As an information security professional, I’m often asked how I keep up on the seemingly never-ending flood of content being produced on Information Technology and Security. Newly disclosed vulnerabilities, patches, and 0days, reports on the latest breaches, research studies, and new security tools and techniques are published every day. The truth is, it isn’t easy keeping up and I would be naïve to say I’m staying on top of it all. Still, over time I have curated a selection of “go to” information sources that I’ll share with you in hopes that you can use them to stay current too.
Three Podcasts Worth a Listen
I listen to two InfoSec podcasts a day, on average, throughout the week. Whether you commute or work from home, I suggest using your pre-work morning minutes to get caught up on current events. I highly recommend these podcasts:
These daily, 5- to 10-minute information security threat updates are typically released in the evening, making them an excellent primer for your morning, no matter how early you get started. I find these podcasts offer the right amount of information to get the brain activity going, are easy to digest, and cover a wide range of technologies.
If you want to sharpen your application security skills, this podcast is for you. These vary in length from 25 to 45 minutes and are packed with valuable discussions, interviews, and topics. Chris Romeo and Robert Hurlbut do a great job of explaining foundational application security to newbies, and make their podcast easy to follow along, even when they dive deep into technical details. As a big user of the Zed Attack Proxy (ZAP) and WebGoat/WebWolf apps from OWASP, I find the Application Security Podcast highlights a lot of interesting OWASP projects and often includes interviews with the project leads, developers, and engineers behind them.
I find this podcast very relatable with many episodes covering real-world concerns and scenarios that echo the conversations I have with my peers. The podcast's runtime is around one hour on average, which I find flies by. I appreciate that this podcast’s hosts don’t sugar-coat their views of problems with today’s security posture of vendors and companies; they provide unfiltered guidance. Give the podcast a listen and you’ll understand.
Three Reddit Subs to Follow
Reddit is an incredible resource for all things Information Security. It’s my go-to when I’m researching something and I want to read first-hand advice and, depending on how old the thread is, chime in and get involved with the dialogue. * Note: When engaging online, do your research and due diligence on existing threads before asking anything on Reddit; you will receive far better results in the long run. Also, be sure you’re not divulging sensitive information about your organization with your questions and comments – ensure that your Redditor persona is created with enough distance between you and your place of employment.
It’s very easy to get sidetracked on the platform, so I have three—yes, only three—subs for you to get familiar with:
- /r/netsec – High-quality and frequently original content that is an all-around great resource. Covers many areas of interest from basic theories and topics to very advanced deep dives into technical details.
- /r/compsci – I need to stay well-rounded, right? This sub offers great insight into complex topics and covers a lot of ground; a very helpful community.
- /r/sysadmin – Home of the “Jack of all trades, master of none” systems administrators. The people that come to this sub share an enormous amount of useful information and can be very helpful when you need to know more about how a certain technology works or to get the viewpoints of the community. Very often I have found information about outages or critical topics that were developing in real-time.
Three Subscriptions to Invite into Your Inbox
These days we are all inundated with email, but subscribing to email lists, newsletters, and RSS feeds is still a great way to have information come to you. I typically glance at them throughout the day while working, stopping to read articles that appear relevant or interesting. Beware, it’s very easy to subscribe to too many resources, which will overwhelm your inbox and cause you to ignore them altogether.
Start off with these:
Brought to you by PortSwigger Web Security, the Daily Swig is my RSS feed of choice. It keeps me abreast of the latest industry headlines, hacks and data breaches, web vulnerabilities and exploits, new security technologies, solutions and policies. The team at PortSwigger (of Burpsuite fame) are on top of their curation and send these out at a higher frequency than most.
When the Cybersecurity and Infrastructure Security Agency (CISA) sends out information, it’s worth it to stop what you’re doing and make yourself aware of what they’re broadcasting. My RSS feed pulls from most of their offerings and I encourage you to do the same. The feeds range from:
- Alerts — timely information about current security issues, vulnerabilities, and exploits.
- Analysis Reports — in-depth analysis on new or evolving cyber threats.
- Bulletins — weekly summaries of new vulnerabilities. Patch information is provided when available.
- Tips — advice about common security issues for the general public.
- Current Activity — up-to-date information about high-impact types of security activity affecting the community at large.
Bruce Schneier is a world-renowned security technologist, cryptographer, and an all-around hero to the tech community for decades. As an author of more than a dozen books, contributor to numerous articles and papers, and fellow and lecturer at Harvard's Kennedy School, Schneier is a reputable and knowledgeable source. He blogs almost daily and I find his curated newsletter valuable in many ways.
I hope you find some, if not all, my recommendations helpful for your own learning. If you have a favorite podcast or website you’d like to share, let me know.