40 Information Security Blogs You Should Be Reading
The recent Heartbleed bug that compromised two-thirds of all websites was a sharp reminder that businesses are vulnerable. The Federation of Small Businesses (FSB) reports that cybercrime costs the UK economy an estimated £27 billion a year. Such attacks not only damage business growth but they also erode customer trust.
Despite the importance of securing both confidential customer and company data, many businesses continually fail to prevent breaches.
There is a wealth of information security knowledge available on the web, but it’s difficult to know where to start. To give you a hand, we have compiled a list of 40 top information security blogs that provide you with frequent, quality content covering a full range of security issues relevant to organisations worldwide.
40 Top Information Security Blogs
(In no particular order)
The Network Security Blog is run by Martin McKeay, a Senior Security Advocate at Akami. He has over a decade of experience and has been blogging about security since August 2003, racking up in excess of 1,000 posts. Recent posts include: ‘Heartbleed vs. Juniper’, ‘Balancing digital privacy’ and ‘Russia says “Hand over your code”.
Naked Security is Sophos’ award winning blog. Authors include Lisa Vaas, Paul Ducklin, Lee Munson – who will be featured again later on – and John Zorabedian. This is one of the biggest blogs in this list with around 1.5 million pageviews per month. Recent posts cover: ‘5 excuses for doing nothing about computer security!’, ‘Microsoft pulls Patch Tuesday Kernel update – MS14-045-can cause Blue Screen of Death‘ and ‘Do Not Track – the privacy standard that’s melting away’.
Graham Cluley has been working in the security industry since the early 1990s and has been employed by companies including Sophos and McAfee. His blog has won numerous awards such as ‘Best IT Security Blog’, ‘Most Educational Blog’ and ‘Best Corporate Security Blog’. Recent posts have included: ‘Chrome web browser toughens up, blocking “deceptive” downloads’, ‘Secret app takes mere minutes to hack, revealing anyone’s secret via simple vulnerability’ and ‘Online gaming data breach affects millions in South Korea’.
Dave Shackleford is Founder of Voodoo Security, and a self described security geek. Dave’s interests lie in Malware, Virtualization security, intrusion detection, and penetration testing and vulnerability Assessment. His recent posts have included: ‘Infosec Monogamy’, ‘A Hacker Looks at 40.’, and ‘“Back to Basics”: What does this mean?’.
5) Matt Suiche
Matt Suiche is the Founder & Managing Director of MoonSols Ltd and is also Microsoft’s Most Valuable Professional (MVP) for Enterprise Security since 2009. Matt’s blog covers topics like: ‘U.S. / France cyber-security budget’, ‘La French Tech : Cyber-Security – Where is the money ?’ and ‘Hives & Trust issues’.
Dave Whitelegg’s blog provides his views on Cyber, Information & IT Security with a focus on Hacking, DDoS, Botnets, Malware, Identity Theft, Data Protection (DPA) and regulatory compliance. Recent posts have looked at: ‘Xbox One & PS4 Gamer Security’, ‘Forget Windows XP, Does Unsupported Java pose a Greater Risk to the Enterprise?’ and ‘A developer’s guide to complying with PCI DSS 3.0 Requirement 6’.
Matthew Green is a cryptographer and research professor at Johns Hopkins University. While his blog covers cryptography, his recent posts have looked at: ‘What’s the matter with PGP?’, ‘Attack of the Week: Triple Handshakes (3Shake)’ and’ Noodling about IM protocols’.
Troy Hunt is a Software Architect and Microsoft MVP who writes about security concepts and process improvement in software delivery within his blog. His recent posts have included: ‘InfoSec Insanity: Sharing the crazy for the betterment of online security’, ‘Migrating from Subversion to Git with svn2git on Windows (the tricky bits explained)’ and ‘Moving from GoDaddy to DNSimple – an illustrated journey’.
Threatpost is Kaspersky Lab’s independently run security news service. Its award-winning editorial team produces content including security news and feature reports. Threatpost’s global editorial activities are driven by veteran security journalist Dennis Fisher who has a decade of experience reporting on security industry news and issues. He is assisted by Christopher Brook and Brian Donohue. Recent posts include: ‘50 Security Flaws Fixed in Google Chrome’, ‘Bitcoin Phishing Campaign Targets 400 Organizations’ and ‘Adobe Patches Reader Zero Day Used in Targeted Attacks’.
10 ) ImperialViolet
Adam Langley is a senior software engineer at Google. Some of the recent posts on his blog have included ‘HSTS For New TLDs’, ‘Encrypting Streams’ and ‘BoringSSL’.
11) Kroll Call Blog
Kroll’s blog is authored by the Kroll team and covers a diverse array of industry content. Recent posts have included: ‘Ransomware Removal: 6 Tips to Get Your Data Back’, ‘Effective cybercrime prevention: Don’t meet your troubles half-way’ and ‘Cyber Extortion: Consider How Your Cyber Insurance Policy Can Help You Respond’.
12) Errata Security
The Errata security blog is run by Robert Graham who is a well known security researcher or ‘white-hat’ hacker. Recent posts have looked at: ‘Cliché: open-source is secure’, ‘Masscan does STARTTLS’ and ‘That Apache 0day was troll’.
Carlos Perez or ‘Darkoperator’ is a Director of Reverse Engineering for a security vendor. He has previously worked for the likes of Compaq, HP and Microsoft. His main area of interest is post exploitation, which explains the name of his blog. Recent posts have looked at: ‘PowerShell Tip: Validating IP Address as a Parameter’, ‘Sysinternals New Tool Sysmon (System Monitor)’ and ‘PowerShell Tip: Working with Systme.Enum’.
TrustedSec was founded by Dave Kennedy who is considered a thought leader in the security field. The TrustedSec blog covers topics like: ‘The eBay Breach – Woa! What response?’, ‘Microsoft to fix two major attack methods for hackers’ and ‘CHS Hacked via Heartbleed Vulnerability’.
Lee Munson – who we mentioned earlier—is in charge of BH Consulting’s blog. While Lee is self educated, he has gained a unique insight into security through his work and research. The Security Watch Blog is one of the most regularly updated blogs on this list with a new post published every couple of days. Recent posts on this blog have included ‘The Data Breach – It’s More When Rather Than If’, ‘Convenience Trumps Security For The Average Consumer’ and ‘Trading Privacy For Security In the Job Market’.
Lee Also has his own blog, where he has published posts including ‘Infosec and Diversity’, ‘SSL – Should Your Website Use It?’ and ‘Heartbleed Research Show Top Companies Are Slow to Mitigate’.
17) Securosis Blog
The Securosis blog is authored by Rich Mogull, Mike Rothman and Adrian Lane, all of whom have around 20 years of experience within the security sector. Rich specialises in data security, application security, emerging security technologies, and security management. Mike specialises in protecting networks and endpoints, security management, and compliance. Adrian specialises in database security, data security, and software development.
Recent posts have included ‘Shipping Decent Breach Notification’, ‘Security Trolling Mass Media’, and ‘Cloud File Storage and Collaboration: Additional Security Features’.
Bruce Schneier is an internationally recognised Security Guru and Author of 12 books on security. He has been writing about security issues on his blog since 2004. Recent posts have included: ‘NSA/GCHQ/CSEC Infecting Innocent Computers Worldwide’, ‘Over a Billion Passwords Stolen?’ and ‘The Security of al Qaeda Encryption Software’.
Brian Krebs doesn’t come from a traditional security background. Much of his knowledge comes from having cultivated regular and direct access to some of the key players within the security industry. Brian spent over 14 years as a reporter for the Washington post and has produced over 1,300 blog posts for the Security Fix blog. His recent posts cover: ‘Adobe, Microsoft Push Critical Security Fixes’, ‘Q&A on the Reported Theft of 1.2B Email Accounts’, and ‘DQ Breach? HQ Says No, But Would it Know?’
Josh is an experienced cyber security analyst with over a decade of experience building, operating, and running Security Operations Centers. He currently serves as the Chief Security Strategist at FireEye. Recent posts on Josh’s blog have included ‘Not All Intrusions Involve Malware’, ‘Optimizing Security Operations for the Big Data Crush’ and ‘Is Security An Unsolvable Problem?’.
21) Andrew Hay
Andrew Hay is the Senior Security Research Lead & Evangelist at OpenDNS. He is a veteran strategist with more than a decade of experience in deep packet inspection (DPI); security analytics; vulnerability management; penetration testing; intrusion detection and prevention (IDS/IPS); firewalls; threat intelligence; application whitelisting and network and host forensics. Recent posts on his blog have included: ‘New Git Repositories That I’m Following’, ‘Gameover ZeuS Switches From P2P to DGA’ and ‘Quick fix for Ruby after Xcode 5.1 update’.
The Application & Cyber Security Blog covers software engineering, cybersecurity, and risk management. It’s authored by Edward Adams, Jason Taylor, William Whyte, Joe Basirico, Tom Bain and John Kirkwood. Recent posts have included ‘Want2Hack Open Sourced!’, ‘The Importance of Vulnerability Disclosure Programs and Bug Bounties’ and ‘Reviewing C/C++ Code for Security Vulnerabilities’.
Tom Olzak is an independent security researcher with over 38 years of experience in programming, network engineering and security. He is also the author of 3 books: ‘Just Enough Security’, ‘Microsoft Virtualization’, and ‘Enterprise Security: A Practitioner’s Guide’. Recent posts include: ‘Your apps are never safe enough’, ‘Respond to actual risk, not the threat alone’ and ‘Many organizations still don’t get infosec basics’.
Trail of Bits was founded by Dan Guido and Alexander Sotirov, who have over a decade of experience between them. Dan specialises in application security and vulnerability analysis while Alexander specialises in reverse engineering and exploitation techniques. Both of them contribute to the Trail of Bits blog.
Recent posts have included: ‘ReMASTering Applications by Obfuscating during Compilation’, ‘A Preview of McSema’ and ‘Education Initiative Spotlight: THREADS Call for Papers’.
Xavier Mertens is an information security consultant by day, security blogger and hacker at night. Recent posts on his blog have looked at: ‘Password – (noun) A Reminder for Your Dog’s Name’, ‘Offline Malware Analysis with Host-Only VirtualBox Networks’ and ‘Infosec VS. Airplane Security’.
26) Bromium Blog
The Bromium blog is authored by Dan Wolff, Bill Gardner, Rahul Kashyap, Gaurav Banga, Clinton Karr and Simon Crosby. Recent posts include ‘The Rise and Fall of Enterprise Security’, ‘In praise of seamless, small-footprint, light-weight, transparent endpoint security’ and ‘Microvisor + Hypervisor Makes Your VMs Secure by Design’.
Colin Watson is a chartered information technology professional who works as principal consultant at web security specialist consultancy Watson Hall Ltd. His blog focuses on web security, usability and design. Recent posts include ‘2014 Information Security Breaches’, ‘Application Security Verification Standard 2.0’ and ‘Cybercrime – A Growth Industry’.
Tim Rains is the man in charge of the Microsoft Security Blog. Tim has over 20 years of experience in the technology industry. His specialities include incident response (engineering and communications), threat intelligence/malware protection and security strategy.
Recent posts on the blog include: ‘What will cybersecurity look like in 2025?, ‘Part 3: How Microsoft is shaping the future of cybersecurity’, ‘How Vulnerabilities are Exploited: the Root Causes of Exploited Remote Code Execution CVEs’ and ‘Who Exploits Vulnerabilities: the Path from Disclosure to Mass Market Exploitation’.
The main contributor to Cyren’s Security Blog is Cyren’s Director of Threat Research: Avi Turiel. Recent posts include: ‘What You See Isn’t Necessarily What You Get’, ‘ 419 Scam Uses Ebola Virus Tragedy’ and ‘Trust In The Cloud: Security-as-a-service’.
The Webroot Threat blog is authored by Grayson Milbourne, Tyler Moffitt, Marcus Moreno, Brenden Vaughan and Adam McNeil. Recent posts have included ‘Cryptolocker is not dead’, ‘New Study Reveals Disparities Between Corporate Mobile Security Policies and BYOD Practice’ and ‘AV Isn’t Dead. It’s Evolving.’
31) FireEye Blog
The FireEye Blog provides information and insight on today’s advanced threats. Recent posts have included: ‘Android SSL Vulnerabilities: Lessons for CISOs’, ‘Your Locker of Information for CryptoLocker Decryption’ and ‘Pacific Ring of Fire: PlugX / Kaba’.
Matthew Pascucci is a freelance writer and information security practitioner. His recent posts have included ‘Onward Through the Cloud’, ‘Creating a Secure Guest Network’ and ‘Integrating Threat Intelligence Into Your Security Program’.
Russ McRee’s blog is: Director, Threat Intelligence & Engineering at Microsoft. His blog is dedicated to sharing information security content and resources. Recent posts have included ‘toolsmith – Threats & Indicators: A Security Intelligence Lifecycle’, ‘toolsmith: Microsoft Threat Modeling Tool 2014 – Identify & Mitigate’ and ‘toolsmith: ThreadFix – You Found It, Now Fix It’.
The Open DNS blog has multiple authors including Andrew Hay – who’s already featured on this list— , Frank Denis, Dhia Mahjoub, Thibault Reuille and Vinny Lariza. Recent posts have included: ‘Does Your Domain Have Bad Neighbours?’, ‘Cracking Pushdo and How to Bust Through Most Crypters’ and ‘Do You Have a Security Blind Spot?’.
Offence-in-depth is kept up-to-date by Victor Mata, a Penetration Tester for a security consulting company. He created his blog in order to document his pursuit and life as a penetration tester, security researcher, and security enthusiast.
Recent posts have included: ‘External Password Attacks Against Active Directory’, ‘A Better PSEXEC Module’ and ‘From Printer to Domain Admin’.
36) Security Bristo
Security Bristo is a blog where security professionals go to talk and share information on the latest cyber threats. Bloggers include: Linda and Brian Musthaler, Stephen Gates, Scott Barvick, Nirav Shah, Anthony M. Freed and Anton Ferreira. Recent posts have included: ‘Passwords Are Like Underwear—They Aren’t Meant to Be Shared’, ‘First Line of Defence Against DDoS Attacks in a Hosting Environment’ and ‘Considering Standards Security’.
37) Simon PG Edwards
Simon is Technical Director of Dennis Technology Labs with an expertise in anti-malware testing. Simon has been an IT journalist since 1995 working for some of the biggest computer magazine titles including Computer Shopper, PC Pro, Computer Active, Web User, Mac User and IT Pro. Recent posts have included ‘Aircraft hacking myths busted’, ‘Mobile phone kill switched’ and ‘Are Chromebooks insecure travel companions?’
38) Sucuri Blog
The Sucuri Blog is authored by Daniel Cid –Founder and Chief Technology Officer at Sucuri— and the rest of the Sucuri team. Recent posts have included: ‘Thoughts on WordPress Security and Vulnerabilities’, ‘Website Security Analysis: A “simple” piece of malware’ and ‘Case Study: Complexities of “simple” malware’.
Dave Piscitello is a networking and internet veteran who now focuses on security. His blog covers a wide range of internet security topics. Recent posts include: ‘Is it a Phish? Common Deceptions in Phishing URL composition’, ‘Top 5 #InfoSec Reads: August 11-18’ and ‘Suspended domains: An unprecedented data sharing opportunity’.
40) Veracode Blog
The Veracode Blog is authored by Paul Roberts and the Veracode team. Paul is spent the last decade covering hacking, cyber threats, and information technology security,and is now Founder & Editor-in-Chief of The Security Ledger (another good site to check out). Recent posts have included: ‘5 Best Practices in Data Breach Incident Response’, ‘The Rise of Application Security Requirements and What to Do About Them’, and ‘Applications are Growing Uncontrollably and Insecurely’.
Which security blogs do you recommend professionals read? Share your thoughts in the comments below.