// Comparison

Cryptography Engineering vs Designing Secure Software: Which Should You Read?

Two cybersecurity books on Defensive, compared honestly: who each is for, what each does best, and which to read first.

Intermediate

4/52010

Cryptography Engineering

Design Principles and Practical Applications

Niels Ferguson, Bruce Schneier, Tadayoshi Kohno

A working engineer's introduction to cryptography that takes implementation pitfalls more seriously than most.

Intermediate

5/52021

Designing Secure Software

A Guide for Developers

Loren Kohnfelder

Loren Kohnfelder, the original PKI author, on how to weave security thinking through requirements, design, implementation and operations rather than bolt it on at the end.

Read this if

Engineers who need to evaluate cryptographic choices in real systems and want intuition for why the standard advice exists.

Senior developers and architects who already write code well and now want to design systems that don't ship CVEs. Kohnfelder is the author who literally wrote the X.509 paper; the book is a career's worth of design wisdom in 312 pages.

Skip this if

Researchers needing rigor, for that, read Boneh/Shoup or Katz/Lindell. Also dated on TLS 1.3, modern AEAD norms, and post-quantum.

Beginners or readers wanting hands-on tooling. The book is design-level: principles, patterns, and case studies. Pair with implementation-level books for the line-of-code view.

Key takeaways

Almost every cryptographic disaster is an integration failure, not a primitive failure.
Don't roll your own, but understand enough to recognize when the library you're using is wrong.
Side channels are not exotic; they are the default mode of failure.

Secure-by-design is mostly avoided pitfalls; the book's enumeration of common-but-fatal mistakes is the cleanest mental checklist a designer can carry.
Trust boundaries are the single most useful concept in secure design; the book teaches you to see them in any architecture.
Most security debates inside engineering organizations resolve to a handful of repeated trade-offs (defense in depth vs. simplicity, blocking vs. logging, fail-open vs. fail-closed); the book names them and provides the language for the conversation.

How they compare

We rate Designing Secure Software higher (5/5 against 4/5 for Cryptography Engineering). For most readers, that means Designing Secure Software is the primary pick and Cryptography Engineering is a useful follow-up.

Both books target intermediate-level readers, so the choice is about topic, not difficulty.

Cryptography Engineering and Designing Secure Software both cover Defensive, AppSec, so reading them in sequence reinforces the same material from different angles.

Keep reading