The Art of Software Security Assessment vs Real-World Cryptography: Which Should You Read?
Two cybersecurity books on AppSec, compared honestly: who each is for, what each does best, and which to read first.
The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities
Mark Dowd, John McDonald, Justin Schuh
The 1200-page reference on auditing C/C++ codebases for security: parsing complex memory and integer interactions, language pitfalls, and how vulnerabilities arise from interactions between layers.

Real-World Cryptography
David Wong
David Wong's hands-on tour of the cryptographic primitives, protocols and pitfalls that show up in actual production systems, with deliberate attention to TLS, Noise, modern AEAD, and post-quantum.
Key takeaways

The Art of Software Security Assessment:
- Vulnerability classes (memory corruption, integer issues, format strings, race conditions) arise from interactions between layers; the book teaches you to see the boundaries.
- The chapter on integer issues is the canonical reference; most public CVEs in C/C++ codebases through 2025 still trace back to patterns Dowd, McDonald and Schuh named here.
- The case studies (Apache, Postfix, Solaris, OpenSSL) make the abstractions concrete; reading them in order builds the auditor's eye in a way nothing else does.

Real-World Cryptography:
- Most crypto vulnerabilities are misuse, not broken primitives; Wong's framing of "what to use, what to avoid" is the cleanest in print.
- TLS 1.3, Noise, and Signal-style protocols compose primitives in patterns engineers should recognise on sight; this book teaches the patterns.
- Post-quantum cryptography is no longer optional reading; the book introduces the lattice-based and hash-based constructions you'll be deploying within a few years.
How they compare
The Art of Software Security Assessment and Real-World Cryptography are both rated 5/5 in our catalog. Pick by topic preference and reading style rather than by rating.
The Art of Software Security Assessment is pitched at an advanced level; Real-World Cryptography is pitched at an intermediate level. If you're not yet comfortable with the topic, read the easier one first.
The Art of Software Security Assessment and Real-World Cryptography both cover AppSec, so reading them in sequence reinforces the same material from different angles.
Keep reading
The Art of Software Security Assessment
The Art of Software Security Assessment
→ Alternatives to The Art of Software Security Assessment
→ What to read after The Art of Software Security Assessment

Real-World Cryptography
→ Alternatives to Real-World Cryptography
→ What to read after Real-World Cryptography