Cyber Shelf

// Comparison

Real-World Cryptography vs The Web Application Hacker's Handbook: Which Should You Read?

Two cybersecurity books on AppSec, compared honestly: who each is for, what each does best, and which to read first.

Intermediate
5/52021
Real-World Cryptography

David Wong

David Wong's hands-on tour of the cryptographic primitives, protocols and pitfalls that show up in actual production systems, with deliberate attention to TLS, Noise, modern AEAD, and post-quantum.

Intermediate
4/52011
The Web Application Hacker's Handbook

Finding and Exploiting Security Flaws

Dafydd Stuttard, Marcus Pinto

The exhaustive reference for web app pentesting, comprehensive but increasingly a historical document.

Read this if

Working engineers who need to make crypto decisions in real systems: AEAD ciphers, key exchange, signatures, password hashing, PKI, end-to-end encryption, post-quantum migration. The new modern default and the book we recommend first to almost anyone touching cryptography in production.
Anyone moving from CTF web challenges into real engagements who needs a systematic mental model of attack surface.

Skip this if

Cryptography researchers or readers wanting full mathematical proofs. The math is bounded to what an engineer needs to evaluate choices, not full constructions. For the next layer of depth read Serious Cryptography after this.
Frontend-heavy apps in 2024. SPA-specific bugs, JWT pitfalls, GraphQL, and modern CSP are barely covered or absent entirely.

Key takeaways

  • Most crypto vulnerabilities are misuse, not broken primitives; Wong's framing of "what to use, what to avoid" is the cleanest in print.
  • TLS 1.3, Noise, and Signal-style protocols compose primitives in patterns engineers should recognise on sight, this book teaches the patterns.
  • Post-quantum cryptography is no longer optional reading; the book introduces the lattice and hash-based constructions you'll be deploying within a few years.
  • Authentication, session management, and access control are still where most real bugs live.
  • Methodology beats tooling, the structure of how you map an app matters more than which scanner you run.
  • Use it as a reference for the classes of bug, then cross-check with PortSwigger Academy for the modern exploitation details.

How they compare

We rate Real-World Cryptography higher (5/5 against 4/5 for The Web Application Hacker's Handbook). For most readers, that means Real-World Cryptography is the primary pick and The Web Application Hacker's Handbook is a useful follow-up.

Both books target intermediate-level readers, so the choice is about topic, not difficulty.

Real-World Cryptography and The Web Application Hacker's Handbook both cover AppSec, so reading them in sequence reinforces the same material from different angles.

Keep reading

Real-World Cryptography

Alternatives to Real-World CryptographyWhat to read after Real-World Cryptography

The Web Application Hacker's Handbook

Alternatives to The Web Application Hacker's HandbookWhat to read after The Web Application Hacker's Handbook

Related topics

AppSec