Cyber Shelf

// Comparison

Foundations of Information Security vs Web Security for Developers: Which Should You Read?

Two cybersecurity books on Defensive, compared honestly: who each is for, what each does best, and which to read first.

Beginner
4/52019
Foundations of Information Security

A Straightforward Introduction

Jason Andress

Jason Andress' compact tour of the field: confidentiality / integrity / availability, identification and authentication, network and OS controls, written for newcomers and adjacent disciplines.

Beginner
4/52020
Web Security for Developers

Real Threats, Practical Defense

Malcolm McDonald

Malcolm McDonald's developer-side primer on the OWASP-class issues, framed around real attacks and defended with code patterns rather than vendor products.

Read this if

Anyone new to the field who wants the entire territory mapped on a single shelf, in a single short book. Andress is the cleanest tour of CIA, IAM, network, software, operations, and crypto for newcomers.
Developers who want to understand security without security people in the loop. McDonald is the rare author who explains XSS, CSRF, SQLi, auth and sessions without offensive tooling distractions, in the language a working coder uses.

Skip this if

Anyone who already works in the field. The book is broad and shallow by design; specialists will find every chapter familiar.
Practitioners who already know OWASP cold, or readers wanting depth on modern bug classes (SSRF chains, prototype pollution, race conditions). The book is foundational, not advanced.

Key takeaways

  • Covers every major domain of security at survey-level depth, which is exactly what a beginner needs to choose a specialization.
  • The operations security chapter is unusually strong for an intro book; most authors skip it because it's unsexy, Andress doesn't.
  • Pairs naturally with one or two deep-dive books per topic from this catalog; treat it as the master index.
  • The framing "real threats, practical defense" is the book's design choice and its strongest pedagogical move; every chapter starts with the attack and ends with the defensive code pattern.
  • Web security is mostly the same dozen mistakes for two decades; once you know the taxonomy, modern variants are recognizable.
  • The chapter on session management and the chapter on third-party JS are the two highest-leverage pieces of the book for engineers who already know the basics.

How they compare

Foundations of Information Security and Web Security for Developers are both rated 4/5 in our catalog. Pick by topic preference and reading style rather than by rating.

Both books target beginner-level readers, so the choice is about topic, not difficulty.

Foundations of Information Security and Web Security for Developers both cover Defensive, so reading them in sequence reinforces the same material from different angles.

Keep reading

Foundations of Information Security

Alternatives to Foundations of Information SecurityWhat to read after Foundations of Information Security

Web Security for Developers

Alternatives to Web Security for DevelopersWhat to read after Web Security for Developers

Related topics

Defensive