With the increasing deployment in mission-critical domains, it is of foremost importance to improve dependability of distributed real-time applications for cyber–physical systems (CPSs) with safety & security-critical threats. Different from existing works addressing the security or safety design separately, this article makes efforts to achieve the safety and security co-design from system-level perspective, especially considering the interplay between fault tolerance and security harden techniques. To guarantee the safety of real-time applications, fault-tolerant techniques, e.g., task re-execution and active replica, are leveraged to tolerate faults in task executions. To improve the security of distributed applications, cryptography is deployed to resist confidentiality attacks on messages delivered over the communication media. We analyze the impact of task’s fault tolerance on secure message communication, and then formulate the design problem as a multiobjective optimization problem, i.e., to minimize the failure probability and security vulnerability of the application while subject to given fault-tolerant constraints, execution constraints and deadline constraints. Since the optimization problem is NP-hard, we then propose an improved multiobjective optimization algorithm, called decomposition-based dependability co-optimization (DeDeCo) algorithm, to search for the optimal Pareto solutions of security and reliability harden assignments for messages and tasks, respectively. Extensive experiments and an industrial case evaluate the efficiency of DeDeCo, indicating that our design and optimization algorithm are suitable for improving the dependability of real-time applications running on security & safety-critical CPSs.