Cyber Shelf

// Comparison

Alice and Bob Learn Application Security vs How Cybersecurity Really Works: Which Should You Read?

Two cybersecurity books on Foundations, compared honestly: who each is for, what each does best, and which to read first.

Beginner
4/52020
Alice and Bob Learn Application Security

Tanya Janca

Tanya Janca's hands-on AppSec primer covering threat modeling, secure design, secure coding, testing, deployment, and the social side of running an AppSec program — through a friendly, narrative-driven structure.

Beginner
4/52021
How Cybersecurity Really Works

A Hands-On Guide for Total Beginners

Sam Grubb

Sam Grubb's gentle, exercise-driven introduction for non-specialists who need a working mental model of attacker behaviour and basic defence.

Read this if

Software developers, junior AppSec engineers, and security champions who need a single, friendly book that covers the AppSec lifecycle without assuming security knowledge. Excellent as the first book to hand to a developer asked to lead AppSec for their team.
Non-engineers who need the field demystified. Grubb is the gentlest serious introduction in print: malware, phishing, network attacks, defenses, all explained in plain language without dumbing down.

Skip this if

Senior AppSec professionals who already have the lifecycle internalized; the book is a primer by design. Also relatively light on cloud-native AppSec specifics (IaC scanning, supply-chain attestation), which Janca's later writing covers more deeply.
Engineers, IT people, or anyone who already understands how the internet works. The book assumes nothing; for technical readers it'll feel slow.

Key takeaways

  • AppSec is a lifecycle discipline, not a scanning discipline; Janca's structure makes that argument by walking through each stage with concrete examples.
  • Most AppSec wins come from secure design and developer-relations work, not from finding more bugs at the end of the SDLC.
  • The book's tone is its underrated strength — many developers will finish this book; very few will finish a more formal AppSec textbook.
  • The chapter on threat modeling for individuals (not companies) is the one most teachers steal from: how to think about your own digital risk.
  • The hands-on labs at the end of each chapter make the book usable for actual classroom teaching, not just self-study.
  • Strikes the rare balance between respects-the-reader and explains-what-an-IP-address-is. Most beginner books fail one or the other.

How they compare

Alice and Bob Learn Application Security and How Cybersecurity Really Works are both rated 4/5 in our catalog. Pick by topic preference and reading style rather than by rating.

Both books target beginner-level readers, so the choice is about topic, not difficulty.

Alice and Bob Learn Application Security and How Cybersecurity Really Works both cover Foundations, so reading them in sequence reinforces the same material from different angles.

Keep reading

Alice and Bob Learn Application Security

Alternatives to Alice and Bob Learn Application SecurityWhat to read after Alice and Bob Learn Application Security

How Cybersecurity Really Works

Alternatives to How Cybersecurity Really WorksWhat to read after How Cybersecurity Really Works

Related topics

Foundations