Ross Anderson’s Security Engineering book

During my whole involvement in IT security I have read a significant number of publications and books on the subject, but among the best of them Ross Anderson's Security Engineering has been my preferred one, for a number of reasons. Some may argue that it is a bit outdated, since it was first printed in 2001, but the principles it exposes are still fundamental to a good understanding of the basics of IT security, and at the time of publication it was a new approach that I still consider worth reading.

What I really liked in his book is that Ross's vision of IT security is not only theoretical and technical (explaining protocols, cryptography and the various security schemes). He also wants the reader to understand that even when security measures have been designed by serious scientists and are widely deployed in real life, there are always ways to attack them, sometimes through approaches the designers never even considered, such as hardware or side-channel attacks. He also explains that since information technology is now integrated everywhere around us, including in ATMs and in medical and transportation systems, every single part of those businesses has to be checked and audited in order to prevent dramatic impacts that could even lead to deaths. It is important to work not only on the classical security issues, but also on those lateral threats.

Professor Ross Anderson has set up and runs a laboratory at the University of Cambridge that focuses on such attacks. Most of the staff and PhD researchers work on physical and tampering attacks involving electronics and physics, FPGA and processor security, and other great subjects that I had the opportunity to present at SSTIC 2003 and 2004. In 2003 I got in touch with Ross and offered to translate his book into French, but lack of time then made me abandon this huge project.

The good news is that Wiley has finally agreed to let Ross Anderson put his book online on his website. You can find it here. Enjoy!


SUMMARY

Professor Ross Anderson is one of the illustrious figures of the security world. His book "Security Engineering", written in 2001, is excellent and I consider it one of my favourites. While presenting the various domains of information systems security, he treats security problems from an angle that was new at the time: that of indirect attacks. Explaining that computing is now omnipresent, he starts from the principle that attackers have complete latitude in how they attack, including by using the most unusual methods such as hardware or electronic attacks. The laboratory he heads at the University of Cambridge specialises in these areas and is made up of an excellent team that is recognised worldwide.

All this to say that his book is now available online, on his website, the publisher Wiley having agreed to let Ross make it available to the public. Happy reading!

Bruno Kerouanton on September 20th 2006 in IT Security

One Response to “Ross Anderson’s Security Engineering book”

  1. Bruno Kerouanton » Ross Anderson's book : New edition ! responded on 21 Apr 2008 at 18:20

    […] already had posted an article about Ross Anderson’s first edition of his excellent book Security Engineering in 2006. Ross […]
