“Tanya knows her stuff. She has a huge depth of experience and expertise in application security, DevSecOps, and cloud security. We can all learn a ton of stuff from Tanya, so you should read her book!”

Dafydd Stuttard, best-selling co-author of The Web Application Hacker’s Handbook, creator of Burp Suite

This book is one of the best places to start a career in application security

The book is both a crash course for newbies as well as a refresher for those that have been doing the job for a few years. I learned quite a few things and I have been writing about appsec for more than a decade. The audience is primarily for application developers, but it can be a useful organizing tool for IT managers that are looking to improve their infosec posture, especially these days when just about every business has been penetrated with malware, had various data leaks, and could become a target from the latest Internet-based threat. Everyone needs to review their application portfolio carefully for any potential vulnerabilities since many of us are working from home on insecure networks and laptops.

Alice and Bob are that dynamic duo of infosec who are often foils for good and bad practices, and are used as teaching examples that reek of events drawn from Janca’s previous employers and consulting gigs.

David Strom

Required reading for current and aspiring developers, and those who work with them

For all of us working in or close to code, I highly recommend reading “Alice and Bob learn Application Security” by Tanya Janca. It’s a super-easy, super-quick, super-CURRENT read, that covers the most important industry-wide practices and principles in a more concise, relevant, digestible, actionable form than any other source I have found. Just as importantly, it equips both coders and code-adjacent folks with a much-needed industry vocabulary for communicating effectively about application security within the team as well as across the organization. IMHO this should be required reading for anyone with a role in producing software on the internet. No excuses – it’s inexpensive, relatively short, and exceptionally well organized for either scanning or devouring in-depth.

Tim Johns

“I learned so much from this book! Information security is truly everyone’s job ― this book is a fantastic overview of the vast knowledge needed by everyone, from developer, infrastructure, security professionals, and so much more. Kudos to Ms. Janca for writing such an educational and practical primer. I loved the realistic stories that frame real-world problems, spanning everything from design, migrating applications from problematic frameworks, mitigating admin risks, and things that every modern developer needs to know.”

Gene Kim, bestselling author of The Unicorn Project, co-author of The Phoenix Project, The DevOps Handbook, and Accelerate

Right-to-the-point, easy-to-grasp flowcharts and diagrams

Hi Tanya. Application security is such an interesting topic for me, being focused on defensive security and how to secure web applications. This book and your podcast are so useful. I did a first pass read of your entire book to first get a taste of it and see the big picture. I will probably read it a second and third time to really get the meat of it and learn more about appsec. This book helped me quickly grok concepts that were until then vague in my head, namely where specifically to put authentication in a multi-API flow. Nice and sweet, right-to-the-point diagrams and flowcharts to save the snapshot in my head. Thanks for your awesome work. Willing to learn more from your other material, talks and podcast. Take care and have a delightful day Tanya.

Mr Alexandre J-S William ELISÉ

A Great Introduction to Application Security for Developers

I run a DevSecOps Book Club and this was the first book we chose to collectively read together. Tanya (the author), was incredibly gracious and even offered to join us live for one of our book club meetings — sharing some of her personal industry experiences, answering questions, and generally being an advocate for security education.

The book is well-written, to the point, and walks developers through the entire thought process behind building secure software, both culturally and technically.

If you’re looking for a book that is easy to read and will give you a good mix of practical security information (such as what HTTP security headers you should be using in your web applications) to principles and best practices (such as understanding the C-I-A model and threat modeling), you won’t go wrong with this book.

I highly recommend it to anyone new to the world of application security. It’s an accessible and fun introduction to the space — you’ll learn a lot! =)

-Randall Degges

“Practical guidance for the modern era; Tanya does a great job of communicating current day thinking around AppSec in terms we can all relate to.”

-Troy Hunt, creator of “Have I Been Pwned”

Great book: This is a great book that reminds me of all the application security foundation topics. Tanya’s advice is very wise, and sometimes I use the book as a guide on things I need to look up or things I have forgotten about.

-Ri

Clearly written and a great value! Great read for anyone interested in learning about application security; I’ll be on the lookout for more from Tanya Janca!

-Bubbles

Recommended for people who are starting out or have basic knowledge of Application Security

The book I would have liked to read when I started learning about application security. It explains things in a pleasant way, with technical terms but without going too deep, so it covers a large number of topics that you can later keep digging into.

– Patricia

If you’re looking to learn AppSec, you’ve come to the right place!

If you want to learn Application Security, you definitely will from this book. Tanya is a rockstar! Both as an expert and as a teacher. Tanya uses real, human language and teaches with great empathy. If learning AppSec is what you want, this is a great place to do so.

– Sam Carl

A great learning resource

This is an excellent resource for anyone interested in AppSec. As a technology leader in a publicly traded company, I read plenty of technical books. This one approaches a technical subject in a way that makes it much more engaging and interesting. I looked forward to reading this book, whereas other books were just necessary chores.

– Tamara Arnold

Essential reading for any AppSec professional!

What caught my attention in this book was the fact that it follows a line of thought that allows someone with no knowledge at all of application security to learn every phase needed (S-SDLC) to build an application securely, this being the main job of an AppSec professional: assisting in these various phases and promoting shift left in them. The book also covers more strategic content, such as how to start a secure software development maturity program, whether with OWASP SAMM, BSIMM or some in-house methodology, for example. It also covers some interesting considerations regarding Microservices, Serverless, etc.

– Alisson F.