// Comparison

Security Chaos Engineering vs Security Engineering: Which Should You Read?

Two cybersecurity books on Defensive, compared honestly: who each is for, what each does best, and which to read first.

Advanced

5/52023

Sustaining Resilience in Software and Systems

Kelly Shortridge, Aaron Rinehart

Kelly Shortridge and Aaron Rinehart on treating security as a property of complex adaptive systems: instead of preventing failure, you continuously simulate it, and design the organization to learn from each result.

Advanced

5/52020

Security Engineering

A Guide to Building Dependable Distributed Systems

Ross Anderson

Ross Anderson's comprehensive textbook on the design of secure systems, covering protocols, access control, side channels, economics of security, and policy.

Read this if

Security architects, SREs, and platform engineers ready to abandon the prevention-first frame. Particularly strong for organizations that already practice chaos engineering for reliability and want to extend the discipline to security; the book is the bridge.

Anyone who builds, audits, or governs systems where failure has real-world consequences: banking, healthcare, voting, telecom, defence. The single most important security book ever written, and the rare textbook that improves with each edition.

Skip this if

Practitioners working in heavily regulated environments where intentional production faults are not legal, or smaller organizations without the operational maturity to run game days safely. Also a poor first security book: it assumes you know what threat models, blast radius, and feedback loops are.

Readers looking for a hands-on tooling guide or a quick certification primer. Anderson works at the systems and policy layer; if you need to learn how to use Burp, this is not it. The 1,200 pages also reward patient readers, not skimmers.

Key takeaways

Security and reliability share the same root engineering problem: how to keep complex systems within tolerable bounds when the failure surface is unbounded.
Decision trees and effort-vs-impact analysis are operationalizable artifacts, not just blog material; the book teaches you to actually use them.
Continuous experimentation is more honest than tabletop exercises: production tells you what is true, runbooks tell you what someone wished were true.

Most production failures are economic and organisational, not cryptographic: incentives shape outcomes far more than primitives.
Threat models from one domain (banking, telecom, military) generalize to the next once you know what to look for, and Anderson is the best in the field at showing you.
Side channels, supply chains, and policy are first-class engineering concerns, not footnotes.

How they compare

Security Chaos Engineering and Security Engineering are both rated 5/5 in our catalog. Pick by topic preference and reading style rather than by rating.

Both books target advanced-level readers, so the choice is about topic, not difficulty.

Security Chaos Engineering and Security Engineering both cover Defensive, Security Architecture, so reading them in sequence reinforces the same material from different angles.

Keep reading

Security Chaos Engineering

→ Alternatives to Security Chaos Engineering → What to read after Security Chaos Engineering