// Comparison

Alice and Bob Learn Application Security vs Real-World Cryptography: Which Should You Read?

Two cybersecurity books on AppSec, compared honestly: who each is for, what each does best, and which to read first.

Beginner

4/52020

Alice and Bob Learn Application Security

Tanya Janca

Tanya Janca's hands-on AppSec primer covering threat modeling, secure design, secure coding, testing, deployment, and the social side of running an AppSec program — through a friendly, narrative-driven structure.

Intermediate

5/52021

Real-World Cryptography

David Wong

David Wong's hands-on tour of the cryptographic primitives, protocols and pitfalls that show up in actual production systems, with deliberate attention to TLS, Noise, modern AEAD, and post-quantum.

Read this if

Software developers, junior AppSec engineers, and security champions who need a single, friendly book that covers the AppSec lifecycle without assuming security knowledge. Excellent as the first book to hand to a developer asked to lead AppSec for their team.

Working engineers who need to make crypto decisions in real systems: AEAD ciphers, key exchange, signatures, password hashing, PKI, end-to-end encryption, post-quantum migration. The new modern default and the book we recommend first to almost anyone touching cryptography in production.

Skip this if

Senior AppSec professionals who already have the lifecycle internalized; the book is a primer by design. Also relatively light on cloud-native AppSec specifics (IaC scanning, supply-chain attestation), which Janca's later writing covers more deeply.

Cryptography researchers or readers wanting full mathematical proofs. The math is bounded to what an engineer needs to evaluate choices, not full constructions. For the next layer of depth read Serious Cryptography after this.

Key takeaways

AppSec is a lifecycle discipline, not a scanning discipline; Janca's structure makes that argument by walking through each stage with concrete examples.
Most AppSec wins come from secure design and developer-relations work, not from finding more bugs at the end of the SDLC.
The book's tone is its underrated strength — many developers will finish this book; very few will finish a more formal AppSec textbook.

Most crypto vulnerabilities are misuse, not broken primitives; Wong's framing of "what to use, what to avoid" is the cleanest in print.
TLS 1.3, Noise, and Signal-style protocols compose primitives in patterns engineers should recognise on sight, this book teaches the patterns.
Post-quantum cryptography is no longer optional reading; the book introduces the lattice and hash-based constructions you'll be deploying within a few years.

How they compare

We rate Real-World Cryptography higher (5/5 against 4/5 for Alice and Bob Learn Application Security). For most readers, that means Real-World Cryptography is the primary pick and Alice and Bob Learn Application Security is a useful follow-up.

Alice and Bob Learn Application Security is pitched at beginner level. Real-World Cryptography is pitched at intermediate level. Read the easier one first if you're not yet comfortable with the topic.

Alice and Bob Learn Application Security and Real-World Cryptography both cover AppSec, so reading them in sequence reinforces the same material from different angles.

Keep reading