# Top Books for Product Security by Domain and Role

> **Intro:** This page is intentionally curated for **long-term usefulness in 2026**, not just for publication recency. Some books here are recent and cloud-native. Others are older but remain foundational because they teach the mental models that Product Security teams still use every day.
>
> **How to use this page**
>
> * start with the books that match your current role;
> * pair reading with labs or review exercises;
> * use older books for durable concepts and newer books for implementation detail.

## Selection principles

This list prefers books that are:

* repeatedly recommended by strong practitioners;
* useful across multiple companies and stacks;
* conceptually durable even when screenshots or tools age;
* good for translation between engineering, Product Security, and leadership.

## Foundations, SDL, and Threat Modeling

| Title                                                   | Author(s)                                       | Year / edition | Why it is valuable                                                                                                    | Amazon                                                                                                                               |
| ------------------------------------------------------- | ----------------------------------------------- | -------------- | --------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------ |
| **The Security Development Lifecycle**                  | Michael Howard, Steve Lipner                    | 2006           | classic SDL framing from Microsoft; still valuable for process thinking, security culture, and engineering discipline | [Amazon](https://www.amazon.com/s?k=The+Security+Development+Lifecycle+Michael+Howard%2C+Steve+Lipner)                               |
| **Writing Secure Code (2nd Edition)**                   | Michael Howard, David LeBlanc, John Viega       | 2002 / 2nd ed. | foundational secure coding mindset book that still teaches durable attacker thinking                                  | [Amazon](https://www.amazon.com/s?k=Writing+Secure+Code+%282nd+Edition%29+Michael+Howard%2C+David+LeBlanc%2C+John+Viega)             |
| **Threat Modeling: Designing for Security**             | Adam Shostack                                   | 2014           | still the default book for turning design conversations into structured threat models                                 | [Amazon](https://www.amazon.com/s?k=Threat+Modeling%3A+Designing+for+Security+Adam+Shostack)                                         |
| **Secure by Design**                                    | Loren Kohnfelder                                | 2021           | excellent bridge from abstract principles to engineering choices and abuse-resistant design                           | [Amazon](https://www.amazon.com/s?k=Secure+by+Design+Loren+Kohnfelder)                                                               |
| **The Tangled Web**                                     | Michal Zalewski                                 | 2011           | still one of the best ways to understand browser and web platform complexity                                          | [Amazon](https://www.amazon.com/s?k=The+Tangled+Web+Michal+Zalewski)                                                                 |
| **The Web Application Hacker’s Handbook (2nd Edition)** | Dafydd Stuttard, Marcus Pinto                   | 2011 / 2nd ed. | older but still unmatched for understanding attack mechanics that reviewers must recognize                            | [Amazon](https://www.amazon.com/s?k=The+Web+Application+Hacker%E2%80%99s+Handbook+%282nd+Edition%29+Dafydd+Stuttard%2C+Marcus+Pinto) |
| **Real-World Cryptography**                             | David Wong                                      | 2021           | best modern bridge between practical product engineering and cryptography choices                                     | [Amazon](https://www.amazon.com/s?k=Real-World+Cryptography+David+Wong)                                                              |
| **Cryptography Engineering**                            | Niels Ferguson, Bruce Schneier, Tadayoshi Kohno | 2010           | strong practical cryptographic design book for engineers building systems, not inventing algorithms                   | [Amazon](https://www.amazon.com/s?k=Cryptography+Engineering+Niels+Ferguson%2C+Bruce+Schneier%2C+Tadayoshi+Kohno)                    |
| **Serious Cryptography**                                | Jean-Philippe Aumasson                          | 2017           | clear modern overview of cryptographic building blocks and common mistakes                                            | [Amazon](https://www.amazon.com/s?k=Serious+Cryptography+Jean-Philippe+Aumasson)                                                     |
| **Security Engineering (3rd Edition)**                  | Ross Anderson                                   | 2020 / 3rd ed. | broad systems-security reference for engineers who want to think beyond narrow AppSec                                 | [Amazon](https://www.amazon.com/s?k=Security+Engineering+%283rd+Edition%29+Ross+Anderson)                                            |

## Application Security and Secure Coding

| Title                                        | Author(s)                                               | Year / edition | Why it is valuable                                                                                       | Amazon                                                                                                                        |
| -------------------------------------------- | ------------------------------------------------------- | -------------- | -------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------- |
| **Alice and Bob Learn Application Security** | Tanya Janca                                             | 2023           | strong broad AppSec primer for developers and emerging Product Security engineers                        | [Amazon](https://www.amazon.com/s?k=Alice+and+Bob+Learn+Application+Security+Tanya+Janca)                                     |
| **Alice and Bob Learn Secure Coding**        | Tanya Janca                                             | 2025           | excellent developer-first secure coding book with modern examples and training-friendly structure        | [Amazon](https://www.amazon.com/s?k=Alice+and+Bob+Learn+Secure+Coding+Tanya+Janca)                                            |
| **Agile Application Security**               | Laura Bell, Michael Brunton-Spall, Rich Smith, Jim Bird | 2017           | useful for embedding security into product delivery without creating a parallel bureaucracy              | [Amazon](https://www.amazon.com/s?k=Agile+Application+Security+Laura+Bell%2C+Michael+Brunton-Spall%2C+Rich+Smith%2C+Jim+Bird) |
| **Iron-Clad Java**                           | Jim Manico                                              | 2020           | practical secure coding guidance for Java teams                                                          | [Amazon](https://www.amazon.com/s?k=Iron-Clad+Java+Jim+Manico)                                                                |
| **Secure Your Node.js Web Application**      | Karl Duuna                                              | 2016           | older but still useful for learning recurring Node.js security failure modes and secure coding instincts | [Amazon](https://www.amazon.com/s?k=Secure+Your+Node.js+Web+Application+Karl+Duuna)                                           |
| **Web Security for Developers**              | Malcolm McDonald                                        | 2021           | excellent browser and web fundamentals explained for engineers                                           | [Amazon](https://www.amazon.com/s?k=Web+Security+for+Developers+Malcolm+McDonald)                                             |
| **Black Hat GraphQL**                        | Dolev Farhi, Uri Goldshtein                             | 2023           | focused book for GraphQL abuse patterns, review questions, and defensive thinking                        | [Amazon](https://www.amazon.com/s?k=Black+Hat+GraphQL+Dolev+Farhi%2C+Uri+Goldshtein)                                          |
| **API Security in Action**                   | Neil Madden                                             | 2020           | one of the best practical books on API authn/authz, tokens, and security design                          | [Amazon](https://www.amazon.com/s?k=API+Security+in+Action+Neil+Madden)                                                       |
| **Practical API Security**                   | Jarrett Leon                                            | 2024           | useful complement to broader API books with product-oriented design and review patterns                  | [Amazon](https://www.amazon.com/s?k=Practical+API+Security+Jarrett+Leon)                                                      |
| **Web Application Security**                 | Andrew Hoffman                                          | 2020           | solid modern primer across major web security concepts for developers and reviewers                      | [Amazon](https://www.amazon.com/s?k=Web+Application+Security+Andrew+Hoffman)                                                  |

## Cloud, Containers, Kubernetes, and Runtime

| Title                                            | Author(s)                         | Year / edition         | Why it is valuable                                                                                                | Amazon                                                                                                       |
| ------------------------------------------------ | --------------------------------- | ---------------------- | ----------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------ |
| **Container Security (2nd Edition)**             | Liz Rice                          | 2025 / 2nd ed.         | best modern book for how containers actually work and how to secure them                                          | [Amazon](https://www.amazon.com/s?k=Container+Security+%282nd+Edition%29+Liz+Rice)                           |
| **Learn Kubernetes Security**                    | Kaizhe Huang, Pranjal Jumde       | 2020                   | good structured entry point for cluster hardening, workloads, and operations                                      | [Amazon](https://www.amazon.com/s?k=Learn+Kubernetes+Security+Kaizhe+Huang%2C+Pranjal+Jumde)                 |
| **Kubernetes Security and Observability**        | Brendan Creane, Amit Gupta        | 2022                   | helpful for the overlap of runtime signals, policy, and platform operations                                       | [Amazon](https://www.amazon.com/s?k=Kubernetes+Security+and+Observability+Brendan+Creane%2C+Amit+Gupta)      |
| **Hacking Kubernetes**                           | Andrew Martin, Michael Hausenblas | 2021                   | great offensive/defensive lens for understanding Kubernetes misconfigurations and attack paths                    | [Amazon](https://www.amazon.com/s?k=Hacking+Kubernetes+Andrew+Martin%2C+Michael+Hausenblas)                  |
| **Kubernetes in Action (2nd Edition)**           | Marko Lukša                       | 2025 / 2nd ed.         | not a pure security book, but still one of the best books for understanding the platform you are trying to secure | [Amazon](https://www.amazon.com/s?k=Kubernetes+in+Action+%282nd+Edition%29+Marko+Luk%C5%A1a)                 |
| **Cloud Native Security Cookbook**               | Josh Armitage                     | 2021                   | practical patterns across Kubernetes, cloud-native controls, and delivery                                         | [Amazon](https://www.amazon.com/s?k=Cloud+Native+Security+Cookbook+Josh+Armitage)                            |
| **AWS Security**                                 | Dylan Shields                     | 2017                   | older but still useful for core AWS security building blocks and service interactions                             | [Amazon](https://www.amazon.com/s?k=AWS+Security+Dylan+Shields)                                              |
| **AWS Certified Security Specialty Study Guide** | Sybex / Ben Piper et al.          | latest recent editions | not a perfect book, but useful as a structured map of AWS security services and concepts                          | [Amazon](https://www.amazon.com/s?k=AWS+Certified+Security+Specialty+Study+Guide+Sybex+%2F+Ben+Piper+et+al.) |
| **Terraform in Depth**                           | James Turnbull                    | 2023                   | useful for platform engineers securing IaC workflows and change control                                           | [Amazon](https://www.amazon.com/s?k=Terraform+in+Depth+James+Turnbull)                                       |
| **Cloud Native DevOps with Kubernetes**          | John Arundel, Justin Domingus     | 2022                   | excellent operations context for understanding the environments Product Security reviews                          | [Amazon](https://www.amazon.com/s?k=Cloud+Native+DevOps+with+Kubernetes+John+Arundel%2C+Justin+Domingus)     |

## DevSecOps, CI/CD, and Software Supply Chain

| Title                                    | Author(s)                                             | Year / edition | Why it is valuable                                                                                                     | Amazon                                                                                                                                |
| ---------------------------------------- | ----------------------------------------------------- | -------------- | ---------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------- |
| **Practical DevSecOps**                  | Tony Hsiang-Chih Hsu, Mandi Walls, et al.             | 2018           | good bridge from DevOps operations to practical security integration                                                   | [Amazon](https://www.amazon.com/s?k=Practical+DevSecOps+Tony+Hsiang-Chih+Hsu%2C+Mandi+Walls%2C+et+al.)                                |
| **The DevSecOps Playbook**               | Gary Hayslip, Patrick Heim, et al.                    | 2023           | more programmatic and organizational than code-focused; useful for transformation work                                 | [Amazon](https://www.amazon.com/s?k=The+DevSecOps+Playbook+Gary+Hayslip%2C+Patrick+Heim%2C+et+al.)                                    |
| **DevOpsSec**                            | Jim Bird                                              | 2023           | short strategic book on integrating security into delivery systems                                                     | [Amazon](https://www.amazon.com/s?k=DevOpsSec+Jim+Bird)                                                                               |
| **Secure by Design**                     | Dan Bergh Johnsson, Daniel Deogun, Daniel Sawano      | 2019           | not supply-chain specific but valuable for moving security left into engineering design                                | [Amazon](https://www.amazon.com/s?k=Secure+by+Design+Dan+Bergh+Johnsson%2C+Daniel+Deogun%2C+Daniel+Sawano)                            |
| **Building Secure and Reliable Systems** | Heather Adkins, Betsy Beyer, Paul Blankinship, et al. | 2020           | one of the best books for connecting reliability and security in production systems                                    | [Amazon](https://www.amazon.com/s?k=Building+Secure+and+Reliable+Systems+Heather+Adkins%2C+Betsy+Beyer%2C+Paul+Blankinship%2C+et+al.) |
| **Software Supply Chain Security**       | various emerging guides and reports                   | 2023-2026 era  | use this slot to keep adding newer supply-chain references as the domain evolves faster than classic publishing cycles | [Amazon](https://www.amazon.com/s?k=Software+Supply+Chain+Security+various+emerging+guides+and+reports)                               |
| **Learning DevSecOps**                   | Steve Suehring                                        | 2020           | useful entry book for pipeline-security concepts and security automation framing                                       | [Amazon](https://www.amazon.com/s?k=Learning+DevSecOps+Steve+Suehring)                                                                |
| **Security Chaos Engineering**           | Kelly Shortridge, Aaron Rinehart                      | 2020           | helps teams think about resilience and control validation beyond checklists                                            | [Amazon](https://www.amazon.com/s?k=Security+Chaos+Engineering+Kelly+Shortridge%2C+Aaron+Rinehart)                                    |

## Identity, APIs, and Zero Trust

| Title                                       | Author(s)                        | Year / edition | Why it is valuable                                                                             | Amazon                                                                                                          |
| ------------------------------------------- | -------------------------------- | -------------- | ---------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------- |
| **OAuth 2 in Action**                       | Justin Richer, Antonio Sanso     | 2017           | still one of the best deep dives on OAuth 2 and modern delegated authorization                 | [Amazon](https://www.amazon.com/s?k=OAuth+2+in+Action+Justin+Richer%2C+Antonio+Sanso)                           |
| **Zero Trust Security**                     | Jason Garbis                     | 2021           | pragmatic guide for translating zero trust into engineering and operating models               | [Amazon](https://www.amazon.com/s?k=Zero+Trust+Security+Jason+Garbis)                                           |
| **Zero Trust Networks**                     | Evan Gilman, Doug Barth          | 2017           | good conceptual grounding for identity-centric service-to-service security                     | [Amazon](https://www.amazon.com/s?k=Zero+Trust+Networks+Evan+Gilman%2C+Doug+Barth)                              |
| **Microservices Security in Action**        | Prabath Siriwardena, Nuwan Dias  | 2020           | useful for authn/authz and service security patterns in distributed systems                    | [Amazon](https://www.amazon.com/s?k=Microservices+Security+in+Action+Prabath+Siriwardena%2C+Nuwan+Dias)         |
| **gRPC: Up and Running**                    | Kasun Indrasiri, Danesh Kuruppu  | 2020           | not security-first, but valuable for understanding gRPC mechanics before trying to secure them | [Amazon](https://www.amazon.com/s?k=gRPC%3A+Up+and+Running+Kasun+Indrasiri%2C+Danesh+Kuruppu)                   |
| **GraphQL in Action**                       | Samer Buna                       | 2021           | good GraphQL mechanics context; pair it with dedicated GraphQL security guidance               | [Amazon](https://www.amazon.com/s?k=GraphQL+in+Action+Samer+Buna)                                               |
| **Designing APIs with Swagger and OpenAPI** | Joshua Ponelat, Lukas Rosenstock | 2022           | helps security reviewers reason about API contracts and design-time controls                   | [Amazon](https://www.amazon.com/s?k=Designing+APIs+with+Swagger+and+OpenAPI+Joshua+Ponelat%2C+Lukas+Rosenstock) |

## Management, Strategy, Metrics, and Leadership

| Title                                                             | Author(s)                                         | Year / edition | Why it is valuable                                                                                              | Amazon                                                                                                                                 |
| ----------------------------------------------------------------- | ------------------------------------------------- | -------------- | --------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------- |
| **How to Measure Anything in Cybersecurity Risk**                 | Douglas Hubbard, Richard Seiersen                 | 2016           | important for leaders who need to avoid vanity metrics and reason about uncertainty                             | [Amazon](https://www.amazon.com/s?k=How+to+Measure+Anything+in+Cybersecurity+Risk+Douglas+Hubbard%2C+Richard+Seiersen)                 |
| **Security Metrics: Replacing Fear, Uncertainty, and Doubt**      | Andrew Jaquith                                    | 2007           | older, but still useful for understanding why many security metrics fail                                        | [Amazon](https://www.amazon.com/s?k=Security+Metrics%3A+Replacing+Fear%2C+Uncertainty%2C+and+Doubt+Andrew+Jaquith)                     |
| **The Security Culture Playbook**                                 | Perry Carpenter, Kai Roer                         | 2022           | useful for champions, education, and behavior change programs                                                   | [Amazon](https://www.amazon.com/s?k=The+Security+Culture+Playbook+Perry+Carpenter%2C+Kai+Roer)                                         |
| **Cybersecurity Program Development for Business**                | Chris Moschovitis                                 | 2018           | good for leaders building structure, governance, and operational consistency                                    | [Amazon](https://www.amazon.com/s?k=Cybersecurity+Program+Development+for+Business+Chris+Moschovitis)                                  |
| **The Practice of Cloud System Administration**                   | Thomas Limoncelli, Strata Chalup, Christina Hogan | 2014           | not security-first, but still valuable for operational discipline and ownership models                          | [Amazon](https://www.amazon.com/s?k=The+Practice+of+Cloud+System+Administration+Thomas+Limoncelli%2C+Strata+Chalup%2C+Christina+Hogan) |
| **An Elegant Puzzle**                                             | Will Larson                                       | 2019           | engineering-management book that Product Security leaders can use for org design, planning, and scaling         | [Amazon](https://www.amazon.com/s?k=An+Elegant+Puzzle+Will+Larson)                                                                     |
| **Staff Engineer**                                                | Will Larson                                       | 2021           | helpful for senior individual contributors trying to influence without formal authority                         | [Amazon](https://www.amazon.com/s?k=Staff+Engineer+Will+Larson)                                                                        |
| **The Manager’s Path**                                            | Camille Fournier                                  | 2017           | excellent for Product Security practitioners moving from engineering into leadership                            | [Amazon](https://www.amazon.com/s?k=The+Manager%E2%80%99s+Path+Camille+Fournier)                                                       |
| **97 Things Every Application Security Professional Should Know** | Theodore Winograd et al.                          | 2021           | high-signal short essays for wide-angle learning and team discussion                                            | [Amazon](https://www.amazon.com/s?k=97+Things+Every+Application+Security+Professional+Should+Know+Theodore+Winograd+et+al.)            |
| **97 Things Every Cloud Engineer Should Know**                    | Emily Freeman, Nathen Harvey                      | 2020           | useful for Product Security engineers who need to understand the operator mindset they review                   | [Amazon](https://www.amazon.com/s?k=97+Things+Every+Cloud+Engineer+Should+Know+Emily+Freeman%2C+Nathen+Harvey)                         |
| **The Phoenix Project**                                           | Gene Kim, Kevin Behr, George Spafford             | 2013           | not security-specific, but still one of the best empathy builders for why delivery systems work the way they do | [Amazon](https://www.amazon.com/s?k=The+Phoenix+Project+Gene+Kim%2C+Kevin+Behr%2C+George+Spafford)                                     |

## How to read this list without getting overwhelmed

### If you are a developer moving into Product Security

Start with:

1. *Alice and Bob Learn Application Security*
2. *Threat Modeling: Designing for Security*
3. *API Security in Action*
4. one platform book that matches your environment

### If you are already in cloud or platform security

Start with:

1. *Container Security (2nd Edition)*
2. *Hacking Kubernetes*
3. *Building Secure and Reliable Systems*
4. *How to Measure Anything in Cybersecurity Risk*

### If you are moving into leadership

Start with:

1. *The Security Development Lifecycle*
2. *Agile Application Security*
3. *How to Measure Anything in Cybersecurity Risk*
4. *The Manager’s Path*
5. *An Elegant Puzzle*

## Best companion pages in this KB

* [Three-Month Product Security Self-Study Plan](/learning-labs-interview-and-templates/index-2/three-month-product-security-self-study-plan.md)
* [Product Security Ecosystem Projects, Communities, and Learning Hubs](/learning-labs-interview-and-templates/index-2/product-security-ecosystem-projects-communities-and-learning-hubs.md)
* [Security Review Checklists and Cheat Sheets](/learning-labs-interview-and-templates/index-2/security-review-checklists-and-cheat-sheets.md)

