// Comparison

Designing Secure Software vs Web Security for Developers: Which Should You Read?

Two cybersecurity books on AppSec, compared honestly: who each is for, what each does best, and which to read first.

Intermediate

5/52021

A Guide for Developers

Loren Kohnfelder

Loren Kohnfelder, the original PKI author, on how to weave security thinking through requirements, design, implementation and operations rather than bolt it on at the end.

Beginner

4/52020

Web Security for Developers

Real Threats, Practical Defense

Malcolm McDonald

Malcolm McDonald's developer-side primer on the OWASP-class issues, framed around real attacks and defended with code patterns rather than vendor products.

Read this if

Senior developers and architects who already write code well and now want to design systems that don't ship CVEs. Kohnfelder is the author who literally wrote the X.509 paper; the book is a career's worth of design wisdom in 312 pages.

Developers who want to understand security without security people in the loop. McDonald is the rare author who explains XSS, CSRF, SQLi, auth and sessions without offensive tooling distractions, in the language a working coder uses.

Skip this if

Beginners or readers wanting hands-on tooling. The book is design-level: principles, patterns, and case studies. Pair with implementation-level books for the line-of-code view.

Practitioners who already know OWASP cold, or readers wanting depth on modern bug classes (SSRF chains, prototype pollution, race conditions). The book is foundational, not advanced.

Key takeaways

Secure-by-design is mostly avoided pitfalls; the book's enumeration of common-but-fatal mistakes is the cleanest mental checklist a designer can carry.
Trust boundaries are the single most useful concept in secure design; the book teaches you to see them in any architecture.
Most security debates inside engineering organizations resolve to a handful of repeated trade-offs (defense in depth vs. simplicity, blocking vs. logging, fail-open vs. fail-closed); the book names them and provides the language for the conversation.

The framing "real threats, practical defense" is the book's design choice and its strongest pedagogical move; every chapter starts with the attack and ends with the defensive code pattern.
Web security is mostly the same dozen mistakes for two decades; once you know the taxonomy, modern variants are recognizable.
The chapter on session management and the chapter on third-party JS are the two highest-leverage pieces of the book for engineers who already know the basics.

How they compare

We rate Designing Secure Software higher (5/5 against 4/5 for Web Security for Developers). For most readers, that means Designing Secure Software is the primary pick and Web Security for Developers is a useful follow-up.

Designing Secure Software is pitched at intermediate level. Web Security for Developers is pitched at beginner level. Read the easier one first if you're not yet comfortable with the topic.

Designing Secure Software and Web Security for Developers both cover AppSec, Defensive, so reading them in sequence reinforces the same material from different angles.

Keep reading

Designing Secure Software

→ Alternatives to Designing Secure Software → What to read after Designing Secure Software