Cyber Shelf

// Comparison

Designing Secure Software vs The Practice of Network Security Monitoring: Which Should You Read?

Two cybersecurity books on Defensive, compared honestly: who each is for, what each does best, and which to read first.

Intermediate
5/52021
Designing Secure Software

A Guide for Developers

Loren Kohnfelder

Loren Kohnfelder, the original PKI author, on how to weave security thinking through requirements, design, implementation and operations rather than bolt it on at the end.

Intermediate
5/52013
The Practice of Network Security Monitoring

Understanding Incident Detection and Response

Richard Bejtlich

Richard Bejtlich's NSM playbook: how to deploy collection sensors, validate that you actually see what you think you see, and build detection workflows around open-source tools.

Read this if

Senior developers and architects who already write code well and now want to design systems that don't ship CVEs. Kohnfelder is the author who literally wrote the X.509 paper; the book is a career's worth of design wisdom in 312 pages.
Every SOC analyst and detection engineer. Bejtlich's foundational text on NSM: collect-everything, alert-on-narrow, investigate-broadly. Defines the vocabulary the modern detection field still uses.

Skip this if

Beginners or readers wanting hands-on tooling. The book is design-level: principles, patterns, and case studies. Pair with implementation-level books for the line-of-code view.
Readers wanting current SIEM tooling specifics. The book pre-dates EDR-as-default and modern cloud-native telemetry; the principles transfer, the tooling specifics don't.

Key takeaways

  • Secure-by-design is mostly avoided pitfalls; the book's enumeration of common-but-fatal mistakes is the cleanest mental checklist a designer can carry.
  • Trust boundaries are the single most useful concept in secure design; the book teaches you to see them in any architecture.
  • Most security debates inside engineering organizations resolve to a handful of repeated trade-offs (defense in depth vs. simplicity, blocking vs. logging, fail-open vs. fail-closed); the book names them and provides the language for the conversation.
  • Detection without prevention is a strategic choice, not a fallback; Bejtlich was years ahead in arguing the case and the book remains the clearest argument.
  • The four data types (full content, session, transactional, statistical) are still the right framework for thinking about detection coverage.
  • Most SOC failures are organizational and procedural, not tooling; the book's chapters on workflows, runbooks, and analyst growth are still the best in print.

How they compare

Designing Secure Software and The Practice of Network Security Monitoring are both rated 5/5 in our catalog. Pick by topic preference and reading style rather than by rating.

Both books target intermediate-level readers, so the choice is about topic, not difficulty.

Designing Secure Software and The Practice of Network Security Monitoring both cover Defensive, so reading them in sequence reinforces the same material from different angles.

Keep reading

Designing Secure Software

Alternatives to Designing Secure SoftwareWhat to read after Designing Secure Software

The Practice of Network Security Monitoring

Alternatives to The Practice of Network Security MonitoringWhat to read after The Practice of Network Security Monitoring

Related topics

Defensive