// Comparison

Building Secure and Reliable Systems vs Evasive Malware: Which Should You Read?

Two cybersecurity books on Defensive, compared honestly: who each is for, what each does best, and which to read first.

Advanced

5/52020

Best Practices for Designing, Implementing, and Maintaining Systems

Heather Adkins, Betsy Beyer, Paul Blankinship, Piotr Lewandowski, Ana Oprea, Adam Stubblefield

Google's site-reliability and security teams jointly write down what it actually takes to build systems that are both safe and dependable, from threat models and design reviews to rollback culture and crisis response.

Advanced

4/52024

Evasive Malware

A Field Guide to Detecting, Analyzing, and Defeating Advanced Threats

Kyle Cucci

Kyle Cucci on the anti-analysis arms race: sandbox detection, anti-debug, anti-VM, packing, and the analyst-side tooling and tradecraft that get past those layers.

Read this if

Staff-and-up engineers, SREs, and security leads designing or operating systems where reliability and security must be argued for in the same room. The book treats safety and security as the same engineering discipline, which is the right model and almost nobody else publishes it.

Malware analysts who finished Practical Malware Analysis and keep getting beaten by samples that detect their sandbox. The current reference on anti-analysis tradecraft, by a respected sandbox-and-detection practitioner.

Skip this if

Readers who want a tooling tutorial or vendor-neutral checklists. The case studies are Google-shaped, and the patterns assume you have the discipline (postmortems, code review, paved roads) to execute them. If your org cannot stop a deploy, half the book will read as aspirational.

Beginners. Cucci assumes you already know how to set up a sandbox, run static and dynamic analysis, and read assembly; the book picks up where PMA leaves off.

Key takeaways

Reliability and security share a common substrate: both are about designing for failure modes you cannot fully predict, and both decay if not exercised.
Recovery, not prevention, is the core skill of mature security organizations; the rollback, response, and recovery chapters are the heart of the book.
Most security wins come from boring infrastructure (paved roads, default-secure libraries, code review, sandboxing) rather than detection magic.

Anti-VM and anti-sandbox checks now run as the first instructions of most samples; the book catalogues the dominant patterns and how to neutralise them.
Modern packers are conceptually simple but operationally demanding; Cucci's framing of unpacking-as-staged-emulation is the cleanest in print.
Control-flow obfuscation (opaque predicates, virtualization-based protections) is the analyst's hardest current problem; the chapters on it justify the book on their own.

How they compare

We rate Building Secure and Reliable Systems higher (5/5 against 4/5 for Evasive Malware). For most readers, that means Building Secure and Reliable Systems is the primary pick and Evasive Malware is a useful follow-up.

Both books target advanced-level readers, so the choice is about topic, not difficulty.

Building Secure and Reliable Systems and Evasive Malware both cover Defensive, so reading them in sequence reinforces the same material from different angles.

Keep reading

Building Secure and Reliable Systems

→ Alternatives to Building Secure and Reliable Systems → What to read after Building Secure and Reliable Systems