
Alice and Bob Learn Application Security vs Foundations of Information Security: Which Should You Read?

Two cybersecurity books on Foundations, compared honestly: who each is for, what each does best, and which to read first.

Tanya Janca's hands-on AppSec primer covering threat modeling, secure design, secure coding, testing, deployment, and the social side of running an AppSec program — through a friendly, narrative-driven structure.

Beginner
4/5
2019
Foundations of Information Security

A Straightforward Introduction

Jason Andress

Jason Andress' compact tour of the field: confidentiality / integrity / availability, identification and authentication, network and OS controls, written for newcomers and adjacent disciplines.

Read this if

  • Software developers, junior AppSec engineers, and security champions who need a single, friendly book that covers the AppSec lifecycle without assuming security knowledge. Excellent as the first book to hand to a developer asked to lead AppSec for their team.
  • Anyone new to the field who wants the entire territory mapped on a single shelf, in a single short book. Andress is the cleanest tour of CIA, IAM, network, software, operations, and crypto for newcomers.

Skip this if

  • Senior AppSec professionals who already have the lifecycle internalized; the book is a primer by design. It is also relatively light on cloud-native AppSec specifics (IaC scanning, supply-chain attestation), which Janca's later writing covers more deeply.
  • Anyone who already works in the field. The book is broad and shallow by design; specialists will find every chapter familiar.

Key takeaways

  • AppSec is a lifecycle discipline, not a scanning discipline; Janca's structure makes that argument by walking through each stage with concrete examples.
  • Most AppSec wins come from secure design and developer-relations work, not from finding more bugs at the end of the SDLC.
  • The book's tone is its underrated strength — many developers will finish this book; very few will finish a more formal AppSec textbook.
  • Covers every major domain of security at survey-level depth, which is exactly what a beginner needs to choose a specialization.
  • The operations security chapter is unusually strong for an intro book; most authors skip it because it's unsexy, but Andress doesn't.
  • Pairs naturally with one or two deep-dive books per topic from this catalog; treat it as the master index.

How they compare

Alice and Bob Learn Application Security and Foundations of Information Security are both rated 4/5 in our catalog. Pick by topic preference and reading style rather than by rating.

Both books target beginner-level readers, so the choice is about topic, not difficulty.

Alice and Bob Learn Application Security and Foundations of Information Security both cover Foundations, so reading them in sequence reinforces the same material from different angles.
