Alice and Bob Learn Application Security
Tanya Janca's hands-on AppSec primer covering threat modeling, secure design, secure coding, testing, deployment, and the social side of running an AppSec program — through a friendly, narrative-driven structure.
As an Amazon Associate we earn from qualifying purchases. The link above is sponsored.
- Authors
- Tanya Janca
- Published
- 2020
- Publisher
- Wiley
- Pages
- 288
- Language
- English
Read this if
Software developers, junior AppSec engineers, and security champions who need a single, friendly book that covers the AppSec lifecycle without assuming security knowledge. Excellent as the first book to hand to a developer asked to lead AppSec for their team.
Skip this if
Senior AppSec professionals who already have the lifecycle internalized; the book is a primer by design. Also relatively light on cloud-native AppSec specifics (IaC scanning, supply-chain attestation), which Janca's later writing covers more deeply.
Key takeaways
- AppSec is a lifecycle discipline, not a scanning discipline; Janca's structure makes that argument by walking through each stage with concrete examples.
- Most AppSec wins come from secure design and developer-relations work, not from finding more bugs at the end of the SDLC.
- The book's tone is its underrated strength — many developers will finish this book; very few will finish a more formal AppSec textbook.
Notes
Pair with Designing Secure Software (Kohnfelder) for the design-pattern depth and with The Web Application Hacker's Handbook for the offensive complement. Janca's We Hack Purple community and her ongoing Cloud Penetration Testing book are the natural follow-ups. The right answer to 'what AppSec book should we put on the engineering team's reading list?' for almost any team that doesn't already have one.
What to read before
What to read before Alice and Bob Learn Application Security →Beginner · 2019
Foundations of Information Security
Jason Andress' compact tour of the field: confidentiality / integrity / availability, identification and authentication, network and OS controls, written for newcomers and adjacent disciplines.
Beginner · 2021
How Cybersecurity Really Works
Sam Grubb's gentle, exercise-driven introduction for non-specialists who need a working mental model of attacker behaviour and basic defence.
Beginner · 2019
The Pragmatic Programmer
Thomas and Hunt's career-defining set of practical heuristics for writing software professionally — orthogonality, broken-windows, DRY, tracer bullets, and the underlying argument that craftsmanship is a posture, not a process.
What to read next
What to read after Alice and Bob Learn Application Security →Intermediate · 2021
Real-World Cryptography
David Wong's hands-on tour of the cryptographic primitives, protocols and pitfalls that show up in actual production systems, with deliberate attention to TLS, Noise, modern AEAD, and post-quantum.
Intermediate · 2018
Social Engineering
Christopher Hadnagy's broad procedural reference on social engineering as a discipline — recon, pretexting, elicitation, microexpressions, and the structured engagement model his consultancy operationalized.
Intermediate · 2021
Designing Secure Software
Loren Kohnfelder, the original PKI author, on how to weave security thinking through requirements, design, implementation and operations rather than bolt it on at the end.
Explore similar books
Alternatives to Alice and Bob Learn Application Security →Beginner · 2021
How Cybersecurity Really Works
Sam Grubb's gentle, exercise-driven introduction for non-specialists who need a working mental model of attacker behaviour and basic defence.
Beginner · 2019
Foundations of Information Security
Jason Andress' compact tour of the field: confidentiality / integrity / availability, identification and authentication, network and OS controls, written for newcomers and adjacent disciplines.
Beginner · 2019
The Pragmatic Programmer
Thomas and Hunt's career-defining set of practical heuristics for writing software professionally — orthogonality, broken-windows, DRY, tracer bullets, and the underlying argument that craftsmanship is a posture, not a process.