// Comparison
The Database Hacker's Handbook vs The Tangled Web: Which Should You Read?
Two cybersecurity books on AppSec, compared honestly: who each is for, what each does best, and which to read first.
Defending Database Servers
David Litchfield, Chris Anley, John Heasman, Bill Grindlay
Litchfield, Anley, Heasman, and Grindlay's exhaustive 2005 reference on attacking and defending Oracle, SQL Server, DB2, MySQL, PostgreSQL, Sybase, and Informix — the era when the database engine itself was the soft target.
The deepest book ever written on the strange, accreted security model of the web browser.
Read this if
Skip this if
Key takeaways
- Database engines were once routinely RCE-able from a low-privileged session; the chapters document why the discipline shifted toward managed cloud databases.
- The Oracle PL/SQL injection material is still the canonical reference and influenced a generation of vulnerability research.
- The book's structural argument — every database is a different OS — explains why per-engine deep knowledge is still required for serious database security work.
- The web's security model is not designed; it is excavated.
- Origins, schemes, and trust boundaries are the only real abstractions; everything else is a leaky negotiation.
- Specifications and reality diverge constantly, and the divergence is where bugs live.
How they compare
We rate The Tangled Web higher (5/5 against 3/5 for The Database Hacker's Handbook). For most readers, that means The Tangled Web is the primary pick and The Database Hacker's Handbook is a useful follow-up.
Both books target advanced-level readers, so the choice is about topic, not difficulty.
The Database Hacker's Handbook and The Tangled Web both cover AppSec, so reading them in sequence reinforces the same material from different angles.
Keep reading
The Database Hacker's Handbook
→ Alternatives to The Database Hacker's Handbook→ What to read after The Database Hacker's Handbook