Andrew Hay is an information security industry veteran with close to 20 years of experience as a security practitioner, industry analyst, and executive. As the Co-Founder & CTO for LEO Cyber Security, he is responsible for the creation and driving of the strategic vision for the company.

Topic: Bootstrapping A Security Research Project

It has become increasingly common to see a headline in the mainstream media talking about the latest car, television, or other IoT device being hacked (hopefully by a researcher). In each report, blog, or presentation, we learn about the alarming lack of security and privacy associated with the device's hardware, communications mechanisms, software/app, and hosting infrastructure in addition to how easy it might be for an attacker to take advantage of one, or multiple, threat vectors.

The truth is, anyone can perform this kind of research if given the right guidance. Too many security professionals, however, the act of researching something isn’t the problem…it’s what to research, how to start, and when to stop. Academics think nothing of researching something until they feel it’s “done” (or their funding/tenure runs out). Security professionals, however, often do not have that luxury.

This session will discuss how to research, well, ANYTHING. Proven methods for starting, continuing, ending, leading, and collaborating on reproducible research will be discussed - taking into account real-world constraints such as time, money, and <gasp> a personal life. We will also discuss how to generate data, design your experiments, analyze your results, and present (and in some cases defend) your research to the public.