Security Engineering
Security engineering is about building systems to remain dependable in the face of malice, error, or mischance.
- Ross Anderson, "Security Engineering"
Security often ends up taking a back seat to building out features and standing up new systems. If you squint at the quote at the beginning of this chapter, it looks very close to what a distributed systems engineer would say about faults: attacks are just another class of invalid input to your system, and you should have reasonable measures in place to protect against them. I was heavily influenced by Ross Anderson's book early in my career, so I'll present the same framework for what constitutes good security engineering:
- Policy - a succinct statement of what the engineering effort is supposed to achieve: which assets matter, who may do what with them, and what must never happen
- Mechanism - how you implement the policy: ciphers, access controls, tamper-resistant hardware, protocols, and so on
- Assurance - how much reliance you can place on each mechanism, i.e. how confident you are that it actually enforces the policy under attack, not just under normal use
- Incentive - the motives of the people building, operating, and guarding the system, and the motives of the people attacking it
All four have to hold together. A strong cipher (mechanism) guarding data no one has decided is sensitive (policy), deployed by an operator who is not rewarded for keeping it working (incentive), is not security, however good the cryptography.