Top 50 InfoSec Blogs You Should Be Reading
Our collection of the most insightful and informative InfoSec blogs from the industry’s foremost thought leaders.
There are hundreds of InfoSec blogs in the webosphere. Some are clear leaders in the industry, widely regarded as thought leaders and earning recognition from just about everyone in the security field as being among the best of the best. Some started out strong but fizzled out after a few short months, while others have compiled hundreds – thousands, even – of in-depth perspectives on a variety of security topics (from general cyber security to specific topics like data loss prevention (DLP)) over the course of nearly a decade.
We scoured the far corners of the web to dig up some of the best, most insightful and informative InfoSec blogs in existence. Not only the blogs you’ve seen named time and time again in best-InfoSec-blogger lists, but also some hidden gems you may not have known existed but will be glad you’ve finally discovered. These blogs provide deep insights from some of the leading information security professionals; in-the-trenches viewpoints from security experts who have spent decades working in the field and consulting with the world’s largest enterprises, universities, the U.S. Government, startups, and other entities.
These bloggers tackle major security news, InfoSec hacks, tricks, and discoveries, offer tutorials and solutions for problems they’ve encountered in their day-to-day work, and sometimes bring a little humor to the fascinatingly complex world of information security. Note: These blogs aren’t listed in any particular order. Rather, they make up a collection of 50 awesome InfoSec blogs that we think stand out among the pack but might not already be on your must-read list. The numbering is used to make it easy to reference a specific blog, but isn’t intended to imply that #1 is better than #50.
Wired is an established digital publication focused on technology and gear, but it’s not as widely recognized for its impressive coverage of the InfoSec realm, though it should be. Wired talks privacy, crime, and security online, delving into clever hacks and workarounds and reporting on the latest security news impacting consumers and professionals in the field.
Three posts we like from Wired’s Threat Level:
Roger McClinton started his blog back in 2004, primarily as a means to collect links and research he wanted to be able to easily refer to later. But as time went on, he started adding commentary and to his surprise, his blog developed a substantial readership. After a brief hiatus in the second half of 2013, Roger is again offering news and commentary on all things InfoSec, musings about his current employment situation, and the occasional personal anecdote.
Three posts we like from Roger’s Information Security Blog:
Every InfoSec pro has likely visited Dark Reading at least once, a blog that has done a fine job of solidifying its position as a leading resource for the latest security news and information. With a goal of “helping security pros manage the balance between data protection and user access,” and a panel of contributors including some of the most prestigious names in the industry, Dark Reading is clearly a must-read.
Three posts we like from Dark Reading:
Brian Krebs is a household name in information security, and his blog is among the most well known and respected in the space. An investigative reporter at heart, Krebs comes from a journalist background and has honed his self-taught expertise through over a decade of dedicated interest in security. He is credited with discovering the Target data breach last year and being the first to report on the Stuxnet worm in 2010.
Three posts we like from Krebs on Security:
You’d be hard pressed to find a “Best of InfoSec” blog list that doesn’t include ThreatPost. Billed as “Kaspersky Labs’ Security News Service,” ThreatPost is run by a team of recognized infosec experts with a focus on topics such as privacy, web security, vulnerabilities, and more.
Three posts we like from ThreatPost:
All the breaking IT security news you need to stay abreast of the latest happenings in the industry is found at IT Security Guru – first thing in the morning. With the goal of compiling all the most pressing industry news in one spot, IT Security Guru makes it easy for you to keep your finger on the pulse of the InfoSec world without spending hours searching the Internet or scrolling through dozens of blogs and news sites.
Three posts we like from IT Security Guru:
Dan Kaminsky has advised Fortune 500 companies like Cisco, Avaya, and Microsoft, and he’s been a well-known security researcher for more than a decade. His blog, formerly known as DoxPara Research, features in-depth posts with insights on the most pressing security issues facing the industry, such as Heartbleed. It’s kind of like picking Kaminsky’s brain from the comfort of your desk.
Three posts we like from Dan Kaminsky’s Blog:
Paul Asadoorian’s Security Weekly features a weekly live video broadcast, along with written posts, covering the latest InfoSec news, hacker techniques, tutorials, InfoSec research, and more. With a mix of technical content and entertainment, Security Weekly’s objective is to “use new technologies to reach a wider audience across the globe to teach people how to grow, learn, and be security ninjas.”
Three episodes we like from Security Weekly:
Kevin Townsend’s IT Security blog aims to present and discuss information security in a “new and challenging manner.” A panel of leading information security experts contribute regularly, offering an expert perspective on many of the pressing news stories and incidents impacting the field of information security today. Contributors include Dr. Brian Bandey, David Harley, Bev Robb, and other thought leaders, as well as, of course, Townsend himself.
Three posts we like from IT Security:
Run by Brian Honan and Lee Munson, BH Consulting IT Security Watch covers security news and major data breach news that impacts both consumers and enterprises. The blog is a monthly digital publication highlighting the most interesting news and articles related to the security field. Much of the coverage is relevant worldwide, with some BH Consulting-specific news and updates and stories of relevance to the company’s native Ireland.
Three posts we like from BH Consulting IT Security Watch:
Liquidmatrix is committed to providing long-form articles and in-depth coverage of information security news and information, rebelling against the trend towards superficial coverage without added value. The brainchild of Dave Lewis, a self-professed “jack of all trades and master of none” who holds a day job at Akamai and has been working in the InfoSec field for two decades, Liquidmatrix has been up and running since 1998, making it one of the oldest established InfoSec blogs that is still being updated.
Three posts we like from Liquidmatrix Security Digest:
Adrian Hayter is a CHECK Team Leader and Senior Penetration Tester at CNS Hut3 and the blogger behind Cryptogasm, where he covers pretty much everything of interest to the InfoSec community, including privacy and ethical hacking. He takes the approach of explaining complex security concepts in layman’s terms in an effort to make his blog a fun and interesting read. Cryptogasm began back in December 2010.
Three posts we like from Cryptogasm:
Dr. Eric Cole’s Computer Security Specialist blog is a source of news and information related to expert witness services. A leading, industry-recognized computer security expert, Cole has more than 20 years of experience working on complex security challenges, founding and building new companies, products, and services, in addition to his role as a network security expert. Cole has more than 20 patents in technology and cyber security and has been awarded numerous industry honors and recognitions. Currently, he performs leading-edge security consulting and works in research and development as a security expert “to advance the state of the art in information systems security.” His blog provides insights based on his wealth of experience in the field.
Three posts we like from Dr. Eric Cole:
Andrew Hay leads research efforts for Open DNS, where he serves as Senior Security Research Lead & Evangelist. He’s often approached to provide expert commentary on security-industry events in the media, including both mainstream publications such as USA Today and niche publications such as TechTarget and Network World. But you can access Hay’s insights directly at his personal blog, where he covers topics he hand-picks based on personal interest and importance to the field.
Three posts we like from Andrew Hay:
Wesley McGrew is an assistant research professor at Mississippi State University in the Department of Computer Science and Engineering. His blog, McGrew Security, is a reflection of his research interests as well as other information security news and events, including vulnerability analysis, reverse engineering, offensive cyber operations, digital forensics, and other topics of interest to security professionals.
Three posts we like from McGrew Security:
Bruce Schneier’s blog is another one of those must-haves for a list like this. Schneier on Security is in its 10th year of information security thought leadership, focusing on topics like cryptography, privacy, and government. A renowned cryptography expert, Bruce is also a leading author and speaker in the space.
Three posts we like from Schneier on Security:
Gary Hinson is the blogger behind NoticeBored, where he covers information security topics that catch his eye. Hinson was born and studied in the U.K., and worked in London, Swindon, Bristol, and Brussels before moving to New Zealand in 2005. Hinson covers topics of interest to both consumers and security professionals, with a casual style that allows him to talk about complex security happenings in language everyone can understand.
Three posts we like from NoticeBored:
Run by a group of expert contributors, Emergent Chaos focuses on security, privacy, liberty, economics, and similar topics. The blog was founded by Adam Shostack, author of Threat Modeling: Designing for Security and co-author of The New School of Information Security. Started back in 2004, Emergent Chaos is home to hundreds of insightful posts on just about everything pertaining to security and privacy, along with some random musings, all making for an informative and entertaining read.
Three posts we like from Emergent Chaos:
Davi Ottenheimer, David Willson, Matthew Wallace, and Bryan Zimmer comprise the team behind security consultancy flyingpenguin. Davi Ottenheimer is the chief blogger behind the flyingpenguin blog, offering in-depth analysis of information security news, events, and developments.
Three posts we like from flyingpenguin:
20. Elie Bursztein
Elie Bursztein leads Google’s anti-abuse research efforts, sharing his insights on topics relevant to the world of InfoSec on his personal blog. Bursztein has some impressive achievements under his belt, such as the re-design of Google’s CAPTCHA to make it easier (an effort much-appreciated by Internet users everywhere), implementing faster cryptography to make Chrome safer, and identifying and reporting more than 100 security vulnerabilities to companies like Apple, Microsoft, Twitter, and Facebook.
Three posts we like from Elie Bursztein:
Graham Cluley has more than 30,000 followers on Twitter alone, and it’s no surprise given his impressive coverage of InfoSec news and developments. He’s an independent computer security analyst who’s been working in the field since the 1990s, giving him plenty of background and expertise to offer expert commentary on the latest happenings in information security and related topics. It’s not just Cluley’s expertise you gain here, though: a panel of regular contributors, featuring several highly regarded experts in the field, also writes for the blog. You’ll find plenty of tips for everyday users, along with deep insights into critical security developments.
Three posts we like from Graham Cluley:
Tony Perez was introduced to information security back in 2009 in his role as a defense contractor for the Marine Corps and Army headquarters, working as a technical architect for small and large-scale enterprise applications and tools. Today, he’s the CEO of Sucuri (although he prefers to call himself Chief Evangelist), a company he runs with Daniel Cid, who is also known as the founder of the OSSEC host intrusion detection system (HIDS) project. At Tony on Security, he aims to express his thoughts and perspectives on a multitude of subjects, with a particular focus on his areas of interest and expertise.
Three posts we like from Tony on Security:
eLearn Security is a leading provider of IT security and penetration testing courses for IT professionals. Naturally, the company’s blog is a valuable resource of information on security news, with coverage of major security breaches impacting enterprises and consumers, such as the Home Depot breach, leak of Gmail login credentials, and similar events, along with useful tutorials for security hacks and solutions for common challenges.
Three posts we like from eLearn Security:
Russ McRee has spoken at leading security conferences, such as Defcon, BlackHat, RSA, and others, and he works for Microsoft’s Online Services Security & Compliance team. He also writes toolsmith, a monthly column in ISSA Journal, but shares many of his views and perspectives on his belief in a holistic approach to information security at Holistic InfoSec.
Three posts we like from Holistic InfoSec:
Founded and authored by Raj Chandel, Hacking Articles is a comprehensive source of information on cyber security, ethical hacking, penetration testing, and other topics of interest to information security professionals. Chandel’s primary interests lie in system exploitation and vulnerability research, but you’ll find tools, resources, and tutorials on everything from social engineering to footprinting, Google hacking, and more.
Three posts we like from Hacking Articles:
Started back in August 2008, SkullSecurity is home to hundreds of articles about security, data breaches, and general insights from the trenches based on blogger Ron Bowes’ professional experience. Bowes’ posts are as entertaining as they are informative, making this blog an intriguing read.
Three posts we like from SkullSecurity:
A free learning resource from Social-Engineer, Inc., Security Through Education focuses on the blend of science, psychology and art that is social engineering – and how it’s used by penetration testers and security enthusiasts. It’s all brought to you by a team of leading professional social engineers, psychologists, researchers, scientists and security enthusiasts. In addition to the blog, you’ll find a newsletter, podcast, and much more to ensure that you’re always in the know, entertained, and never out of consumable security media.
Three posts we like from Security Through Education:
A Facebook engineer, privacy advocate, and web app hacker, Joey Tyson is the blogger behind The Harmony Guy, where he covers privacy, security, and random geekery, with a particular focus on social networking. He began writing in 2007, using the pseudonym “The Harmony Guy” after discovering some simple vulnerabilities on popular websites. In addition to his own content, he often shares interesting stories he discovers around the web, sometimes in response to vulnerabilities he’s discovered and reported.
Three posts we like from The Harmony Guy:
Jeff Soh began blogging in 2007, and continues to share suggestions for the new intrusion analyst along with other miscellaneous news on information security. Soh also offers book recommendations, product recommendations, and useful tips for information security professionals and everyday users.
Three posts we like from JeffSoh on NetSec:
Lucius Lobo is a security evangelist and author of StaySafe Cybercitizen. Professionally, Lobo heads an India-based specialized security services business unit for TechMahindra. At Lucius on Security, he writes about issues and risks affecting Internet users, including cybercrime, impersonation, privacy, and security, while working to reduce cybercrime for some of the world’s largest companies. His posts provide valuable tips for parents, kids, and anyone using the web.
Three posts we like from Lucius on Security:
Sophos’ Naked Security blog is a near one-stop shop for security news. The blog features content from a wide range of security experts with a focus on malware, consumer privacy, social media security, and more.
Three posts we like from Naked Security:
Matt Flynn is an information security and identity management specialist who works at Oracle. His personal blog, which reflects his own opinions and not those of Oracle, covers identity management and security, software, services, processes, and analyses. He’s been blogging since 2006 and has built an impressive collection of posts and perspectives over the years on topics impacting information security professionals.
Three posts we like from Matt Flynn’s Identity Management Blog:
A computer science researcher with an intensive hacking background, Marco Ramilli has impressive experience working with the U.S. Government and several leading universities on new security paradigms, penetration testing methodologies, electronic voting systems’ security, and malware. His blog, which he started back in 2007, is a reflection of his many experiences in the security field in his many roles. Ramilli, self-described on his LinkedIn profile as an expert in ethical hacking, advanced targeted attacks, and malware evasion, has earned multiple honors and awards for his work.
Three posts we like from Marco Ramilli’s Blog:
WiKID is a two-factor authentication solution, and the company’s blog is a valuable source of information on authentication, security, major industry news, and other information. You’ll find tips and tutorials, insights about risks, resources, security news about Google and social media, and other relevant information.
Three posts we like from WiKID Blog:
Rational Survivability is run by Chris Hoff, who brings more than 20 years of experience in “high-profile global roles in network and information security architecture, engineering, operations, product management and marketing with a passion for virtualization and all things Cloud.” His current role is VP of Strategy and Planning at Juniper Networks, where he formerly served as the company’s Chief Security Architect. Hoff has been blogging since June 2006, and has accumulated hundreds of posts on everything from risk management to virtualization, intrusion detection and prevention, the consumerization of IT, and much more.
Three posts we like from Rational Survivability:
The Robert Penz Blog covers Linux and open source in general, along with tips, tricks, small scripts, and IT security. Robert became interested in IT security when he was a student, and his master’s thesis was also in the field; as a result, much of the blog relates to information security.
Three posts we like from Robert Penz Blog:
A blog from Smoothwall, a “specialist developer and provider of Internet security and content filtering solutions,” the Smoothwall Blog provides a space for those in the industry to share their insights, observations, interests, and more. The posts cover everything from web content filtering to passwords, and it is a great resource for InfoSec.
Three posts we like from The Smoothwall Blog:
The Security Ledger is run by Paul Roberts, former ThreatPost editor and analyst at 451 Research and Kaspersky Lab. The independent blog focuses on cybersecurity, bringing insight to subjects such as the internet of things, malware, government policy, and consumer security.
Three posts we like from The Security Ledger:
InfoSec Island aims to provide a place for IT and network professionals to go to find help and information quickly and easily, by combining an online community, infosec portal, and a social network. Infosec Island’s blog features several contributors and includes information about the Cloud, malware, cyberattacks, and more topics related to information security.
Three posts we like from Infosec Island:
Dedicated to advancing information security and fighting malware, Lenny Zeltser is a business and tech leader with years of experience in information technology and security. Lenny writes often about information security, including a book he co-authored, chapters he has contributed to other projects, articles for various publications, and his daily information security blog.
Three posts we like from Lenny Zeltser on Information security:
The Open Security Foundation is responsible for DataLossDB, which looks for new and old data breaches by scouring news feeds, blogs, and websites daily. They compile the breaches in various places and get the information out to members of their mailing list, on Twitter, and in their Primary Sources Archive to get deeper insight into data loss and to discover incidents that were missed by the media. DataLossDB provides links to incidents by month, latest and largest incidents, and posts from the Blotter to provide as many details about information security as possible.
Three posts we like from DataLossDB:
Cyber Sins is the blog of Rishi Narang, a consultant, writer, and researcher who focuses on cyber security and threat intelligence. The blog offers information about cyber attacks, web security, and more subjects in information security.
Three posts we like from Cyber Sins:
The Dr. InfoSec blog is curated by Christophe Veltsos, PhD, who teaches about information security and information warfare. Dr. Veltsos seeks to “diagnose and treat everyday information security problems” with the blog, which covers risk, cybersecurity, and other topics important to information security. Many of the posts contain links to original sources, including videos and articles.
Three posts we like from Dr. InfoSec:
The Tech Wreck InfoSec Blog is run by an Information Assurance Engineer, covering a variety of topics pertaining to information security and related news and information. The blog provides articles of use to both consumers and security professionals.
Three posts we like from Tech Wreck InfoSec Blog:
Uncommon Sense Security is the blog of Tenable Network Security Strategist and Security BSides co-founder Jack Daniel. While Jack’s updates are not as frequent as they once were, his blog still serves as a trove of infosec knowledge on topics such as vulnerabilities, small business infosec, data breaches, the infosec community, and more. A self-described “infosec curmudgeon,” Jack’s insights, opinions, and humorous writing style are always worth a read.
Three posts we like from Uncommon Sense Security:
TaoSecurity is FireEye Chief Security Strategist Richard Bejtlich’s blog. For over a decade, TaoSecurity has been a source of expertise on cybersecurity, hacking, security strategy, threats, and more. Richard is a recognized security author and his blog contains a great amount of educational security resources.
Three posts we like from TaoSecurity:
…And You Will Know Us by the Trail of Bits is the official blog of Trail of Bits, an enterprise infosec consulting firm founded by Dan Guido and Alexander Sotirov. The blog offers expert infosec advice based on consulting experience at some of the world’s most advanced security programs. The blog provides excellent educational content focused on vulnerabilities, exploits, malware, and more.
Three posts we like from …And You Will Know us by the Trail of Bits:
Application security firm Veracode’s blog has grown into one of the leading sources for appsec news and insights. With regular contributions from security experts such as Chris Wysopal, Chris Eng, Melissa Elliot, and Mark Kriegsman, the blog offers informed commentary on the latest security issues. Favorite topics include application security testing, software vulnerabilities, hacking, mobile security, and more.
Three posts we like from the Veracode Blog:
The F-Secure Weblog is written by F-Secure’s Mikko Hypponen and Sean Sullivan. The blog is research-heavy, with lots of educational content covering the latest findings from F-Secure Labs. Focal points include vulnerability discoveries, software patches, mobile security, and more.
Three posts we like from the F-Secure Weblog:
Daniel Miessler is an information security professional, and he uses his blog as “a means of organizing everything I have learned and want to learn, and then as a way to share that same content with others.” With information and posts beginning as early as 1999, Daniel provides a robust site and blog for anyone interested in technology and information security.
Three posts we like from Observations on InfoSec:
Courtesy of digitalguardian.com