Why Should You Start a Security Blog?

I apologize, this post will be pretty dry compared to my other posts but I think this information is important and not many people talk about it. I have previously written about Automating Website Creation but I wanted to go into more detail about why I think creating a website/blog is so important in this field as well as how I create new content for my personal site. One of the most important things you can do whether you’re just getting into security or you’ve already started your career is document your journey and share knowledge you gain with others. Part one will be convincing you why you should start a blog. Part two will be how I set up this blog. Part two will be added here when it is out. Edit: Part two is out now.

Blogs are kind of a big deal in the InfoSec community, they’re bigger and more important than you might realize. Why is this? Well, your job as a security expert is to communicate risk to your client. Who exactly your client is depends on what job role you’re in, but at the end of the day you need to be able to communicate complex ideas to others who likely don’t have a technical background. This is not an easy task and effective communication is incredibly important. Starting a blog will do a handful of things to help aid you in being a more effective communicator as well as help you in other areas of your career.

Blogs Get You Noticed

The traditional way to demonstrate your understanding of a security concept is to get a certification in that area. This is great for those with the time and money to pursue certifications, but they also lack a key element of security: communication. Currently there are no certifications that show you can communicate real risk. Sure, there are certifications out there that require you to write a “pentest report” upon submitting your exam but so long as you have a general methodology and good screenshots, this won’t stop you from passing the exam, even if the content is not good. This is gimmicky at best and deceptive at worst. (See @cinzinga’s 4 minute report turn around) Although I do like what the PNPT is doing by having you present your findings to a panel.

Another issue is that certifications don’t leave you with any deliverables to show for all the time and effort your put into it. Sure, you have a certification to put on your resume, but anyone can find a dumps of exam questions that allows them to pass without really knowing the material. Another problem with only having a piece of paper proving you have experience is that you don’t have any guides to look back on when you forget concepts and you certainly don’t have any public projects you can talk about in an interview. I go back to my notes/blogs all the time when I forget how I did something. This is where blogs/write-ups/articles really shine, they allow you to publish work for others to learn from and they allow people looking to hire you insight into how capable of a writer you are.

“YES. Please. As someone who does hiring, give me any substantial evidence of practical work” -@rybaz

Blogs Help The Community

Whether your blog is a walk through of a VulnHub box, a tutorial showing off how to bypass antivirus, or a recap of something cool you did like finding CVEs, there will always be someone that benefits from the way you word something. In this field, you get to a point very quickly where it’s impossible to find answers on google that are specific enough to answer your question and the only way you can find the answer is to follow someone’s methodology they have written about in a blog. Often times the topic you are writing about can be taken further by others who want to do a deeper dive on a topic. Your blog (even if relatively simple) is a great place for other researchers to start. Having your thought process, research, or experience out for others to read is a great way to set yourself apart from others and provide valuable information to the community.

Blogs Help You Learn At A Deeper Level

One of the quickest things you will learn when teaching others is how little you actually know. There is a massive gap between knowing something and knowing something well enough to compile your thoughts into a coherent guide/walk through/write-up. Writing a blog will help you close the skill gap between knowing and being an expert in a topic and help you remember it for much longer(even if that topic is relatively simple). On top helping solidify your thoughts on a topic, writing your thought process can also help you find additional mental threads to pull on that will help deepen your knowledge in a specific area and open up new areas to research. The more time you spend thinking about the topic you’re writing about, the more interesting nuances you will uncover in the tools and technologies you’re writing about. The more of the nuances you know about and understand, the better you will be able to communicate that information to others.

My Toolbox

Before I get into extreme detail about how I host this site in part two, I wanted to go over a few of the tools that I am using everytime I write a blog post or update my site. I want to get them out of the way and then talk about the problems that they solve for me.

1. Hugo: Hugo is a markdown to HTML converter that allows you to take markdown files and convert them into websites. Hugo supports themes, social media cards, and many more cool features.
2. Obsidian: Obsidian is a markdown editor that I use to write blogs, notes, and brainstorm ideas.
3. AWS CLI: Hosting your static site in an AWS S3 bucket is dirt cheap and very easy to access using the AWS CLI
4. Bash scripting: Bash scripting is incredibly useful for managing files and is great for automating repetitive tasks such as renaming, moving, and uploading files.
5. Vim: One of the most useful time-saving features of Obsidian is the addition of Vim-mode which allows you to use vim keybindings.
6. Flameshot: Flameshot is handsdown the best screenshot tool I have ever used. Think of it like the windows snipping tool but with dozens of extra features.
7. Peek: Peek is a lightweight GIF screen recorder. Very handy for when a screenshot simply doesn’t cut it.

The problems these tools solve

Hugo

As stated previously, Hugo allows you to take simple markdown files and automatically convert them to HTML webpages. These pages are typically static although Hugo supports JavaScript if that’s your thing. But why is this helpful? There are many ways to create websites for free, however many have become excessively bloated causing them to load slowly, be a pain to manage, and look terrible. All of this is unnecessary if your main priority is to essentially display text for others. Hugo works perfect for this for a few reasons. 1. Static content is easy to manage, update, and create 2. There are lots of customization options available 3. I already only write in markdown which makes converting notes simple.

Obsidian

There is nothing more annoying than people shilling for their favorite note taking program so I won’t harp on it here. All you need to know is that I like Obsidian which is a markdown note taking program that is extensible with community plugins. It doesn’t matter which program you use as long as it can solve two problems. 1. You need access to the files locally which means most cloud note taking apps are out of the question (unless you want to export your notes or manually format them later) 2. Notes should be in a universal markdown format (Make sure whatever program you use doesn’t use a special markdown flavor). If you note taking program does both of these things, you’re golden.

AWS CLI

If you’re choosing to host your website in an AWS S3 Bucket, using the AWS CLI makes it very easy to upload your site from the command line (which means it can later be scripted). This solves the issue of having to use a web browser to manually drag and drop files which can be cumbersome and can add friction to updating your site.

Bash Scripting

Bash scripting allows you to take commands such as cp /home/Graham/file1 /home/Graham/Documents/ and rerun them by typing one single command. The power of this is that you can run dozens (or millions) of commands by running a single script. If you pay close attention to the actions you are taking on your computer, you will begin to realize 90% of the actions you take are done multiple times. This can be as simple as moving files to the correct folders or generating reports automatically. Scripting solutions sometimes takes some up-front technical nohow but I will leave all the tools I use in a github repository for you to use in part two of this post.

Conclusion

Creating your own security/IT blog is one of the most helpful ways you can spend your time when first starting out in your career. It allows you to set yourself apart from other candidates when hunting for a job, sharpen your writing skills, demonstrate your technical knowledge, and help others in a community that has a deep skills gap when it comes to technical content. I have laid out why you should create your own blog, in part two I will be explaining (in great detail) how I build and maintain this blog.When it is posted I will update this page with links. Part two is out now.