Security engineering

Security engineering is a specialized field of engineering that deals with the development of detailed engineering plans and designs for security features, controls and systems. It is similar to other systems engineering activities in that its primary motivation is to support the delivery of engineering solutions that satisfy pre-defined functional and user requirements, but with the added dimension of preventing misuse and malicious behavior. These constraints and restrictions are often asserted as a security policy.

In one form or another, security engineering has existed as an informal field of study for several centuries. For example, the fields of locksmithing and security printing have been around for many years.

Due to recent catastrophic events, most notably 9/11, security engineering has become a rapidly growing field. A report completed in 2006 estimated that the global security industry was valued at US$150 billion.[1]

Security engineering involves aspects of social science, psychology and economics, as well as physics, chemistry, mathematics and landscaping.[1] Some of the techniques used, such as fault tree analysis, are derived from safety engineering.

Other techniques such as cryptography were previously restricted to military applications. One of the pioneers of security engineering as a formal field of study is Ross Anderson.

Qualifications

Typical qualifications for a security engineer are:

  • Chartered Professional Engineer
  • CPP
  • PSP
  • BICSI RCDD
  • CISSP

However, multiple qualifications, or several qualified persons working together, may provide a more complete solution.[2]

Security Stance

The two possible default positions on security matters are:

1. Default deny - "Everything, not explicitly permitted, is forbidden"

Improves security at a cost in functionality.
This is a good approach if you have lots of security threats.
See secure computing for a discussion of computer security using this approach.

2. Default permit - "Everything, not explicitly forbidden, is permitted"

Allows greater functionality by sacrificing security.
This is only a good approach in an environment where security threats are non-existent or negligible.
See computer insecurity for an example of the failure of this approach in the real world.
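
The two stances applied to one rule set, as an added example that is not part of the original article. The rule format, role names and resource paths are constructed for illustration; the only thing that differs between the two runs is what happens to a request that no rule mentions.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

STANCES = {"default-deny": "forbid", "default-permit": "permit"}

@dataclass(frozen=True)
class Rule:
    effect: str    # "permit" or "forbid"
    role: str      # glob over the requester's role
    action: str    # glob over the requested action
    resource: str  # glob over the resource path

    def matches(self, role, action, resource):
        return (fnmatchcase(role, self.role)
                and fnmatchcase(action, self.action)
                and fnmatchcase(resource, self.resource))

def decide(rules, stance, role, action, resource):
    """Return (decision, basis). An explicit forbid wins over an explicit permit;
    a request that no rule mentions gets whatever the stance says."""
    if stance not in STANCES:
        raise ValueError(f"unknown stance: {stance!r}")  # refuse rather than guess
    effects = {r.effect for r in rules if r.matches(role, action, resource)}
    if "forbid" in effects:
        return "forbid", "explicit"
    if "permit" in effects:
        return "permit", "explicit"
    return STANCES[stance], "default"

def stance_dependent(rules, requests):
    """Requests whose outcome is set by the stance alone, not by any rule."""
    return [q for q in requests
            if decide(rules, "default-deny", *q) != decide(rules, "default-permit", *q)]

# Constructed policy and requests (illustrative names, not from the article).
RULES = [
    Rule("permit", "clerk", "read", "/invoices/*"),
    Rule("permit", "admin", "*", "/invoices/*"),
    Rule("forbid", "*", "delete", "/audit/*"),
]
REQUESTS = [
    ("clerk", "read", "/invoices/2024-17"),  # explicitly permitted
    ("clerk", "delete", "/audit/log-1"),     # explicitly forbidden
    ("clerk", "write", "/audit/log-1"),      # misuse nobody thought to forbid
    ("clerk", "read", "/reports/q3"),        # legitimate need nobody thought to permit
]

if __name__ == "__main__":
    for stance in STANCES:
        for q in REQUESTS:
            print(f"{stance:15} {q} -> {decide(RULES, stance, *q)}")
```

Only the last two requests change outcome with the stance: default permit lets the unforeseen write to the audit log through, while default deny blocks it and also blocks the unlisted report read, which is the cost in functionality described above.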
