Security engineering
Security engineering is a specialized field of engineering that deals with the development of detailed engineering often asserted as a security policy.
In one form or another, Security Engineering has existed as an informal field of study for several centuries. For example, the fields of locksmithing and security printing have been around for many years. at US$150 billion.[1]
Security engineering involves /p/articles/mi_m1216/is_n5_v181/ai_6730246] Some of the techniques used, such as fault tree analysis, are derived from safety engineering.
Other techniques such as cryptography were previously restricted to military applications. One of the pioneers of security engineering as a formal field of study is Ross Anderson.
Qualifications
Typical qualifications for a security engineer are:
- Security+ - Entry Level
- Professional Engineer, Chartered Engineer, Chartered Professional Engineer
- CPP
- PSP
- BICSI RCDD
- CISSP
However, multiple qualifications, or several qualified persons working together, may provide a more complete solution.[1] 1 Default deny - "Everything, not explicitly permitted, is forbidden"
- Improves security at a cost in functionality.
- This is a good approach if you have lots of security threats.
- See secure computing for a discussion of computer security using this approach.
2 Default permit - "Everything, not explicitly forbidden, is permitted"
- Allows greater functionality by sacrificing security.
- This is only a good approach in an environment where security threats are non-existent or negligible.
- See computer insecurity * Secure Coding ==Sub-fields==
- deter attackers from accessing a facility, resource, or information stored on physical media.
- protecting data from unauthorized access, use, disclosure, destruction, modification, or disruption to access.
- See esp. Computer security
- the economic aspects of economics of privacy and computer security.
Methodologies
Technological advances, principally in the field of computers, have now allowed the creation of far more complex systems, with new and complex security problems. Because modern systems cut across many areas of human endeavor, security engineers not only need consider the mathematical and physical properties of systems; they also need to consider attacks on the people who use and form parts According to the Microsoft Developer Network the patterns & practices of Security Engineering consists of the following activities:
- Security Objectives
- Security Design Guidelines
- Security Modeling
- Security Architecture and Design Review
- Security Code Review
- Security Testing
- Security Tuning
- Security Deployment Review
These activities are designed to help meet security objectives in the software life cycle.
Physical
- Understanding of a to buildings, critical infrastructure, ports, public transport and other facilities/compounds.====Target Hardening====
Whatever the target, there are multiple ways of preventing penetration by unwanted or unauthorised persons. Methods include placing Jersey barriers, stairs or other sturdy obstacles outside tall or politically sensitive buildings to prevent car and truck bombings. Improving the method of Visitor management and some new electronic locks take advantage of technologies such as fingerprint scanning, iris or retinal scanning, and voiceprint identification to authenticate users.
Employers of Security Engineers
- US Department of State, Bureau of Diplomatic Security (ABET certified institution degree in engineering or physics required)[2]
==Criticisms==practice of security engineering have no engineering degree. Part of the problem lies in the fact that while conforming to positive requirements is well understood; conforming to negative requirements requires complex and indirect posturing to reach a closed form solution. In fact, some rigorous methods do exist to address these difficulties but are seldom used, partly because they are viewed as too old or too complex by many practitioners. As a result, many ad-hoc approaches simply do not succeed.
See also
Further reading
- Ross Anderson (2001). Security Engineering. Wiley. ISBN 0-471-38922-6.
- {{cite book.acsa-admin.org/2001/papers/110.pdf Why Information Security is Hard - An Economic Perspective]"
- Bruce Schneier (1995). Applied Cryptography (2nd edition ed.). Wiley. ISBN 0-471-11709-9.
{{cite book}}:|edition=has extra text (help) - David A. Wheeler (2003). Secure Programming for Linux and Unix HOWTO. Wiley. Retrieved 2005-12-19.
{{cite book}}:|work=ignored (help)
Articles and Papers
- patterns & practices Security /en-us/dnpag2/html/SecEngExplained.asp patterns & practices Security Engineering Explained
- Basic Target Hardening from the Government of South Australia
References
- ^ "Data analytics, networked video lead trends for 2008". SP&T News. CLB MEDIA INC. Retrieved 2008-01-05.
- ^ http://careers.state.gov/specialist/opportunities/seceng.html