Our collection of the most insightful and informative InfoSec blogs from the industry’s foremost thought leaders.
There are hundreds of InfoSec blogs in the webosphere. Some are clear leaders in the industry, widely regarded as thought leaders and earning recognition from just about everyone in the security field as being among the best of the best. Some started out strong but fizzled out after a few short months, while others have compiled hundreds – thousands, even – of in-depth perspectives on a variety of security topics (from general cyber security to specific topics like data loss prevention (DLP)) over the course of nearly a decade.
We scoured the far corners of the web to dig up some of the best, most insightful and informative InfoSec blogs in existence for our newly-updated list for 2018. Not only the blogs you’ve seen named time and time again in best-InfoSec-blogger lists, but also some hidden gems you may not have known existed but will be glad you’ve finally discovered. These blogs provide deep insights from some of the leading information security professionals; in-the-trenches viewpoints from security experts who have spent decades working in the field and consulting with the world’s largest enterprises, universities, the U.S. Government, startups, and other entities.
These bloggers tackle major security news, InfoSec hacks, tricks, and discoveries, offer tutorials and solutions for problems they’ve encountered in their day-to-day work, and sometimes bring a little humor to the fascinatingly complex world of information security. Note: These blogs are categorized, and listed alphabetically within each category – they aren’t ranked or rated in any other way.
SECURITY RESEARCHER BLOGS
Formerly Emergent Chaos, Adam Shostack and Friends is a blog that’s been covering security, privacy, and economics (among other unrelated topics) since 2005. Shostack is also the author of Threat Modeling: Designing for Security and co-author of The New School of Information Security.
Three posts we like from Adam Shostack and Friends:
- Jonathan Marcil’s Threat Modeling Toolkit talk
- Doing Science With Near Misses
- The Security Principles of Saltzer and Schroeder
Andrew Hay is the Co-Founder & Chief Technology Officer (CTO) for LEO Cyber Security, where he’s responsible for driving the strategic vision for the company, as well as the development and delivery of the company’s cyber security, digital forensics, incident response, cloud architecture, and advanced research centers of excellence. Hay has held roles for companies such as 451 Research, DataGravity, and OpenDNS, where he served as Senior Security Research Lead & Evangelist. He’s often approached to provide expert commentary on security-industry events in the media, including both mainstream publications such as USA Today and niche publications such as TechTarget and Network World. We also have a podcast episode with Hay discussing the rise of the virtual CISO. You can access Hay’s insights directly at his personal blog, where he covers topics he hand-picks based on personal interest and importance to the field.
Three posts we like from Andrew Hay:
- Security Beyond The Perimeter
- Petya Ransomware: What You Need to Know and Do
- Diving into the Issues: Observations from SOURCE and AtlSecCon
A Pulitzer Prize-winning journalist, Byron Acohido is the founder and executive editor of The Last Watchdog on Privacy & Security. Cybersecurity first gained Acohido’s attention in 2000 when he joined the Money section of USA TODAY to cover Microsoft. Since that time, Acohido has authored several books and covered the cybersecurity space through articles, podcasts, and videos, all of which you can access at The Last Watchdog.
Three posts we like from The Last Watchdog:
- MY TAKE: Turning a blind eye: 73% of companies are ill-prepared to defend cyber attacks
- MY TAKE: Here’s how the U.S. economy would lose $15 billion from a 3-day cloud outage
- NEWS WRAP-UP: Meltdown, Spectre discovered in the wild – live hardware attacks one step closer
Dan Kaminsky has advised Fortune 500 companies like Cisco, Avaya, and Microsoft, and he’s been a well-known security researcher for more than a decade. His blog, formerly known as DoxPara Research, features in-depth posts with insights on the most pressing security issues facing the industry, such as Heartbleed. It’s kind of like picking Kaminsky’s brain from the comfort of your desk.
Three posts we like from Dan Kaminsky’s Blog:
- Hacking the Universe with Quantum Encraption
- The Cryptographically Provable Con Man
- Read My Lips: Let’s Kill 0Day
Elie Bursztein leads Google’s anti-abuse research efforts, sharing his insights on topics relevant to the world of InfoSec on his personal blog. Bursztein has some impressive achievements under his belt, such as the re-design of Google’s CAPTCHA to make it easier (an effort much-appreciated by Internet users everywhere), implementing faster cryptography to make Chrome safer, and identifying and reporting more than 100 security vulnerabilities to companies like Apple, Microsoft, Twitter, and Facebook.
Three posts we like from Elie Bursztein:
- Inside Mirai the infamous IoT Botnet: A Retrospective Analysis
- Unmasking the ransomware kingpins
- Exposing the inner-workings of the ransomware economy
Graham Cluley has more than 70,000 followers on Twitter alone, and it’s no surprise given his impressive coverage of InfoSec news and developments. He’s an independent computer security analyst who’s been working in the field since the 1990s, giving him plenty of background and expertise to offer expert commentary on the latest happenings in information security and related topics. In addition to Cluley’s expertise, you can gain insights from a panel of regular contributors featuring several highly-regarded experts in the field. You’ll find plenty of tips for everyday users, along with deep insights into critical security developments.
Three posts we like from Graham Cluley:
- “Killer text bomb” crashed iPhones, iPads, Macs, and Apple Watches
- 12 Common Threat Intelligence Use Cases
- Government websites hijacked by cryptomining plugin
Founded and authored by Raj Chandel, Hacking Articles is a comprehensive source of information on cyber security, ethical hacking, penetration testing, and other topics of interest to information security professionals. Chandel’s primary interests lie in system exploitation and vulnerability research, but you’ll find tools, resources, and tutorials on everything from social engineering to footprinting, Google hacking, and more.
Three posts we like from Hacking Articles:
- Hack the Game of Thrones VM (CTF Challenge)
- Bind Payload using SFX archive with Trojanizer
- Hack the Bsides London VM 2017(Boot2Root)
Russ McRee has spoken at leading security conferences, such as Defcon, BlackHat, RSA, and others, and he leads the Blue Team for Microsoft’s Windows and Devices Group (WDG). He also writes toolsmith, a monthly column in ISSA Journal, and shares his views on a holistic approach to information security at Holistic InfoSec.
Three posts we like from Holistic InfoSec:
- toolsmith #131 – The HELK vs APTSimulator – Part 1
- toolsmith #128 – DFIR Redefined: Deeper Functionality for Investigators with R – Part 1
- Toolsmith Tidbit: Windows Auditing with WINspect
Jeff Soh began blogging in 2007, and continues to share suggestions for intrusion analysts and other miscellaneous news on information security. Soh also offers book recommendations, product recommendations, and useful tips for information security professionals and everyday users.
Three posts we like from JeffSoh on NetSec:
Brian Krebs is a household name in information security, and his blog is among the best known and most respected in the space. An investigative reporter at heart, Krebs comes from a journalism background and has honed his self-taught expertise through over a decade of dedicated interest in security. He is credited with discovering the Target data breach a few years ago and being the first to report on the Stuxnet worm in 2010.
Three posts we like from Krebs on Security: