// Comparison

Threat Modeling vs Web Security for Developers: Which Should You Read?

Two cybersecurity books on Defensive, compared honestly: who each is for, what each does best, and which to read first.

Intermediate

5/52014

Designing for Security

Adam Shostack

Adam Shostack's practitioner-oriented introduction to threat modeling: STRIDE, attack trees, and how to fit the practice into a real software-development lifecycle.

Beginner

4/52020

Web Security for Developers

Real Threats, Practical Defense

Malcolm McDonald

Malcolm McDonald's developer-side primer on the OWASP-class issues, framed around real attacks and defended with code patterns rather than vendor products.

Read this if

Anyone who designs systems and wants to ship fewer bugs in production. Threat modeling is the highest-leverage security practice for developers; this is the book that finally made it teachable.

Developers who want to understand security without security people in the loop. McDonald is the rare author who explains XSS, CSRF, SQLi, auth and sessions without offensive tooling distractions, in the language a working coder uses.

Skip this if

Readers wanting a quick checklist or a one-pager. Shostack is comprehensive: STRIDE, attack trees, data-flow diagrams, the kill chain, all with extended worked examples. Skim-reading is a waste of the book.

Practitioners who already know OWASP cold, or readers wanting depth on modern bug classes (SSRF chains, prototype pollution, race conditions). The book is foundational, not advanced.

Key takeaways

STRIDE is a forcing function for systematic thinking, not a complete model; the book teaches you when to use it and when to switch frames (attack trees, attacker personas, kill chains).
Most "threat modeling tools" are spreadsheet-with-diagrams; the actual lift is the conversation those tools structure, not the document.
Threat modeling fits inside agile and works at PR-review timescale once you've done it three or four times; the book makes the case repeatedly with examples.

The framing "real threats, practical defense" is the book's design choice and its strongest pedagogical move; every chapter starts with the attack and ends with the defensive code pattern.
Web security is mostly the same dozen mistakes for two decades; once you know the taxonomy, modern variants are recognizable.
The chapter on session management and the chapter on third-party JS are the two highest-leverage pieces of the book for engineers who already know the basics.

How they compare

We rate Threat Modeling higher (5/5 against 4/5 for Web Security for Developers). For most readers, that means Threat Modeling is the primary pick and Web Security for Developers is a useful follow-up.

Threat Modeling is pitched at intermediate level. Web Security for Developers is pitched at beginner level. Read the easier one first if you're not yet comfortable with the topic.

Threat Modeling and Web Security for Developers both cover Defensive, AppSec, so reading them in sequence reinforces the same material from different angles.

Keep reading

Threat Modeling

→ Alternatives to Threat Modeling → What to read after Threat Modeling