Alan Shimel announced the Security Blogger Awards and Security Blogger Hall of Fame. It was a treat for me to be included in both, mostly because it was alongside a number of people whose work I have great respect for. More than anyone, Richard Bejtlich was the guy who made me think a blog on technical security issues would be a good way to consolidate knowledge and that writing a journal on events in software security would be useful. Jack Daniel is a true blue, sage security bellwether; Brian Krebs' work is essential, as is New School; and don't tell the Securosis guys I said this, but they are both smart and fun to work with.
That's just a small sample. One reason I like roundups like this: there's plenty of good stuff going on out there beyond the ones I mentioned. But when I started my blog I really wanted to shed light on areas of security - software, identity, defensive coding - that did not get anywhere near the focus that other areas in security, like infrastructure, did. At the time I did not think it would end well if security continued to focus mainly on infrastructure and ops; we did then and do now need to spend way more time upstream in design and development. The core of what security is doing remains important, but it needs to expand up to what Hoff calls the infostructure.
There's another issue on blogging that I hope changes. Pre-Twitter there was a very active security blogosphere; most of that has moved to Twitter. I am a fan of Twitter, but it's not a place to get too deep into issues. One reason I started a little miniseries, Security > 140, was to have some longer conversations about important topics. So basically I feel the security industry is worse off now that there is overall less blogging, and it would be good to see this come back in vogue a bit.
The RSA roundup is a good reminder that there are a lot of good things going on out there still. I don't think that the security blogging scene will go back to the free-for-all, grab bag of ideas that it was 6 years back, but maybe there is a way to sort of make some progress.
I know some non-Twitter-related reasons why there is overall less blogging: 1) lots of security things going on, people are super busy; 2) blogging is hard, and most of the real good stories are not able to be told. (Pro tip: find anecdotes and analogies in other industries.)
Why I would really like to see the scene keep making progress is that I think security is an industry where it's easy to get lost in the urgent and forget the important. It's a nonstop flow of urgent operational issues, but not much time to look at - why does this keep happening and how do we fix it or stop it from recurring? These are things you cannot do in 140 characters, and we need something between a Tweet and a Whitepaper to have an industry conversation. Blogs fill that space very well: look at the issues, consider the deployment options, integration concerns, and what we might realistically do. These are the conversations we need to have.
We simply do not have "the solution" at hand; instead we have a series of suboptimal decisions to make, each with their own second and third order knock-on effects in terms of usability, integration, economics and risk. That's what makes the security job so cool, but those shades of gray do not lend themselves to compression; they need to be considered from multiple perspectives.
For example, nowadays Java is a nonstop loop of hairballs pushing enterprises into a series of "less bad" decisions. But what is the big picture? And where do we go? My friend Andy Jaquith's post Paving Over the Proprietary Web takes a run at exactly these issues. Speaking of HTML5, Brad Hill wrote a very practical post that both recognizes the issues inherent in HTML5 and shows why it's a better way forward than the alternatives. These posts are both very timely and give valuable ways to frame issues for conversation, get people thinking in ways that we do not do nearly enough (tactical issue + big picture + pragmatism), and so I hope blogs continue to play a vital role in helping security age like wine instead of milk.