Security Engineering - Part 3

This page contains new material and links for part 3 of my book `Security Engineering'. These four chapters cover the management, policy and assurance aspects of security engineering. For reference, here are the table of contents and the bibliography. The errata for the print version, including for the bibliography, are at the end.

On page 521, I used reliability growth ideas to estimate that there were about three dozen errors of substance remaining in the book. By the first pass at these errate pages, in January 2003, I'd found or been told of about six. So far so good ...

New material and links

Security Disclosure Guidelines: The debate on whether vulnerabilities should be disclosed, kept secret, or kept secret for a limited period is settling in favour of the limited-period approach, as I recommended in section 23.4.3. The current proposal from a consortium of security companies is that a researcher finding a vulnerability should allow up to 67 days - 7 days for the vendor company to respond, then a further 30 days to release a patch, and publish the vulnerability 30 days after that.

Regulatory arbitrage: At p 458 (second last para), I remarked that calls made from phone boxes were `free to market', and people have asked what this means. It is slang used by signals intelligence people meaning that such calls don't need separate authorisation by warrant, merely the easily obtained consent of the phone company. In general, as legislatures enact more controls on surveillance, the agencies look for ways round. The increased use of traffic data is one example, and the principle applies in the regulatory sphere as well. For example, Commerce Undersecratary William Reinsch admitted at EPIC 1998 that export controls were neither fair nor effective, but available" (i.e. implementatable without prior scrutiny by the legislature or judiciary, being a Foreign Affairs matter in the gift of the Executive branch).

Errata

p 471 sec 21.2.5.3 line 15: `agencies' not agecies'
p 485 sec 21.6.2 second last para last line: `are' not `is'
p 487, research problems, last sentence: `What's not clear' not `It's not clear'
0 496 sec 22.3 l 4: `state' not `starte'
p 532 sec 23.3.3 line 2: `am called in' not `can called in'
p 550, bibliography item 77, should be `v 25 (1993)' not `v26 (1994)'

Return to Ross Anderson's home page

Thanks to Austin Donnelly, Mike Ellims, Sam Simpson, Stuart Wray and Stefek Zaba