Staying up-to-date is important for lots of reasons, but when you’re a Cyber Security professional, knowing about the latest tech, breaches, vulnerabilities,etc. is pretty much essential to your career. If you miss out on an important piece of news, your organization could miss out on much more.

More than just knowing what’s going on, though, keeping current in cyber security news is an opportunity to absorb and uncover innovative ideas surrounding InfoSec and the way you do your job.





The InfoSec community is lucky, to be honest. With so many security blogs available on the interwebs, the only real question we have to ask ourselves is: Which ones should I be reading on a regular basis? Well, for that we’re here to help. We’ve compiled a list of the blogs and security news sites we read and consistently gain value from on every visit.

The following cyber security blogs are those we consider thought-leaders in each of their niches and offer a full range of topics within cyber security. We hope you’ll discover some new reading material, and if we missed one of your favorite cyber security blogs, tweet us and let us know @Checkmarx!

Note: These blogs are in no particular order!

Independent Cyber Security Bloggers:

Krebs on Security

A Washington Post investigative reporter turned independent cyber security journalist and blogger, Brian Krebs regularly blows the covers off security breaches (Remember Target?) and the schemes of cybercriminals. His blog is an intriguing mix of posts on tips he’s received and security news we need to know.

He may not come from a cyber security background, per se, but he has something not many other bloggers do: friends in high (and geeky) places. “Much of my knowledge about computers and Internet security,” Krebs writes, “comes from having cultivated regular and direct access to some of the smartest and most clueful geeks on the planet.” An experienced journalist with connections to the world’s top security gurus? If it sounds like a blog you need to be reading, it’s because it is.

Errata Security

Run by Robert Graham and David Maynor, Errata Security is always a terrific read, with opinionated, smart posts on all things security, and a big focus on government surveillance.

Thought Crime

Moxie Marlinspike is a renowned security researcher who has been in the forefront of research on SSL attacks and strengthening authentication systems. He is also the creator of Whisper Systems, whcih was bought by Twitter. Moxie (a pseudonym by the way) blogs about cryptography, secure protocols, privacy and anonymity in a relatable but still intelligent way.

Troy Hunt

He’s a Microsoft MVP for Developer Security, so you can be sure it gets technical on Troy’s blog. He writes mostly about improving security within development and drills down on important security concepts.

Aside from his blog, Troy (@troyhunt) also runs Have I been pwned, which allows anyone to check if their email has been found in hundreds of stolen databases and another great community addition.

ircmaxwell

A Developer Advocate at Google, PHP core contributor and security expert, Anthony Ferrara aka @ircmaxwell has a well-rounded background in programming and InfoSec and it shows in his blog. Ircmaxwell is a must-read for both developers and anyone working to develop secure software.

Graham Cluley

A programmer turned security guru, Graham is a prolific blogger (and tweeter!), both on his site and on security sites around the web. He’s also a regular keynote speaker at security conferences around the world and makes his rounds in media appearances talking – and blogging – about a wide range of topical InfoSec news and in-depth security advice.

Rational Survivability

Chris Hoff (@beaker) isn’t a daily writer, but offers great value when he does get the chance to post. And as VP of Strategy and Planning at Juniper Networks and founding member and technical advisor of the Cloud Security Alliance, we can forgive him for posting when he gets the chance. In addition to the blog, check out Chris’s page of presentations and papers for a bonus resource.

Ivan Ristic

Application security expert and author, Ivan (@ivanristic) has established himself as a thought leader on SSL and web application firewalls and blogs about once a month, mostly on those topics. Ivan’s guide on mitigating POODLE last year is a great example of the actionable posts you can expect from his blog.

Schneier on Security

A household name in security and cryptography, Bruce’s blog is teeming with his take on the most relevant topics in the industry. If you’re not already one of the 250K+ readers and subscribers to his monthly newsletter, it’s time to get on board!

The author of several books surrounding issues in the security industry, Bruce has established himself as an in-depth writer. His blog is an extension of that dedication to his craft – and a true gem.

Bonus: Whether you’re not a squid enthusiast now, you’ll quickly become one, as Schneier posts vieos and articles about squids each Friday.

/dev/random

Interested in honing in on your offensive as well as defensive security skills? Look no further – Xavier is here! Xavier Mertens (or @xme if you’re more of a tweeter than a reader) is an independent security consultant who blogs about issues he’s currently dealing with along with other technical insights.

Holistic InfoSec

Since 2005, Russ McRee has written extensively on information security, offering readers effective advice and useful resources. Russ is Director of OSG Security Response and Investigations, giving him a bevy of research and other brilliant minds with which to blog on and about.

Lenny Zeltser

Blogging about InfoSec trends to more technical malware write-ups, Lenny’s blog is a wealth of InfoSec centered data. Those interested in cloud security, incident response and malware will get tons of value out of Lenny’s articles.

Cyber Security News Sites:

Dark Reading

A must-read for InfoSec professionals of all kinds, Information Week’s Dark Reading has cultivated a great staff and contributing staff writing detailed and thoughtful pieces on a variety of topics with the goal of “connecting the information security community.”

Wired Threat Level

While most recognize Wired as an on tech, they’ve also become an established voice on security, with insightful commentary and long, thought-provoking essays on issues ranging from the NSA to USB. Follow Threat Level not only for the current security news but for the great writing you’ll learn to expect from them.

Ars Technica Risk Assessment

Another tech blog with a reputable security section, Ars Technica’s Risk Assessment is an invaluable news resource to keep us up to date. Led by Dan Goodin’s admirable way of writing about technical security topics for the ‘layman,’ this is another must-follow news site.

SANS Software Security AppSec Blog

SANS in general is a great resource to turn to, and their AppSec blog is just one of those great offerings. Their editorial staff write comprehensive resources around important topics like the Secure Software Development Lifecycle and the gap between developers and the security team.

The Hacker News

A great resource for white-hats everywhere, The Hacker News offers news and tutorials in an array of InfoSec areas. With monthly readership in the millions, we guess we’re not the only ones who get value from The Hacker News!

The Register

Delivering the news with their one-of-a-kind wit, The Register is an established British news site with a language few could master but them. Just the article title’s are enough to make you question whether you’re reading security news or the InfoSec section of The Onion.

And they couldn’t have picked a more fitting tagline for themselves: “Biting the hand that feeds IT.”

SC Magazine

Providing cyber security professionals with the news they need to know, SC Magazine is another news site providing more than just bulletins. Their Data Breach Blog is a great addition to their main offering, as well!

NYT Bits – Security

For high-level stories about security policy in the government and big business as well as InfoSec industry analysis, we turn to the Security section of the New York Times Bits blog. Nicole Perlroth, joined by fellow contributors, write intriguing cyber security articles that are notable for their big picture views.

Security Current

“By CISOs, for CISOs,” this blog will not be for every reader, but even if you’re not head of information security, you’ll still find meaning in the in-depth analysis you’ll find on Security Current.

SearchSecurity

Offering a nice mix of news updates, articles, and videos covering an array of cyber security areas, SearchSecurity is perfect for InfoSec pros at all levels.

Cyber Security Company Blogs:

State of Security

Readers can count on at least once-daily articles from Tripwire’s State of Security with a huge library of cyber security materials to choose from. If you’re in IT security – this is a blog you need to have in your RSS feed.

ThreatPost

Run by Kaspersky Lab, ThreatPost boasts an impressive editorial team and network of guest bloggers writing about the company’s research along with editorial on recent news events.

Naked Security

If the name doesn’t make you at least curious, Naked Security’s award-winning blog (run by Sophos) thoughtful opinion articles and wide coverage of the hottest industry topics will draw you in for good.

Securosis

It’s hard to deny the power of good research, especially when written up in such an easy-to-digest way. That’s what Securosis offers, and it’s their transparent principle that makes them a blog you can come to trust. Be sure to bookmark their research corner, as well.

TrustedSec Blog

A mix of analytical articles and podcasts (a recent addition – great for your commute!), the TrustedSec blog is another strong InfoSec company blog. Follow for updates on up-and-coming security tools and insights from their pentesting and consultancy work.

451 Security Blog

With so much personality on one team of analysts, their blog is bound to be a great read. The blog is geared towards CISO and security decision makers, with subject matter from achieving PCI compliance to security awareness and lots more.

Google Online Security Blog

While not exactly an Information Security company, the Google Security Blog is a fantastic site filled with both research and announcements about Google’s latest security advancements. This blog’s got the power of Google behind its research and advice, so we’ve long had it bookmarked – and so should you!

Rest of the Best:

While these aren’t blogs, these sites are resources well-worth having in your news feed!