// Comparison

Alice and Bob Learn Application Security vs Click Here to Kill Everybody: Which Should You Read?

Two cybersecurity books on Foundations, compared honestly: who each is for, what each does best, and which to read first.

Beginner

4/52020

Alice and Bob Learn Application Security

Tanya Janca

Tanya Janca's hands-on AppSec primer covering threat modeling, secure design, secure coding, testing, deployment, and the social side of running an AppSec program — through a friendly, narrative-driven structure.

Beginner

4/52018

Click Here to Kill Everybody

Security and Survival in a Hyper-Connected World

Bruce Schneier

Bruce Schneier's policy-level argument that as everything becomes a computer (cars, medical devices, infrastructure, voting), the security failures that used to merely cost us money will start costing lives — and the regulatory shape of that future is being decided now.

Read this if

Software developers, junior AppSec engineers, and security champions who need a single, friendly book that covers the AppSec lifecycle without assuming security knowledge. Excellent as the first book to hand to a developer asked to lead AppSec for their team.

Engineers, policy people, and managers who need to brief leadership on why IoT, OT, and cyber-physical systems are categorically different from the IT security they grew up with. Also the right first Schneier book for anyone newly responsible for cyber-physical risk.

Skip this if

Senior AppSec professionals who already have the lifecycle internalized; the book is a primer by design. Also relatively light on cloud-native AppSec specifics (IaC scanning, supply-chain attestation), which Janca's later writing covers more deeply.

Readers wanting hands-on IoT-hacking technique; for that, Practical IoT Hacking (Chantzis et al.) and The Hardware Hacking Handbook are the references. Also dated on specific 2018 examples even though the structural arguments hold.

Key takeaways

AppSec is a lifecycle discipline, not a scanning discipline; Janca's structure makes that argument by walking through each stage with concrete examples.
Most AppSec wins come from secure design and developer-relations work, not from finding more bugs at the end of the SDLC.
The book's tone is its underrated strength — many developers will finish this book; very few will finish a more formal AppSec textbook.

Internet+ — Schneier's term for cyber-physical convergence — changes the consequences of security failure, not just the surface.
Markets won't fix this; the book's policy argument is that liability, regulation, and procurement standards are the only working levers.
Engineering culture and policy culture talk past each other; the book is a useful Rosetta stone in both directions.

How they compare

Alice and Bob Learn Application Security and Click Here to Kill Everybody are both rated 4/5 in our catalog. Pick by topic preference and reading style rather than by rating.

Both books target beginner-level readers, so the choice is about topic, not difficulty.

Alice and Bob Learn Application Security and Click Here to Kill Everybody both cover Foundations, so reading them in sequence reinforces the same material from different angles.

Keep reading