Paid Advertising
web application security lab

Web Application Security Blogs

I’ve had a number of people over the last year or so ask me what good sites are out there for people to learn about web application security. Honestly, as of a year ago there really weren’t many out there, but suddenly there’s been a bit of an explosion of them. I’m actually really glad to see so many rising up, because the more people do research the better we will understand the issues involved in writing and breaking web applications. Anyway, here’s a list I threw together in just a few minutes. If I missed some let me know and I’ll add them. (And this really isn’t in any particular order, in case you were wondering):

  • the web application security lab. Nuff said.
  • Jeremiah Grossman’s blog it’s sort of ubiquitous because it’s such a must-read. This is one of the few blogs that I actually point my RSS reader to to make sure I read things as they come out. It’s a must read.
  • Stefan Esser’s blog I love that Stefan quit the PHP security team, we’ll get a lot more intelligence out of him now.
  • if you read Ukranian, you’ve got a head’s up, because there is some good stuff coming out of this site.
  • Sylvan Von Stuppe’s blog he’s a regular in breaking applications. I actually try to visit his site at least once a week to see what he’s thinking. Smart guy.
  • Kuza55’s blog he may be new to web app sec but he’s scary smart. His blog is definitely one to keep your eye on.
  • Billy Hoffman’s blog he’s often got a unique spin on a lot of security issues that affect us. I find myself here at least once a month or so reading the backlog of what I’ve missed.
  • Michael Sutton’s blog another SPI Dynamics guy who writes a good blog. Since he wrote the story on reading Google’s anti-phishing list it’s been a good read. He’s really stepped up his game and I look forward to reading more of his stuff.
  • Zeno’s blog he’s had his site up for forever and a day. He’s recently started posting more and I regularly check his site out for anything interesting he might have come up with. He’s also a proponent of building security into the QA cycle, which jives with a lot of how I’ve structured a secure PDLC. Good read.
  • Jungsonn’s blog he floats back and forth between pure webappsec stuff and random other thoughts, but I always keep my eye on what’s he working on. Jungsonn has got a lot of interesting thoughts on securing sites with Apache rules that is probably interesting to the individual webmasters out there (myself included).
  • Mightseek podcast it’s not updated much anymore but it’s still interesting. I am always looking forward to his next podcast. I’ve never been into listening to podcasts because it’s annoying and I’m a much faster reader than a listener but his is one I’ll make an exception for.
  • pdp’s blog he’s the guy who built attack API, came up with quite a few vulnerabilities in quicktime and runs a good security site. He goes back and forth between technical and high level, but it’s quite often an interesting read.
  • V-wall’s blog he’s barely got started, but I bet it’ll be an interesting blog to read in the not too distant future.
  • Sven Vetsch’s blog this is a pretty new site and a pretty technical read but like V-wall’s site I have high hopes.
  • Martin Johns’ blog while not updated that often, it’s one of the few sites that really delves into some of the more technical research that actually builds new exploits. He’s definitely opened the door to some of the more interesting anti-DNS pinning exploits.
  • Kyran’s blog he’s new with webappsec but he’s really come out with some interesting stuff, including some writeups on Kuza55’s XSS fragmentation issues in MySpace.
  • Luny’s blog he keeps it updated and focuses primarily on social networking worms and MORPGS. It’s often a very interesting read.
  • Anurag Agarwal’s blog he primarily keeps up on mitigation techniques and also does some biographies on hacker types. Could be a good one to keep up with.
  • A Day in the Life of an Information Security Investigator a funny outlook and a smart blog on information security. He does delve into webappsec issues as well as a ton of other stuff.
  • Bruce Schneier’s blog okay, maybe it’s not really webappsec, but it’s one of the few security blogs that I type in by hand on a regular basis to see what he’s talking about. He doesn’t just talk about crypto. Sometimes he does talk about web applications and whenever he does I lift my head up. It’s one of the few interesting sites out there that is updated regularly (2-3 times a day).

  • a really good blog that I tend to forget about, but for no good reason. It’s updated regularly and has a lot of good posts. Definitely worth a read.

    I’m sure I’ve missed some, and for that I’m sorry, but these are the ones I could remember off the top of my head while I was writing this. Let me know if you know of others that I should be looking at. I’m sure other people would be interested too!

  • 15 Responses to “Web Application Security Blogs”

    1. zeno Says:

      Forever and a day being 7 years :)

      I’d say your list pretty much hits what I visit as well.

      - zeno

    2. Kyran Says:

      Hehe, I think it was actually Kuza that originally disclosed the MySpace fragmentation attack. I’m just a newb with nothing under the belt. :)

    3. RSnake Says:

      Thanks, Kyran, I re-worded it to be more accurate.

    4. Kyran Says:

      Not a problem. I do have most of these already in my reader or check them out somewhat regularly except for Stefan Esser’s which I have just bookmarked. It’s good to know that I’m at least keeping up if not contributing.

      Oh right, I guess I do have a few things like gaiaworm under my belt. Better than nothing, right?

    5. Wladimir Palant Says: is Ukrainian, not Russian - that makes it much harder to read for me :)

      And your text says ** instead of though the link is correct.

    6. fogez Says:

      What about ??

    7. fogez Says:

      doh…never mind…

    8. RSnake Says:

      Thanks, Wladimir, I changed it.

    9. » Web Application Security Blogs - Says:

      […] Original post by web application security lab and software by Elliott Back […]

    10. kuza55 Says:

      Mmm, I found the WebSecurity blog, and struggled trying to read it for a while until I came to the conclusion that it wasn’t Russian - I just thought my reading skills had plummeted dramatically until I checked that .ua is Ukraine.

      Speaking of which; does anyone know a free online Ukrainian to English or Ukrainian to Russia translating service?

      If you’re also talking about crypto blogs, there’s Exhaustive Search which si matt blaze’s Blog: which is a quite interesting read IMO.

    11. Wladimir Palant Says: translates from Ukrainian to Russian and the results seem to be reasonably good.

    12. justin.henry » Blog Archive » Web application security blogs Says:

      […] A nice list of blogs and brief descriptions of each that discuss security issues surrounding web application development. (via Jeremy Zawodny’s Linkblog) Tags for this post:application blogs development news programming rss security web […]

    13. Jungsonn Says:

      Cool, only I can’t read russian also ;)

      Oh and thanks RSnake! for forwaring the military and other spies to my blog :)

    14. kuza55 Says:

      Mmm, the results are rather good, but the 500 character limit hurts….

      You can always use google translate or a similar service to translate from russian to english.

      But I’m using it as a reason to read more russian, so that my reading doesn’t go completely to pieces, :p

    15. Ron Says:

      How about “A Day in the Life of an Information Security Investigator” by “Security Monkey” at

      He does multi part case studies that are very educational and entertaining.