
The top AppSec Substacks to follow

Rev up your application security and software supply chain security engines by subscribing to these six practitioner-curated Substacks.

Samantha Schawe

Samantha Schawe, Content Marketing Intern, ReversingLabs.

Substack is a publishing platform that lets expert practitioners run their own newsletters. For application security pros looking to keep up with the latest developments, Substacks written by practitioners and analysts can help you keep pace across key areas of AppSec and software supply chain security.

Here's our list of Substacks for anyone looking to stay up to speed.

Resilient Cyber (Chris Hughes)

The Resilient Cyber Substack, by Chris Hughes, is a newsletter dedicated to cybersecurity, cloud security, DevSecOps, and software supply chain security. It examines behaviors and patterns that lead to the shadow usage of technologies and how security practices can sometimes be self-defeating, and it brings a particular focus to the security impact of AI. The newsletter offers insights and discussions from various cybersecurity and IT experts, addressing topics such as risk-mitigation practices, vulnerability management, and the future of the cybersecurity industry.

Notable stories include "Bringing Security out of the Shadows," which examines the shadow usage of technologies and the self-defeating aspects of security, and "Public Sector Compliance Conundrums," which addresses the federal and defense communities' challenges in balancing cybersecurity, innovation, and compliance requirements.

Frankly Speaking (Frank Wang)

Frankly Speaking, curated by Frank Wang, is a newsletter that shares insights on various topics related to cybersecurity from the perspective of a security engineer and former venture capitalist. Notable themes include the security challenges brought by the rise of cloud computing and DevOps practices, emphasizing the need for security products that can keep pace with the agility of the cloud. Wang frequently discusses the critical role of developers in security, advocating for the integration of security practices into the software development lifecycle to ensure that security measures align with developers' needs and mindsets.

Wang also provides in-depth analyses of prominent cybersecurity companies, evaluating their strengths, weaknesses, and potential failure modes. Additionally, he explores the future of SIEM (security information and event management) solutions, particularly in light of industry shifts such as the LogRhythm-Exabeam merger and the sale of IBM QRadar, highlighting the necessity for new approaches to security monitoring and analytics in the cloud era. 

Securely Built (Derek Fisher)

The Securely Built Substack, curated by Derek Fisher, explores specialized education in application and product security, with an emphasis on software safety. It underscores the need to integrate security into all aspects of technology, from personal device usage and social media interactions to professional productivity applications. Leveraging Fisher's decades of experience in engineering and security, Securely Built aims to support the creation of secure technology and provides resources to help readers improve their security practices. 

Notable stories include “SAST Is Dead, Long Live SAST,” which supports the ongoing use of SAST as an essential part of a complete application security strategy but also recognizes its limitations and the necessity of integrating it with other testing methods, and “The Secure Product Lifecycle,” which emphasizes the importance of secure product lifecycle management (SPLM) in managing security risks across various software releases and versions.

The Pragmatic Engineer (Gergely Orosz)

The Pragmatic Engineer, a popular Substack newsletter by Gergely Orosz, offers in-depth insights into the software engineering industry, focusing on both big tech companies and high-growth startups. Highly relevant for software engineers and engineering managers, it provides actionable advice and tools to enhance leadership efficiency. The newsletter delivers an insider's perspective on major tech firms and startups, covering topics such as technical debt, distributed systems, and engineering management practices. It features deep dives into specific software engineering subjects, timely articles on industry trends, and reflections on relevant discussions. 

Drawing from Orosz's experiences at Uber, Skype, and Microsoft, the newsletter provides a valuable perspective, along with a growing collection of resources, including checklists and guidelines for engineering managers and software engineers.

Deploy Securely (Walter Haydock)

Walter Haydock, a security researcher and the CEO of StackAware, curates the Deploy Securely newsletter, which focuses on cloud security, DevSecOps, and secure software development practices. It covers topics including cloud security best practices, tools for integrating security into the software development lifecycle, secure coding practices, vulnerability disclosures affecting popular software, and more. The newsletter aims to offer key updates in the rapidly evolving field of cloud security and secure software development.

The Deploy Securely newsletter is a valuable resource for security professionals, DevOps engineers, and software developers aiming to stay abreast of the latest trends and techniques for building and deploying secure applications in the cloud. By providing insights into emerging threats, best practices, and tools, it empowers its audience to enhance their own security.

The Software Analyst (Francis)

The Software Analyst Newsletter, curated by Francis, specializes in analyzing software companies within the cybersecurity and data infrastructure spaces, especially AI and machine learning (ML). It covers a range of notable topics, including in-depth examinations of cybersecurity firms such as Palo Alto Networks, CrowdStrike, and Zscaler, and it explores data infrastructure and AI/ML companies such as Snowflake, Databricks, and C3.ai, evaluating their technologies, use cases, and market potential. The newsletter also offers insights into emerging trends and technologies in cybersecurity and data infrastructure, such as cloud security, zero-trust architecture, and large language models (LLMs), along with featuring interviews and commentary from industry experts and thought leaders in these domains.

The Software Analyst Newsletter caters to investors, technologists, and anyone interested in these rapidly evolving sectors, offering valuable perspectives on market dynamics, technological innovations, and strategic insights that are crucial for navigating and understanding these industries.

Sign up for RL's Chainmail newsletter

For those more interested in software security, check out our Chainmail newsletter on LinkedIn, which highlights the latest AppSec and software supply chain security news.
