59 books like Agile Application Security

By Laura Bell, Michael Brunton-Spall, Rich Smith , Jim Bird

Here are 59 books that Agile Application Security fans have personally recommended if you like Agile Application Security. Shepherd is a community of 12,000+ authors and super readers sharing their favorite books with the world.

When you buy books, we may earn a commission that helps keep our lights on (or join the rebellion as a member).

Book cover of Building Secure and Reliable Systems: Best Practices for Designing, Implementing, and Maintaining Systems

Adam Shostack Author Of Threat Modeling: Designing for Security

From my list on application security for builders.

Why am I passionate about this?

Being able to understand and change reality through our knowledge and skill is literal magic. We’re building systems with so many exciting and unexpected properties that can be exploited and repurposed for both good and evil. I want to keep some of that magic and help people engineer – build great systems that make people’s lives better. I’ve been securing (and breaking) systems, from operating rooms to spaceships, from banks to self-driving cars for over 25 years. The biggest lesson I’ve learned is that if security is not infused from the start, we’re forced to rely on what ought to be our last lines of defense. This list helps you infuse security into your systems.

Adam's book list on application security for builders

Adam Shostack Why did Adam love this book?

This book captures lessons from many authors at Google, some of whom I’ve worked with over the years. The chapters on availability (7, 8, 9) were a revelation to me. I had no idea how Google approaches the topic of resilience and recovery in their systems, and I now think of the whole topic very differently. The biggest takeaway is how to think about the design of systems.

By Heather Adkins, Betsy Beyer, Paul Blankinship , Ana Oprea , Adam Stubblefield

Why should I read it?

1 author picked Building Secure and Reliable Systems as one of their favorite books, and they share why you should read it.

What is this book about?

Can a system be considered truly reliable if it isn't fundamentally secure? Or can it be considered secure if it's unreliable? Security is crucial to the design and operation of scalable systems in production, as it plays an important part in product quality, performance, and availability. In this book, experts from Google share best practices to help your organization design scalable and reliable systems that are fundamentally secure.

Two previous O'Reilly books from Google-Site Reliability Engineering and The Site Reliability Workbook-demonstrated how and why a commitment to the entire service lifecycle enables organizations to successfully build, deploy, monitor, and maintain…


Book cover of Designing Secure Software: A Guide for Developers

Adam Shostack Author Of Threat Modeling: Designing for Security

From my list on application security for builders.

Why am I passionate about this?

Being able to understand and change reality through our knowledge and skill is literal magic. We’re building systems with so many exciting and unexpected properties that can be exploited and repurposed for both good and evil. I want to keep some of that magic and help people engineer – build great systems that make people’s lives better. I’ve been securing (and breaking) systems, from operating rooms to spaceships, from banks to self-driving cars for over 25 years. The biggest lesson I’ve learned is that if security is not infused from the start, we’re forced to rely on what ought to be our last lines of defense. This list helps you infuse security into your systems.

Adam's book list on application security for builders

Adam Shostack Why did Adam love this book?

Loren’s been contributing to security for over 40 years, and this book captures his hard-won wisdom in a way that’s both humble and accessible. It scales from principles and design approaches to in-depth explanations of exactly how things go wrong and how to avoid those problems. (Also, I was honored to write the foreword.)

By Loren Kohnfelder,

Why should I read it?

1 author picked Designing Secure Software as one of their favorite books, and they share why you should read it.

What is this book about?

Designing Secure Software consolidates Loren Kohnfelder's more than twenty years of experience into a concise, elegant guide to improving the security of technology products. Written for a wide range of software professionals, it emphasizes building security into software design early and involving the entire team in the process. The book begins with a discussion of core concepts. The second part, perhaps this book's most important contribution, covers the process of designing and reviewing a software design with security considerations in mind. The final section details the most common coding flaws that create vulnerabilities, making copious use of code snippets written…


Book cover of Leading Change

Kate Vitasek Author Of Vested: How P&G, McDonald's, and Microsoft are Redefining Winning in Business Relationships

From my list on creating successful business deals.

Why am I passionate about this?

I am an international authority for my award-winning research on the Vested® business model for highly collaborative relationships. I began my research in 2003 researching what makes a difference in successful strategic business deals. My day job is being the lead faculty and researcher for the University of Tennessee’s Certified Deal Architect program; my passion is helping organizations and individuals learn the art, science, and practice of crafting highly collaborative win-win strategic business relationships. My work has led to seven books and three Harvard Business Review articles. I’ve also shared my advice on CNN International, Bloomberg, NPR, and on Fox Business News.

Kate's book list on creating successful business deals

Kate Vitasek Why did Kate love this book?

You might ask why I am recommending a book on change management for a book list on structuring business deals. It is because anytime two organizations come together in a business deal something will change within their organizations. All too often people rush to sign the deal and forget there that often hundreds of critical changes behind the scenes are needed for the deal to be a success long after the ink is dry. If you are structuring a big business deal this book will help you think two steps ahead to lay the foundation so the organization can implement the changes needed. 

By John P. Kotter,

Why should I read it?

2 authors picked Leading Change as one of their favorite books, and they share why you should read it.

What is this book about?

The international bestseller--now with a new preface by author John Kotter. Millions worldwide have read and embraced John Kotter's ideas on change management and leadership. From the ill-fated dot-com bubble to unprecedented M&A activity to scandal, greed, and ultimately, recession--we've learned that widespread and difficult change is no longer the exception. It's the rule. Now with a new preface, this refreshed edition of the global bestseller Leading Change is more relevant than ever. John Kotter's now-legendary eight-step process for managing change with positive results has become the foundation for leaders and organizations across the globe. By outlining the process every…


Book cover of Flying Blind: The 737 Max Tragedy and the Fall of Boeing

Adam Shostack Author Of Threat Modeling: Designing for Security

From my list on application security for builders.

Why am I passionate about this?

Being able to understand and change reality through our knowledge and skill is literal magic. We’re building systems with so many exciting and unexpected properties that can be exploited and repurposed for both good and evil. I want to keep some of that magic and help people engineer – build great systems that make people’s lives better. I’ve been securing (and breaking) systems, from operating rooms to spaceships, from banks to self-driving cars for over 25 years. The biggest lesson I’ve learned is that if security is not infused from the start, we’re forced to rely on what ought to be our last lines of defense. This list helps you infuse security into your systems.

Adam's book list on application security for builders

Adam Shostack Why did Adam love this book?

Boeing used to be a paragon of how engineering-driven companies could deliver amazing products and amazing profits. This book chronicles how that changed, and how Boeing lost its guiding principles. It shows how prioritizing the stock price over the business or the people who flew in its planes led to decisions that literally killed hundreds of people. Engineering concerns were regularly set aside for schedule or cost reasons. Most of us don’t work on products whose failures cause hundreds of deaths, but there’s an important lesson about being proud of the work you do and the products you deliver, and how that can make for a great business.

By Peter Robison,

Why should I read it?

1 author picked Flying Blind as one of their favorite books, and they share why you should read it.

What is this book about?

NEW YORK TIMES BUSINESS BESTSELLER • A suspenseful behind-the-scenes look at the dysfunction that contributed to one of the worst tragedies in modern aviation: the 2018 and 2019 crashes of the Boeing 737 MAX.

An "authoritative, gripping and finely detailed narrative that charts the decline of one of the great American companies" (New York Times Book Review), from the award-winning reporter for Bloomberg.

Boeing is a century-old titan of industry. It played a major role in the early days of commercial flight, World War II bombing missions, and moon landings. The planemaker remains a cornerstone of the U.S. economy, as…


Book cover of Investments Unlimited: A Novel About DevOps, Security, Audit Compliance, and Thriving in the Digital Age

Tanya Janca Author Of Alice and Bob Learn Application Security

From my list on DevSecOps (it is just like DevOps, done securely).

Why am I passionate about this?

I have worked in IT for over 25 years, creating and securing software. I am completely obsessed with ensuring that our software is more reliable, that its integrity can be trusted, and that it keeps our secrets safe. I am not only a computer scientist but an ethical hacker who works hard to create a dialogue between software developers and all of the people who work in our security industry. I am a teacher, a community leader, and a computer nerd who shares messages and lessons wherever she goes.

Tanya's book list on DevSecOps (it is just like DevOps, done securely)

Tanya Janca Why did Tanya love this book?

This book is set in the same universe as The Phoenix Project and The Unicorn Project, but it's at a new company named investments unlimited.

It's also a fictitious story, but with all brand new characters, and brand new problems! In this book they cover security much more deeply than any of the other previous books, talking about how compliance and audit can work together with the information security and DevOps teams.

They talk about common problems that I have faced in many organizations, and a lot of the stories feel so familiar I wonder if the authors have followed me around throughout my career.

Although of course they save the day in the end, there are many parts of the book where we're not quite sure if they're going to make it or not with various characters learning to see things in new ways, so that they can make…

By Helen Beal, Bill Bensing, Jason Cox , Michael Edenzon , John Willis

Why should I read it?

1 author picked Investments Unlimited as one of their favorite books, and they share why you should read it.

What is this book about?

In the vein of the bestselling The Phoenix Project and The Unicorn Project, Investments Unlimited radically rethinks how organizations can handle the audit, compliance, and security of their software systems-even in highly regulated industries. By introducing concepts, tools, and ideas to reimagine governance, Investments Unlimited catalyzes a more humane way to enable high-velocity software delivery that is inherently more secure.

Investments Unlimited, Inc. has accomplished what many other firms in their industry have failed to do: they have successfully navigated the transition from legacy ways of working to the digital frontier. With the help of DevOps practices, Investments Unlimited delivers…


Book cover of Software Security Engineering: A Guide for Project Managers

Nancy R. Mead Author Of Cyber Security Engineering: A Practical Approach for Systems and Software Assurance

From my list on software security engineering.

Why am I passionate about this?

As a kid, I used to do all the math problems in my textbooks just for fun, even if they weren’t part of a homework assignment. My grandchildren cringe when I tell them this. I am a researcher and educator in secure software engineering and have enjoyed a productive career in software development and management, software engineering and software security research, and software and secure software engineering education.  

Nancy's book list on software security engineering

Nancy R. Mead Why did Nancy love this book?

This book is a “how-to” guide for teams developing secure software. Written by a team of experts, it covers the important issues in developing software that is better able to prevent successful attacks. The book contains many references, a strategy, and an implementation guide with cross-references. For each topic, the maturity of practice at the time of writing is provided, as well as an indication of the audience.  

By Julia H. Allen, Sean Barnum, Robert J. Ellison , Gary McGraw , Nancy R. Mead

Why should I read it?

1 author picked Software Security Engineering as one of their favorite books, and they share why you should read it.

What is this book about?

"This book's broad overview can help an organization choose a set of processes, policies, and techniques that are appropriate for its security maturity, risk tolerance, and development style. This book will help you understand how to incorporate practical security techniques into all phases of the development lifecycle."

-Steve Riley, senior security strategist, Microsoft Corporation



"There are books written on some of the topics addressed in this book, and there are other books on secure systems engineering. Few address the entire life cycle with a comprehensive overview and discussion of emerging trends and topics as well as this one."

-Ronda Henning,…


Book cover of Hacking: The Art of Exploitation

Nora Sandler Author Of Writing a C Compiler: Build a Real Programming Language from Scratch

From my list on systems and system failures for programmers.

Why am I passionate about this?

I love computers, and especially computer systems. I’m interested in how different pieces of hardware and software, like processors, operating systems, compilers, and linkers, work together to get things done. Early in my career, as a software security tester, I studied how different components interacted to find vulnerabilities. Now that I work on compilers, I focus on the systems that transform source code into a running program. I’m also interested in how computer systems are shaped by the people who build and use them—I believe that creating safer, more reliable software is a social problem as much as a technical one.

Nora's book list on systems and system failures for programmers

Nora Sandler Why did Nora love this book?

One of the best ways to understand how software works is to study how it fails. When I was just starting my career in software security, I read this book to learn about binary exploits like buffer overflows. It’s been a long time since I’ve written a binary exploit, but digging into the nitty-gritty, low-level details of how software runs on a real system has helped with everything I’ve done as an engineer since.

A lot has changed since this book was published in 2008 (and running the accompanying Live CD has gotten trickier), but the fundamental concepts are as relevant as ever.

By Jon Erickson,

Why should I read it?

1 author picked Hacking as one of their favorite books, and they share why you should read it.

What is this book about?

Hacking is the art of creative problem solving, whether that means finding an unconventional solution to a difficult problem or exploiting holes in sloppy programming. Many people call themselves hackers, but few have the strong technical foundation needed to really push the envelope. Rather than merely showing how to run existing exploits, author Jon Erickson explains how arcane hacking techniques actually work. To share the art and science of hacking in a way that is accessible to everyone, Hacking: The Art of Exploitation, 2nd Edition introduces the fundamentals of C programming from a hacker's perspective. The included LiveCD provides a…


Book cover of Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World

Eric J. Rzeszut Author Of 10 Don'ts on Your Digital Devices: The Non-Techie's Survival Guide to Cyber Security and Privacy

From my list on to help you protect your personal information.

Why am I passionate about this?

I have been an information technology and cybersecurity professional for over two decades. I’ve learned over and over again that “people are the weakest link.” You can build the most secure system in the world, with stringent password requirements. But if the user writes their password down and leaves it where someone else can see it, system security is irrelevant! The easiest way to gain access to a system is via “social engineering” – to trick a human being into giving you the access you need, rather than trying to hack the system itself. The books on this list will help the reader lower their chances of being exploited like this.

Eric's book list on to help you protect your personal information

Eric J. Rzeszut Why did Eric love this book?

Security expert Bruce Schneier wrote this excellent book, talking about the “Goliaths” who are looking to exploit individuals’ data. Focusing more on politics (specifically US politics) than the other books on this list, Schneier talks about the Edward Snowden classified information reveal. He talks about mass surveillance conducted by the US and other governments around the world, and lays out in detail why this should concern us all.

By Bruce Schneier,

Why should I read it?

1 author picked Data and Goliath as one of their favorite books, and they share why you should read it.

What is this book about?

Data is everywhere. We create it every time we go online, turn our phone on (or off) or pay with a credit card. This data is stored, studied, bought and sold by companies and governments for surveillance and for control. "Foremost security expert" (Wired) Bruce Schneier shows how this data has led to a double-edged Internet-a Web that gives power to the people but is abused by the institutions on which those people depend.

In Data and Goliath, Schneier reveals the full extent of surveillance, censorship and propaganda in society today, examining the risks of cybercrime, cyberterrorism and cyberwar. He…


Book cover of Practice of Cloud System Administration, The: DevOps and SRE Practices for Web Services, Volume 2

Yevgeniy Brikman Author Of Fundamentals of DevOps and Software Delivery: A Hands-On Guide to Deploying and Managing Software in Production

From my list on practical, hands-on books on DevOps and software delivery.

Why am I passionate about this?

I’ve spent more than a decade working on infrastructure, from my early days at LinkedIn, where we had to do a massive DevOps transformation to save the company, to co-founding Gruntwork, where I had the opportunity to work with hundreds of companies on their software delivery practices. From all of this, I can say the following with certainty: the DevOps best practices that a handful of the top tech companies have figured out are not filtering down to the rest of the industry. This is making the entire software industry slower, less effective, and less secure—and I see it as my mission to fix that.

Yevgeniy's book list on practical, hands-on books on DevOps and software delivery

Yevgeniy Brikman Why did Yevgeniy love this book?

This book felt like a chance to sit with a few experienced Ops people and hear their war stories.

The book is full of concrete, actionable learnings that are essential for running software, including operational requirements (e.g., configuration, draining, hot swaps, feature toggles, graceful degradation, etc.), software architecture (e.g., three-tier web service, four-tier web service, load balancing models etc.), scaling patterns (e.g., horizontal duplication, service splits, caching, etc.), resiliency patterns (software vs hardware resiliency, spare capacity, failure domains, etc.), and much more.

I loved being able to pick up decades of experience and hard-won knowledge by just flipping through a few pages of a book! 

By Thomas Limoncelli, Strata Chalup, Christina Hogan

Why should I read it?

1 author picked Practice of Cloud System Administration, The as one of their favorite books, and they share why you should read it.

What is this book about?

"There's an incredible amount of depth and thinking in the practices described here, and it's impressive to see it all in one place."

-Win Treese, coauthor of Designing Systems for Internet Commerce

The Practice of Cloud System Administration, Volume 2, focuses on "distributed" or "cloud" computing and brings a DevOps/SRE sensibility to the practice of system administration. Unsatisfied with books that cover either design or operations in isolation, the authors created this authoritative reference centered on a comprehensive approach.

Case studies and examples from Google, Etsy, Twitter, Facebook, Netflix, Amazon, and other industry giants are explained in practical ways that…


Book cover of Infrastructure as Code: Dynamic Systems for the Cloud Age

Yevgeniy Brikman Author Of Fundamentals of DevOps and Software Delivery: A Hands-On Guide to Deploying and Managing Software in Production

From my list on practical, hands-on books on DevOps and software delivery.

Why am I passionate about this?

I’ve spent more than a decade working on infrastructure, from my early days at LinkedIn, where we had to do a massive DevOps transformation to save the company, to co-founding Gruntwork, where I had the opportunity to work with hundreds of companies on their software delivery practices. From all of this, I can say the following with certainty: the DevOps best practices that a handful of the top tech companies have figured out are not filtering down to the rest of the industry. This is making the entire software industry slower, less effective, and less secure—and I see it as my mission to fix that.

Yevgeniy's book list on practical, hands-on books on DevOps and software delivery

Yevgeniy Brikman Why did Yevgeniy love this book?

This is a book for practitioners, by a practitioner, full of practical learnings that I was able to start using in my work immediately.

I especially appreciated the parts teaching the core principles of infrastructure as code (e.g., systems are disposable, consistent, can easily be reproduced, etc.), core practices of infrastructure as code (e.g., use definition files, self-documented systems and processes, version all the things, etc.), and the idea of antifragile systems (rather than just systems that you prevent from breaking) and autonomic systems (rather than just automated systems).

By Kief Morris,

Why should I read it?

1 author picked Infrastructure as Code as one of their favorite books, and they share why you should read it.

What is this book about?

Six years ago, Infrastructure as Code was a new concept. Today, as even banks and other conservative organizations plan moves to the cloud, development teams for companies worldwide are attempting to build large infrastructure codebases. With this practical book, Kief Morris of ThoughtWorks shows you how to effectively use principles, practices, and patterns pioneered by DevOps teams to manage cloud-age infrastructure.

Ideal for system administrators, infrastructure engineers, software developers, team leads, and architects, this updated edition demonstrates how you can exploit cloud and automation technology to make changes easily, safely, quickly, and responsibly. You'll learn how to define everything as…


Book cover of Building Secure and Reliable Systems: Best Practices for Designing, Implementing, and Maintaining Systems
Book cover of Designing Secure Software: A Guide for Developers
Book cover of Leading Change

Share your top 3 reads of 2024!

And get a beautiful page showing off your 3 favorite reads.

1,188

readers submitted
so far, will you?

5 book lists we think you will like!

Interested in computer networks, agile software development, and computer security?