Sponsored Links
-->

Friday, June 1, 2018

Software Engineer Touching SECURITY ENGINEERING Stock Photo ...
src: thumbs.dreamstime.com

Security engineering is a specialized field of engineering that focuses on the security aspects in the design of systems that need to be able to deal robustly with possible sources of disruption, ranging from natural disasters to malicious acts. It is similar to other systems engineering activities in that its primary motivation is to support the delivery of engineering solutions that satisfy pre-defined functional and user requirements, but with the added dimension of preventing misuse and malicious behavior. These constraints and restrictions are often asserted as a security policy.

In one form or another, security engineering has existed as an informal field of study for several centuries. For example, the fields of locksmithing and security printing have been around for many years.

Due to recent catastrophic events, most notably 9/11, Security Engineering has quickly become a rapidly growing field. In fact, in a recent report completed in 2006, it was estimated that the global security industry was valued at US$150 billion.

Security engineering involves aspects of social science, psychology (such as designing a system to 'fail well' instead of trying to eliminate all sources of error) and economics, as well as physics, chemistry, mathematics, architecture and landscaping. Some of the techniques used, such as fault tree analysis, are derived from safety engineering.

Other techniques such as cryptography were previously restricted to military applications. One of the pioneers of security engineering as a formal field of study is Ross Anderson.


Video Security engineering



Qualifications

No single qualification exists to become a security engineer.

However, an undergraduate and/or graduate degree, often in computer science, computer engineering, or information assurance, in combination with practical work experience (systems, network engineering, software development, etc.) most qualifies an individual to succeed in the field. Multiple certifications, such as the Certified Information Systems Security Professional, are available that may demonstrate expertise in the field. Other degree qualifications include a Bachelor of Science (Security) or Masters of Science (Security Science) such as offered by Edith Cowan University in Perth, Western Australia. Graduates from these programs have a long history in the security engineering occupational space. Regardless of the qualification, the course must include a knowledge base to diagnose the security system drivers, security theory and principles including defense in depth, protection in depth, situational crime prevention and crime prevention through environmental design to set the protection strategy (professional inference), and technical knowledge including physics and mathematics to design and commission the engineering treatment solution.

All this knowledge must be braced by professional attributes including strong communication skills and high levels of literacy for engineering report writing. Guidance on security engineering can be drawn from Marry Lynn Garcia's book the design and evaluation of physical protection systems. Security engineering also goes by the label Security Science.

Employers of security engineers

  • US Department of State, [[Bureau of Diplomatic Security]] (ABET certified institution degree in engineering or physics required)<ref>http://careers.state.gov/specialist/opportunities/seceng.html</ref>
  • Security Engineering Sal, <ref>http://www.securityeng.com</ref>
  • Google<ref>http://googleonlinesecurity.blogspot.com/2012/06/security-warnings-for-suspected-state.html</ref>
  • Financial Services Industry, Health Care Industry,<ref>{{cite web|title=Senior Healthcare Security Engineer Jobs|url=http://www.indeed.com/q-Senior-Healthcare-Security-Engineer-jobs.html|publisher=Indeed.com|accessdate=23 April 2014}}</ref> Energy Sector<ref>{{cite web|title=Network Security Engineer - Information Technology Jobs at Duke Energy Corporation|url=http://www.jobs.net/jobs/duke-energy/en-us/search/united-states/category/information-technology/network-security-engineer/|publisher=Jobs.com|accessdate=23 April 2014}}</ref>

Maps Security engineering



Security stance

The two possible default positions on security matters are:

  • Default deny - everything not explicitly permitted is forbidden
Improves security at a cost in functionality.
This is a good approach if you have lots of security threats.
  • Default permit - everything not explicitly forbidden is permitted
Allows greater functionality by sacrificing security.
This is only a good approach in an environment where security threats are non-existent or negligible.
See computer insecurity for an example of the failure of this approach in the real world.

Working as an Information Security Engineer | What Next? - YouTube
src: i.ytimg.com


Core practices

  • Security Requirements Analysis
  • Secure coding
  • Security testing
  • Engineering Product Lifecycle
  • Economics of security

In.Security Home » SECURITY ENGINEERING LAB at The University Of ...
src: www.thesidebar.org


Sub-fields

  • Information security
  • protecting data from unauthorized access, use, disclosure, destruction, modification, or disruption to access.
  • See esp. Computer security
  • Physical security
  • deter attackers from accessing a facility, resource, or information stored on physical media.
  • Technical surveillance counter-measures
  • Economics of security
  • the economic aspects of economics of privacy and computer security.

Identity and Access Management: The Quiet Disruption in Security ...
src: www.uscybersecurity.net


Methodologies

Technological advances, principally in the field of computers, have now allowed the creation of far more complex systems, with new and complex security problems. Because modern systems cut across many areas of human endeavor, security engineers not only need consider the mathematical and physical properties of systems; they also need to consider attacks on the people who use and form parts of those systems using social engineering attacks. Secure systems have to resist not only technical attacks, but also coercion, fraud, and deception by confidence tricksters.

Web applications

According to the Microsoft Developer Network the patterns and practices of security engineering consist of the following activities:

  • Security Objectives
  • Security Design Guidelines
  • Security Modeling
  • Security Architecture and Design Review
  • Security Code Review
  • Security Testing
  • Security Tuning
  • Security Deployment Review

These activities are designed to help meet security objectives in the software life cycle.

Physical

  • Understanding of a typical threat and the usual risks to people and property.
  • Understanding the incentives created both by the threat and the countermeasures.
  • Understanding risk and threat analysis methodology and the benefits of an empirical study of the physical security of a facility.
  • Understanding how to apply the methodology to buildings, critical infrastructure, ports, public transport and other facilities/compounds.
  • Overview of common physical and technological methods of protection and understanding their roles in deterrence, detection and mitigation.
  • Determining and prioritizing security needs and aligning them with the perceived threats and the available budget.

Target hardening

Whatever the target, there are multiple ways of preventing penetration by unwanted or unauthorised persons. Methods include placing Jersey barriers, stairs or other sturdy obstacles outside tall or politically sensitive buildings to prevent car and truck bombings. Improving the method of visitor management and some new electronic locks take advantage of technologies such as fingerprint scanning, iris or retinal scanning, and voiceprint identification to authenticate users.


CA API Security Gateway | Layer 7 Security | Velociters
src: www.velociters.com


See also


Beyond Thin Clients: Limiting Cybersecurity Vulnerabilities | The ...
src: www.mitre.org


References


The Waves Platform Code Audit: “Shows good security engineering ...
src: s-media-cache-ak0.pinimg.com


Further reading

  • Ross Anderson (2001). Security Engineering. Wiley. ISBN 0-471-38922-6. 
  • Ross Anderson (2008). Security Engineering - A Guide to Building Dependable Distributed Systems. Wiley. ISBN 0-470-06852-3. 
  • Ross Anderson (2001). "Why Information Security is Hard - An Economic Perspective"
  • Bruce Schneier (1995). Applied Cryptography (2nd ed.). Wiley. ISBN 0-471-11709-9. 
  • Bruce Schneier (2000). Secrets and Lies: Digital Security in a Networked World. Wiley. ISBN 0-471-25311-1. 
  • David A. Wheeler (2003). "Secure Programming for Linux and Unix HOWTO". Linux Documentation Project. Retrieved 2005-12-19. 
  • Ron Ross, Michael McEvilley, Janet Carrier Oren (2016). "Systems Security Engineering" (PDF). Internet of Things. Retrieved 2016-11-22. CS1 maint: Multiple names: authors list (link)

Articles and papers

  • patterns & practices Security Engineering on Channel9
  • patterns & practices Security Engineering on MSDN
  • patterns & practices Security Engineering Explained
  • Basic Target Hardening from the Government of South Australia

Source of article : Wikipedia