What Is Security Engineering (archive post)

To make sure I keep a copy of this post, originally posted at the Hackbright blog, here it is.

As a Hackbright student or alumna, you probably plan to participate in building the foundation of our shiny new automated world. (Thanks for joining us! We need you.)

Software, firmware, and computing hardware underlie essentially all aspects of our society — the safety systems in our cars (and trains, and airplanes), our financial systemcritical infrastructure like energy and water purification, our healthcare system, and our culture. Even hand-crafted clothing is sold on Etsy and is made of cotton spun by a robot.

But it’s not enough that our infrastructure merely work. It has to work well and reliably under all kinds of pressure: human error (operator — and developer!), bad weather, bad luck, radio interference, hardware failure, network outages, criminal malfeasance. Even war.

Security engineering requires adopting a new mindset, at once cautious and conservative, yet also willing to calculate risks and experiment. Either perspective on its own is not enough; we must be of two minds to succeed.

Software security engineers are the professional pessimists who insist that Twitter must encrypt and authenticate all its network traffic even though it might seem less important than, say, banking. (Ironically, we then beg and plead with banks to adopt security at least as good as Twitter’s.) We worry about how impossible it is to audit the hardware which we have to assume is safeNormal people see a TV, but we see Winston Smith’s telescreen. We are those annoying friends who remind their co-workers that computers cannot, in fact, correctly add two numbers together (not without significant help, at least).

Software security engineers are the professional optimists who try to make computers work safely in spite of Murphy’s best efforts — we will try to program Satan’s computer. We dream of a world in which robot cars tell each other only the truth about their position and speed. We dream of a world in which credit card and ATM fraud is mere statistical noise. We dream of a world in which your phone is really off when you turn it off, and which keeps your communications with your doctor confidential when it is on.

We dream of a world in which books cannot be burned.

Resources

If you’re interested in security engineering (and I hope you are, even if you don’t choose to make it your specialty), you can get involved at any point in your career. One of the best ways to get started is — as always — simply getting your hands dirty.

And, as always, find a good community to learn with. Or build your own!