Top Books for Product Security by Domain and Role
Intro: This page is intentionally curated for long-term usefulness in 2026, not just for publication recency. Some books here are recent and cloud-native. Others are older but remain foundational because they teach the mental models that Product Security teams still use every day.
How to use this page
- start with the books that match your current role;
- pair reading with labs or review exercises;
- use older books for durable concepts and newer books for implementation detail.
Selection principles
This list prefers books that are:
- repeatedly recommended by strong practitioners;
- useful across multiple companies and stacks;
- conceptually durable even when screenshots or tools age;
- good for translation between engineering, Product Security, and leadership.
Foundations, SDL, and Threat Modeling
| Title | Author(s) | Year / edition | Why it is valuable | Amazon |
|---|---|---|---|---|
| The Security Development Lifecycle | Michael Howard, Steve Lipner | 2006 | classic SDL framing from Microsoft; still valuable for process thinking, security culture, and engineering discipline | Amazon |
| Writing Secure Code (2nd Edition) | Michael Howard, David LeBlanc, John Viega | 2002 / 2nd ed. | foundational secure coding mindset book that still teaches durable attacker thinking | Amazon |
| Threat Modeling: Designing for Security | Adam Shostack | 2014 | still the default book for turning design conversations into structured threat models | Amazon |
| Secure by Design | Loren Kohnfelder | 2021 | excellent bridge from abstract principles to engineering choices and abuse-resistant design | Amazon |
| The Tangled Web | Michal Zalewski | 2011 | still one of the best ways to understand browser and web platform complexity | Amazon |
| The Web Application Hacker's Handbook (2nd Edition) | Dafydd Stuttard, Marcus Pinto | 2011 / 2nd ed. | older but still unmatched for understanding attack mechanics that reviewers must recognize | Amazon |
| Real-World Cryptography | David Wong | 2021 | best modern bridge between practical product engineering and cryptography choices | Amazon |
| Cryptography Engineering | Niels Ferguson, Bruce Schneier, Tadayoshi Kohno | 2010 | strong practical cryptographic design book for engineers building systems, not inventing algorithms | Amazon |
| Serious Cryptography | Jean-Philippe Aumasson | 2017 | clear modern overview of cryptographic building blocks and common mistakes | Amazon |
| Security Engineering (3rd Edition) | Ross Anderson | 2020 / 3rd ed. | broad systems-security reference for engineers who want to think beyond narrow AppSec | Amazon |
Application Security and Secure Coding
| Title | Author(s) | Year / edition | Why it is valuable | Amazon |
|---|---|---|---|---|
| Alice and Bob Learn Application Security | Tanya Janca | 2023 | strong broad AppSec primer for developers and emerging Product Security engineers | Amazon |
| Alice and Bob Learn Secure Coding | Tanya Janca | 2025 | excellent developer-first secure coding book with modern examples and training-friendly structure | Amazon |
| Agile Application Security | Laura Bell, Michael Brunton-Spall, Rich Smith, Jim Bird | 2017 | useful for embedding security into product delivery without creating a parallel bureaucracy | Amazon |
| Iron-Clad Java | Jim Manico | 2020 | practical secure coding guidance for Java teams | Amazon |
| Secure Your Node.js Web Application | Karl Duuna | 2016 | older but still useful for learning recurring Node.js security failure modes and secure coding instincts | Amazon |
| Web Security for Developers | Malcolm McDonald | 2021 | excellent browser and web fundamentals explained for engineers | Amazon |
| Black Hat GraphQL | Dolev Farhi, Uri Goldshtein | 2023 | focused book for GraphQL abuse patterns, review questions, and defensive thinking | Amazon |
| API Security in Action | Neil Madden | 2020 | one of the best practical books on API authn/authz, tokens, and security design | Amazon |
| Practical API Security | Jarrett Leon | 2024 | useful complement to broader API books with product-oriented design and review patterns | Amazon |
| Web Application Security | Andrew Hoffman | 2020 | solid modern primer across major web security concepts for developers and reviewers | Amazon |
Cloud, Containers, Kubernetes, and Runtime
| Title | Author(s) | Year / edition | Why it is valuable | Amazon |
|---|---|---|---|---|
| Container Security (2nd Edition) | Liz Rice | 2025 / 2nd ed. | best modern book for how containers actually work and how to secure them | Amazon |
| Learn Kubernetes Security | Kaizhe Huang, Pranjal Jumde | 2020 | good structured entry point for cluster hardening, workloads, and operations | Amazon |
| Kubernetes Security and Observability | Brendan Creane, Amit Gupta | 2022 | helpful for the overlap of runtime signals, policy, and platform operations | Amazon |
| Hacking Kubernetes | Andrew Martin, Michael Hausenblas | 2021 | great offensive/defensive lens for understanding Kubernetes misconfigurations and attack paths | Amazon |
| Kubernetes in Action (2nd Edition) | Marko Lukša | 2025 / 2nd ed. | not a pure security book, but still one of the best books for understanding the platform you are trying to secure | Amazon |
| Cloud Native Security Cookbook | Josh Armitage | 2021 | practical patterns across Kubernetes, cloud-native controls, and delivery | Amazon |
| AWS Security | Dylan Shields | 2017 | older but still useful for core AWS security building blocks and service interactions | Amazon |
| AWS Certified Security Specialty Study Guide | Sybex / Ben Piper et al. | latest recent editions | not a perfect book, but useful as a structured map of AWS security services and concepts | Amazon |
| Terraform in Depth | James Turnbull | 2023 | useful for platform engineers securing IaC workflows and change control | Amazon |
| Cloud Native DevOps with Kubernetes | John Arundel, Justin Domingus | 2022 | excellent operations context for understanding the environments Product Security reviews | Amazon |
DevSecOps, CI/CD, and Software Supply Chain
| Title | Author(s) | Year / edition | Why it is valuable | Amazon |
|---|---|---|---|---|
| Practical DevSecOps | Tony Hsiang-Chih Hsu, Mandi Walls, et al. | 2018 | good bridge from DevOps operations to practical security integration | Amazon |
| The DevSecOps Playbook | Gary Hayslip, Patrick Heim, et al. | 2023 | more programmatic and organizational than code-focused; useful for transformation work | Amazon |
| DevOpsSec | Jim Bird | 2023 | short strategic book on integrating security into delivery systems | Amazon |
| Secure by Design | Dan Bergh Johnsson, Daniel Deogun, Daniel Sawano | 2019 | not supply-chain specific but valuable for moving security left into engineering design | Amazon |
| Building Secure and Reliable Systems | Heather Adkins, Betsy Beyer, Paul Blankinship, et al. | 2020 | one of the best books for connecting reliability and security in production systems | Amazon |
| Software Supply Chain Security | various emerging guides and reports | 2023-2026 era | use this slot to keep adding newer supply-chain references as the domain evolves faster than classic publishing cycles | Amazon |
| Learning DevSecOps | Steve Suehring | 2020 | useful entry book for pipeline-security concepts and security automation framing | Amazon |
| Security Chaos Engineering | Kelly Shortridge, Aaron Rinehart | 2020 | helps teams think about resilience and control validation beyond checklists | Amazon |
Identity, APIs, and Zero Trust
| Title | Author(s) | Year / edition | Why it is valuable | Amazon |
|---|---|---|---|---|
| OAuth 2 in Action | Justin Richer, Antonio Sanso | 2017 | still one of the best deep dives on OAuth 2 and modern delegated authorization | Amazon |
| Zero Trust Security | Jason Garbis | 2021 | pragmatic guide for translating zero trust into engineering and operating models | Amazon |
| Zero Trust Networks | Evan Gilman, Doug Barth | 2017 | good conceptual grounding for identity-centric service-to-service security | Amazon |
| Microservices Security in Action | Prabath Siriwardena, Nuwan Dias | 2020 | useful for authn/authz and service security patterns in distributed systems | Amazon |
| gRPC: Up and Running | Kasun Indrasiri, Danesh Kuruppu | 2020 | not security-first, but valuable for understanding gRPC mechanics before trying to secure them | Amazon |
| GraphQL in Action | Samer Buna | 2021 | good GraphQL mechanics context; pair it with dedicated GraphQL security guidance | Amazon |
| Designing APIs with Swagger and OpenAPI | Joshua Ponelat, Lukas Rosenstock | 2022 | helps security reviewers reason about API contracts and design-time controls | Amazon |
Management, Strategy, Metrics, and Leadership
| Title | Author(s) | Year / edition | Why it is valuable | Amazon |
|---|---|---|---|---|
| How to Measure Anything in Cybersecurity Risk | Douglas Hubbard, Richard Seiersen | 2016 | important for leaders who need to avoid vanity metrics and reason about uncertainty | Amazon |
| Security Metrics: Replacing Fear, Uncertainty, and Doubt | Andrew Jaquith | 2007 | older, but still useful for understanding why many security metrics fail | Amazon |
| The Security Culture Playbook | Perry Carpenter, Kai Roer | 2022 | useful for champions, education, and behavior change programs | Amazon |
| Cybersecurity Program Development for Business | Chris Moschovitis | 2018 | good for leaders building structure, governance, and operational consistency | Amazon |
| The Practice of Cloud System Administration | Thomas Limoncelli, Strata Chalup, Christina Hogan | 2014 | not security-first, but still valuable for operational discipline and ownership models | Amazon |
| An Elegant Puzzle | Will Larson | 2019 | engineering-management book that Product Security leaders can use for org design, planning, and scaling | Amazon |
| Staff Engineer | Will Larson | 2021 | helpful for senior individual contributors trying to influence without formal authority | Amazon |
| The Manager's Path | Camille Fournier | 2017 | excellent for Product Security practitioners moving from engineering into leadership | Amazon |
| 97 Things Every Application Security Professional Should Know | Theodore Winograd et al. | 2021 | high-signal short essays for wide-angle learning and team discussion | Amazon |
| 97 Things Every Cloud Engineer Should Know | Emily Freeman, Nathen Harvey | 2020 | useful for Product Security engineers who need to understand the operator mindset they review | Amazon |
| The Phoenix Project | Gene Kim, Kevin Behr, George Spafford | 2013 | not security-specific, but still one of the best empathy builders for why delivery systems work the way they do | Amazon |
How to read this list without getting overwhelmed
If you are a developer moving into Product Security
Start with:
- Alice and Bob Learn Application Security
- Threat Modeling: Designing for Security
- API Security in Action
- one platform book that matches your environment
If you are already in cloud or platform security
Start with:
- Container Security (2nd Edition)
- Hacking Kubernetes
- Building Secure and Reliable Systems
- How to Measure Anything in Cybersecurity Risk
If you are moving into leadership
Start with:
- The Security Development Lifecycle
- Agile Application Security
- How to Measure Anything in Cybersecurity Risk
- The Manager's Path
- An Elegant Puzzle