Best AppSec books
14 books in our catalog cover AppSec, ranked by rating. Each entry is an opinionated review with who the book is for and who should skip it.

01 · 2021
Designing Secure Software
A Guide for Developers
Loren Kohnfelder, the original PKI author, on how to weave security thinking through requirements, design, implementation and operations rather than bolt it on at the end.
Intermediate · 5/5 · Loren Kohnfelder

02 · 2021
Real-World Cryptography
David Wong's hands-on tour of the cryptographic primitives, protocols and pitfalls that show up in actual production systems, with deliberate attention to TLS, Noise, modern AEAD, and post-quantum.
Intermediate · 5/5 · David Wong

03 · 2014
Threat Modeling
Designing for Security
Adam Shostack's practitioner-oriented introduction to threat modeling: STRIDE, attack trees, and how to fit the practice into a real software-development lifecycle.
Intermediate · 5/5 · Adam Shostack

04 · 2011
The Tangled Web
A Guide to Securing Modern Web Applications
The deepest book ever written on the strange, accreted security model of the web browser.
Advanced · 5/5 · Michal Zalewski

05 · 2006
The Art of Software Security Assessment
Identifying and Preventing Software Vulnerabilities
The 1200-page reference on auditing C/C++ codebases for security: parsing complex memory and integer interactions, language pitfalls, and how vulnerabilities arise from interactions between layers.
Advanced · 5/5 · Mark Dowd, John McDonald, Justin Schuh

06 · 2023
Black Hat GraphQL
Attacking Next Generation APIs
Aleks and Farhi on attacking GraphQL specifically: introspection abuse, batching, depth and complexity attacks, auth flaws, and the differences from REST that make GraphQL pentests their own discipline.
Intermediate · 4/5 · Nick Aleks, Dolev Farhi

07 · 2022
Hacking APIs
Breaking Web Application Programming Interfaces
Corey Ball's structured approach to attacking REST and GraphQL APIs: enumeration, auth flaws, business logic, mass assignment, and the testing harness around them.
Intermediate · 4/5 · Corey J. Ball

08 · 2020
Alice and Bob Learn Application Security
Tanya Janca's hands-on AppSec primer covering threat modeling, secure design, secure coding, testing, deployment, and the social side of running an AppSec program — through a friendly, narrative-driven structure.
Beginner · 4/5 · Tanya Janca

09 · 2020
Web Security for Developers
Real Threats, Practical Defense
Malcolm McDonald's developer-side primer on the OWASP-class issues, framed around real attacks and defended with code patterns rather than vendor products.
Beginner · 4/5 · Malcolm McDonald

10 · 2011
The Web Application Hacker's Handbook
Finding and Exploiting Security Flaws
The exhaustive reference for web app pentesting, comprehensive but increasingly a historical document.
Intermediate · 4/5 · Dafydd Stuttard, Marcus Pinto

11 · 2010
Cryptography Engineering
Design Principles and Practical Applications
A working engineer's introduction to cryptography that takes implementation pitfalls more seriously than most.
Intermediate · 4/5 · Niels Ferguson, Bruce Schneier, Tadayoshi Kohno

12 · 2016
iOS Application Security
The Definitive Guide for Hackers and Developers
David Thiel on attacking and defending iOS apps: the platform sandbox, IPC surfaces, keychain semantics, transport security, and the patterns that introduce real bugs.
Intermediate · 3/5 · David Thiel

13 · 2015
The Mobile Application Hacker's Handbook
Chell, Erasmus, Colley, and Whitehouse's reference on iOS and Android application security from the early-mid 2010s — runtime hooking, transport security, IPC abuse, and the platform-specific surface of mobile pentesting.
Intermediate · 3/5 · Dominic Chell, Tyrone Erasmus, Shaun Colley, Ollie Whitehouse

14 · 2005
The Database Hacker's Handbook
Defending Database Servers
Litchfield, Anley, Heasman, and Grindlay's exhaustive 2005 reference on attacking and defending Oracle, SQL Server, DB2, MySQL, PostgreSQL, Sybase, and Informix — the era when the database engine itself was the soft target.
Advanced · 3/5 · David Litchfield, Chris Anley, John Heasman, Bill Grindlay