Real-World Cryptography vs The Database Hacker's Handbook: Which Should You Read?

Two cybersecurity books on AppSec, compared honestly: who each is for, what each does best, and which to read first.

Intermediate
5/5
2021
Real-World Cryptography

David Wong

David Wong's hands-on tour of the cryptographic primitives, protocols and pitfalls that show up in actual production systems, with deliberate attention to TLS, Noise, modern AEAD, and post-quantum cryptography.

Advanced
3/5
2005
The Database Hacker's Handbook

Defending Database Servers

David Litchfield, Chris Anley, John Heasman, Bill Grindlay

Litchfield, Anley, Heasman, and Grindlay's exhaustive 2005 reference on attacking and defending Oracle, SQL Server, DB2, MySQL, PostgreSQL, Sybase, and Informix — the era when the database engine itself was the soft target.

Read this if

  • Real-World Cryptography: working engineers who need to make crypto decisions in real systems: AEAD ciphers, key exchange, signatures, password hashing, PKI, end-to-end encryption, post-quantum migration. Now the modern default, and the book we recommend first to almost anyone touching cryptography in production.
  • The Database Hacker's Handbook: vulnerability researchers and DBAs interested in the genealogy of database security. The Oracle and SQL Server chapters are still the most thorough printed references on the engines' internal attack surface and the patterns Litchfield made famous.

Skip this if

  • Real-World Cryptography: cryptography researchers or readers wanting full mathematical proofs. The math is limited to what an engineer needs to evaluate choices, not full constructions. For the next layer of depth, read Serious Cryptography after this.
  • The Database Hacker's Handbook: anyone needing current cloud-database (RDS, Aurora, Cosmos, BigQuery) tradecraft, modern application-layer SQLi (handled by The Web Application Hacker's Handbook), or NoSQL-injection techniques. The book pre-dates almost everything load-bearing in 2026 database security.

Key takeaways

  • Most crypto vulnerabilities are misuse, not broken primitives; Wong's framing of "what to use, what to avoid" is the cleanest in print.
  • TLS 1.3, Noise, and Signal-style protocols compose primitives in patterns engineers should recognise on sight; this book teaches those patterns.
  • Post-quantum cryptography is no longer optional reading; the book introduces the lattice and hash-based constructions you'll be deploying within a few years.
  • Database engines were once routinely RCE-able from a low-privileged session; the chapters document why the discipline shifted toward managed cloud databases.
  • The Oracle PL/SQL injection material is still the canonical reference and influenced a generation of vulnerability research.
  • The book's structural argument — every database is a different OS — explains why per-engine deep knowledge is still required for serious database security work.

How they compare

We rate Real-World Cryptography higher (5/5 against 3/5 for The Database Hacker's Handbook). For most readers, that means Real-World Cryptography is the primary pick and The Database Hacker's Handbook is a useful follow-up.

Real-World Cryptography is pitched at intermediate level. The Database Hacker's Handbook is pitched at advanced level. Read the easier one first if you're not yet comfortable with the topic.

Real-World Cryptography and The Database Hacker's Handbook both cover AppSec, so reading them in sequence reinforces the same material from different angles.
