“Tanya’s book on Secure Coding is a brilliant example of what makes her a great expert and teacher. She takes complex material and makes it human, using clear, direct, and conversational language that sets it apart from most other books on similar topics. Her direct style shows that rather than trying to look smart, she’s actually teaching! The book is a welcome inhalation of pure knowledge.”

Daniel Miessler

Founder of Unsupervised Learning

“Tanya Janca is a truly unique individual who has an incredible gift for turning complex and intimidating topics into something understandable and approachable for beginners. Her book, Alice and Bob Learn Application Security, is a perfect example of this. It’s one of the best resources out there, and I always recommend it to anyone who asks me how to get started with application security.
Tanya’s impact goes beyond her writing. As a global speaker and instructor, she has empowered countless individuals to build more secure software and take their careers to new heights. I’m incredibly proud of her accomplishments and feel so lucky to have had her as a mentor! Tanya has been a huge inspiration in my career, and I’m constantly amazed by everything she’s achieving. I can’t wait to see what she does next—she’s truly making the world a safer, better place, one application at a time.”

Rana Khalil, Distinguished Application Security Professional & Trainer

Tanya is a master at breaking down complex technical topics and making them both easily understandable and fun! I wish this book existed when I was first learning cybersecurity, as it’s an excellent resource for security fundamentals and principles, important key tips for the most popular programming languages and frameworks, and how to follow a Secure System Development Life Cycle, along with tons of fun anecdotes and examples. Highly recommended for anyone who wants to rapidly learn a ton about secure coding from an industry veteran.

Clint Gibler, Head of Security Research at Semgrep and Founder of tl;dr sec

Tanya has always been at the forefront of application security and practical learning. 
Alice and Bob, her first one, was a great overview of application security practices, but this one is way more in-depth. Personally, I think it’s a great piece for anyone in the new and old generation willing to understand more about code security. 
Despite the subject being deeply technical, this book discusses it with fun and a different point of view while remaining relevant and specific to the subject. Only an author who masters the subject deeply is able to go so in-depth and keep it light-hearted.

Francesco Cipollone
CEO & Founder @ Phoenix Security

This book is hands-down one of the best resources out there for learning how to write secure code. The author has an incredible talent for breaking down tough security concepts and making them approachable without watering down the details. Each topic is presented in a way that feels thoughtful and intentional, and the examples are where the magic happens—they’re clear, relatable, and most importantly, actionable. These aren’t just “nice-to-see” examples; they’re the kind of scenarios you’ll encounter in real projects, and they teach you exactly how to handle them securely.

What sets this book apart is its ability to cater to everyone, from beginners who are just getting their feet wet to experienced professionals looking to level up their skills. It doesn’t just teach secure coding—it teaches you how to think about security as part of your coding process, which is invaluable in today’s tech landscape.

If you’ve ever struggled to find a resource that connects the dots between theory and practical application, this book does that effortlessly. It’s not just about writing code; it’s about writing smart, secure code that stands the test of time. Whether you’re a developer, a security enthusiast, or just someone who wants to get security right, this book is a must-have. Honestly, it’s not just a read—it’s a game-changer.

Vandana Verma

Security Relations Leader, Founder of InfoSec Girls & InfoSec Kids, OWASP BoD and Leader

If you’re interested in learning about secure coding, this book is for you. Computer science student? Professional software engineer? Product manager for a software product? Executive at a software manufacturer? This is a book you will definitely want to read. 

Tanya’s approach is refreshingly accessible and direct. She immediately addresses popular languages and frameworks before taking an in-depth approach to secure coding practices as they apply to each and every phase in the software development lifecycle.

This book is your authoritative guide to secure coding. Learn and enjoy! 

Caroline Wong, Author & Cybersecurity Expert Practitioner

Tanya Janca’s latest book is a must-read for developers looking to enhance their secure coding practices. By leading step-by-step and referencing real-world examples, she not only helps developers write stronger, more resilient code but also empowers them to lead by example. This book makes it clear how simple, intentional changes can dramatically reduce vulnerabilities and make it much harder for bad actors to exploit your work.

Gary Perkins, CISO

Alice and Bob Learn Secure Coding is almost as good as having Tanya in your office, chatting with you about application security concepts and details. You’ll have a great time reading this book, and will learn a lot along the way.

Adam Shostack, Security Trainer, Author, Speaker, Threat modeling expert

“In all matters Security, trust is earned, not given. In this book, Tanya solidifies the trust she earned in her first book, ‘Alice And Bob Learn Application Security’, this time as a source of Secure Coding wisdom and knowledge. Teams will be well served from learning the adventures of Alice and Bob as they journey towards more secure code!”

Izar Tarandach, Author of Threat Modeling: A Practical Guide for Development Teams

I love how the author gives the big picture and context to secure coding, so the readers can be like Alice and Bob who are also learning the approach, the architecture, the framework, and the right mindset!

Yabing Wang, VP & CISO, Justworks

If academic textbooks with stiff language aren’t your cup of tea, this is the book for you. It’s both readable and deep, and a great way to learn application security.

Adam Shostack, Security Trainer, Author, Speaker, Threat modeling expert

“Want to stand out and take your software engineering career to the next level? You’ll need to go beyond simply “making it work” and learn how to write high-quality and secure code. Fortunately, Tanya’s unique skill and commitment to breaking down complex information, without sacrificing rich, detailed technical content, will make it easy for you to get started. This is a fantastic book for any software engineer to learn not just why, but HOW to write secure software, a skill that’s much desired and highly valued in today’s turbulent high-tech world.”

Dustin Lehr, Co-founder, CPTO of Katilyst Security, Founder of Let’s talk Software Security, Author of the Security Champion Program Success Guide

“I remember attending a working session that Tanya was providing at a conference several years ago. The session was not only technical but included levity and storytelling. This book is an extension of that effective method of teaching and brings the full range of techniques, tools, and processes that are needed to build secure systems. This book is a must-have for anyone who is building or maintaining a secure system.”

Derek Fisher – Founder Securely Built

This book is a modern equivalent of the pragmatic programmer for secure programming, taking you all the way from beginner to journeyman secure developer. It even has Tanya’s own tales from the trenches.

Shane Murnion – Application Security Specialist

“If you want simple, easy to follow guidance about secure coding, from a verified authority on the subject, this book is for you.”

Ted Harrington, #1 bestselling author, co-founder of both IoT Village and StartVRM, and Executive Partner at ISE

Tanya Janca’s Alice and Bob Learn Secure Coding makes security fun, practical, and easy to understand. Through relatable stories and hands-on exercises, you’ll learn how to keep your code safe from sneaky bugs and bad actors—covering essentials like input validation, least privilege, authentication, and secure defaults.

Perfect for developers of all levels, this book weaves security seamlessly into the Software Development Lifecycle (SDLC) and breaks down best practices for different languages, frameworks, and common vulnerabilities. Tanya keeps it light but informative, turning security from a headache into a habit. Want to build apps that are tough to hack and easy to trust? Start here!

Erez Yalon, Founder of AppSec Village

Tanya’s Alice and Bob Learn Secure Coding will give you a head start on learning about secure coding practices. It covers all of the fundamentals a developer needs to know. Practicing the information in this book will allow you to start developing the experience needed to become a secure coder. I go over all this stuff with my devs.

Ray LeBlanc 

Application Security Architect & Engineer

From a CISO’s perspective, Alice and Bob Learn Secure Coding is more than just a book—it’s a strategic tool for embedding security into the organizational culture and aligning security with value-driven FinOps principles.

Like Tanya’s other books, this drives transformation, enabling teams to move from reactive to proactive security. It underscores a critical truth: the earlier vulnerabilities are identified and fixed in the development lifecycle, the cheaper and more efficient it is to address them, saving time, conserving resources, and significantly reducing risk.

This proactive approach not only mitigates threats but also significantly increases asset value.

After all, secure and reliable code is the foundation for every stable system.

Rajat Ravinder Varuni, CISO, SuccessKPI

Alice and Bob Learn Secure Coding had me at the edge of my seat, and I didn’t see that twist coming!

Ray LeBlanc, Application Security Architect & Engineer

Reviews

Tanya Janca’s “Alice and Bob Learn Secure Coding” is an absolute triumph of technical writing.

Building on the charm and accessibility of her first book, Tanya dives deeper into the world of secure coding, tackling one of the most pressing challenges in software development today. What sets this book apart is Tanya’s ability to balance technical depth with an engaging and light-hearted tone, making complex concepts approachable for readers across all skill levels.

This book is packed with actionable insights, from detailed explanations of common vulnerabilities to practical strategies for avoiding them. Yet, it never feels overwhelming. Tanya’s narrative style—peppered with humor and real-world analogies—keeps the subject matter fresh and enjoyable. It’s rare to find a technical book that’s as fun to read as informative, but Tanya achieves this effortlessly.

For seasoned professionals, Alice and Bob Learn Secure Coding offers a comprehensive refresher and new perspectives on evolving threats and solutions. For newcomers, it’s a masterclass in the fundamentals of secure coding, presented in a way that’s both digestible and inspiring. The book’s structure ensures readers can easily navigate and revisit topics as needed, making it a valuable reference for years.

In short, this is a must-read for anyone who writes code or works in application security. Tanya Janca has once again proven why she’s at the forefront of the industry. Alice and Bob Learn Secure Coding is not just a book—it’s an investment in better, safer software for everyone.

Francesco Cipollone
CEO & Founder @ Phoenix Security

Tanya Janca has written a second book in her poignant and informative “Alice and Bob” series. This time the dynamic duo is learning secure coding. And like its predecessor, there is much wisdom to glean and stuff to learn from her years of experience. 

This is not the kind of book that you start at the first chapter and read all the way through. You are going to want to use it as a study guide, to fill in the gaps in your knowledge about secure coding practice and methods. Like her earlier book, this one won’t divulge much about specific vendor tools, but something more important: how to use the application development platforms and tools to make you a better programmer and one that can identify and fix coding errors before some hacker takes advantage of your mistakes and messes up your workday by compromising your systems and stealing your data.

Here are a few words of wisdom as examples:

  • “Design every system with as little implied trust as possible. Verify everything and do it multiple times. Always assume that other systems are potentially insecure.”
  • “Have separate secrets vaults for each app, rather than storing them in one place.”
  • “Why you need to salt your password hashes and why this is critical to any potential compromise or discovery by criminals.”   
  • “Why you need to leave encryption to the experts and not try to grow your own.”
  • “Every app should catch and handle its own errors,” and she offers numerous examples of common security errors that could indicate a potential attack.
  • Why log files and rollback apps are important to secure coding techniques, and why you should ensure that restoring from backups actually works as intended. This is an example of advice that isn’t strictly part of best infosec practice, but these are important underpinnings that you should know about. (Log files are absolutely essential to incident response since they can preserve how your systems were compromised, and rollbacks can avoid massive data loss.)

She makes a point of saying that all app dev should start with validating all inputs and using parameterized queries, and explains why you should have regular meetings with your security specialists to review your coding practices and how you label your data. Here is a simple example: when a date is input, you should check and make sure the date is prior to today but more recent than the past 150 years. You set up expectations of what makes sense. Validation is important because accepting any input without proper validation can be the start of some attack.

Each chapter ends with a series of exercises to test your retention of what she explains and highlight some common misconceptions of the content. Some of them reflect her wicked sense of humor — such as “how often should you authenticate to an SSO — only once, unless you have done a really bad job!”

And each section has an end-of-section summary about best practices. If many of them are unfamiliar to you, then take the time to read those chapters and take careful notes about how you can implement her suggestions. Indeed, a good way to browse this book is to carefully read these summaries and see if you need to bone up on these techniques.

Like the first book in this series, I highly recommend this one for both beginners and experienced coders alike. 

David Strom is a freelance writer with two computer books of his own along with thousands of magazine articles about technology that span a 35-year career.
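The date check Strom quotes above, worked through as an added Python example (not code from the book or from the reviewer): a submitted date is accepted only if it is a real calendar date, strictly before today and no more than 150 years old, and the accepted value is then written with a parameterized query rather than string-built SQL. The function names, the `people` table and the injectable `today` used for testing are assumptions of this example.

```python
import sqlite3
from datetime import date, datetime
from typing import Optional

MAX_AGE_YEARS = 150  # the review's boundary: nothing older than 150 years


def years_before(today: date, years: int) -> date:
    """Same calendar day `years` earlier; Feb 29 falls back to Feb 28."""
    try:
        return today.replace(year=today.year - years)
    except ValueError:
        return today.replace(year=today.year - years, day=28)


def validate_past_date(raw: str, today: Optional[date] = None) -> date:
    """Parse YYYY-MM-DD and enforce the expected range; raise ValueError
    with a reason otherwise. Rejects malformed or impossible dates, anything
    not strictly before `today`, and anything older than MAX_AGE_YEARS."""
    today = today or date.today()
    try:
        # strptime is strict: "2020-02-30" or trailing junk both fail here
        parsed = datetime.strptime(raw.strip(), "%Y-%m-%d").date()
    except ValueError:
        raise ValueError("date must be a real calendar date in YYYY-MM-DD form")
    if parsed >= today:
        raise ValueError("date must be before today")
    if parsed <= years_before(today, MAX_AGE_YEARS):
        raise ValueError(f"date must be within the last {MAX_AGE_YEARS} years")
    return parsed


def demo_connection() -> sqlite3.Connection:
    """In-memory table standing in for a real database (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE people (id INTEGER PRIMARY KEY, name TEXT, birth_date TEXT)")
    return conn


def store_birth_date(conn: sqlite3.Connection, name: str, raw: str,
                     today: Optional[date] = None) -> int:
    """Validate first, then insert with bound parameters (parameterized query)."""
    validated = validate_past_date(raw, today)
    cur = conn.execute(
        "INSERT INTO people (name, birth_date) VALUES (?, ?)",
        (name, validated.isoformat()),
    )
    return cur.lastrowid
```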