhaustive):

    page 743 near the bottom
    “could either either use their”

    page 746 near the bottom
    “that they simply obeying”

    page 747 near the bottom
    “that this was make it easier”

    1. Security Engineering, Third Edition,

      page 108, chapter 4.1
      Tdiagnostichey often involve interaction,

      page 119, chapter 4.4
      A pirate device can inserts extra pulses

      page 127, chapter 4.8
      there are morer subtle attacks

    2. I apologize, email is brokenly relayed at the mo.

      SEv3-ch3-june29.pdf ERRATA

      the fraudster get the mark to concentrate [ “got” rather than get? ]

      who has got to be root [suggest “who has gained root access” ]

      that he wrote afterwards [ back tic missing after title ]

    3. Looking good.

      The roadblock to the videos for me is that U-tube expects a log-in to download them for viewing off-line: And public libraries limit one’s freedoms.

      Thanks just the same!

  2. Beautifully written preface. Maybe more emphasis on data and semantic interoperability over the lifetime of chip embedded products and digital services. Very interested to see if you have something to say about what I believe was the evolution of Bletchley Park to GCHQ.

  3. Don’t you think the preface should mention Stuxnet, “cyber war”, SCADA etc.? To my mind that is a much bigger game changer than Snowden. You should also consider including in the preface the topics of economics as well as people issues like personality and culture.

  4. NZ is in the process of responding to the Christchurch mosque attacks, in particular look hard at control of online hate speech.

    It would be interesting to see your opinion on how this issue should be handled.

    Previously Internet Service Providers have rightly argued that they are neutral carriers like postmen.

    They are not responsible for the content of the letters they deliver.

    But to the extent a service provider _looks_ inside a conversation, to datamine and monetized that information, then yes, they bear responsibility for what they deliver.

  5. Maybe a few words about what you mean with online property crime p.32 would be helpful. AS terms as intelectual property could add up to a confusion here.

  6. I downloaded those PDF files, and I have noticed that they don’t have the model tree available for quick navigation to different sections within the chapter. It would be helpful if that was available

  7. Page 47, second paragraph:

    … it wanted both him and the investigator to declare
    that the paper hadnˆa˘A´Zt relied upon …

    Looks like some sort of encoding issue. I am using Adobe acrobat on Windows 10.

  8. Page 74, first paragraph:

    … arguing that the propositional attitudes we use
    to reason ˆa˘A¸S beliefs, desires and perceptions ˆa˘A¸S some down to the intentions
    of people and animals.

    Again, some sort of encoding issue. I am using Adobe acrobat on Windows 10.

  9. Page 79, section 3.3.2

    … Wilson researched and appeared in nine series of TV programs …

    nine seasons would be easier to understand by most readers, even British ones.

  10. Page 81, 4th paragraph:

    … In the same year, the UK privacy authorities prosecuted a private detective agency that did blagging jobs for top law firms [834].

    You have only used the word “blagging” once in the whole chapter without defining what it means. (I think it refers to social engineering over the telephone).

  11. Surveillance and Privacy chapter

    p. 729, para. 2: FTC, not FDA, punishes privacy policy violations in U.S.

    p. 736, para 3: you might want to include mention of SCOTUS decision in US vs. Carpenter, 2018, which concerns requirement of warrants for cellphone location data.

    p. 753, Sec. 24.4, first para. last sentence: typo — “underling” for “underlying”

  12. P. 61 of the SEv3-ch2-May16.pdf file:
    “As a result, nations are more likely to make strategic miscalculations, *which* could lead not just to cyber conflict*,* but the kinetic variety too.”

    Great read thanks

  13. p. 437 iris recognition

    Iris recognition might not be that accurate in terms of security. People leave high definition pictures of them everywhere and contact lens detection is in its infancy.

  14. p. 269 Second Paragraph DRM

    DRM is not at all dead, it just moved into the browser or the proprietary app. Further I strongly urge to use the term copyright infringement as this has absolutely nothing to do with patents, trademarks et al.

  15. It would be useful if you would put up the new references list. It is sort of doable to match the new reference numbers (with context) with the old list, but not very convenient.

  16. In the chapter on biometrics you mention that it is offensive to use words like goats for people. This makes sense, not least due to racial epithets like gorilla having been used in practice (

    However, in other parts of the chapter you actually use animal terms. Perhaps you can be more consistent and avoid such terms?

  17. “… European law also restricts trucks to 100 km/h on freeways …..”

    This is probably wrong. The median maximum speed limit on European roads for trucks is either 80 or 90.

  18. “When the operator is ordered to produce charts and supporting documents
    such as pay records, weigh station slips and ferry tickets, his office may well
    conveniently burn down. (It’s remarkable how many truck companies operate
    out of cheap wooden sheds that are a safe distance from the trucks in their

    Any source for this?

  19. “By now, the reader might feel a certain cynicism about anything called ‘smart’. The regulations are a further move in the direction of pervasive enforcement, but fight shy of demanding that vehicle units keep detailed GPS history. Privacy law in some countries would make that difficult; in egregious cases, such as toxic waste dumping, the authorities can always subpoena the driver’s mobile phone history.”

    You should probably also mention that most modern vehicle all have internal phones. At least for all new vehicle below 3,5t eCall is mandatory. Interestingly this is not mandatory for heavy trucks, not even the ones carrying hazardous materials. I guess this is due to lobbying, although I do not have any proof. Anyhow this will probably not be postponed forever.

  20. Here firstly, I’m so lucky to have such a wonderful some kind of people like you all to help me finding answers and solutions for my phone’s, I forget to say Thanks for the help and I’m sorry for the late. However, the truth is I’m verry don’t like this situation cause it must have some thing like a miracle to show you the way. And, what the must important here, is trust and believe. I’m sorry for my bad written in English. Anyway. Thank you all so much for the helping on me. Bye everyone. 😉

  21. Hi! When will the book be coming out? The Cambridge web page says 2020-1, Wiley seems to list it well into 2021 (either that, or some major online bookshops have made up their own release dates).

  22. 21.2.6 Email

    Maybe important side fact is that PGP was on the US export control list for all long time. So is was not possible for any American Company to include this into there programs such as Windows. Which probably is part of why a network effect never kicked in.

  23. Chapter 25, page 805. Duplicate word. “arguing arguing”.

    The Elec-tronic Privacy Information Center15had been arguing arguing ever since theCambridge Analytica scandal broke that Facebook had violated the terms of its2011 settlement with the FTC.

  24. It is stirring to see that the web address for Peter Gutmann’s “A Cost Analysis of Windows Vista Content Protection” still works. But please could you use more durable links:
    DOI, Internet Archive, WebCite,

    Thanks very much

  25. Chapter 25, P781
    “Many of the attacks hinge on specific applications, as does much of the coll research.”
    ?college research?

  26. 25.2 “The world’s navies develop underwater mines, autonomous submersibles to find them, and much else.” <– and much more.

  27. Chapter 13 is listed as “Physical Protection” but is actually titled “Locks and Alarms” when opened.

  28. It was a pleasure to read the book – love the word “eventually”. Had some contributions to functional safety the last 20 years – found a difference to security I noticed sometimes before. In safety we do things only when we believe them to be reasonably safe and measures to be adequate. In security as described in the book, seems that things are done in a functional way and perhaps some security measures are implemented. The last security standard I read was the automotive one and the message of all pages is – “the organization shall provide a security organization”.

    So please, please don’t get stuck here! Go for an adequate technical standardization.

    Examples correlating to the book:

    1) 17 years ago I was asked by an automotive tier 1 about the safety implications of having a communication device (navigation, phone) connected to the CAN. My answer was simple: do not connect Tx and find a solution for ACK of dedicated Rx-messages, if any, e.g. ACKing by another node. This proposal was not accepted, so you could write the story about safety implication of security in cars.

    2) In Germany the government’s Gematik decided the health records to be encrypted, but no part of the key is handed over to the patient. This would have been possible, as the records are only subject to change if the patient is present in a cabinet or hospital. Smartcard and password are used as an index to the database and as an authorization management key. The example with the hospital from the book will happen in Germany, there will be misuse by “authorized organizations”; or a future government could decide to use data for “research organizations” (in the best case), “Euthanasie”, finding “terror critical individuals”, as this is the best “Stasi” records ever seen.
    A security standard, imposing that in case sensitive data from many individuals is stored in a central database, part of the encryption key needs to be given to the individual, who could decide with whom to share information seems to be unavailable. GDPR could have done it – but it didn’t. By the way the smartcard-B identifying the medical cabinet to the infrastructure is stored in the patient’s terminal and theft protected by a (signed!) piece of paper and a PIN which turned out to be the same in nearly all cabinets, used by a certified installer, no LAN encryption apart optional TLS (known broken in Windows for MITM till spring 2020) ,… I found an endless list of design failures, which would not have been tolerated if any safety standard (like 61508) had been used with a kind of safety requirement: e.g. SIL 1 Ensure protection of data for every patient. I was totally frustrated reading your comments about CC-certification. This system is CC-certified. Last, in Germany the dysfunctional system it is not cheaper than in England… Perhaps the gematik should have had a glance in your book.

  29. I don’t know if this is too late, but anyway –

    Security Engineering – forthcoming third edition

    Chapter 1, section 1.7 Definitions – page 32

    Near the head of the page there are 3 (three) occurrences of
    duty of confidence
    I think all 3 (three) should be
    duty of confidentiality
    because “confidentiality” is being defined, and it makes more sense.

  30. Security Engineering – forthcoming third edition

    Chapter 3, Psychology and Usability
    section 3.2.1 Cognitive psychology
    page 79 about optical flow
    they contain receptions for specific aspects
    should be
    they contain receptors for specific aspects

    section 3.2.2 Gender, diversity and interpersonal variation
    page 80 – second paragraph
    it’s not out fault
    should be
    it’s not our fault

    page 81 – first paragraph
    groups who have been sigmatised
    should be
    groups who have been stigmatised

  31. The page footer (book title and author) is not being applied evenly, i.e. missing on page 1, 22, 35, 75, 125, … throughout the whole book.

    On page 751, the titles of the 2 figures are overlapping.

    On page 1020, the first link is not wrapped to the next line, creating a larger page.

  32. 2ed was so awesome, I lamely never finished it.

    I noticed that API Security didn’t make the cut this time. Is single sign on covered? and other authentication methods?

    Does this book have coverage of ABAC? I’d really like to find a good source of material on implementing ABAC and when to use it over DAC, MAC, and RBAC. also seems like MAC? is becoming more used. in application execution authorization, or at least it seems like Apple is now using a technology similar to SELinux to authorize applications and access… maybe it’s actually a DAC I’m not certain…

  33. Is there, can there be a “diff” breakdown of the book? a “read this if you read the second edition”? or is it really a read the whole book?

  34. Is there a published errata for the published third edition?
    One to add in section Bob returns M⊕xA⊕xB and Alice finally sends him M⊕xA⊕xB

  35. “a *linear* transformation in which each input bit in one round is
    the exclusive-or of several output bits in the previous round” – should this be nonlinear? As indeed stated in

    5.5.7 “GCM and other authenticated encryption modes expand the plaintext by adding
    a *message key* and an authenticator tag.” – should this be IV?

Leave a Reply

Your email address will not be published. Required fields are marked *