Cyber Shelf

// Comparison

How Cybersecurity Really Works vs Web Security for Developers: Which Should You Read?

Two cybersecurity books on Defensive, compared honestly: who each is for, what each does best, and which to read first.

Beginner
4/52021
How Cybersecurity Really Works

A Hands-On Guide for Total Beginners

Sam Grubb

Sam Grubb's gentle, exercise-driven introduction for non-specialists who need a working mental model of attacker behaviour and basic defence.

Beginner
4/52020
Web Security for Developers

Real Threats, Practical Defense

Malcolm McDonald

Malcolm McDonald's developer-side primer on the OWASP-class issues, framed around real attacks and defended with code patterns rather than vendor products.

Read this if

Non-engineers who need the field demystified. Grubb is the gentlest serious introduction in print: malware, phishing, network attacks, defenses, all explained in plain language without dumbing down.
Developers who want to understand security without security people in the loop. McDonald is the rare author who explains XSS, CSRF, SQLi, auth and sessions without offensive tooling distractions, in the language a working coder uses.

Skip this if

Engineers, IT people, or anyone who already understands how the internet works. The book assumes nothing; for technical readers it'll feel slow.
Practitioners who already know OWASP cold, or readers wanting depth on modern bug classes (SSRF chains, prototype pollution, race conditions). The book is foundational, not advanced.

Key takeaways

  • The chapter on threat modeling for individuals (not companies) is the one most teachers steal from: how to think about your own digital risk.
  • The hands-on labs at the end of each chapter make the book usable for actual classroom teaching, not just self-study.
  • Strikes the rare balance between respects-the-reader and explains-what-an-IP-address-is. Most beginner books fail one or the other.
  • The framing "real threats, practical defense" is the book's design choice and its strongest pedagogical move; every chapter starts with the attack and ends with the defensive code pattern.
  • Web security is mostly the same dozen mistakes for two decades; once you know the taxonomy, modern variants are recognizable.
  • The chapter on session management and the chapter on third-party JS are the two highest-leverage pieces of the book for engineers who already know the basics.

How they compare

How Cybersecurity Really Works and Web Security for Developers are both rated 4/5 in our catalog. Pick by topic preference and reading style rather than by rating.

Both books target beginner-level readers, so the choice is about topic, not difficulty.

How Cybersecurity Really Works and Web Security for Developers both cover Defensive, so reading them in sequence reinforces the same material from different angles.

Keep reading

How Cybersecurity Really Works

Alternatives to How Cybersecurity Really WorksWhat to read after How Cybersecurity Really Works

Web Security for Developers

Alternatives to Web Security for DevelopersWhat to read after Web Security for Developers

Related topics

Defensive