Cyber Shelf

// Alternatives

Alternatives to The Art of Software Security Assessment

Books in our catalog with overlapping topics and a similar reading level to The Art of Software Security Assessment. If The Art of Software Security Assessment is the wrong fit at advanced level, start here.

AppSecCode AuditingVulnerability Research

  1. 01 · 2024

    Windows Security Internals

    Forshaw takes apart the Windows security model from the SRM and access tokens up through Kerberos, with live PowerShell you can run against your own machine. The most authoritative single source on how Windows actually decides who can do what.

    Advanced
    5/5James Forshaw

  2. 02 · 2021

    Real-World Cryptography

    David Wong's hands-on tour of the cryptographic primitives, protocols and pitfalls that show up in actual production systems, with deliberate attention to TLS, Noise, modern AEAD, and post-quantum.

    Intermediate
    5/5David Wong

  3. 03 · 2011

    The Tangled Web

    The deepest book ever written on the strange, accreted security model of the web browser.

    Advanced
    5/5Michal Zalewski

  4. 04 · 2005

    The Database Hacker's Handbook

    Litchfield, Anley, Heasman, and Grindlay's exhaustive 2005 reference on attacking and defending Oracle, SQL Server, DB2, MySQL, PostgreSQL, Sybase, and Informix — the era when the database engine itself was the soft target.

    Advanced
    3/5David Litchfield, Chris Anley, John Heasman, Bill Grindlay

  5. 05 · 2021

    Designing Secure Software

    Loren Kohnfelder, the original PKI author, on how to weave security thinking through requirements, design, implementation and operations rather than bolt it on at the end.

    Intermediate
    5/5Loren Kohnfelder

  6. 06 · 2014

    Threat Modeling

    Adam Shostack's practitioner-oriented introduction to threat modeling: STRIDE, attack trees, and how to fit the practice into a real software-development lifecycle.

    Intermediate
    5/5Adam Shostack

  7. 07 · 2023

    Black Hat GraphQL

    Aleks and Farhi on attacking GraphQL specifically: introspection abuse, batching, depth and complexity attacks, auth flaws, and the differences from REST that make GraphQL pentests their own discipline.

    Intermediate
    4/5Nick Aleks, Dolev Farhi

  8. 08 · 2022

    Hacking APIs

    Corey Ball's structured approach to attacking REST and GraphQL APIs: enumeration, auth flaws, business logic, mass assignment, and the testing harness around them.

    Intermediate
    4/5Corey J. Ball

  9. 09 · 2011

    A Bug Hunter's Diary

    Tobias Klein walks through seven real vulnerabilities he found and exploited, in the form of personal lab notes, what he tried, what failed, and what eventually shipped to vendors.

    Intermediate
    4/5Tobias Klein

  10. 10 · 2011

    The Web Application Hacker's Handbook

    The exhaustive reference for web app pentesting, comprehensive but increasingly a historical document.

    Intermediate
    4/5Dafydd Stuttard, Marcus Pinto
Back to The Art of Software Security AssessmentWhat to read after The Art of Software Security Assessment