Security engineering
==Methodologies==
Technological advances, principally in the field of [[computer]]s, have now allowed the creation of far more complex systems, with new and complex security problems. Because modern systems cut across many areas of human endeavor, security engineers not only need to consider the mathematical and physical properties of systems; they also need to consider attacks on the people who use and form parts of those systems using [[Social engineering (computer security)|social engineering]] attacks. Secure systems have to resist not only technical attacks, but also [[coercion]], [[fraud]], and [[deception]] by [[confidence trickster]]s.

===Web applications===
{{Main|Web security}}
According to the ''[[Microsoft]] Developer Network'', the patterns and practices of security engineering consist of the following activities:<ref>{{cite web| url = http://msdn2.microsoft.com/en-us/library/ms998404.aspx| title = patterns & practices of Security Engineering}}</ref>
* Security Objectives
* Security Design Guidelines
* Security Modeling
* Security Architecture and Design Review
* Security Code Review
* Security Testing
* Security Tuning
* Security Deployment Review
These activities are designed to help meet security objectives in the [[software life cycle]].

===Physical===
{{Main|Physical security}}
[[File:Canadian Embassy DC 2007 002.jpg|thumb|Canadian Embassy in Washington, D.C. showing planters being used as vehicle barriers, and barriers and gates along the vehicle entrance]]
* Understanding of a ''typical'' threat and the usual risks to people and property.
* Understanding the incentives created both by the threat and the countermeasures.
* Understanding risk and threat analysis methodology and the benefits of an empirical study of the physical security of a facility.
* Understanding how to apply the methodology to buildings, critical infrastructure, ports, public transport and other facilities/compounds.
* Overview of common physical and technological methods of protection and understanding their roles in [[Deterrence (psychology)|deterrence]], detection and mitigation.
* Determining and prioritizing security needs and aligning them with the perceived threats and the available budget.

===Product===
Product security engineering is security engineering applied specifically to the products that an organization creates, distributes, and/or sells. Product security engineering is distinct from corporate/enterprise security,<ref>{{cite web |url=https://www.sans.org/reading-room/whitepapers/leadership/corporate-vs-product-security-34237 |title=Corporate vs. Product Security |last=Watson |first=Philip |publisher=SANS Institute |date=May 20, 2013 |website=SANS Institute Information Security Reading Room |access-date=October 13, 2020}}</ref> which focuses on securing corporate networks and systems that an organization uses to conduct business. Product security includes security engineering applied to:
* Hardware devices such as cell phones, computers, [[Internet of things]] devices, and cameras.
* Software such as operating systems, applications, and firmware.
Such security engineers are often employed in separate teams from corporate security teams and work closely with product engineering teams.

====Target hardening====
Whatever the target, there are multiple ways of preventing penetration by unwanted or unauthorized persons. Methods include placing [[Jersey barrier]]s, stairs or other sturdy obstacles outside tall or politically sensitive buildings to prevent car and [[truck bombing]]s. Improved methods of [[visitor management]] and some new electronic [[Lock (security device)|locks]] take advantage of technologies such as [[fingerprint]] scanning, iris or [[retinal scan]]ning, and [[voice identification|voiceprint identification]] to authenticate users.