ProPrivacy Awards: 60 Essential Infosec Blogs for 2016
A vast majority (91%) of US adults recently agreed or strongly agreed that consumers have lost control over how corporations collect and mishandle their sensitive personal data, according to a Pew Research study. With that useful research in mind, we at ProPrivacy.com compiled our Awards list of the Top 60 Essential Information Security Blogs For 2016. These are the blogs we feel can best assuage, or at least shed some light on, the dominant mindset of fear and ignorance when it comes to web security.
Our 2016 ProPrivacy Awards list is in no particular ranking order, reflecting no value judgments on our part, other than that every entry is worthy – for differing reasons explained per entry. This merit-based list simply reflects the blogs we thought were most useful to our readership. While the number of worthwhile infosec blogs online is in the thousands (if not higher), we’ve put together our awards with the best of the diverse collective.
Our choices were based on relevance, accessibility to all levels of technical expertise, and our overall impressions of the blog in question. While some entries posted more frequently, or at a higher volume than others – the thread of shared commitment to open discourse around web security unifies each of the disparate recipients.
Sound good? Let’s get down to business below.
60 Blogs To Keep Your Eye(s) On
From the French expat head of Google’s anti-abuse research team (protecting laypeople from cyberthreats of all types), and the same fellow who redesigned Google’s Captcha, Elie Bursztein’s blog is full of security nuggets of all shapes and sizes. But what else would you expect from a guy who helped implement more secure cryptography in Google Chrome? Spare us the Bernstein Bear puns, and take a gander through Elie’s blog for some can’t-miss tips and tricks.
It would be remiss of us not to mention both Graham Cluley’s blog, and his guest writing work for “The State of Security,” which falls under the umbrella of security firm Tripwire. Based in the UK, Cluley has been busy researching, speaking, and blogging about his work for nigh on two decades, backed up by his stellar work for industry titans including Sophos and McAfee, in addition to numerous experiences helping law enforcement to combat cyber criminals. Mr. Cluley has been an alumnus of the InfoSecurity Europe Hall of Fame since 2011, and is one of only 26 total honorees since the award’s inception in 2009.
03 Curious Mad
It might seem odd at first glance to include a blog with only four posts – three of which are about cider (not that there’s anything the least bit wrong with that) – in an exclusive compilation of infosec blogs you should read. Fair play. On the other hand, however, the one other post was a novel, secure, insightful, and thoroughly effective VPN setup guide, way beyond what would normally be expected from a nascent blogger. Curious Mad deserves his spot, and we’re excited to see what he says next. Whether it be about lifestyle or security, he’s got our attention.
Gary Warner’s wittily named blog focuses on security through a judicial lens, as you might expect, considering his work as a Task Force Officer with the FBI Cyber Crimes Task Force. He’s a distinguished faculty member at the University of Alabama and, after years spent protecting the public, he’s now working to educate the next generation of computer science professionals.
The team behind the punnily named Malwarebytes (sense a theme yet?!) security software manage this frequently updated site, offering easily digestible news, tips, and practical solutions to being compromised online, as well as preemptive measures to avoid security breaches in the first place. Encouragingly, there appears to be a down-to-earth approach taken both in dealing with technical issues, and presenting findings to their readers. It’s well worth taking at least a periodic look at Malwarebytes.
06 Ars Technica
It would definitely be surprising if you hadn’t at least heard of thought-leading security website Ars Technica – about as odd as not placing them on this awards list. As one of the most influential online publications on all things tech-related, the security analysis proffered in their articles is some of the most in-depth and well researched around. Additionally, you can also find convenient product reviews and news. With Ars Technica, bigger just means more varied superb content – not just some filler crow-talk.
While at first glance not as overtly focused on the twin pillars that many of the blogs featured here concern themselves with, Tech Crunch provides such a plethora of breaking industry news that it would be wrong to leave the site out. The rip-roaring success of several popular expos, such as Tech Crunch Disrupt, put on by the team behind the website further entrenched our conclusion that TC deserves a place on our exclusive list (Kevin Spacey’s interview at Davos is highly recommended).
Known for its excellent all-round investigative journalism, the Guardian’s Technology corner is a necessary presence in this roundup, and is on the front lines of the war against repression in all its nefarious iterations. Playing what might well be considered the pivotal role in disseminating the Snowden leaks neatly sums up the Guardian’s importance.
Another industry mainstay with serious clout, Wired’s Security corner is anything but an afterthought. Consistent updates and top-notch presentation make Wired essential reading, as do exclusive interviews with leaders or former greats in the security field (the profile on virus protection mogul turned gun-toting playboy lives long in the memory).
While widely respected for its product reviews (and quite appropriately so), Engadget is no Mary Sue when it comes to security. A weekly column is dedicated to infosec news, and the entire site is salt & peppered with the subject matter as part of a push to make their second decade of existence not just about reviews (although they are useful!), but also an examination of the relationship between us and our technology – how we are co-opted into a cycle of creation and consumption.
A leading comparison site in its field (much like we are with VPNs!), Cnet has long been the go-to resource for people from all over the world. While there is no clear ‘security section’ delineated on the site, Cnet do a solid job of covering infosec matters where appropriate, without overwhelming the less ideologically-based areas of the site, keeping things as light as possible.
A prominent member of the online thought-o-sphere with decided anti-establishmentarian leanings (not that we mind!), Motherboard adds a humanistic touch to the sometimes dreary, though still crucial, matters of privacy and online security. It’s not uncommon to see an article about NSA snooping next to a piece on poaching in East Asia – perfectly illustrating the depth of content and holistic outlook that more than qualifies Motherboard for our awards.
Billed as ‘fearless, adversarial journalism,’ it’s not as if the folks behind The Intercept shy away from controversy, or from being recognized for doing things differently. Helping to publish the Snowden leaks, and providing further informative coverage of other whistleblowing campaigns, The Intercept marries true substance with a seemingly contrarian though no less conscientious attitude.
After over a decade reporting for the Washington Post, Brian Krebs is now a freelance investigative journalist mainly covering cybercrime. He’s widely respected across the industry for his outspokenness and commitment to thorough research, and it isn’t tough to see why: “The world has no room for cowards. I wish more people had the courage to fail, to be wrong, to be ridiculed, and to stick by their guns.”
A fast-rising star in the infosec community, Robert M. Lee lives and breathes security when he has time to take a break from his PhD courses and numerous other engagements all over the globe. From groundbreaking work with the US Air Force to his inclusion in the Forbes 2016 30 Under 30: Enterprise Tech list, we’re keeping a close eye on Robert’s blog and his company, Dragos Security.
16 Tao Security
For the past 13 years (and counting), Tao Security has provided some of the most unique and profound cyberthreat-focused content around, thanks at least in part to owner Richard Bejtlich’s background in the military and private sectors. While balancing speaking, writing, and researching in addition to his role as Chief Strategist at security firm FireEye, Richard is also pursuing a PhD in Philosophy from King’s College in London. Posting is sometimes infrequent, but more than made up for by the depth and breadth of the analysis provided – and you can find more of Richard’s content via his Twitter account.
Google’s security blog makes it to our list because, well, it’s Google. On a more serious note, it makes little sense to ignore the security rumblings of a mass web monolith, not to mention one of the most influential companies that’s ever existed.
F-Secure Labs’ blog is run by the Finnish security firm’s research team. Content is focused on both theory and practical application, with educational materials thrown in for good measure. While it might be a bit techy for some, there’s a reason F-Secure garner the respect they have in the community. Take a look at our review of their VPN service, or check out their site.
19 HD Moore
As one of the most famous ‘White Hat‘ hackers out there, HD Moore brings his love of ethical network penetration to the masses through his blog. The number of posts is relatively small and on the more technical side, but anyone interested even tenuously in hacking should keep tabs on Mr. Moore if they haven’t already.
White Hat Security’s blog is a smorgasbord of resources for ethical hackers. From appsec to infosec, think-pieces to whitepapers, extensive solutions are presented concisely with professionals in mind. Have a look for yourself, just don’t use the information you find with dark purposes in mind.
21 Dark Reading
One of the most-referenced infosec blogs in existence, Dark Reading appeals to working professionals industry-wide, though whether that’s on account of their breaking news content or their credo is up for debate. What’s clear, however, is that Dark Reading does a bang-up job of threading the needle between (in their words) ‘data protection and user access.’
An informative blog on the latest news and trends in security run by the crack team at Kaspersky Labs, Threatpost is a go-to source for all things relating to cybersecurity and privacy. When the NYT, NPR, WSJ, and a host of other publications reference articles repeatedly, it’s a safe bet to follow the people behind the content.
Securosis take a refreshingly laid-back approach to presentation in a tech world marked by at times overwhelming snootiness. The site eschews hyperbolic statements that amount to pandering clickbait – instead focusing on a core business model of transparency from all angles of the digital privacy paradigm – whether that be on the professional or consumer side of matters.
There haven’t been any new posts in over a year, yet you’re giving them an award?! Well, yes, actually, as Command Line Kung Fu present a fun twist on the ever-present command line functionality that some of us vehemently detest (despite immense usefulness) but others vociferously stand by.
A must-read for security professionals and those with a passing interest alike, Bruce Schneier disseminates information about privacy, cryptography, and state institutions, using an intersectional lens to view happenings on a macro level. As the inventor of the Blowfish cryptographic algorithm (since replaced by stronger options, such as AES), Mr. Schneier is an expert on both solving security vulnerabilities, and preemptively avoiding them altogether. In addition to writing blogs for publications such as CNN, Mr. Schneier is also a Harvard Law School fellow and a board member of the EFF.
It seems obvious that any blog with the motto: “don’t learn to hack, hack to learn,” is a valuable infosec resource – something that’s especially true for this cracking, hacking treasure-trove. The site is still going strong with a vibrant community of ‘ethical hackers’ looking to test and improve, rather than sadistically exploit, potential computer vulnerabilities.
The team behind Errata Security bring their collective experience of network penetration testing to bear in a quality resource. The blog is aesthetically spartan, but the dynamite infosec content is hard to match when it’s delivered in such a nuanced fashion.
Another one of the more techie customers in our 60 Infosec Blog Awards pantheon (forgive the obvious oxymoron), Malware Don’t Need Coffee is a no-frills affair primarily aimed towards coders. Laypeople might find the subject matter a bit too technical, and the site doesn’t do many favors for the design-minded, but posts are frequent and well-detailed.
Tony Perez’s self-christened PerezBox blog merits inclusion on our list for its hard-to-pull-off tightrope act – balancing weighty topics with personal weight-loss journeys, and everything in between. With that ethos in mind, it’s no wonder Tony manages to tailor his message so as to be relatable, even to the average user.
Uncommon Sense Security is an altogether more humorous and self-deprecating entry than many of the others in this list. As a self-described ‘curmudgeon,’ Jack Daniel (the only relationship with the whiskey brand being similarity in name – unless he drinks it!) is a bombastically fresh breath of air in the often monotonous infosec community. Mr. Daniel’s tongue-in-cheek approach fails to detract from the excellent analysis he provides, enhancing his messages rather than undermining them.
David Kennedy’s security outfit is based on his idea that infosec should be accessible for everyone – with emphasis on consumers, not just security pros. Trusted Sec’s blog (get your mind out of that gutter), falls right in spirit with the company’s mission by conveniently rolling out posts in both blog format on their site, and via podcast in iTunes.
Security Weekly aims to encourage an interest in IT security as a free resource. Their appealing, to-the-point discourse on complex infosec material falls right in line with founder Paul Asadoorian’s emphasis on tempering heavy subject matter with entertainment.
33 Red Seal
The security blog over at Red Seal checks all of the important boxes – research, application, preemption – and makes the most of the company’s involvement with over 200 of the Global 2000 organizations. Red Seal count the US DoD as a client and have been referenced in the Huffington Post as well as multiple other publications with content ranging from lifestyle advice to security.
Sophos’ security blog is highly regarded in both the professional and public spheres, consistently winning awards. It’s not hard to see why, with comprehensive coverage of all things security-related and a neat, appealing format. Naked Security is only perceivable as naked if you interpret that as lifting the veil off complicated topics with anything but trite insight.
35 Safe & Savvy
Another superb offering from the aces behind F-Secure, the Safe and Savvy blog makes the theoretical digestible to the less technically-minded among us. Expect plenty of security tips, privacy developments, and cloud storage news, in addition to a nifty Privacy Checker tool. This gives visitors a peek into their digital footprint, along with the expected plug for F-Secure’s own Freedome privacy tool. This feels useful rather than gimmicky, however, prioritizing education over whether a visitor uses their products.
EFF provide an activist-centric blog with updates surrounding the fight for digital rights. A further critical lens is applied to the quest by many netizens for open access, by carefully looking at the bumping of heads between activists and the desire of lawmakers and enforcers for control and restriction (often prescribed by the very nature of the office they happen to hold, as opposed to common sense).
Billed as a place for Kaspersky Lab experts to share their findings and opinions, Securelist is a more technical take on matters than the aforementioned Threatpost (also run by Kaspersky Labs). As a result, Securelist is more focused on professionals and should be considered as such.
38 Spider Labs
Trustwave’s lab security blog echoes the organisation’s international presence, which includes an impressive collection of close to 50 patents. This 26-year-old data protection establishment hasn’t lasted this long by accident – rather as a product of know-how and application, and a satisfied clientele list that keeps the company humming.
Bitdefender’s blog includes posts from other notable members of the 2016 ProPrivacy awards list, including Graham Cluley. HFS is also one of the most visually appealing blogs we came across, with layout and design making the information you need easy to find, and keeping casual browsing engaging without the need to endlessly scroll down a long page.
40 Zero Day
An offshoot of Cnet, ZDNet provides intelligence and news to IT pros and savvy consumers, regardless of what stage in the purchasing cycle the latter find themselves. ZDNet’s Zero Day security blog skips the product reviews offered by its sister site, instead opting for emerging news and trending topics, with heavy doses of pertinent analysis from South Africa to Scandinavia – and everywhere in between.
CIO’s blog is a glut of current infosec developments with a very inclusive view of security. Operating in an overstuffed, alarmist realm often plagued with doomsday predictions, the CIO blog is pleasantly pragmatic – you’re just as likely to find a piece on STEM degree value as a write-up of the latest malvertising schemes.
The Simply Security Blog from Trend Micro is an excellent example of a properly maintained company security blog, with regular updates and topics that range from the Cloud to IoT, encryption to financial services. Simply Security also has built-in website translation for over 15 countries – a sometimes overlooked, yet no less impressive, feature.
VeraCode’s blog brings to light thoughts and opinions from some of the best in the appsec field. Partnerships with Fortune 100 companies in addition to other security agencies mirror the forward-gazing approaches that dominate their posts, with a philosophy that values futurism over complacency. Happy birthday and here’s to another ten years, VeraCode!
Yet another global player on the security scene, this cloud provider’s blog is a solid lead for all things infosec. Those interested in Cloud security should definitely add this offering to their bookmarks and browse through the regular, informative postings.
45 Carbon Black
The endpoint security specialists at Carbon Black run their blog with aplomb, from design to execution – perhaps explaining why they’re partnered with everyone from Nissan to Major League Baseball. Particularly worth a look are their superb vlogs and security news roundups from the wider community.
From a leader in the threat prevention business, FireEye’s security blogs offer over and above the usual fare (there are three of them, for starters). The blog-hydra is conveniently subdivided into Threat Research, Products and Services, and Executive Perspectives; each of which is updated with the same care, illustrating the firm’s equal respect for consumers, professionals, and infosec nerds alike.
Poetry and infosec aren’t normally terms you’d group together, but FlyingPenguin shows that security can in fact serve the same role for IT that poems do for language. Once you’ve taken a step back to consider that function without regard for form is somehow hollow, and that many people view poetry with the same yawning blasé-tude that they do security, it does sound, erm, rather poetic.
The SANS blog is an expansion of their status as one of the world’s largest security certification bodies. With SANS, training is a constant process, not one that stops with the smiles and a piece of paper (online cert). Their expert coaches also recognize that limitations on learning are necessarily time-induced and, therefore, require constant prompting and updating to perform optimally – like a computer, no?
SE is the topic du jour every day at the Human Hacker blog. While updating isn’t as routine as some of our other awards entries, the clever approach of combining human roles in order to determine to what extent security works (or doesn’t work) warrants giving Human Hacker a spot.
Russ McRee’s approach to infosec is certainly broad, and though some novice users might be overwhelmed, there’s a reason he’s won awards. Never afraid to get into weighty detail on weighty topics such as ‘how to use IT tools like a boss,’ it’s little surprise that his page garners such high esteem and ample views. Keep up the great work!
If the title above didn’t scream (gamer!) at you, it’s likely you don’t indulge in the popular thumb workout that’s taken the past several generations by storm (yes, motion sensor and VR tech exists, but be real and admit it won’t replace controllers for a year or two, at least). Hardcore gamers and enthusiasts with an interest in attack and defense protocols down to the detail should definitely head here.
It might be more of a podcast than a blog in the strictest sense, but the SFSP crew bring the heat every time. The facetious title aside, the podcast hopes to bridge the divide between ivory tower infosec and common understanding.
WiKID are a firm providing 2FA solutions and general security news, as well as password-centric analysis pieces and company updates. The Georgia firm have been one of the best in the 2FA business for a splendid near decade-and-a-half.
Kevin Townsend’s site brings together unfiltered, closed-door industry CISO and CIO exchanges to the web for public consumption, unamended. As a result, ITSecurity delivers veritable salvos at the repressive entities that would ideally see the concept of privacy eroded back to the time when humans occupied the same sleeping quarters as their livestock – you can do that math.
Scandalous Redflex surveillance cams—those insidious scoundrels!
Some sites remain unavailable via BT; TunnelBear VPN is a good solution — gets there via US.
Rafał Łoś is the polished 2.0 version of a certain former infosec pro (the ancestral spirit-doppelganger allegedly got into some wild shenanigans in Latin America – use Google), if that other guy was still: cool, constructively rebellious rather than pigheaded, widely productive in defense-oriented hacking, and could discard the profiteering for conscientious punditry. Instead, Łoś foregoes alarmism for practicality and pertinent content.
57 Hogan Lovells LLP
A merger between a major British law firm and its American counterpart, Hogan Lovells is among the top legal avenues for cybersecurity needs. Their transatlantic partners have been honored with prestigious Chambers Guides Awards and numerous cases for clients such as HSBC, Future of Privacy Forum, and the US Chamber of Commerce.
Our second featured law firm is also ranked highly in Chambers for cybersecurity, and it isn’t a stretch to say that the self-professedly techie law firm would be top-of-the-line litigators when it comes to who tech industry behemoths like Adobe, CVS, and LexisNexis want to hire. Four Californian offices, with one in D.C. and one in NYC, show MoFo’s marked focus on tech litigation beyond privacy – from patent law to Venture Capital.
Indian security guru Lucius Lobo shares his knowledge from years spent serving clients of all different backgrounds throughout the world for Tech Mahindra. Besides the usual (and highly important) infosec information you’d expect to find, Mr. Lobo has a dedicated page for child-safety tutorials – an issue to which the entire infosec community should be paying more attention.
The Security Bloggers Network is essentially a portal to many of the blogs listed in our ProPrivacy awards, but still worth a browse if you’re looking for some further reading – perhaps with some blogs that didn’t make our list. A convenient way to peruse new content, the SBN feed pulls posts from other infosec blogs into one concise RSS feed. The best part isn’t even live (but should be rolled-out soon) – sub-feeds will aggregate security news even more conveniently, by categorizing posts into a tidy list of sub-feeds: news, malware, hacking, corporate security, independent blogger. SBN is a promising enterprise, and we’re excited to see what the balance of this year brings for this final entry – as well as the other 59 before it.
A final caveat: this blog was intentionally placed in the rearguard, but solely on account of its scale and function. Fair, but where’s the post you guys enjoyed? This was supposed to be ProPrivacy’s 60 inimitable, unparalleled, splendiferous, better-than-the-'other' infosec blog awards list, with a recommended post for each?
Well, since SBN is more of a portal than a content producer, it seemed logical to include our Ultimate Privacy Guide (warning: it’s quite long, almost 13,000 words), for a solid idea of our company’s unwavering ethos of, and marriage to, online privacy and security. Go ahead, it’s only three times the size of this blog awards piece!
Anything you disagreed with? Perhaps we missed an entry, or (internet-gods forbid) misrepresented something, anything! It's by no means our wish to insult or offend any blog owner, writer, overseer, or otherwise, in any way. Please let us know of any mistakes in the comments section below, and happy reading-till-your-eyes-can't-focus and the floaty white things appear in your field of vision, in which case it might be time to take a well-deserved screen break.
(Hint: you made it through this post unscathed.)