(target audience: students)

Depends on context, but roughly sortable into 3 categories:

  • Independent (you, by yourself)
  • Industry (you, with a company)
  • Academic (you, with a professor)

These different sectors have different incentives. It is worth considering whether these incentives align with your goals. Once affiliated with an institution, it generally becomes easier to switch to similar classes/tiers of institutions.

I previously did undergraduate research with an academic lab that focused on systems security. Nowadays I do personal research into whatever topics I find interesting / think are most relevant for my career.

Independent

Incentives: whatever you want! Probably get a job doing work you find interesting.

  • Looking for bugs (0days) in things.
  • Developing new tools.
  • Reading/studying/practicing/doing whatever is interesting to you.

Sample publication:

Industry AKA Private Sector

Incentives: make money, reduce business risk.

  • Large firms:
    • Intel, Apple, Microsoft Research
  • Small firms:
    • Consulting
    • Sell security products to Fortune 500/bigtech

Sample publications:

Academic

Incentives: publishing papers in conferences. Getting grant money so you can pay for students.

  • Targeting “big issues” – demonstrating novel attacks that highlight a flaw in some kind of infrastructure/protocol, not before demonstrated.
  • Doing science. Measuring things & applying the scientific method.

How to get into academic research:

  • Get sufficiently good grades (3.5 out of 4.0)
  • Find a relevant professor who publishes papers in the domain you’re interested in.
  • Read a few of their papers.
  • Try to get published in a relevant smaller conference.
  • Send them an email:
Hi Professor $NAME,

I'm a 3rd/4th year undergraduate student at $INSTUTION interested in
possibly doing work with you. I read your paper $TITLE and thought it was
interesting because $REASON_DEMONSTRATING_YOU_UNDERSTOOD_THE_PAPER. I'm
interested in this research domain because $REASON. I recently published a
paper to $VENUE titled $TITLE. Here's a link: <link>

Do you expect to be taking new students in Fall 20XX? Do you have any
suggestions for undergraduate-level projects I might be able to complete in
advance of applying to your program?

Thanks,
$YOUR_NAME

Note that professors often receive a high volume of these emails and so must choose to ignore most of them – try contacting one of their listed graduate students (usually on their personal websites) if you don’t get a response.

Example conferences:

  • Systems security: 4 big ones: NDSS, Usenix Security, ACM CCS, IEEE Security & Privacy (Oakland)
  • Privacy: PETS

Sample Publications:

Fields that exist today, off the top of my head

  • Fuzzing
  • Cryptography
  • Taint analysis
  • Data provenance
  • Bugfinding
  • Consulting