Cyber Shelf

// Comparison

Designing Secure Software vs Real-World Cryptography: Which Should You Read?

Two cybersecurity books on AppSec, compared honestly: who each is for, what each does best, and which to read first.

Intermediate
5/52021
Designing Secure Software

A Guide for Developers

Loren Kohnfelder

Loren Kohnfelder, the original PKI author, on how to weave security thinking through requirements, design, implementation and operations rather than bolt it on at the end.

Intermediate
5/52021
Real-World Cryptography

David Wong

David Wong's hands-on tour of the cryptographic primitives, protocols and pitfalls that show up in actual production systems, with deliberate attention to TLS, Noise, modern AEAD, and post-quantum.

Read this if

Senior developers and architects who already write code well and now want to design systems that don't ship CVEs. Kohnfelder is the author who literally wrote the X.509 paper; the book is a career's worth of design wisdom in 312 pages.
Working engineers who need to make crypto decisions in real systems: AEAD ciphers, key exchange, signatures, password hashing, PKI, end-to-end encryption, post-quantum migration. The new modern default and the book we recommend first to almost anyone touching cryptography in production.

Skip this if

Beginners or readers wanting hands-on tooling. The book is design-level: principles, patterns, and case studies. Pair with implementation-level books for the line-of-code view.
Cryptography researchers or readers wanting full mathematical proofs. The math is bounded to what an engineer needs to evaluate choices, not full constructions. For the next layer of depth read Serious Cryptography after this.

Key takeaways

  • Secure-by-design is mostly avoided pitfalls; the book's enumeration of common-but-fatal mistakes is the cleanest mental checklist a designer can carry.
  • Trust boundaries are the single most useful concept in secure design; the book teaches you to see them in any architecture.
  • Most security debates inside engineering organizations resolve to a handful of repeated trade-offs (defense in depth vs. simplicity, blocking vs. logging, fail-open vs. fail-closed); the book names them and provides the language for the conversation.
  • Most crypto vulnerabilities are misuse, not broken primitives; Wong's framing of "what to use, what to avoid" is the cleanest in print.
  • TLS 1.3, Noise, and Signal-style protocols compose primitives in patterns engineers should recognise on sight, this book teaches the patterns.
  • Post-quantum cryptography is no longer optional reading; the book introduces the lattice and hash-based constructions you'll be deploying within a few years.

How they compare

Designing Secure Software and Real-World Cryptography are both rated 5/5 in our catalog. Pick by topic preference and reading style rather than by rating.

Both books target intermediate-level readers, so the choice is about topic, not difficulty.

Designing Secure Software and Real-World Cryptography both cover AppSec, so reading them in sequence reinforces the same material from different angles.

Keep reading

Designing Secure Software

Alternatives to Designing Secure SoftwareWhat to read after Designing Secure Software

Real-World Cryptography

Alternatives to Real-World CryptographyWhat to read after Real-World Cryptography

Related topics

AppSec