It’s probably impossible to map out the infinite MotherLoop of All Rabbitholes of RabbitholeLoops that information security has become in the last three or four decades … but even so, it’s probably not a bad idea to try to develop your own prioritized Top 10 List of some of the best blogs, repositories, newsletters, and other infosec resources.

It’s a good idea to develop a PRIORITIZED list, so that one can come back and review the list on a regular basis … the list should be thorough enough FOR YOUR NEEDS, even though it’s impossible to ensure that your list will be exhaustive … but as a general rule you will want to avoid anyone who’s totally NUTSO hysterical when it comes to the topic of cybersecurity … and, as with EVERYTHING, avoid the sales guys, who are always hawking whatever they have on their travelling medicine show wagon.

In spite of how tedious it is, cybersecurity is getting more and more important every single day, especially if you do much business in the virtual room, but then again, if you have much business in the virtual realm, you already KNOW that…

As we learned again with the eclipse … it’s necessary to have some damned perspective.

  1. GitHub Security Lab is extremely useful for the GitHub opensourcist user audience like me AND … in the very best opensourcist fashion of GitHub … if you are already an independent security researcher or cybersecurity professional or someone who’s already up to speed and even ahead of the game with respect to everything on this list, you can join the CodeQL Bug Bounty program to be rewarded for queries that have a positive impact on open source projects by codifying your security knowledge as an expressive, executable, and repeatable CodeQL query that can be run on many codebases. Others in the VERY BEST of the very best opensourcist fashion of GitHub are found in the vein of most forked repositories in network-security, most forked repositories in cybersecurity and most forked repositories in DevSecOps, which include Meir Wahnon’s curated list of tools for incident response, Marek Šottl’s Ultimate DevSecOps library, Mobile Security Framework (MobSF) (an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis), Firezone’s open source WireGuard®-based zero-trust access platform with OIDC auth and identity sync, Scapy’s Python-based interactive packet manipulation program & library, HackerRepo.org by Omar Santos … and tens or hundreds of other repositories that are better to explore … RATHER THAN WASTING TIME WITH THE RAMPANT FEAR-MONGERING OF CYBERSECURITY BLOGSTERS and the depressingly incompetent NEWS MEDIA that quote them verbatim!

  2. Schneier on Security is … AFTER ALL THESE YEARS! … still easily the most level-headed, SANE and cerebrally PROFESSIONAL resource on information security. As a general rule, at least once a week or maybe more frequently everyone should read Schneier On Security. We all know that infosec is something that we should be more aware of … the reason that normal, well-adjusted people tend to shy away from this topic is that, unfortunately, MOST OF, but not quite all of, the material on information security is like antivirus software being worse than viruses … people shy away from infosec blogs because they don’t want to catch infosec mindrot. EXCEPT FOR Schneier on Security … most of the OTHER material you will find out there will be ad-heavy content, which is inherently needy and likely to be insecure or even quasi-malicious tracking malware, and is mostly just an out-and-out hysteria barrage coated in a disgusting slop of stewed fear-mongering grease, ie “THIS new threat is something you need to be totally terrified of and you’re probably already fucked, but it’s too slippery for you to grasp, so get yourself some of our X or book me for a seminar immediately.”

  3. OWASP (Open Web Application Security Project) is a nonprofit foundation with tens of thousands of members working to improve the security of software with community-led open source projects including code, documentation, and standards. Different materials might be particularly useful to people trying to learn as much as possible as quickly as possible about security. OWASP provides a wealth of resources, including the Cheat Sheet Series and the Software Assurance Maturity Model.

  4. SecLists.Org Security Mailing List Archive – everyone knows that the latest news and exploits are not found on any web site. The cutting edge in security research is and will continue to be the full disclosure mailing lists such as Bugtraq. SecLists provides web archives and RSS feeds. You can browse the individual lists or search them all using the Site Search box. A similar effort that uses a slightly different approach in gathering its intelligence is Packet Storm Security, which provides around-the-clock information and tools in order to help mitigate both personal data and fiscal loss on a global scale. As new information surfaces, Packet Storm releases everything immediately through its RSS feeds, Twitter, and Facebook pingdump … so that the Redditors, Facebookers, X-sters and LinkedIn crowd can re-pingdump it over and over and over to their audiences, ie it’s just like a total eclipse or all kinds of end-of-the-world shit, ie you will not be able to avoid it, even if you wanted to.

  5. Black Hat Conference is another computer security conference which provides security consulting, training, and briefings to hackers, corporations, and government agencies around the world. Black Hat is very similar to DEF CON, except that Black Hat is actually four years younger and has a different audience. Black Hat is typically scheduled prior to DEF CON, with many attendees opting to go to both conferences or catch the tail of Black Hat and the start of DEF CON. Black Hat is probably perceived by the security industry as being the more mature, more corporate security conference, whereas DEF CON is more informal, more fun for a younger, partying audience … although there’s an element of competition in the management of these conferences, these two conferences really complement each other by targeting slightly different audiences. DEF CON is the oldest continuously running cybersecurity / hacker convention around, also one of the largest and not entirely one of the worst … although with its nerdware antics and contests like lockpicking, robotics-related contests, art, slogan, coffee wars, scavenger hunt, and Capture the Flag, it has become sort of a sociohistorical cliché of its nerdy recursive back-to-the-nerdy-kiddo future self.

  6. Exploit Database is a non-profit project that is maintained and provided as a public service by the OffSec training and pentesting company as one of its open source community projects. A similar effort is the SANS Internet Storm Center (ISC), part of the SANS Technology Institute.

  7. Krebs on Security covers a wide range of topics, from general security news and analysis to technical details on vulnerabilities, exploits, and defensive measures. Brian Krebs is probably as good, concise and well-written as journalism can get when it comes to reporting on cybersecurity. In a similar vein, independent bloggers who do a good job of writing about topics in this realm include Risky Business Group, Daniel Miessler’s Unsupervised Learning, Troy Hunt’s Blog and Graham Cluley.

  8. The Hacker News attracts 50 million readers annually and is the most followed B2B cybersecurity news outlet on all major social media platforms … so it might not be the first place you find out about something, but THN will not allow any drama to go unexploited. In a similar vein, Threatpost prides itself on being referenced as an authoritative source on information security by the copypasters who write stuff for the leading newsholes, like the New York Times, Wall Street Journal, MSNBC, USA Today and National Public Radio. Others in this space worth mentioning include Naked Security (Sophos), Bleeping Computer, Dark Reading, Security Weekly and CSO Online.

  9. Reddit r/netsec is a Redditor community-curated lowest-common-denominator aggregator, ie Reddit is an LCD aggregator because of the way that Redditors tend to not like or even downvote uncomfortable ideas or commentary … but it’s all content that you could have found elsewhere [looking at higher priority items on this list]. Reddit [or for that matter Facebook or Twitter or LinkedIn] is probably NOT where you find the latest or the greatest information; it’s not going to be an adventure like going to a conference in Vegas … BUT social media does give one a general sense of what people interested in this topic are talking about. The content here is about what you would expect from Reddit and reflects its population; Redditors tend to be much younger and are significantly more likely to be male than Facebook or Twitter or LinkedIn users, but the conversations tend to be about the same, LCD-wise. FWIW, the stuff you find on Facebook, Twitter or LinkedIn will GENERALLY be less useful and less current than Reddit … but when we least expect it, even blind pigs can occasionally shit acorns.

  10. Microsoft Security Response Center is about as Microsoft as cybersecurity can get … and that means it probably is essential content for Windows-centric cybersecurity enthusiasts. In a similar fashion, AWS Security Blog is about as AWS as cybersecurity can get … which means that it’s entirely skippable stuff for most, but probably is essential content for AWS-centric IT consultants. However, it is worth noting the different approach of Google Project Zero, which is the team of top-rate security analysts employed by Google who are tasked with performing vulnerability research on popular software like mobile operating systems, web browsers, and open source libraries in order to find, REPORT and PUBLICIZE zero-day vulnerabilities … as with everything that Google does, SCALE gives Google advantages that nobody else has; in this case, they report and publicize zero-day vulnerabilities. It’s really about using Google scale to SHAME large software companies into fixing their software. But we should not forget that Microsoft, AWS, and Google are themselves massively huge software-driven trillion-dollar companies. It’s in their best interest to develop a best-in-class vulnerability research competency to make sure that their systems are secure … WE NEED THEM TO BE RELIABLE and generally they are … but we shouldn’t expect them to produce any PUBLIC content that’s all that disruptive or earth-shattering.