Real-World Cryptography vs Threat Modeling: Which Should You Read?
Two cybersecurity books on AppSec, compared honestly: who each is for, what each does best, and which to read first.
Real-World Cryptography: David Wong's hands-on tour of the cryptographic primitives, protocols and pitfalls that show up in actual production systems, with deliberate attention to TLS, Noise, modern AEAD, and post-quantum cryptography.
Threat Modeling: Adam Shostack's practitioner-oriented introduction to threat modeling: STRIDE, attack trees, and how to fit the practice into a real software-development lifecycle.
Key takeaways
- Most crypto vulnerabilities are misuse, not broken primitives; Wong's framing of "what to use, what to avoid" is the cleanest in print.
- TLS 1.3, Noise, and Signal-style protocols compose primitives in patterns engineers should recognise on sight; this book teaches those patterns.
- Post-quantum cryptography is no longer optional reading; the book introduces the lattice and hash-based constructions you'll be deploying within a few years.
- STRIDE is a forcing function for systematic thinking, not a complete model; the book teaches you when to use it and when to switch frames (attack trees, attacker personas, kill chains).
- Most "threat modeling tools" are spreadsheets with diagrams; the actual lift is the conversation those tools structure, not the document they produce.
- Threat modeling fits inside agile and works at PR-review timescale once you've done it three or four times; the book makes the case repeatedly with examples.
How they compare
Real-World Cryptography and Threat Modeling are both rated 5/5 in our catalog. Pick by topic preference and reading style rather than by rating.
Both books target intermediate-level readers, so the choice is about topic, not difficulty.
Real-World Cryptography and Threat Modeling both cover AppSec, so reading them in sequence reinforces the same material from different angles.