Adam Caudill


Proposal: Association of Security Researchers

Security researchers play an important role in the industry, though one that doesn’t always receive the support needed. In this post, I am proposing the creation of a new non-profit entity, the International Association of Information Security Research Professionals (IAISRP), as a supporting group to push research forward, and provide the tools and resources to improve the quality of work, and the quality of life for those involved in this vital work.

I’ve written in the past about the issues around documenting research, problems with attribution, and the loss of information as the years go on. If you’ve not read “On the need for an open Security Journal”, I encourage you to do so before continuing.

This previously proposed journal would help to bring additional legitimacy to the research happening in the industry and community, and improve the relationship with the academic community. This journal would document, preserve, and support the massive amount of research produced by the security community, and ensure that it’s readily available to all.

This association would also open the door to making other services and resources available; once established, I expect that there would be no end to the ideas and inspiration, allowing this to evolve into something of great value to its members. While the journal would be the initial focus, it may grow to do more beyond that.

Goals

There are a few key goals to make this a valuable resource:

  • The journal will be available freely to all, at no cost to readers.
  • The journal will not charge any fees to authors. Being able to submit research for publication should impose no more burden than absolutely necessary.
  • The association would seek non-profit status in the United States, and be overseen entirely by members of the industry.
  • Existing research would be eligible for publication, not just new research. This is to ensure that as much as possible is documented and preserved.
  • The association would reach out to conferences around the world, and attempt to integrate itself as part of the CFP process, streamlining and coordinating the publication with conference talks.
  • The journal would be operated under a unique set of rules, different from traditional academic journals, to ensure that it serves the needs of the community it represents.

Non-Profit & Funding

The goal would be to establish the association as a non-profit entity, under section 501(c)(3) of the IRS code as a scientific & educational organization. This is a non-trivial task, though based on IRS rules, it should not be an issue. The most important part of this is that it allows receipt of tax-deductible donations to fund staffing and operations.

Funding this association will be a challenge, and perhaps the most important challenge to be addressed. Offering paid memberships & corporate sponsorships (à la OWASP) would address some of the costs, though donations or other income would likely be needed to provide a comfortable level of support.

With donations being tax deductible, donation matching, and leveraging volunteers & members to push their employers to donate, fundraising will hopefully be minimally painful. For security companies, sponsorship acts to get their name out more, shows community support, and can be helpful for recruitment. There would be real value for companies to direct money to this association.

Starting and running a non-profit is a complex and time-consuming effort, and will require volunteers, and possibly paid consultants, to ensure that all laws are complied with, and that the organization is and remains viable. This will require a number of people, to ensure that no single person is working beyond the time they can commit or beyond their skillset. This is, first and foremost, an organization by and for the security research community, and will respect the time of everyone involved.

Expected Expenses

There are a variety of expenses that will likely be incurred, including hosting, design services, software licenses, legal and financial services, and similar expenses; there will likely also eventually be full-time employees, most likely being the journal’s editor and staff to prepare submitted research for publication. There may be additional expenses as time goes on, including reimbursing leadership for their time, accounting and financial management, fundraising, and the like.

While the work of volunteers would be critical, there are limits to the amount of time that can be asked of members of the community.

Publishing Criteria

Unlike a typical academic journal, the motivations and commitments are fundamentally different in this case, and attempting to follow all of the norms of an academic journal would almost certainly lead to failure. In academia, being published is vital for one’s career; here, it’s doing a favor to the community.

As a result, different standards will need to apply. Research would go through a lightweight peer review as well as a plagiarism review and would err on the side of publishing versus not - the standard of review would be different than a top-tier academic journal. This difference in standards would be well documented, and while not up to the standards of academia, would help to ensure that as much is published as possible, and that as much history as possible is preserved.

The journal would establish an editorial board which would be responsible for defining these requirements, and overseeing their enforcement and evolution.

Keeping in mind that this serves a community that doesn’t typically operate within the rigid structure of proper academic publishing, it has to function in a middle-ground between the two. It won’t be perfect, but it would be better than what’s available today.

Existing & Historic Research

As noted above, the goal would not be only to publish new research, but also existing research that has been published elsewhere. This is an enormous project, one that would take many years, but it is essential to the overall mission of capturing and preserving as much as possible for the future.

Existing research would follow the same process as far as possible, though it may contain editor’s notes explaining variations that took place out of necessity. Such research would likely be published in a separate “section” of the publication, clearly indicating its nature.

Next Steps

As noted above, this is a project by and for the community, and would be possible only with the support of the community. To have any future, there must be enough support - interest, time, effort, money - to make this a viable project.

I am publishing this in hopes of starting a conversation; this may be the beginning of something that has broad impact on the industry, or it may die here on an individual’s blog. The future of this effort, my dear reader, is up to you.
