Modern systems are an intertwined mesh of human process, physical security, and technology. Many times, an attacker will leverage a weakness in one form of security to gain control over an otherwise protected operation.
Designing Secure Systems takes a theory-based approach to concepts underlying all forms of systems, from padlocks to phishing to enterprise software architecture. In this book, we will discuss similarities in how a weakness in one part of a process enables vulnerability to bleed into another by applying standards and frameworks used in the cybersecurity world to assess the system as a complete process including people, processes, and technology.
In Designing Secure Systems, we begin by describing the core concepts of access, authorization, authentication, and exploitation. We then break authorization down into five interrelated components and describe how these aspects apply to physical, human process, and cybersecurity.
In the second portion of the book, we discuss how to operate a secure system based on the NIST Cybersecurity Framework (CSF) concepts of identify, protect, detect, respond, and recover.
Other topics covered in this book include The NIST National Vulnerability Database (NVD), MITRE Common Vulnerability Scoring System (CVSS), Microsoft's Security Development Lifecycle (SDL), and the MITRE ATT&CK Framework.
This is an intermediate level look at designing secure computer systems. Its chief strength is that the author constantly provides both "technological" and "physical-world" examples of each concept he is explaining. This certainly helps the non-technical reader visualize and understand the more difficult concepts. The first half of the book covers five major concepts involved in a secure system design. The second half of the book looks at how these concepts interact in the protection process through an identify-protect-detect-respond-recover framework. Perhaps the best chapter for the lay reader goes through a series of examples from the movie Oceans 11. There is a LOT of terminology that gets covered, so my only recommendation for improvement would be to include a glossary of terms at the back of the book. All in all, a good primer in this area.