Security engineering

Security engineeringis the process of incorporatingsecurity controlsinto aninformation systemso that the controls become an integral part of the system’s operational capabilities.^[1]It is similar to other systems engineering activities in that its primary motivation is to support the delivery of engineering solutions that satisfy pre-defined functional and userrequirements,but it has the added dimension of preventing misuse and malicious behavior. Those constraints and restrictions are often asserted as asecurity policy.

In one form or another, security engineering has existed as an informal field of study for several centuries. For example, the fields oflocksmithingandsecurity printinghave been around for many years. The concerns for modern security engineering and computer systems were first solidified in a RAND paper from 1967, "Security and Privacy in Computer Systems" by Willis H. Ware.^[2]This paper, later expanded in 1979,^[3]provided many of the fundamental information security concepts, labelled today as Cybersecurity, that impact modern computer systems, from cloud implementations to embedded IoT.

Recent catastrophic events, most notably9/11,have made security engineering quickly become a rapidly-growing field. In fact, in a report completed in 2006, it was estimated that the global security industry was valued at US $150 billion.

Security engineering involves aspects ofsocial science,psychology(such as designing a system to "fail well",instead of trying to eliminate all sources of error), andeconomicsas well asphysics,chemistry,mathematics,criminologyarchitecture,andlandscaping.^[4] Some of the techniques used, such asfault tree analysis,are derived fromsafety engineering.

Other techniques such ascryptographywere previously restricted to military applications. One of the pioneers of establishing security engineering as a formal field of study isRoss Anderson.

Qualifications[edit]

No single qualification exists to become a security engineer.

However, an undergraduate and/or graduate degree, often incomputer science,computer engineering,or physical protection focused degrees such as Security Science, in combination with practical work experience (systems, network engineering,software development,physical protection system modelling etc.) most qualifies an individual to succeed in the field. Other degree qualifications with a security focus exist. Multiplecertifications,such as theCertified Information Systems Security Professional,or Certified Physical Security Professional are available that may demonstrate expertise in the field. Regardless of the qualification, the course must include a knowledge base to diagnose the security system drivers, security theory and principles including defense in depth, protection in depth, situational crime prevention and crime prevention through environmental design to set the protection strategy (professional inference), and technical knowledge including physics and mathematics to design and commission the engineering treatment solution. A security engineer can also benefit from having knowledge in cyber security and information security. Any previous work experience related to privacy and computer science is also valued.

All of this knowledge must be braced by professional attributes including strong communication skills and high levels of literacy for engineering report writing. Security engineering also goes by the label Security Science.

Related-fields[edit]

Information security

See esp.Computer security
protecting data from unauthorized access, use, disclosure, destruction, modification, or disruption to access.

Physical security

deter attackers from accessing a facility, resource, or information stored on physical media.

the economic aspects of economics of privacy and computer security.

Methodologies[edit]

Technological advances, principally in the field ofcomputers,have now allowed the creation of far more complex systems, with new and complex security problems. Because modern systems cut across many areas of human endeavor, security engineers not only need consider the mathematical and physical properties of systems; they also need to consider attacks on the people who use and form parts of those systems usingsocial engineeringattacks. Secure systems have to resist not only technical attacks, but alsocoercion,fraud,anddeceptionbyconfidence tricksters.

Web applications[edit]

According to theMicrosoftDeveloper Networkthe patterns and practices of security engineering consist of the following activities:^[5]

Security Objectives
Security Design Guidelines
Security Modeling
Security Architecture and Design Review
Security Code Review
Security Testing
Security Tuning
Security Deployment Review

These activities are designed to help meet security objectives in thesoftware life cycle.

Physical[edit]

Understanding of atypicalthreat and the usual risks to people and property.
Understanding the incentives created both by the threat and the countermeasures.
Understanding risk and threat analysis methodology and the benefits of an empirical study of the physical security of a facility.
Understanding how to apply the methodology to buildings, critical infrastructure, ports, public transport and other facilities/compounds.
Overview of common physical and technological methods of protection and understanding their roles indeterrence,detection and mitigation.
Determining and prioritizing security needs and aligning them with the perceived threats and the available budget.

Product[edit]

Product security engineering is security engineering applied specifically to the products that an organization creates, distributes, and/or sells. Product security engineering is distinct from corporate/enterprise security,^[6]which focuses on securing corporate networks and systems that an organization uses to conduct business.

Product security includes security engineering applied to:

Hardware devices such as cell phones, computers,Internet of thingsdevices, and cameras.
Software such as operating systems, applications, and firmware.

Such security engineers are often employed in separate teams from corporate security teams and work closely with product engineering teams.

Target hardening[edit]

Whatever the target, there are multiple ways of preventing penetration by unwanted or unauthorized persons. Methods include placingJersey barriers,stairs or other sturdy obstacles outside tall or politically sensitive buildings to prevent car andtruck bombings.Improving the method ofvisitor managementand some new electroniclockstake advantage of technologies such asfingerprintscanning, iris orretinal scanning,andvoiceprint identificationto authenticate users.

References[edit]

^"Security Engineering - an overview | ScienceDirect Topics".sciencedirect.Retrieved2020-10-27.
^Ware, Willis H. (January 1967)."Security and Privacy in Computer Systems".
^Ware, Willis H. (January 1979)."Security Controls for Computer Systems: Report of Defense Science Board Task Force on Computer Security".
^"Landscaping for security".Sunset.1988. Archived fromthe originalon 2012-07-18.
^"patterns & practices of Security Engineering".
^Watson, Philip (May 20, 2013)."Corporate vs. Product Security".SANS Institute Information Security Reading Room.SANS Institute.RetrievedOctober 13,2020.