The best application security books for builders

Who am I?

Being able to understand and change reality through our knowledge and skill is literal magic. We’re building systems with so many exciting and unexpected properties that can be exploited and repurposed for both good and evil. I want to keep some of that magic and help people engineer – build great systems that make people’s lives better. I’ve been securing (and breaking) systems, from operating rooms to spaceships, from banks to self-driving cars for over 25 years. The biggest lesson I’ve learned is that if security is not infused from the start, we’re forced to rely on what ought to be our last lines of defense. This list helps you infuse security into your systems.


I wrote...

Threat Modeling: Designing for Security

By Adam Shostack,

Book cover of Threat Modeling: Designing for Security

What is my book about?

How to anticipate and address software threats before you’ve written a line of code. The proven tools in this book can be applied by anyone. They give you a structured and systematic approach that are be applied at any scale – from a website built with CI/CD to complex waterfall projects like spacecraft.

This book captures years of experience in a simple, accessible, and practical way.

The books I picked & why

Shepherd is reader supported. We may earn an affiliate commission when you buy through links on our website. This is how we fund this project for readers and authors (learn more).

Building Secure and Reliable Systems: Best Practices for Designing, Implementing, and Maintaining Systems

By Heather Adkins, Betsy Beyer, Paul Blankinship, Ana Oprea, Adam Stubblefield

Book cover of Building Secure and Reliable Systems: Best Practices for Designing, Implementing, and Maintaining Systems

Why this book?

This book captures lessons from many authors at Google, some of whom I’ve worked with over the years. The chapters on availability (7, 8, 9) were a revelation to me. I had no idea how Google approaches the topic of resilience and recovery in their systems, and I now think of the whole topic very differently. The biggest takeaway is how to think about the design of systems.


Agile Application Security: Enabling Security in a Continuous Delivery Pipeline

By Laura Bell, Michael Brunton-Spall, Rich Smith, Jim Bird

Book cover of Agile Application Security: Enabling Security in a Continuous Delivery Pipeline

Why this book?

When I worked in application security at Microsoft, we still had products that shipped every few years. I learned to scale application security in that world, but many people live in a different world now. AAS helped me understand which of our approaches translated well, which had to be transformed, and which needed to be discarded or replaced. I regularly refer back to it, even a few years later.


Designing Secure Software: A Guide for Developers

By Loren Kohnfelder,

Book cover of Designing Secure Software: A Guide for Developers

Why this book?

Loren’s been contributing to security for over 40 years, and this book captures his hard-won wisdom in a way that’s both humble and accessible. It scales from principles and design approaches to in-depth explanations of exactly how things go wrong and how to avoid those problems. (Also, I was honored to write the foreword.)


Leading Change

By John P. Kotter,

Book cover of Leading Change

Why this book?

As we move to a world in which security is everyone’s job, we have to understand that’s a change in what we expect of people, and change is hard. This book is short and actionable and will help security pros understand the changes that need to happen. Unlike a lot of business books, it’s not full of platitudes or repetition. Even when we’re not actively leading change, understanding the challenges leaders face enables us to plan and participate better to achieve our goals.


Flying Blind: The 737 Max Tragedy and the Fall of Boeing

By Peter Robison,

Book cover of Flying Blind: The 737 Max Tragedy and the Fall of Boeing

Why this book?

Boeing used to be a paragon of how engineering-driven companies could deliver amazing products and amazing profits. This book chronicles how that changed, and how Boeing lost its guiding principles. It shows how prioritizing the stock price over the business or the people who flew in its planes led to decisions that literally killed hundreds of people. Engineering concerns were regularly set aside for schedule or cost reasons. Most of us don’t work on products whose failures cause hundreds of deaths, but there’s an important lesson about being proud of the work you do and the products you deliver, and how that can make for a great business.


5 book lists we think you will like!

Interested in computer security, computer networks, and leadership?

5,888 authors have recommended their favorite books and what they love about them. Browse their picks for the best books about computer security, computer networks, and leadership.

Computer Security Explore 21 books about computer security
Computer Networks Explore 7 books about computer networks
Leadership Explore 58 books about leadership

And, 3 books we think you will enjoy!

We think you will like Software Security Engineering, Cybersecurity Is Everybody's Business, and Digital Fortress if you like this list.