Security Engineering
Contents
Ross Anderson. Security Engineering
Table of Contents
List of Illustrations
Security Engineering. A Guide to Building Dependable Distributed Systems
Preface to the Third Edition
Preface to the Second Edition
Preface to the First Edition
For my daughter, and other lawyers…
Foreword
PART I
CHAPTER 1 What Is Security Engineering?
1.1 Introduction
1.2 A framework
1.3 Example 1 – a bank
1.4 Example 2 – a military base
1.5 Example 3 – a hospital
1.6 Example 4 – the home
1.7 Definitions
1.8 Summary
Note
CHAPTER 2 Who Is the Opponent?
2.1 Introduction
2.2 Spies
2.2.1 The Five Eyes
2.2.1.1 Prism
2.2.1.2 Tempora
2.2.1.3 Muscular
2.2.1.4 Special collection
2.2.1.5 Bullrun and Edgehill
2.2.1.6 Xkeyscore
2.2.1.7 Longhaul
2.2.1.8 Quantum
2.2.1.9 CNE
2.2.1.10 The analyst's viewpoint
2.2.1.11 Offensive operations
2.2.1.12 Attack scaling
2.2.2 China
2.2.3 Russia
2.2.4 The rest
2.2.5 Attribution
2.3 Crooks
2.3.1 Criminal infrastructure
2.3.1.1 Botnet herders
2.3.1.2 Malware devs
2.3.1.3 Spam senders
2.3.1.4 Bulk account compromise
2.3.1.5 Targeted attackers
2.3.1.6 Cashout gangs
2.3.1.7 Ransomware
2.3.2 Attacks on banking and payment systems
2.3.3 Sectoral cybercrime ecosystems
2.3.4 Internal attacks
2.3.5 CEO crimes
2.3.6 Whistleblowers
2.4 Geeks
2.5 The swamp
2.5.1 Hacktivism and hate campaigns
2.5.2 Child sex abuse material
2.5.3 School and workplace bullying
2.5.4 Intimate relationship abuse
2.6 Summary
Research problems
Further reading
Notes
CHAPTER 3 Psychology and Usability
3.1 Introduction
3.2 Insights from psychology research
3.2.1 Cognitive psychology
3.2.2 Gender, diversity and interpersonal variation
3.2.3 Social psychology
3.2.3.1 Authority and its abuse
3.2.3.2 The bystander effect
3.2.4 The social-brain theory of deception
3.2.5 Heuristics, biases and behavioural economics
3.2.5.1 Prospect theory and risk misperception
3.2.5.2 Present bias and hyperbolic discounting
3.2.5.3 Defaults and nudges
3.2.5.4 The default to intentionality
3.2.5.5 The affect heuristic
3.2.5.6 Cognitive dissonance
3.2.5.7 The risk thermostat
3.3 Deception in practice
3.3.1 The salesman and the scamster
3.3.2 Social engineering
3.3.3 Phishing
3.3.4 Opsec
3.3.5 Deception research
3.4 Passwords
3.4.1 Password recovery
3.4.2 Password choice
3.4.3 Difficulties with reliable password entry
3.4.4 Difficulties with remembering the password
3.4.4.1 Naïve choice
3.4.4.2 User abilities and training
3.4.4.3 Design errors
3.4.4.4 Operational failures
3.4.4.5 Social-engineering attacks
3.4.4.6 Customer education
3.4.4.7 Phishing warnings
3.4.5 System issues
3.4.6 Can you deny service?
3.4.7 Protecting oneself or others?
3.4.8 Attacks on password entry
3.4.8.1 Interface design
3.4.8.2 Trusted path, and bogus terminals
3.4.8.3 Technical defeats of password retry counters
3.4.9 Attacks on password storage
3.4.9.1 One-way encryption
3.4.9.2 Password cracking
3.4.9.3 Remote password checking
3.4.10 Absolute limits
3.4.11 Using a password manager
3.4.12 Will we ever get rid of passwords?
3.5 CAPTCHAs
3.6 Summary
Research problems
Further reading
Notes
CHAPTER 4 Protocols
4.1 Introduction
4.2 Password eavesdropping risks
4.3 Who goes there? – simple authentication
4.3.1 Challenge and response
4.3.2 Two-factor authentication
4.3.3 The MIG-in-the-middle attack
4.3.4 Reflection attacks
4.4 Manipulating the message
4.5 Changing the environment
4.6 Chosen protocol attacks
4.7 Managing encryption keys
4.7.1 The resurrecting duckling
4.7.2 Remote key management
4.7.3 The Needham-Schroeder protocol
4.7.4 Kerberos
4.7.5 Practical key management
4.8 Design assurance
4.9 Summary
Research problems
Further reading
Notes
CHAPTER 5 Cryptography
5.1 Introduction
5.2 Historical background
5.2.1 An early stream cipher – the Vigenère
5.2.2 The one-time pad
5.2.3 An early block cipher – Playfair
5.2.4 Hash functions
5.2.5 Asymmetric primitives
5.3 Security models
5.3.1 Random functions – hash functions
5.3.1.1 Properties
5.3.1.2 The birthday theorem
5.3.2 Random generators – stream ciphers
5.3.3 Random permutations – block ciphers
5.3.4 Public key encryption and trapdoor one-way permutations
5.3.5 Digital signatures
5.4 Symmetric crypto algorithms
5.4.1 SP-networks
5.4.1.1 Block size
5.4.1.2 Number of rounds
5.4.1.3 Choice of S-boxes
5.4.1.4 Linear cryptanalysis
5.4.1.5 Differential cryptanalysis
5.4.2 The Advanced Encryption Standard (AES)
5.4.3 Feistel ciphers
5.4.3.1 The Luby-Rackoff result
5.4.3.2 DES
5.5 Modes of operation
5.5.1 How not to use a block cipher
5.5.2 Cipher block chaining
5.5.3 Counter encryption
5.5.4 Legacy stream cipher modes
5.5.5 Message authentication code
5.5.6 Galois counter mode
5.5.7 XTS
5.6 Hash functions
5.6.1 Common hash functions
5.6.2 Hash function applications – HMAC, commitments and updating
5.7 Asymmetric crypto primitives
5.7.1 Cryptography based on factoring
5.7.2 Cryptography based on discrete logarithms
5.7.2.1 One-way commutative encryption
5.7.2.2 Diffie-Hellman key establishment
5.7.2.3 ElGamal digital signature and DSA
5.7.3 Elliptic curve cryptography
5.7.4 Certification authorities
5.7.5 TLS
5.7.5.1 TLS uses
5.7.5.2 TLS security
5.7.5.3 TLS 1.3
5.7.6 Other public-key protocols
5.7.6.1 Code signing
5.7.6.2 PGP/GPG
5.7.6.3 QUIC
5.7.7 Special-purpose primitives
5.7.8 How strong are asymmetric cryptographic primitives?
5.7.9 What else goes wrong
5.8 Summary
Research problems
Further reading
Notes
CHAPTER 6 Access Control
6.1 Introduction
6.2 Operating system access controls
6.2.1 Groups and roles
6.2.2 Access control lists
6.2.3 Unix operating system security
6.2.4 Capabilities
6.2.5 DAC and MAC
6.2.6 Apple's macOS
6.2.7 iOS
6.2.8 Android
6.2.9 Windows
6.2.10 Middleware
6.2.10.1 Database access controls
6.2.10.2 Browsers
6.2.11 Sandboxing
6.2.12 Virtualisation
6.3 Hardware protection
6.3.1 Intel processors
6.3.2 Arm processors
6.4 What goes wrong
6.4.1 Smashing the stack
6.4.2 Other technical attacks
6.4.3 User interface failures
6.4.4 Remedies
6.4.5 Environmental creep
6.5 Summary
Research problems
Further reading
Notes
CHAPTER 7 Distributed Systems
7.1 Introduction
7.2 Concurrency
7.2.1 Using old data versus paying to propagate state
7.2.2 Locking to prevent inconsistent updates
7.2.3 The order of updates
7.2.4 Deadlock
7.2.5 Non-convergent state
7.2.6 Secure time
7.3 Fault tolerance and failure recovery
7.3.1 Failure models
7.3.1.1 Byzantine failure
7.3.1.2 Interaction with fault tolerance
7.3.2 What is resilience for?
7.3.3 At what level is the redundancy?
7.3.4 Service-denial attacks
7.4 Naming
7.4.1 The Needham naming principles
7.4.2 What else goes wrong
7.4.2.1 Naming and identity
7.4.2.2 Cultural assumptions
7.4.2.3 Semantic content of names
7.4.2.4 Uniqueness of names
7.4.2.5 Stability of names and addresses
7.4.2.6 Restrictions on the use of names
7.4.3 Types of name
7.5 Summary
Research problems
Further reading
Notes
CHAPTER 8 Economics
8.1 Introduction
8.2 Classical economics
8.2.1 Monopoly
8.3 Information economics
8.3.1 Why information markets are different
8.3.2 The value of lock-in
8.3.3 Asymmetric information
8.3.4 Public goods
8.4 Game theory
8.4.1 The prisoners' dilemma
8.4.2 Repeated and evolutionary games
8.5 Auction theory
8.6 The economics of security and dependability
8.6.1 Why is Windows so insecure?
8.6.2 Managing the patching cycle
8.6.3 Structural models of attack and defence
8.6.4 The economics of lock-in, tying and DRM
8.6.5 Antitrust law and competition policy
8.6.6 Perversely motivated guards
8.6.7 Economics of privacy
8.6.8 Organisations and human behaviour
8.6.9 Economics of cybercrime
8.7 Summary
Research problems
Further reading
Notes
PART II
CHAPTER 9 Multilevel Security
9.1 Introduction
9.2 What is a security policy model?
Megacorp, Inc. security policy
9.3 Multilevel security policy
9.3.1 The Anderson report
9.3.2 The Bell-LaPadula model
9.3.3 The standard criticisms of Bell-LaPadula
9.3.4 The evolution of MLS policies
9.3.5 The Biba model
9.4 Historical examples of MLS systems
9.4.1 SCOMP
9.4.2 Data diodes
9.5 MAC: from MLS to IFC and integrity
9.5.1 Windows
9.5.2 SELinux
9.5.3 Embedded systems
9.6 What goes wrong
9.6.1 Composability
9.6.2 The cascade problem
9.6.3 Covert channels
9.6.4 The threat from malware
9.6.5 Polyinstantiation
9.6.6 Practical problems with MLS
9.7 Summary
Research problems
Further reading
Notes
CHAPTER 10 Boundaries
10.1 Introduction
10.2 Compartmentation and the lattice model
10.3 Privacy for tigers
10.4 Health record privacy
10.4.1 The threat model
10.4.2 The BMA security policy
10.4.3 First practical steps
10.4.4 What actually goes wrong
10.4.4.1 Emergency care
10.4.4.2 Resilience
10.4.4.3 Secondary uses
10.4.5 Confidentiality – the future
10.4.6 Ethics
10.4.7 Social care and education
10.4.8 The Chinese Wall
10.5 Summary
Research problems
Further reading
Notes
CHAPTER 11 Inference Control
11.1 Introduction
11.2 The early history of inference control
11.2.1 The basic theory of inference control
11.2.1.1 Query set size control
11.2.1.2 Trackers
11.2.1.3 Cell suppression
11.2.1.4 Other statistical disclosure control mechanisms
11.2.1.5 More sophisticated query controls
11.2.1.6 Randomization
11.2.2 Limits of classical statistical security
11.2.3 Active attacks
11.2.4 Inference control in rich medical data
11.2.5 The third wave: preferences and search
11.2.6 The fourth wave: location and social
11.3 Differential privacy
11.4 Mind the gap?
11.4.1 Tactical anonymity and its problems
11.4.2 Incentives
11.4.3 Alternatives
11.4.4 The dark side
11.5 Summary
Research problems
Further reading
Notes
CHAPTER 12 Banking and Bookkeeping
12.1 Introduction
12.2 Bookkeeping systems
12.2.1 Double-entry bookkeeping
12.2.2 Bookkeeping in banks
12.2.3 The Clark-Wilson security policy model
12.2.4 Designing internal controls
12.2.5 Insider frauds
12.2.6 Executive frauds
12.2.6.1 The post office case
12.2.6.2 Other failures
12.2.6.3 Ecological validity
12.2.6.4 Control tuning and corporate governance
12.2.7 Finding the weak spots
12.3 Interbank payment systems
12.3.1 A telegraphic history of E-commerce
12.3.2 SWIFT
12.3.3 What goes wrong
12.4 Automatic teller machines
12.4.1 ATM basics
12.4.2 What goes wrong
12.4.3 Incentives and injustices
12.5 Credit cards
12.5.1 Credit card fraud
12.5.2 Online card fraud
12.5.3 3DS
12.5.4 Fraud engines
12.6 EMV payment cards
12.6.1 Chip cards
12.6.1.1 Static data authentication
12.6.1.2 ICVVs, DDA and CDA
12.6.1.3 The No-PIN attack
12.6.2 The preplay attack
12.6.3 Contactless
12.7 Online banking
12.7.1 Phishing
12.7.2 CAP
12.7.3 Banking malware
12.7.4 Phones as second factors
12.7.5 Liability
12.7.6 Authorised push payment fraud
12.8 Nonbank payments
12.8.1 M-Pesa
12.8.2 Other phone payment systems
12.8.3 Sofort, and open banking
12.9 Summary
Research problems
Further reading
Notes
CHAPTER 13 Locks and Alarms
13.1 Introduction
13.2 Threats and barriers
13.2.1 Threat model
13.2.2 Deterrence
13.2.3 Walls and barriers
13.2.4 Mechanical locks
13.2.5 Electronic locks
13.3 Alarms
13.3.1 How not to protect a painting
13.3.2 Sensor defeats
13.3.3 Feature interactions
13.3.4 Attacks on communications
13.3.5 Lessons learned
13.4 Summary
Research problems
Further reading
Notes
CHAPTER 14 Monitoring and Metering
14.1 Introduction
14.2 Prepayment tokens
14.2.1 Utility metering
14.2.2 How the STS system works
14.2.3 What goes wrong
14.2.4 Smart meters and smart grids
14.2.5 Ticketing fraud
14.3 Taxi meters, tachographs and truck speed limiters
14.3.1 The tachograph
14.3.2 What goes wrong
14.3.2.1 How most tachograph manipulation is done
14.3.2.2 Tampering with the supply
14.3.2.3 Tampering with the instrument
14.3.2.4 High-tech attacks
14.3.3 Digital tachographs
14.3.3.1 System-level problems
14.3.3.2 Other problems
14.3.4 Sensor defeats and third-generation devices
14.3.5 The fourth generation – smart tachographs
14.4 Curfew tags: GPS as policeman
14.5 Postage meters
14.6 Summary
Research problems
Further reading
Notes
CHAPTER 15 Nuclear Command and Control
15.1 Introduction
15.2 The evolution of command and control
15.2.1 The Kennedy memorandum
15.2.2 Authorization, environment, intent
15.3 Unconditionally secure authentication
15.4 Shared control schemes
15.5 Tamper resistance and PALs
15.6 Treaty verification
15.7 What goes wrong
15.7.1 Nuclear accidents
15.7.2 Interaction with cyberwar
15.7.3 Technical failures
15.8 Secrecy or openness?
15.9 Summary
Research problems
Further reading
Notes
CHAPTER 16 Security Printing and Seals
16.1 Introduction
16.2 History
16.3 Security printing
16.3.1 Threat model
16.3.2 Security printing techniques
16.4 Packaging and seals
16.4.1 Substrate properties
16.4.2 The problems of glue
16.4.3 PIN mailers
16.5 Systemic vulnerabilities
16.5.1 Peculiarities of the threat model
16.5.2 Anti-gundecking measures
16.5.3 The effect of random failure
16.5.4 Materials control
16.5.5 Not protecting the right things
16.5.6 The cost and nature of inspection
16.6 Evaluation methodology
16.7 Summary
Research problems
Further reading
CHAPTER 17 Biometrics
17.1 Introduction
17.2 Handwritten signatures
17.3 Face recognition
17.4 Fingerprints
17.4.1 Verifying positive or negative identity claims
17.4.2 Crime scene forensics
17.5 Iris codes
17.6 Voice recognition and morphing
17.7 Other systems
17.8 What goes wrong
17.9 Summary
Research problems
Further reading
Notes
CHAPTER 18 Tamper Resistance
18.1 Introduction
18.2 History
18.3 Hardware security modules
18.4 Evaluation
18.5 Smartcards and other security chips
18.5.1 History
18.5.2 Architecture
18.5.3 Security evolution
18.5.4 Random number generators and PUFs
18.5.5 Larger chips
18.5.6 The state of the art
18.6 The residual risk
18.6.1 The trusted interface problem
18.6.2 Conflicts
18.6.3 The lemons market, risk dumping and evaluation games
18.6.4 Security-by-obscurity
18.6.5 Changing environments
18.7 So what should one protect?
18.8 Summary
Research problems
Further reading
Notes
CHAPTER 19 Side Channels
19.1 Introduction
19.2 Emission security
19.2.1 History
19.2.2 Technical surveillance and countermeasures
19.3 Passive attacks
19.3.1 Leakage through power and signal cables
19.3.2 Leakage through RF signals
19.3.3 What goes wrong
19.4 Attacks between and within computers
19.4.1 Timing analysis
19.4.2 Power analysis
19.4.3 Glitching and differential fault analysis
19.4.4 Rowhammer, CLKscrew and Plundervolt
19.4.5 Meltdown, Spectre and other enclave side channels
19.5 Environmental side channels
19.5.1 Acoustic side channels
19.5.2 Optical side channels
19.5.3 Other side-channels
19.6 Social side channels
19.7 Summary
Research problems
Further reading
CHAPTER 20 Advanced Cryptographic Engineering
20.1 Introduction
20.2 Full-disk encryption
20.3 Signal
20.4 Tor
20.5 HSMs
20.5.1 The xor-to-null-key attack
20.5.2 Attacks using backwards compatibility and time-memory tradeoffs
20.5.3 Differential protocol attacks
20.5.4 The EMV attack
20.5.5 Hacking the HSMs in CAs and clouds
20.5.6 Managing HSM risks
20.6 Enclaves
20.7 Blockchains
20.7.1 Wallets
20.7.2 Miners
20.7.3 Smart contracts
20.7.4 Off-chain payment mechanisms
20.7.5 Exchanges, cryptocrime and regulation
20.7.6 Permissioned blockchains
20.8 Crypto dreams that failed
20.9 Summary
Research problems
Further reading
Notes
CHAPTER 21 Network Attack and Defence
21.1 Introduction
21.2 Network protocols and service denial
21.2.1 BGP security
21.2.2 DNS security
21.2.3 UDP, TCP, SYN floods and SYN reflection
21.2.4 Other amplifiers
21.2.5 Other denial-of-service attacks
21.2.6 Email – from spies to spammers
21.3 The malware menagerie – Trojans, worms and RATs
21.3.1 Early history of malware
21.3.2 The Internet worm
21.3.3 Further malware evolution
21.3.4 How malware works
21.3.5 Countermeasures
21.4 Defense against network attack
21.4.1 Filtering: firewalls, censorware and wiretaps
21.4.1.1 Packet filtering
21.4.1.2 Circuit gateways
21.4.1.3 Application proxies
21.4.1.4 Ingress versus egress filtering
21.4.1.5 Architecture
21.4.2 Intrusion detection
21.4.2.1 Types of intrusion detection
21.4.2.2 General limitations of intrusion detection
21.4.2.3 Specific problems detecting network attacks
21.5 Cryptography: the ragged boundary
21.5.1 SSH
21.5.2 Wireless networking at the periphery
21.5.2.1 WiFi
21.5.2.2 Bluetooth
21.5.2.3 HomePlug
21.5.2.4 VPNs
21.6 CAs and PKI
21.7 Topology
21.8 Summary
Research problems
Further reading
Notes
CHAPTER 22 Phones
22.1 Introduction
22.2 Attacks on phone networks
22.2.1 Attacks on phone-call metering
22.2.2 Attacks on signaling
22.2.3 Attacks on switching and configuration
22.2.4 Insecure end systems
22.2.5 Feature interaction
22.2.6 VOIP
22.2.7 Frauds by phone companies
22.2.8 Security economics of telecomms
22.3 Going mobile
22.3.1 GSM
22.3.2 3G
22.3.3 4G
22.3.4 5G and beyond
22.3.5 General MNO failings
22.4 Platform security
22.4.1 The Android app ecosystem
22.4.1.1 App markets and developers
22.4.1.2 Bad Android implementations
22.4.1.3 Permissions
22.4.1.4 Android malware
22.4.1.5 Ads and third-party services
22.4.1.6 Pre-installed apps
22.4.2 Apple's app ecosystem
22.4.3 Cross-cutting issues
22.5 Summary
Research problems
Further reading
Notes
CHAPTER 23 Electronic and Information Warfare
23.1 Introduction
23.2 Basics
23.3 Communications systems
23.3.1 Signals intelligence techniques
23.3.2 Attacks on communications
23.3.3 Protection techniques
23.3.3.1 Frequency hopping
23.3.3.2 DSSS
23.3.3.3 Burst communications
23.3.3.4 Combining covertness and jam resistance
23.3.4 Interaction between civil and military uses
23.4 Surveillance and target acquisition
23.4.1 Types of radar
23.4.2 Jamming techniques
23.4.3 Advanced radars and countermeasures
23.4.4 Other sensors and multisensor issues
23.5 IFF systems
23.6 Improvised explosive devices
23.7 Directed energy weapons
23.8 Information warfare
23.8.1 Attacks on control systems
23.8.2 Attacks on other infrastructure
23.8.3 Attacks on elections and political stability
23.8.4 Doctrine
23.9 Summary
Research problems
Further reading
Note
CHAPTER 24 Copyright and DRM
24.1 Introduction
24.2 Copyright
24.2.1 Software
24.2.2 Free software, free culture?
24.2.3 Books and music
24.2.4 Video and pay-TV
24.2.4.1 Typical system architecture
24.2.4.2 Video scrambling techniques
24.2.4.3 Attacks on hybrid scrambling systems
24.2.4.4 DVB
24.2.5 DVD
24.3 DRM on general-purpose computers
24.3.1 Windows media rights management
24.3.2 FairPlay, HTML5 and other DRM systems
24.3.3 Software obfuscation
24.3.4 Gaming, cheating, and DRM
24.3.5 Peer-to-peer systems
24.3.6 Managing hardware design rights
24.4 Information hiding
24.4.1 Watermarks and copy generation management
24.4.2 General information hiding techniques
24.4.3 Attacks on copyright marking schemes
24.5 Policy
24.5.1 The IP lobby
24.5.2 Who benefits?
24.6 Accessory control
24.7 Summary
Research problems
Further reading
Notes
CHAPTER 25 New Directions?
25.1 Introduction
25.2 Autonomous and remotely-piloted vehicles
25.2.1 Drones
25.2.2 Self-driving cars
25.2.3 The levels and limits of automation
25.2.4 How to hack a self-driving car
25.3 AI / ML
25.3.1 ML and security
25.3.2 Attacks on ML systems
25.3.3 ML and society
25.4 PETS and operational security
25.4.1 Anonymous messaging devices
25.4.2 Social support
25.4.3 Living off the land
25.4.4 Putting it all together
25.4.5 The name's Bond. James Bond
25.5 Elections
25.5.1 The history of voting machines
25.5.2 Hanging chads
25.5.3 Optical scan
25.5.4 Software independence
25.5.5 Why electronic elections are hard
25.6 Summary
Research problems
Further reading
Notes
PART III
CHAPTER 26 Surveillance or Privacy?
26.1 Introduction
26.2 Surveillance
26.2.1 The history of government wiretapping
26.2.2 Call data records (CDRs)
26.2.3 Search terms and location data
26.2.4 Algorithmic processing
26.2.5 ISPs and CSPs
26.2.6 The Five Eyes' system of systems
26.2.7 The crypto wars
26.2.7.1 The back story to crypto policy
26.2.7.2 DES and crypto research
26.2.7.3 Crypto War 1 – the Clipper chip
26.2.7.4 Crypto War 2 – going spotty
26.2.8 Export control
26.3 Terrorism
26.3.1 Causes of political violence
26.3.2 The psychology of political violence
26.3.3 The role of institutions
26.3.4 The democratic response
26.4 Censorship
26.4.1 Censorship by authoritarian regimes
26.4.2 Filtering, hate speech and radicalisation
26.5 Forensics and rules of evidence
26.5.1 Forensics
26.5.2 Admissibility of evidence
26.5.3 What goes wrong
26.6 Privacy and data protection
26.6.1 European data protection
26.6.2 Privacy regulation in the USA
26.6.3 Fragmentation?
26.7 Freedom of information
26.8 Summary
Research problems
Further reading
Notes
CHAPTER 27 Secure Systems Development
27.1 Introduction
27.2 Risk management
27.3 Lessons from safety-critical systems
27.3.1 Safety engineering methodologies
27.3.2 Hazard analysis
27.3.3 Fault trees and threat trees
27.3.4 Failure modes and effects analysis
27.3.5 Threat modelling
27.3.6 Quantifying risks
27.4 Prioritising protection goals
27.5 Methodology
27.5.1 Top-down design
27.5.2 Iterative design: from spiral to agile
27.5.3 The secure development lifecycle
27.5.4 Gated development
27.5.5 Software as a Service
27.5.6 From DevOps to DevSecOps
27.5.6.1 The Azure ecosystem
27.5.6.2 The Google ecosystem
27.5.6.3 Creating a learning system
27.5.7 The vulnerability cycle
27.5.7.1 The CVE system
27.5.7.2 Coordinated disclosure
27.5.7.3 Security incident and event management
27.5.8 Organizational mismanagement of risk
27.6 Managing the team
27.6.1 Elite engineers
27.6.2 Diversity
27.6.3 Nurturing skills and attitudes
27.6.4 Emergent properties
27.6.5 Evolving your workflow
27.6.6 And finally…
27.7 Summary
Research problems
Further reading
Notes
CHAPTER 28 Assurance and Sustainability
28.1 Introduction
28.2 Evaluation
28.2.1 Alarms and locks
28.2.2 Safety evaluation regimes
28.2.3 Medical device safety
28.2.4 Aviation safety
28.2.5 The Orange book
28.2.6 FIPS 140 and HSMs
28.2.7 The common criteria
28.2.7.1 The gory details
28.2.7.2 What goes wrong with the Common Criteria
28.2.7.3 Collaborative protection profiles
28.2.8 The ‘Principle of Maximum Complacency’
28.2.9 Next steps
28.3 Metrics and dynamics of dependability
28.3.1 Reliability growth models
28.3.2 Hostile review
28.3.3 Free and open-source software
28.3.4 Process assurance
28.4 The entanglement of safety and security
28.4.1 The electronic safety and security of cars
28.4.2 Modernising safety and security regulation
28.4.3 The Cybersecurity Act 2019
28.5 Sustainability
28.5.1 The Sales of goods directive
28.5.2 New research directions
28.6 Summary
Research problems
Further reading
Notes
CHAPTER 29 Beyond “Computer Says No”
Bibliography
Index
About the Author
Acknowledgements
WILEY END USER LICENSE AGREEMENT
Excerpt from the book
Third Edition
.....
In this chapter I've grouped adversaries under four general themes: spies, crooks, hackers and bullies. Not all threat actors are bad: many hackers report bugs responsibly and many whistleblowers are public-spirited. (‘Our’ spies are of course considered good while ‘theirs’ are bad; moral valence depends on the public and private interests in play.) Intelligence and law enforcement agencies may use a mix of traffic data analysis and content sampling when hunting, and targeted collection for gathering; collection methods range from legal coercion via malware to deception. Both spies and crooks use malware to establish botnets as infrastructure. Crooks typically use opportunistic collection for mass attacks, while for targeted work, spear-phishing is the weapon of choice; the agencies may have fancier tools but use the same basic methods. There are also cybercrime ecosystems attached to specific business sectors; crime will evolve where it can scale. As for the swamp, the weapon of choice is the angry mob, wielded nowadays by states, activist groups and even individual orators. There are many ways in which abuse can scale, and when designing a system you need to work out how crimes against it, or abuse using it, might scale. It's not enough to think about usability; you need to think about abusability too.
Personal abuse matters too. Every police officer knows that the person who assaults you or murders you isn't usually a stranger, but someone you know – maybe another boy in your school class, or your stepfather. This has been ignored by the security research community, perhaps because we're mostly clever white or Asian boys from stable families in good neighbourhoods.
.....