What to study next?
Want to keep learning security? Here are some ideas.
News
I'm giving you links to the website, but I get most of my news via an RSS reader (I use Feedly, but there are others). Yes, RSS is very old-school, but it also just gives me the news feeds I ask for, which is extremely refreshing these days.
- Risky Business. This weekly podcast is a pleasure to listen to, and every time I listen, I learn some new concept or term or perspective. It takes a while to learn enough to be able to follow all the conversation, but that's actually a feature, not a bug. The main guy, Patrick Gray, is somehow able to be an even-handed journalist while also having opinions, and his sidekick Adam Boileau is a deeply knowledgeable pen-tester. Comes out on Wednesdays. I never miss it. In the last couple of years, Gray has expanded his team and their offerings to a variety of podcasts, newsletters, and videos, but the main weekly podcast is still the best part.
- Ars Technica's security page. Just solid science and tech journalism all around, and sometimes even the comments are good reading.
- The Register. Really solid source of security and other tech news.
- The Markup. Interested in data privacy and digital civil liberties? These folks do deep analyses of the data systems we're immersed in. Just go explore their old stories--it's a grab-bag of horror and hope and cool data analysis tools.
- Bruce Schneier's blog. Whatever news Schneier thinks is important enough to link from his site is almost certainly important enough to know about.
- Brian Krebs on Security. This guy is a legendary security journalist, able to use his amazing technical skills to break wild scoops about who's hacking whom.
- Bleeping Computer. One of many pretty solid sources of news about malware, hacking, etc.
Cryptography
- Applied Cryptography, by Bruce Schneier. This is the classic book with which to study cryptography as it is relevant to software and hardware systems.
- Cryptography Engineering, by Bruce Schneier. This one, even though it's almost 15 years old without a second edition, is a good on-ramp to the other book. Maybe start here.
Pen-testing / red-teaming / ethical hacking
Short story here: doing capture-the-flag exercises on HackTheBox, TryHackMe, OverTheWire, etc. is fun and builds your skills.
Get your own server to play with
Install stuff, try stuff, break things. ...