Alice and Bob Learn Application Security

Learn application security from the very start, with this comprehensive and approachable guide!

Alice and Bob Learn Application Security is an accessible and thorough resource for anyone seeking to incorporate, from the beginning of the System Development Life Cycle, best security practices in software development. This book covers all the basic subjects such as threat modeling and security testing, but also dives deep into more complex and advanced topics for securing modern software systems and architectures. Throughout, the book offers analogies, stories of the characters Alice and Bob, real-life examples, technical explanations and diagrams to ensure maximum clarity of the many abstract and complicated subjects.

Topics include:

Secure requirements, design, coding, and deployment
Security testing (all forms)
Common pitfalls
Application security programs
Securing modern applications
Software developer security hygiene

Alice and Bob Learn Application Security is perfect for aspiring application security engineers and practicing software developers, as well as software project managers, penetration testers, and chief information security officers who seek to build or improve their application security programs.

Alice and Bob Learn Application Security illustrates all the included concepts with easy-to-understand examples and concrete practical applications, furthering the reader's ability to grasp and retain the foundational and advanced topics contained within.

288 pages, ebook

Published October 14, 2020


About the author

Tanya Janca

3 books, 4 followers

Ratings & Reviews


Community Reviews

5 stars: 54 (55%)
4 stars: 29 (29%)
3 stars: 11 (11%)
2 stars: 3 (3%)
1 star: 1 (1%)
Displaying 1 - 11 of 11 reviews
Ali
270 reviews
April 9, 2023
Excellent guide on application security with practical tips, stories, examples and links to further resources in a very readable format. Janca does not just provide a technical red team guide on hacking or pen testing but brings all that high level knowledge together to build and guide a blue team, a sound SDLC (with shift left) or a DevSecOps program, with a good mix of red and blue; hence she hacks purple. This should be a required text for all systems/software development or cybersecurity programs.
Steve Lu
40 reviews, 1 follower
December 27, 2022
Great overview of application security. Lots of great lists, recommendations, and guidance. She touches upon the basics of infosec, starting an AppSec program, tools of the trade, getting org buy-in and more.
16 reviews, 19 followers
September 12, 2022
A fantastic introduction to the topic of Application Security. A perfect read for developers, QA team members, or those new to security.
April 10, 2024
I really enjoyed reading this book and wish I had read this at the start of my infosec career; nonetheless it's still proved to be a valuable resource. I don't have an engineering background, but this provides a solid foundation to understand the important concepts of what it takes to build a good appsec program. I was naive in thinking you could jump into this, but this book was very humbling in explaining what's required before you can do appsec. There are great exercises in the book too, and I know I'll be coming back to this and using it for future reference.
Ben Rothke
282 reviews, 33 followers
February 5, 2021
In attempting to make the encryption and cryptography process a bit more understandable, Dr. Ron Rivest of MIT, the R in RSA, used the characters of Alice and Bob to explain how cryptography works. Alice and Bob became so ubiquitous that they were the theme of the 2011 RSA Conference.

What Rivest started, Tanya Janca continues in Alice and Bob Learn Application Security (Wiley).
Janca is the founder of the We Hack Purple training academy, which specializes in application security training. She brings her vast training experience, enjoyable style, and enthusiasm about the topic, and has written a practical and useful guide.

Rather than spending chapters on introductions, the book hits the ground running and shows application developers what they need to do to write secure code.

Rivest created Alice and Bob to help people better understand encryption concepts. The book does that via stories and diagrams. There are many author stories where Janca shares real-world scenarios to make the ideas much more real.

President Ronald Reagan brought the term "trust, but verify" into the security lexicon. But Janca writes that when it comes to application security, one should never trust but always verify. This means that you should never trust anything outside of your own application. For example, if your application talks to an API, verify that it is the correct API and that it has the authority to do whatever it is trying to do.

Furthermore, on this concept, if your application accepts data, from every source, you have to perform validation on the data and ensure that it is what you are expecting and that it is appropriate. If it is not, then the application should reject it.

One of the more interesting stories is where she writes that during a threat modeling session, she asked two software developers from the same firm how they would do it if they were going to hack their own application.

They said that there was an admin module they wrote to administer the application from home. The admin module had not been on any design documents, and it turned out to be a significant security hole. If those programmers had not been at the meeting, that vulnerability would never have been known.

In 250 pages, the book covers all of the core topics around application security: from security requirements, software developer security hygiene, security fundamentals and requirements, and secure design concepts, to how to build an AppSec program, and more.

Behind many security vulnerabilities is insecure code, which underscores the importance of an effective application security program, and developers who know how to write secure code.

In Alice and Bob Learn Application Security, your developers will find a most accessible and readable resource that will provide them with a thorough application security overview. At 250 pages, this is far from the last word on the topic. But for those who have not started their appsec journey, this is a book that should most definitely be on their reading list.
Scott
44 reviews, 1 follower
February 15, 2021
I've been excited for some time to pick up "Alice and Bob Learn Application Security" by Tanya Janca, an experienced security professional who dedicates her time to educating others about application security and information security. She's also an accomplished speaker, presenter, and of course now author.

I very much enjoyed this book. Although I've been in InfoSec for more than 20 years, my expertise is primarily in networking, infrastructure, and systems integration; my main weaknesses are programming and application security. But this book speaks to people like me who are familiar with the concepts and terminology, and people just getting started in their InfoSec careers. Frankly, it's a wonderful guide also for people new to application security plus long-time veterans of the software development trade. The way Tanya explains clearly and plainly complex issues in the world of software development is extremely helpful to all! Professionals who know all the terminology but need to delve down another few levels into the material to help make it stick will appreciate Tanya's work, too.

As Tanya points out a couple of times, the truth of the matter is that DevSecOps is still an evolving concept, and very few - if any - organizations have a fully mature, robust Application Security program that couldn't stand rounding out.
Following Alice's and Bob's real-world examples through a logical progression, readers are treated to an understanding of the basic principles of building safe and secure software. Building on these essentials, Tanya explains what it takes to build a good AppSec program, and follows that with great detail on building good habits for secure coding.

Truly, her book touches all the critical points, and in my opinion does a perfect job of striking the balance between a solid overview and a detailed explanation of each and every aspect of application security. There are tons of tips peppered throughout the text, and her footnotes, end notes, and appendix materials give you everything needed for further research.

Finally, the best feature of this book is its readability. The flow and tone of this book make it highly entertaining and a rather fun read. If you couldn't tell by this point, I highly recommend this book! Any InfoSec or AppSec professional and anyone new to the industry will benefit from the guidance Tanya's book imparts.
3 reviews
December 26, 2020
Great book! It's very good for people learning (or that already know and want to reinforce some knowledge) about Application Security. It's easy to read & follow, the structure is also very easy to follow.

I highly recommend this book if you are a developer, security champion, work in application security or in any other field where application security will be useful for you to know.
215 reviews, 16 followers
May 7, 2022
An excellent book for any budding security professionals and developers who are interested in security. This is a very down-to-earth book that explains the basics of security and how to get started. Cybersecurity is a huge field, and this book helps demystify the application security field, which in itself is very big. The first chapter is definitely one that I'll be using to explain security in my own organization, but the rest of the book is full of great advice and knowledge on application security. It is full of useful and actionable things to do, but I wished there was a bit more literature to help me move onwards. One example is the mention to follow security leaders (such as the author) but no indication of who that could be. Another annoyance is that the requirements and design sections in the book (that is, security activities during the requirements and design phases of the software delivery life cycle) are a bit disorganized, with lots of activities which I think belong more in the coding phase.
But small annoyances aside, this is an excellent start to anyone who wants to start going into application security.
Jeff Patterson
95 reviews, 4 followers
November 18, 2023
Maybe this book wasn't targeted at my demographic, or more likely it just didn't speak to me. There are certainly gems of information in the book, but overall, I didn't enjoy the presentation much, and at times, I felt talked down to.

It's an okay read, and there are 2, maybe three chapters worth the book's cost. Chapters 2, 3, and I guess 8, but the information isn't new, and IMO can be found elsewhere in a more compelling read.

Writing any book is hard work, and I don't like giving poor reviews. No review is better in my mind, so take this review for what it is worth. I bought the print book; I will put it on the shelf and likely share what I learned in chapters 2 and 3 with my coworkers.