Also, I really don't understand why this book gets so many recommendations. I can't figure out who the target audience is or how it adds value to the field. I think all that I can tell is that the target audience is not me.
To be honest, it feels like some of the Schneier books that give you a lot of those "Aha!" moments, but don't actually have a lot of information. Maybe I'm missing something.
Edit: Damn, this guy has been blogspamming HN twice a day for like a year. 5 submissions to his blog in the last 2 days.
I recommend it as a starting point for people who don't know what security is about. It is also good for people who think security is about cryptography. It's about thought process more than information.
Free is fine, but this book is worth acquiring in paper.
I have both editions and cannot recommend it enough.
If you are responsible for the security of any kind of system and have not read this book you may want to fix that asap.
I would recommend this for "non-security" software engineers. i.e. those that don't specifically work in your field, but who must (I'm sure you'll agree) have a basic overview of what comprises a secure system, and a flavour of the kind of problems security engineers face.
That's it though. It covers the essentials. It will not teach you cryptanalysis. But it may inspire a student to choose a career in security, as it is well-written and has interesting stories from history.
I particularly recommend Chapter 13: Nuclear Command and Control - it's not at all relevant to what my job is (I'm sure you couldn't say), but I found the problem of balancing "absolutely must not go off by accident" and "absolutely must go off if the president says so" quite fascinating.
So I can't recommend it to you, as you're not its target audience. But I recommend it to every other software engineer - the chapters are quite self-contained so you can easily spread the reading out over several months (as I did).
I have read the first edition, not the second yet.
There is very little good material written publicly about building secure systems rather than breaking them or fixing components. This book describes a series of systems (not just stand alone IT systems) and describes their security in their social / cultural / physical context.
It's not a patch and firewall compliance guide, it uses the systems word appropriately. There are no big methodologies or techniques, which is appropriate as these just don't exist at the scale this book discusses.
For technical 'breakers' moving into the world of building it's a useful book.
Most programmers are, I think, quite capable of designing and building software to a set of specifications. However, most would not, in the process, also try to think of all the ways in which users and attackers would try to break their software. This book provides a comprehensive introduction to security issues in general and particular ways in which systems can be broken (and protected).
It is not prescriptive by any means but reading it provides a level of security awareness that is frequently lacking.
Knuth once wrote that before writing tests for his programs, he puts himself in the meanest, nastiest mood he is capable of. I believe that this book can serve a similar purpose, in the security context, for those of us to whom deviousness and cunning do not come naturally.
Stitch those PDFs together while you grab coffee!
Run this in the directory where you just wgot the pdfs:
# Collect the PDFs in reading order (front matter, chapters, bibliography, index).
# The original "echo ls | grep index" only echoed the word "ls", so the index was never
# picked up; "ls | grep c" also matches "toc" and "ack" (and the output file), so those
# are filtered back out. Plain ";" instead of "&&" keeps going if one group has no match.
files=$(ls | grep toc; ls | grep pref; ls | grep ack; ls | grep c | grep -v -e toc -e ack -e SecurityEngineering; ls | grep bib; ls | grep index); gs -dBATCH -dNOPAUSE -q -sDEVICE=pdfwrite -sOutputFile=SecurityEngineering2ndEd.pdf $files
When you get back, you should have a single file, SecurityEngineering2ndEd.pdf (edit the command to name yours whatever you like).
Edit: This assumes you're running a unix variant and have ghostscript (gs) installed
Edit: Use this instead in case toomuchtodo's dropbox link doesn't work for you (like what happened for me: "This account's public links are generating too much traffic and have been temporarily disabled!")
Thank you for posting that command! It got me to read the wget man page in order to understand what you did and now I have another useful tool I can add to my arsenal.
Was about to do this, then figured someone on HN probably had a pdf available already. And indeed ^^. Thanks anyway, saves me having to figure out the wget params.