// Comparison

Alice and Bob Learn Application Security vs Social Engineering: Which Should You Read?

Two cybersecurity books on Foundations, compared honestly: who each is for, what each does best, and which to read first.

Beginner

4/52020

Alice and Bob Learn Application Security

Tanya Janca

Tanya Janca's hands-on AppSec primer covering threat modeling, secure design, secure coding, testing, deployment, and the social side of running an AppSec program — through a friendly, narrative-driven structure.

Intermediate

4/52018

Social Engineering

The Science of Human Hacking

Christopher Hadnagy

Christopher Hadnagy's broad procedural reference on social engineering as a discipline — recon, pretexting, elicitation, microexpressions, and the structured engagement model his consultancy operationalized.

Read this if

Software developers, junior AppSec engineers, and security champions who need a single, friendly book that covers the AppSec lifecycle without assuming security knowledge. Excellent as the first book to hand to a developer asked to lead AppSec for their team.

Working SE practitioners, awareness-program leads, and people building structured social-engineering engagements who want a single reference for the discipline. Stronger on framework and process than Mitnick; the elicitation and influence chapters draw heavily on Cialdini and Ekman.

Skip this if

Senior AppSec professionals who already have the lifecycle internalized; the book is a primer by design. Also relatively light on cloud-native AppSec specifics (IaC scanning, supply-chain attestation), which Janca's later writing covers more deeply.

Readers wanting Mitnick-style war stories or modern AI-driven SE tradecraft (deepfake voice clones, LLM-assisted spearphish). Hadnagy's controversial separation from DEF CON in 2022 is also worth being aware of as context for the author rather than the book.

Key takeaways

AppSec is a lifecycle discipline, not a scanning discipline; Janca's structure makes that argument by walking through each stage with concrete examples.
Most AppSec wins come from secure design and developer-relations work, not from finding more bugs at the end of the SDLC.
The book's tone is its underrated strength — many developers will finish this book; very few will finish a more formal AppSec textbook.

SE is a structured engagement, not a stunt; the book operationalizes the kill chain in a way most practitioners can adapt directly.
Microexpression and influence material is borrowed but well-applied; the chapters on elicitation are the book's most cited.
The framework (information gathering → pretext → influence → exit) is the book's lasting contribution and the implicit syllabus for most modern SE training.

How they compare

Alice and Bob Learn Application Security and Social Engineering are both rated 4/5 in our catalog. Pick by topic preference and reading style rather than by rating.

Alice and Bob Learn Application Security is pitched at beginner level. Social Engineering is pitched at intermediate level. Read the easier one first if you're not yet comfortable with the topic.

Alice and Bob Learn Application Security and Social Engineering both cover Foundations, so reading them in sequence reinforces the same material from different angles.

Keep reading