Security Engineering
A Guide to Building Dependable Distributed Systems
Ross Anderson's comprehensive textbook on the design of secure systems, covering protocols, access control, side channels, economics of security, and policy.
As an Amazon Associate we earn from qualifying purchases. The link above is sponsored.
- Authors
- Ross Anderson
- Published
- 2020
- Publisher
- Wiley
- Pages
- 1232
- Language
- English
Read this if
Anyone who builds, audits, or governs systems where failure has real-world consequences: banking, healthcare, voting, telecom, defence. The single most important security book ever written, and the rare textbook that improves with each edition.
Skip this if
Readers looking for a hands-on tooling guide or a quick certification primer. Anderson works at the systems and policy layer; if you need to learn how to use Burp, this is not it. The 1,200 pages also reward patient readers, not skimmers.
Key takeaways
- Most production failures are economic and organisational, not cryptographic: incentives shape outcomes far more than primitives.
- Threat models from one domain (banking, telecom, military) generalize to the next once you know what to look for, and Anderson is the best in the field at showing you.
- Side channels, supply chains, and policy are first-class engineering concerns, not footnotes.
Notes
The third edition is freely available as a PDF on Anderson's site (highly recommended to the publisher's credit). Read it slowly, in chapters, over years; pair specific chapters with the topic you're working on. Best paired with Threat Modeling (Shostack) for the design-time view and Cryptography Engineering (Ferguson, Schneier, Kohno) for the protocol view. If we could make one book required reading for the entire field, this would be it.
What to read before
What to read before Security Engineering →Intermediate · 2024
Serious Cryptography
Jean-Philippe Aumasson's working introduction to modern cryptography, written for engineers who need both intuition and enough mathematical depth to evaluate the choices a library is making for them.
Intermediate · 2010
Cryptography Engineering
A working engineer's introduction to cryptography that takes implementation pitfalls more seriously than most.
Intermediate · 2021
Real-World Cryptography
David Wong's hands-on tour of the cryptographic primitives, protocols and pitfalls that show up in actual production systems, with deliberate attention to TLS, Noise, modern AEAD, and post-quantum.
What to read next
What to read after Security Engineering →Advanced · 2020
Building Secure and Reliable Systems
Google's site-reliability and security teams jointly write down what it actually takes to build systems that are both safe and dependable, from threat models and design reviews to rollback culture and crisis response.
Advanced · 2023
Security Chaos Engineering
Kelly Shortridge and Aaron Rinehart on treating security as a property of complex adaptive systems: instead of preventing failure, you continuously simulate it, and design the organization to learn from each result.
Intermediate · 2024
Serious Cryptography
Jean-Philippe Aumasson's working introduction to modern cryptography, written for engineers who need both intuition and enough mathematical depth to evaluate the choices a library is making for them.
Explore similar books
Alternatives to Security Engineering →Intermediate · 2024
Serious Cryptography
Jean-Philippe Aumasson's working introduction to modern cryptography, written for engineers who need both intuition and enough mathematical depth to evaluate the choices a library is making for them.
Advanced · 2023
Security Chaos Engineering
Kelly Shortridge and Aaron Rinehart on treating security as a property of complex adaptive systems: instead of preventing failure, you continuously simulate it, and design the organization to learn from each result.
Advanced · 2020
Building Secure and Reliable Systems
Google's site-reliability and security teams jointly write down what it actually takes to build systems that are both safe and dependable, from threat models and design reviews to rollback culture and crisis response.