// Comparison

Alice and Bob Learn Application Security vs The Pragmatic Programmer: Which Should You Read?

Two cybersecurity books on Foundations, compared honestly: who each is for, what each does best, and which to read first.

Beginner

4/52020

Alice and Bob Learn Application Security

Tanya Janca

Tanya Janca's hands-on AppSec primer covering threat modeling, secure design, secure coding, testing, deployment, and the social side of running an AppSec program — through a friendly, narrative-driven structure.

Beginner

5/52019

The Pragmatic Programmer

Your Journey to Mastery

David Thomas, Andrew Hunt

Thomas and Hunt's career-defining set of practical heuristics for writing software professionally — orthogonality, broken-windows, DRY, tracer bullets, and the underlying argument that craftsmanship is a posture, not a process.

Read this if

Software developers, junior AppSec engineers, and security champions who need a single, friendly book that covers the AppSec lifecycle without assuming security knowledge. Excellent as the first book to hand to a developer asked to lead AppSec for their team.

Every working software engineer, regardless of years of experience. The 20th-anniversary edition is the most current version of the field's most quoted book on professional software development; security engineers benefit because most security failures are software-quality failures wearing a different name.

Skip this if

Senior AppSec professionals who already have the lifecycle internalized; the book is a primer by design. Also relatively light on cloud-native AppSec specifics (IaC scanning, supply-chain attestation), which Janca's later writing covers more deeply.

Readers wanting domain-specific (security, ML, distributed-systems) depth; the book is deliberately general. Also not a methodology book — Thomas and Hunt are anti-methodology in spirit and explicitly so in the text.

Key takeaways

AppSec is a lifecycle discipline, not a scanning discipline; Janca's structure makes that argument by walking through each stage with concrete examples.
Most AppSec wins come from secure design and developer-relations work, not from finding more bugs at the end of the SDLC.
The book's tone is its underrated strength — many developers will finish this book; very few will finish a more formal AppSec textbook.

Most security defects are software-quality defects; the book teaches the foundations that make secure code possible to write.
The list of heuristics is shorter than the book — 100 tips on a card — but the prose is what makes them stick.
The 20th-anniversary updates (concurrency, declarative thinking, observability) are the parts that justify the new edition for someone who read the original.

How they compare

We rate The Pragmatic Programmer higher (5/5 against 4/5 for Alice and Bob Learn Application Security). For most readers, that means The Pragmatic Programmer is the primary pick and Alice and Bob Learn Application Security is a useful follow-up.

Both books target beginner-level readers, so the choice is about topic, not difficulty.

Alice and Bob Learn Application Security and The Pragmatic Programmer both cover Foundations, so reading them in sequence reinforces the same material from different angles.

Keep reading