Security engineering



 
 


Security engineering is a specialized field of engineering that deals with the development of detailed engineering plans and designs for security features, controls and systems. It is similar to other systems engineering activities in that its primary motivation is to support the delivery of engineering solutions that satisfy pre-defined functional and user requirements, but with the added dimension of preventing misuse and malicious behavior. These constraints and restrictions are often asserted as a security policy.

In one form or another, Security Engineering has existed as an informal field of study for several centuries. For example, the fields of locksmithing and security printing have been around for many years.

Due to recent catastrophic events, most notably 9/11, Security Engineering has quickly become a rapidly growing field. In fact, in a recent report completed in 2006, it was estimated that the global security industry was valued at US$150 billion.

Security engineering involves aspects of social science, psychology (such as designing a system to 'fail well' instead of trying to eliminate all sources of error) and economics, as well as physics, chemistry, mathematics, architecture and landscaping. Some of the techniques used, such as fault tree analysis, are derived from safety engineering.

Other techniques such as cryptography were previously restricted to military applications. One of the pioneers of security engineering as a formal field of study is Ross Anderson.

Qualifications

Typical qualifications for a security engineer are:
  • Security+ - Entry Level
  • Professional Engineer, Chartered Engineer, Chartered Professional Engineer
  • CPP
  • PSP
  • BICSI RCDD
  • CISSP
However, multiple qualifications, or several qualified persons working together, may provide a more complete solution.

Security Stance

The 2 possible default positions on security matters are:

1 Default deny - "Everything, not explicitly permitted, is forbidden". Improves security at a cost in functionality. This is a good approach if you have lots of security threats. See secure computing for a discussion of computer security using this approach.

2 Default permit - "Everything, not explicitly forbidden, is permitted". Allows greater functionality by sacrificing security. This is only a good approach in an environment where security threats are non-existent or negligible. See computer insecurity for an example of the failure of this approach in the real world.
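
The two stances can be compared by running the same requests through a rule set of each kind. The following is an added illustration, not part of the original article; the rule format, addresses, ports and request descriptions are constructed for the example. The two policies agree on every case their authors wrote a rule for and differ only on requests nobody anticipated, which is where the trade-off between security and functionality appears.

```python
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum
from ipaddress import ip_address, ip_network


class Decision(Enum):
    PERMIT = "permit"
    DENY = "deny"


@dataclass(frozen=True)
class Rule:
    decision: Decision
    source: str  # CIDR block the rule covers
    port: int    # destination port the rule covers

    def matches(self, src: str, port: int) -> bool:
        return port == self.port and ip_address(src) in ip_network(self.source)


@dataclass(frozen=True)
class Policy:
    default: Decision        # the stance: applied when no rule matches
    rules: tuple[Rule, ...]  # explicit rules, first match wins

    def matched_rule(self, src: str, port: int) -> Rule | None:
        return next((r for r in self.rules if r.matches(src, port)), None)

    def evaluate(self, src: str, port: int) -> Decision:
        rule = self.matched_rule(src, port)
        return rule.decision if rule else self.default


ANYWHERE, INTERNAL = "0.0.0.0/0", "10.0.0.0/8"

# Default deny: list what is permitted; everything else is forbidden.
DEFAULT_DENY = Policy(Decision.DENY, (
    Rule(Decision.PERMIT, ANYWHERE, 443),  # public HTTPS
    Rule(Decision.PERMIT, INTERNAL, 22),   # SSH from the internal network
))

# Default permit: list what is forbidden; everything else is permitted.
DEFAULT_PERMIT = Policy(Decision.PERMIT, (
    Rule(Decision.PERMIT, INTERNAL, 22),   # carve-out placed before the SSH ban
    Rule(Decision.DENY, ANYWHERE, 22),     # SSH from anywhere else
    Rule(Decision.DENY, ANYWHERE, 23),     # telnet
))

# Constructed requests: (source address, destination port, description).
REQUESTS = [
    ("203.0.113.7", 443, "external client to public HTTPS"),
    ("10.1.2.3", 22, "internal admin SSH"),
    ("203.0.113.7", 22, "external SSH attempt"),
    ("203.0.113.7", 6379, "external client to unlisted port 6379"),
    ("10.1.2.3", 8080, "internal client to new app on 8080"),
]


def disagreements(a: Policy, b: Policy, requests):
    """Return (description, a's decision, b's decision) where the policies differ."""
    out = []
    for src, port, desc in requests:
        da, db = a.evaluate(src, port), b.evaluate(src, port)
        if da is not db:
            out.append((desc, da, db))
    return out


if __name__ == "__main__":
    for src, port, desc in REQUESTS:
        print(f"{desc:40} default-deny={DEFAULT_DENY.evaluate(src, port).value:7}"
              f" default-permit={DEFAULT_PERMIT.evaluate(src, port).value}")
    # Only the requests no rule author anticipated are decided by the stance.
    for desc, da, db in disagreements(DEFAULT_DENY, DEFAULT_PERMIT, REQUESTS):
        print(f"differs: {desc} ({da.value} vs {db.value})")
```

Under default deny the new internal application on port 8080 stays blocked until someone adds a rule for it; under default permit the unlisted port 6379 is reachable from outside until someone notices and forbids it.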

Core Practices

  • Security Planning
  • Security Requirements Analysis
  • Security Architecture
  • Secure Coding
  • Security testing
  • Security Operations and Maintenance
  • Economics of Security


Sub-fields

  • Physical security
      • deter attackers from accessing a facility, resource, or information stored on physical media.
  • Information security
      • protecting data from unauthorized access, use, disclosure, destruction, modification, or disruption to access.
      • See esp. Computer security
  • Economics of security
      • the economic aspects of privacy and computer security.

Methodologies

Technological advances, principally in the field of computers, have now allowed the creation of far more complex systems, with new and complex security problems. Because modern systems cut across many areas of human endeavor, security engineers need to consider not only the mathematical and physical properties of systems but also social engineering attacks on the people who use and form parts of those systems. Secure systems have to resist not only technical attacks, but also coercion, fraud, and deception by confidence tricksters.

Web Applications

According to the Microsoft Developer Network the consists of the following activities:
  • Security Objectives
  • Security Design Guidelines
  • Security Modeling
  • Security Architecture and Design Review
  • Security Code Review
  • Security Testing
  • Security Tuning
  • Security Deployment Review
These activities are designed to help meet security objectives in the software life cycle.

Physical

  • Understanding of a typical threat and the usual risks to people and property.
  • Understanding the incentives created both by the threat and the countermeasures.
  • Understanding risk and threat analysis methodology and the benefits of an empirical study of the physical security of a facility.
  • Understanding how to apply the methodology to buildings, critical infrastructure, ports, public transport and other facilities/compounds.
  • Overview of common physical and technological methods of protection and understanding their roles in deterrence, detection and mitigation.
  • Determining and prioritizing security needs and aligning them with the perceived threats and the available budget.


Target Hardening
Whatever the target, there are multiple ways of preventing penetration by unwanted or unauthorised persons. Methods include placing Jersey barriers, stairs or other sturdy obstacles outside tall or politically sensitive buildings to prevent car and truck bombings. Improving the method of visitor management and some new electronic locks take advantage of technologies such as fingerprint scanning, iris or retinal scanning, and voiceprint identification to authenticate users.

Employers of Security Engineers

  • US Department of State, Bureau of Diplomatic Security (ABET certified institution degree in engineering or physics required)


Criticisms

Some criticize this field as not being a bona fide field of engineering because the methodologies of this field are less formal or excessively ad-hoc compared to other fields and many in the practice of security engineering have no engineering degree. Part of the problem lies in the fact that while conforming to positive requirements is well understood, conforming to negative requirements requires complex and indirect posturing to reach a closed form solution. In fact, some rigorous methods do exist to address these difficulties but are seldom used, partly because they are viewed as too old or too complex by many practitioners. As a result, many ad-hoc approaches simply do not succeed.

See also

Computer Related
  • Authentication
  • Cryptography
  • Cryptanalysis
  • Computer insecurity
  • Data remanence
  • Defensive programming (secure coding)
  • Earthquake engineering
  • Electronic underground community
  • Explosion protection
  • Hacking
  • Information Systems Security Engineering
  • Password policy
  • Software cracking
  • Software Security Assurance
  • Secure computing
  • Security Patterns
  • Systems engineering
  • Trusted system
  • Economics of Security


Physical
  • Access control
  • Authorization
  • Critical Infrastructure Protection
  • Environmental design (esp. CPTED)
  • Locksmithing
  • Physical Security
  • Secrecy
  • Security
  • Secure cryptoprocessor
  • Security through obscurity
  • Technical Surveillance Counter-Measures


Misc. Topics
  • Deception
  • Fraud
  • Full disclosure
  • Security awareness
  • Security community
  • Steganography
  • Social engineering
  • Kerckhoffs' principle

