// Comparison

The Art of Software Security Assessment vs Threat Modeling: Which Should You Read?

Two cybersecurity books on AppSec, compared honestly: who each is for, what each does best, and which to read first.

Advanced

5/52006

Identifying and Preventing Software Vulnerabilities

Mark Dowd, John McDonald, Justin Schuh

The 1200-page reference on auditing C/C++ codebases for security: parsing complex memory and integer interactions, language pitfalls, and how vulnerabilities arise from interactions between layers.

Intermediate

5/52014

Threat Modeling

Designing for Security

Adam Shostack

Adam Shostack's practitioner-oriented introduction to threat modeling: STRIDE, attack trees, and how to fit the practice into a real software-development lifecycle.

Read this if

Auditors, vulnerability researchers, and developers of C/C++ codebases. The deepest book in print on reading code adversarially. Old, dense, and still unsurpassed.

Anyone who designs systems and wants to ship fewer bugs in production. Threat modeling is the highest-leverage security practice for developers; this is the book that finally made it teachable.

Skip this if

Web developers, anyone working in memory-safe languages exclusively, or beginners with no C/C++ exposure. The book is a 1,200-page audit primer; nothing else competes for depth.

Readers wanting a quick checklist or a one-pager. Shostack is comprehensive: STRIDE, attack trees, data-flow diagrams, the kill chain, all with extended worked examples. Skim-reading is a waste of the book.

Key takeaways

Vulnerability classes (memory corruption, integer issues, format strings, race conditions) arise from interactions between layers; the book teaches you to see the boundaries.
The chapter on integer issues is the canonical reference; most public CVEs in C/C++ codebases through 2025 still trace back to patterns Dowd/McDonald/Schuh named here.
The case studies (Apache, Postfix, Solaris, OpenSSL) make the abstractions concrete; reading them in order builds the auditor's eye nothing else does.

STRIDE is a forcing function for systematic thinking, not a complete model; the book teaches you when to use it and when to switch frames (attack trees, attacker personas, kill chains).
Most "threat modeling tools" are spreadsheet-with-diagrams; the actual lift is the conversation those tools structure, not the document.
Threat modeling fits inside agile and works at PR-review timescale once you've done it three or four times; the book makes the case repeatedly with examples.

How they compare

The Art of Software Security Assessment and Threat Modeling are both rated 5/5 in our catalog. Pick by topic preference and reading style rather than by rating.

The Art of Software Security Assessment is pitched at advanced level. Threat Modeling is pitched at intermediate level. Read the easier one first if you're not yet comfortable with the topic.

The Art of Software Security Assessment and Threat Modeling both cover AppSec, so reading them in sequence reinforces the same material from different angles.

Keep reading

The Art of Software Security Assessment

→ Alternatives to The Art of Software Security Assessment → What to read after The Art of Software Security Assessment