Sunday, March 17, 2024

Contributing in New Ways - Everything Everywhere All at Once

It's been a while since I last wrote down my thoughts about things that happened, things I've done, things that evolved. And a lot has happened since the beginning of the year when I announced my personal challenge for 2024. I would have loved to share a lot more frequently about my endeavors in small social media snippets, yet the last months have been not only busy but energy-draining (due to other aspects). There simply wasn't any energy left to share what I'm doing, and I'd rather spend the energy available on the doing itself.

As I'm slowly getting back to a more sustainable pace, and back to the kind of busy that I personally like and that gives me energy instead of just taking it, I'm finally ready to share a few things.

So, how did I contribute in new ways in the last months?


New Work Contributions

At work, I completed my first backend feature. I've worked on the backend before, yet rather focusing on cleaning up legacy, adding tests, improving things, adapting existing features. Yet I simply never had the opportunity before to add a completely new feature. We currently only have one dedicated backend engineer in the team, so I'm once again filling a gap. Admittedly, a gap that I really like and am way more familiar with than with other endeavors.

I gave a bunch of company-wide learning sessions again, this time experimenting with two new formats. One offers a dedicated public learning hour on all things security, the other shares stories from my own team to initiate conversations about how to grow the culture we want to see. Both formats were planned as a series of at least five sessions. Both had high-quality (though low-quantity) audiences so far, and people could take things with them after each session. I am calling that a success.

I've also learned a lot more about very domain-specific compliance topics, processes, audits, and more. These are not topics I'm keen on jumping on (especially compared to the other two), yet it's been another gap to fill and another contribution in a new way.


New Conference Contributions

Speaking at conferences is not a new thing for me anymore. What can be new, however, are new formats, new teaching styles, new session topics, new conferences, and new communities.

I decided to go for new topics and finally submitted my first security-focused conference sessions. I had been thinking about this for a long time already, basically ever since I started to invest in security knowledge and skills. Yet it's an especially scary area to step into, and that applies to conference sessions as well.

I managed to write three new proposals, two workshops and a talk. Two sessions are still waiting for feedback from the first conference, and one is already accepted! I'll have the honor to give my brand-new "Capture the Flag Together: Security for Everyone" workshop at the free Software Teaming Online Conference 2024. And Lisa Crispin agreed to co-facilitate with me! It's going to be a lot of fun. I just love this conference, and I owe a lot to it. Fun fact: my all-time most booked workshop, "Ensemble Exploratory Testing", also has its roots there. I'm very curious what happens to my new security workshop in the future, and in general to more security-focused sessions. At least the first step is done!


New Community Contributions

Finally, my courageous community contributions! So much to share from the very start. Right after having posted my personal challenge of the year, yet another initiative evolved. I can tell you I'm so very excited about everything. Depending on the initiative, I cannot always share everything publicly right away, yet there's enough to share already!

  • Launch an open space security conference together with Claudia Bothe, Claudius Link, Dave van Stein, Janina Nemec, and Ulrich Viefhaus. The TL;DR version: it's happening for real! The Open Security Conference (#osco) will take place on 4-6 October 2024 in Rückersbach, near Frankfurt in Germany. A lot more folks have joined as organizers since I last wrote about this initiative. We have further awesome supporters in the closer circle as well. Our website is public (and a constant work in progress), and our first social media presences are up on Mastodon and LinkedIn. Have you seen our amazing logo created by Janina Nemec? The event will be a full open space conference with the addition of two keynotes to kick it off - one amazing and well-known speaker is already confirmed. We're looking for sponsors; if you have a suggestion for us, it's appreciated! Well, a lot more is coming and will be revealed as we go. There's a ton more work to be done, so this initiative is indeed not getting boring at all. Instead, it's very exciting, and I'm really happy to have such a great organizer team to take this journey with!
  • Create a security card game together with Martin Schmidt and Philipp Zug. This endeavor took shape as well over the last months. We already had a play session, trying out the game for the very first time. It was such a cool experience to test out the preliminary content and experiment with different game mechanics. And it instantly generated lots more ideas to improve on. This is a really chill and fun activity, and we hope to bring it to open space conferences and the world. Check out our Security Card Game GitHub org in case you want to follow along.
  • Build a full-stack open-source practice platform as an ensemble with Ben Dowen and Vernon Richards. Yet another initiative I feel very hyped up about! We are taking the roles of the employees of the fictional company "Make-Believe Labs", taking on "Project Snack Shop" for a customer who wants to digitalize their well-running snack shop business by offering an online shop. For real, I just love this happening. We have an ensemble session each week, and we are all in. From our own vision, to the actual project offer and context, to the first proofs of concept, to team agreements, to design documents, to architectural decision records, to exploring walking skeleton options with code, and more. This is just super awesome. We have so many ideas to build on this! We don't have an overarching GitHub org for this yet to follow along, but stay tuned, a lot more is brewing already.
  • Offer Shiva Krishnan's and my leadership workshop series to the community. Ah, a longtime endeavor dear to our hearts. This series proved to be valuable to lots of people in the past, and it definitely helped both of us grow immensely. Finally, the time has come to spread the word further and transform our workshops into an open community offer. This year we want to try it out with a small cohort. In the first instance, we won't have public registrations, but will build on our networks for this first community proof of concept. If this goes well, there are plans for more afterwards! It's now really taking shape, and I'm glad to see this. Although access won't be public in the first instance, I'll see what I can share as we go along.

By the way, as if any one of the above wouldn't be enough (they clearly are), there are still further endeavors on my list that I'd love to start. I know, I know, I can't do everything at once, so I deliberately hold back for the moment, as the initiatives above (as you can imagine) already fill my time very easily. They also give lots of energy! Lots of growth, too, and I'm not alone in any of them.

As I'm writing this, I'm looking back to the original hypothesis for my personal challenge. While the endeavors above are indeed new contributions, quite courageous and also ambitious, I'm also very pleased to see that the hypothesis criteria will be very easy to measure indeed. I won't have any trouble learning from these initiatives. Seems I'm on the right track, and that's providing me peace of mind already.

I am very much looking forward to seeing how each of these new contributions evolves over time. Truly exciting!

Tuesday, January 2, 2024

My Personal Challenge for 2024 - Scary New Grounds

In the last few years, I've taken on several personal challenges. These are things that initially scared me yet clearly helped my personal growth. You could also call each of them my "theme" of the year to focus on deliberately, as my learning partner Toyer Mamoojee framed it. For 2024, I am taking on my sixth one!


Open Thinking

While working on my current challenge of the year, I am already taking note of topics that cross my path that would make yet another great theme for the following year. Here's my rough and raw list of thoughts that came to mind in the sequence I noted them down.

  • open source contribution
  • security
  • accessibility
  • app development
  • call for a weekly 90min ensemble creating an open source app together
  • a project a month
  • build an intentionally insecure movie app for practicing
  • "everyday security" series
  • "accessible security"
  • asking for help; see Ady's idea
  • initiate pairing/ensembling with others
  • deep dive focus weeks: learn foundations for a topic and share to deepen my generalist me
  • series of how I test things, especially on the backend side
  • anything that contributes to my vision of systemic inclusion and growth?
  • feeling I'm doing the same over the past years, over and over again, also re-using a lot of what I've built before; yet there's so much more to learn and grow into, like Maaret continually does, expanding
  • do something I haven't done before, truly grow again; I've used lots of approaches in the last years that had worked before, just built on them and refined them; yet didn't really reinvent myself anymore
  • really do need my own topics again, not being driven from conference to conference alone, neglecting my goals and blog
  • “Courageous Community Contributions” - finding new ways to contribute to the community (like I found new ways to contribute to a team and company over the years)
    • These are still scary!
      • List of a bunch of points - not revealing them here yet, you'll need to read on ;)
      • … leaving space for serendipity
    • What else I might do, yet not as scary anymore:
      • Paired blog posts
      • Paired conference sessions
    • Other things I’m already doing, that are not scary anymore:
      • Blogging
      • Public speaking
      • Security testing sessions with Peter Kofler
      • Code reading club
      • Learning partnership with Toyer Mamoojee
      • Daily habits and practice

As usual, the last idea grew and took shape in my head, and I kept adding to it. That's usually the candidate for the very next year, so here it is!


My Challenge for 2024

Here's the challenge of my choice for this year: "Contributing in new ways." Let's dive into this.

The challenge: I owe a lot to the various communities out there. I'm doing a lot to give back and especially pay forward through sharing on social media, blogging, and conference speaking. There are a lot more ways to contribute, though! I'd love to explore new options and pathways. This runs parallel to what I do at work: constantly re-inventing myself, my role, and how I contribute to teams and organizations. Going out of my comfort zone is how I've grown myself as a generalist. Therefore, I think I can also contribute in different ways outside of work. So here's my challenge: find new ways to contribute to communities and dare to try them - they just can't be the old things I'm already doing (while no one stops me from continuing what I want to continue).

The hypothesis: I believe that contributing to communities in new, courageous ways will add value to the communities I'm part of and grow my own knowledge and skills. I've proven the hypothesis when...

  • I have contributed in three new ways,
  • other people engaged with these contributions, and
  • I have learned three new things from each.

The experiment: In order to prove or disprove the hypothesis, let's get more concrete.

  • Contributions need to be courageous, something I haven't done yet that I find scary enough while being ready to give it a try.
  • Communities to contribute to are not limited, whether I'm already part of them or they are new ones I'm discovering on the way. Topics are not constrained either, as this is all about re-inventing myself by daring to contribute in new ways.
  • My initial options are not carved in stone. Instead, they are even prone to change, and that's welcome. I deliberately leave space for serendipitous new collaboration options.
  • There's no constraint on how much time these contributions require, whether they only take one hour or continue over many months.
  • If a contribution turns out to be not scary at all, then it's still a valid contribution to the community I can decide to pursue.
  • I choose to share anything about these contributions in any form I find appropriate. I am not limiting myself to blog posts for this challenge, nor do I require myself to write any.

Timeline criteria: It always proved valuable for me to think about when to start, when to pause, and when to stop.

  • Start: The fact that I've taken initial steps for a few courageous endeavors already in 2023 doesn't hinder me from including them in this challenge. The main focus will still start from now on.
  • Pause: Whenever I neglect the self-care I committed to, I stop to re-assess the situation and make a judgment call for how long to pause the challenge and get back on track to maintain the required energy. Pressing on without having the energy for it is a no-go.
  • Stop: It's time to stop my challenge and evaluate my experiment overall when I've either proven the hypothesis or it's the end of October 2024.

The hashtag: Initially, I opted for the following name and related hashtag to refer to this challenge: #CourageousCommunityContributions. Yes, I do like alliterations. This one's quite a mouthful, though, and I realized I'm not thinking about this challenge in this way. So I decided to take the words I use when I think about it, and that's #ContributingInNewWays. So be it.

Reviewing all this, I acknowledge the substantial risk that I open up too many topics and, hence, once again feel overwhelmed like in 2023. To mitigate this, I'm trying to build in as much freedom as possible to reduce unhelpful pressure. I don't want to lock myself in and instead still be able to respond to life. The constraints should be liberating. After all, I'll have to try it out and see how it goes.

Also, framing my challenges as measurable experiments allows me to document a starting point and afterward compare where I ended up with that initial state. So, hypothesis measurements are a tool to help me look back and spot differences. The most important metric will always be how much value I got from these personal challenges for my own growth. So far, it's always been worth it to dare take this journey.


It's on!

You might wonder, what kinds of contributions do I already have in mind? Here's a non-comprehensive list of currently prominent topics. As stated above, these options are prone to change. I'm sharing them here to make all this more tangible, help me reflect once I finish this challenge, and see if any of you would like to join me in any of these endeavors.

My journey already started with a few tiny steps on some of the listed topics last year. With old tasks closed and the new year starting, I now have a lot more focus to spend. I'm grateful for my wonderful conspirators, looking forward to our collaboration over the year, and I can't wait for what I'll learn on this challenge!

Wednesday, December 20, 2023

2023 - Another Year in the Books

All in all, this was quite a tough year. Stabilizing my work situation, picking up more conference speaking again after changing jobs and hence more traveling, restarting my personal challenges, facing lots of family issues, more sickness, the list goes on. A lot more challenges overall, both subtle and obvious, which made it a demanding and exhausting year. I observed myself mostly just pushing things to later, trying to hold on a bit longer, telling myself to just get that one thing over the finishing line, then it'll be calmer again. Well, the end of the year is here, and here I am, having finally realized it was overall still too much. There was one day at the end of November where I felt that moment of "finally, I recharged my energy, all is good now!" - and very shortly after I was in the hamster wheel again, feeling tired. Just last week, a colleague told me that we always need twice as much rest as we thought we would. Oh, the wisdom in these words.

I made it my own tradition to write a year in review blog post to reminisce about the last twelve months, and I don't want to spend too much on all the challenging parts. Instead, I want to look back and see all the good things that happened that I need to remember, especially at times when things are not shiny. Therefore, here are the highlights of 2023 for me to remind myself of in later years.

  • My team at work is in a good place. There's always room for improvement, yet the culture we fostered and continue to evolve makes me proud. We managed to steer clear of lots of trouble we still faced at the beginning of the year. We introduced and implemented tech initiatives that had a heavily positive impact on how we move our legacy system forward - kudos to our manager for having our back! We're working at a much more sustainable pace nowadays with more autonomy. All that with seriously awesome people! I'm curious what we can achieve together next year.
  • I found a new place in my team. Once again, I could reinvent myself and my role. It's a generalist, shapeshifting, druid-roleplaying, gap-filling role anyways, and I love it! What made a difference this year: This is the first team that managed to really own testing and quality together over a long period, always striving to get better, together. This freed me up to contribute in lots of new ways. It allowed me to hone and practice different skills and contribute hands-on on all kinds of topics. Hence, for the last half year I've been taking tasks and working on changes like everyone else, and learning and growing on each and every one of them. I gained lots of insights from this perspective and from some of the challenges that come with a developer's job! Now, I might still jump in on certain high-risk topics where I see the need, yet usually I know my team's got this. And we're anyways not leaving anyone alone. Personally, I just love this. Still doing what's currently most valuable for the team (and company), while continuing to grow myself just as well.
  • A difficult work relationship that started with broken communication turned into a trusting and supportive one. This was a hard one for me this year, yet I'm really glad we both didn't give up and worked our ways towards each other and with each other. I'm very grateful for that, and it's been a very insightful lesson in life in general.
  • It's been an honor and pleasure to work with my fellow quality engineers this year, especially those in teams closer to mine. Lots of pairing and ensembling across teams, lots of learning together - I wouldn't miss it. Thanks a bunch to all of you.
  • My fellow teammate and I kicked off an accessibility guild this year. People feared it might become another fluke, yet we have an awesome core group really engaged and going strong, keen on spreading awareness and actually increasing accessibility of our products as well as our workplace as such. More people raised their interest to join us next year, and I can't wait to see where we can take this together!
  • This year was my first time as an official security champion for my team. Creating and driving our mobile AppSec strategy was a great experience. Collaboration with our security folks got a lot closer. I experienced my very first security audit! Overall, I learned a whole bunch about what works and what doesn't to advocate for security topics and to make things happen. What tools are there to use, what are actual domain-specific risks and priorities, and what else is going on in the world out there. Huge shout-out to our awesome InfoSec folks for being so open and collaborative, it's been a real pleasure.
  • After taking a two-year break, I finally dared to restart my personal challenges. Which means I've done 5 overall by now! This year, I aimed for connecting with folks of the security community. In the end, it took longer than I intended, and it was scarier than expected, yet I made it! My network grew, my knowledge as well. These challenges once again helped my own growth for real.
  • My very first security conference is in the books. Something I wanted to do for quite some time now, and this year it happened with BSides Munich! Just loved the experience.
  • I created a new recommended resources page on all things security. I have 8 overall by now on various topics.
  • I spoke at 7 conferences and gave 10 sessions (3 of them brand-new ones), along with 4 other speaking engagements like webinars and podcasts. This makes it overall 91 speaking engagements since I started speaking in September 2017! What a number. At conferences alone, I have now given overall 40 sessions at 24 conferences in 10 countries. This year, I also had my first appearances for LeadDev, which is also something I strived for. I still can't quite believe the amount of speaking things I've done so far; I never would have thought I would when starting out. But I received so much from the community, so I tried to give back and pay forward where I can. I've invested a lot in this, and I got a lot out of it as well.
  • During on-site conferences, I created sketchnotes again. This year, I received a shout-out for the alt text I'm adding to them nowadays - which really was a highlight for me. I'm still learning how to do them even better, yet what I learned from Cakelin Fable was seen and acknowledged and I'm just happy I found a way that's feasible for me while making a whole difference for people.
  • I wrote 15 blog posts in 2023, including this one. Part of it was thanks to my personal challenge that often makes me write more, and I'm thankful for that. It's been a while since I learned about myself that I'm thinking in writing - I need to write things down and see them in front of me to help clear my thoughts and come up with new ideas, especially as I can always come back to them. So, these blog posts are mainly for myself to process and digest, remind my future self, and also gain new insights. If anyone else gets something out of it, it's a really nice bonus.
  • Last year a group of amazing folks kicked off a code reading club. This year, we had a bunch of new people joining and a lot more sessions. While I didn't make all of them, it's just been awesome to practice our skills together. Highly recommended!
  • Ever since my Testing Tour in 2018, I had monthly pair testing sessions with Peter Kofler on security, and they are still going strong. We finished our deep dive on the OWASP Top 10 and now started with the mobile application security guides to explore and discover more. Invaluable.
  • I've deepened long-lasting friendships, I've found and evolved new ones, and also met family members again I haven't seen for a very long time. I might not mention these things enough, yet I am really grateful for the foundation I have in some very special folks.
  • I finally picked up playing computer games more again. Still not as much as you would think, as that hamster wheel always tries to push me to run one more round (until I'm too tired to play). And I can run in that wheel for a long time - yet I would do a lot better when resting more, playing more games, doing more other things I enjoy in life. I'll do my best to keep reminding myself of it.
  • I continued to revive other passions I have that bring me joy, like drawing, and especially my passion for volleyball. I've learned so much from this beautiful team sport for life, for work, for me personally. And I still can't get enough of it.

To all those people who accompanied my journey in 2023, I'm truly grateful for everything. For all ups and downs, for support and challenge, for you being there with me, for us learning together. Thank you.

All is settled for 2024 now. I have a bunch of conference speaking engagements lined up (stay tuned). I have my new personal challenge ready. I'm even working on a few things with amazing people already, while trying to keep it slow enough to get the rest I need. And oh my, do I need some rest. As my colleague would say: twice as much as I think, so remember to double your time to rest.

Saturday, December 2, 2023

AskAppSec - Finding Closure

My personal challenge of the year, AskAppSec, came to an end and I finally found closure. Here I'm looking back to see what happened and what I can take with me for my next endeavors.


What I aimed for

The personal challenge I set out to in 2023 was to connect with security folks and related communities to grow my application security knowledge and skills. I've detailed things out in another blog post, so let me just re-share my original hypothesis here.

I believe that joining and actively participating in at least one security community for a period of six months will increase my understanding of practical application security in everyday work situations. I've proven the hypothesis when I have...

  • solved five mobile application security challenges,
  • explained how I solved them, and
  • asked community members for their review and feedback to learn from.


What happened

Due to a lot of other things happening in life privately and at work, plus me taking up my conference speaking endeavors again more seriously since the pandemic broke out, I had a really late start with my personal challenge, only in May this year.

I looked around for security communities to join and asked a lot of folks for recommendations. At first, I wanted to only join a choice selection to fully focus my engagement on those. Relatively soon though, I opted for a different path and joined as many communities as I found in order to figure out those where I found value for myself, that were open for newcomers, and that felt welcoming for me to participate.

Feeling overwhelmed by options, I started doing more of what I found valuable right now in the moment, and that gained me some dearly needed momentum. I also managed to secure a ticket to my first security conference, BSides Munich 2023, which in itself added to said momentum.

In my previous challenges, I used to take one action, work on one topic, instantly blog about it and then take the next step. This time around, I realized I did lots of things at the same time, overlapping with each other, and then wrote my blog posts rather at the end in a row. Here are the posts that matched the five main topics I chose to work on.

Besides sharing these blog posts on my usual social media platforms, I also asked explicitly for input in the communities I've joined. Sometimes just in one of them, sometimes in multiple, depending on where it felt safe enough and whether I had practiced asking strangers enough already to dare it. Sometimes I received feedback from folks on these posts, sometimes even feedback that added to what I had already written, so I edited my blog posts to reflect it there as well.

Through all this, I did make new connections to security folks. These new bridges between specialty roles, and also fostering previously existing relationships, really helped my own growth and offered opportunities for me to contribute back to the community.

I've built up a new recommended resources page on all things security. It's still growing, yet hopefully already useful for others as well.

Finally, I'm ending my challenge later than planned and granted myself the freedom to do so - even though this broke my original constraint of ending it by end of October.

So, did all this increase my understanding of practical application security in everyday work situations as I believed at the start? Based on the conversations I ended up having at work and getting closer to our InfoSec team as well, I believe it did indeed.


Where I struggled

To be frank, I really struggled with this challenge. On the one hand, I'm supposed to struggle with my personal challenges, otherwise they wouldn't get me far enough out of my comfort zone. On the other hand, this one felt particularly difficult to me.

  • My late start really weighed on me, as usually I make use of the fresh energy of a new year to get things moving and then build on the momentum.
  • I realized once more that it's only a subset of folks being engaged in communities. This is the same for all kinds of professions, something I've seen in testing and quality, development, architecture and so on just as well. It's a bubble in a bubble. This made getting recommendations harder than I thought it would be.
  • Originally, I aimed to focus on mobile-specific security. Sometimes this was the case, yet mostly my topics were not super specific to mobile and instead applicable to other areas as well.
  • Asking communities felt super daring. I am proud I managed to do so. While knowing I might not receive a lot of responses, of course I hoped for feedback. Well, I mostly didn't receive much input at all, which can be quite discouraging. Mostly it was either feedback through social media from communities I'm already in - after all, this seems like a natural thing. They know me, we're already well connected, and I still value the provided feedback a lot - I'm grateful. In other cases, it was feedback from new communities that merely stayed on the surface and unfortunately didn't add to what I already wrote or gave me new pointers. Sometimes, though, there was just brilliant feedback that really helped me and triggered new thoughts, so I'm trying to cling to that.
  • I took on too many commitments next to my personal challenge and really struggled with my capacity. I neglected personal constraints I usually have on my personal challenges to keep some part reserved for self-care, and it drained my energy.

What I learned

This challenge taught me quite a few lessons. That fact in itself already really made it worth it. I'm definitely richer in experiences and knowledge than I was before. Here's what I'll take with me on top of the gained knowledge, skills, and connections.

  • Sometimes life takes over and has unplanned demands, and that's okay. That could either lead to pivoting like I did with my challenge in 2020, or still pursuing it while being more flexible about it like I did this year, and that's okay as well. I do need to take my own advice of good enough actually being good enough more often.
  • It doesn't matter that I didn't do everything as I envisioned, as long as I learned valuable things - and I did. It's not about reaching everything; it's about taking actual steps instead of just wishing I would be the person who had taken those steps.
  • As an outcome of this challenge, I do have more connections to security folks now. Not a whole lot of them, yet valuable, deeper ones. Once again this shows me that quantity is not everything.
  • Connections made face to face, be it remotely in a video call or in person, are way easier for me to make and they tend to hold longer. Therefore, I'm looking to join more meetups and conferences that offer the opportunity to speak with one another.
  • I really should not start too many new unrelated things at the same time overlapping the personal challenge I set out to take on. This year, I overdid it. I had unlearned how to enjoy myself for myself and overstepped my own boundaries which left me drained. The recent weeks where things finally got closer to the end really showed it to me: my body told me to stop and finally take the rest I need.

Conclusion

While I did really enjoy diving into security further again and this will definitely not be the end of this journey, I really needed closure on this specific challenge. There's always opportunity cost to consider and I need to free myself up for new things. I already took on topics reaching into the next year, and I am already looking forward to these next endeavors, so I want to make time for them without feeling overwhelmed. Therefore, one personal challenge a year is still a good thing to force myself out of my comfort zone while also keeping it within limits.

Having focused on my AskAppSec challenge during this year, there are still so many topics on my list of things I could do or write about. The good thing is, just closing this challenge doesn't mean I cannot pursue them anymore. It just means I'm leaving this open for myself, and I feel that's a good thing. And it also grants space in my life that's not just commitments to others, but commitment to myself.

Now, before revealing what I'm up to in 2024, I'll indeed take some time for myself. But looking back at AskAppSec, it's overall been a good challenge at a good time for me. So, let me close this post with a huge round of applause and gratitude for all those folks who talked security with me this year and hence helped me on this part of my journey - my sincere thanks to you!

Monday, November 27, 2023

AskAppSec - Capturing Flags

Deliberate practice proved to be invaluable in my own career. The last months showed me once again that this applies to the field of security just as well.

As we can't practice security-related skills on just any system without causing harm, we need dedicated spaces to practice safely. Fortunately, there are lots of options readily available out there, way too many to list them all. Hence, here are just a few sites that provide not only great starting points yet also the opportunity to go as deep as you can.

  • OWASP Juice Shop: This is an intentionally vulnerable web app, mimicking a quite common e-commerce scenario. Based on this, you get a set of challenges presented that allow you to try out techniques to find and exploit the present vulnerabilities. It's been my own entry point into practice apps for security and the gamification behind this app in particular really drew me in further.
  • OWASP WebGoat: Another commonly cited OWASP project that offers you a place to practice. In this case, you go through dedicated lessons to learn about vulnerabilities, to see how they work and how they can be mitigated.
  • Hack The Box: This service offers you a huge amount of prepared virtual machines aka "boxes" to practice on safely. I really like their starting point machines that guide you towards the secret aka flag you're trying to find and introduce you to commonly used tools to identify and exploit vulnerabilities.
  • TryHackMe: Another service offering lots and lots of machines to practice on. You have plenty of themed learning paths to learn on with a lot of detailed information to guide you on the way. Both Hack The Box and TryHackMe have big communities active on Discord offering a great support network.
  • PortSwigger's Web Security Academy: The developers of Burp Suite provide a great resource with lots of challenges to solve in order to learn more about web security in general.
  • PentesterLab: The courses offered on this platform include lots of explanation and guide you step by step to learn skills needed for penetration testing. My thanks go to Yianna Paris for introducing me to this service!
Besides these dedicated apps and labs available around the clock, you can also watch out for hosted public capture the flag (CTF) events. I've recently joined one from Huntress and I see several being announced for the upcoming holiday season, like TryHackMe's Advent of Cyber or the SANS Holiday Hack Challenge. Being in security-focused communities and following more security folks on social media really helps to learn about these CTFs. Alternatively, you can check dedicated sites like CTFtime to look out for the next ones coming up.

When practicing in these kinds of spaces on such kinds of challenges, I've experienced the following benefits.

  • Reduce scariness. Dipping your toes into security can be scary indeed. You might not know where to even start, so having these kinds of practice spaces can serve as just the starting point you need. More often than not, they include challenges designed for beginners that offer further explanation and guidance to get you introduced into the space.
  • Grow knowledge. Through these practice apps I usually got introduced to something I didn't know before, be it a concept, a tool, or anything else. For example, they also provide a great reason to get to know security-focused Unix-like systems like Kali Linux, Parrot Security or Mobexler and their respective tool boxes.
  • Hone skills. The more we practice, the better our skills get, and the more we can make connections between things we know. More pieces to complete the puzzle, or in our case the next challenge. Creative problem solving is definitely a skill we're practicing here!
  • Build confidence. The more touchpoints we get and the more we seize practice opportunities, the more we can grow our own confidence that we can also figure out the next challenge.
  • Spread awareness. We can use the gained knowledge and skills to raise awareness about vulnerabilities with others. Even better, by practicing together we can increase awareness in real time. These kinds of challenges can help people see what's possible and why we need to defend our systems, protect value and keep harm away.
  • Find joy. Security can be perceived as such a dour and tedious topic. Finding solutions to security challenges, however, can feel very rewarding in itself. Doing challenges together can further help with connecting security with fun and make it more interesting for people to engage with. It can also help to find community and like-minded people to learn and grow with.

All of these advantages I've experienced myself as I've been trying out various vulnerable apps, a bunch of labs offering dedicated challenges, as well as dipping my toes into my first public CTFs. I've also seen them over and over again with conference participants, joining me for many sessions of "capturing flags together" at SoCraTes, FroGS Conf and Agile Testing Days. It's been just the same when hosting practice sessions with colleagues in the past - something I'd like to pick up again in coordination with our current InfoSec team.

So, just practicing within these spaces gives us everything we need, right? Well, unfortunately that sounds too good to be true. There are also downsides to these kinds of challenges. Kudos to Dave van Stein for making me think more about this!

  • Artificial challenges. All these spaces are crafted with a specific goal in mind, usually to educate and provide a safe place to practice. Therefore, challenges are inherently artificial and can't fully represent real-life scenarios.
  • Mindsets differ. Attackers tend to think differently. I mean, they usually don't have the one clear flag to find in a constrained environment to announce their win. Instead, they might gather all kinds of information over a period of time, and based on that build their strategy on whether to exploit identified paths into a system, what to gain from it, and so on. It highly depends on their motivation and goals as well.
  • Uncertainty instead of solutions. For labs and CTFs, you'll know when you've made the right move: you get a reward. In real life, there's no cheat sheet, there's no walkthrough. Just potential and ambiguity and never being completely sure that whatever you've found (if you've found anything at all) is all there is to find.
  • Overly focused on penetration testing. All the sites listed above are mainly offered to practice penetration testing. It's the one hot topic that probably attracts most people, but how often do you actually need those skills? How many jobs are in this area compared to all the others? There are so many more skills needed in the field of security. So where are the challenges on secure coding, or secret storing, or vulnerability evaluation, or threat identification, or incident response, and so on? Well, more practice apps are being built all the time, so some of these do exist already while not always being in the spotlight. And of course, there's official formal training to have as well (though it can come at high costs).
Weighing benefits and downsides against each other, I consider deliberate practice opportunities like the ones listed above still invaluable. We do have to be cautious, though, to put them into perspective and be clear about their goals and limitations.

That leaves me with yet another question: can we practice closer to reality? Here are a few approaches I think we could experiment with. I'd be happy to hear about further options to add to the list.
  • Replay past real incidents. I'm thinking of actual security issues that your own company faced. We could replay these very real scenarios both from an attacker and a defender point of view and hence learn what we can do better - very concretely for our specific situation.
  • Run open thinking exercises. Deliberately practice approaches like threat modelling, attack trees and similar to improve our thinking, within our actual work context to make it as applicable as possible.
  • Host custom-tailored CTFs. Have one person hide a custom flag on your own system for people to find. It might still be an artificial scenario, yet placed in your very real context. This requires quite some preparation of course, like a dedicated environment to practice on and, as usual, explicit consent from all involved parties. The gained insights might still be worth the effort.
Personally, I'm sure I'll continue making good use of the various practice opportunities there are. I'm also considering joining or starting a CTF team to make practice even more deliberate. If anyone's interested or has recommendations for good places to find a welcoming, inclusive and diverse team please let me know.

Now let's bring this question back to the community: what do you do to practice your security skills?

Monday, November 20, 2023

Agile Testing Days 2023 - Celebrating Opportunities

It's been the 15th edition of Agile Testing Days and the conference came a long way. This was my very first conference in 2015 and I was fortunate to be able to come back every year since then - never regretted it! On the one hand, there's the huge and diverse program to choose from, and on the other hand, there's this wonderful and ever-growing community to come back to. Loved meeting so many awesome folks again, while I missed the opportunity to check in with others - there's a lot going on, I hope next year we can make more space for it. At the same time, I got to know lots of people I hadn't met yet! This is something I'm looking out for deliberately, and while I didn't have much capacity this year to go mingle proactively, I'm glad it still happened.


Sunday

After attending so many editions of the Agile Testing Days, returning to the venue felt like coming home in all the best ways. There are usually some familiar faces to instantly meet in the lobby on arrival, and there are lots of people to re-connect with during the evening before the event starts.

A few of the people I could already catch up with were Elizabeth Zagroba, Joep Schuurkes and João Proença, having a lovely dinner together and exchanging what happened since we last met. I really enjoy these kinds of shared moments at conferences. Besides the official program, these opportunities are usually the most insightful for me.

The evening faded out at the hotel bar, meeting more awesome people again like Udita Sharma, Shivani Gaba, Dragan Spiridonov, Richard Bradshaw, and so many more. It was also the first opportunity to finally meet people I only knew from social media like Yuya Kazama, as well as make new connections like with Nadja Schulz.


Monday

The first day of the event is dedicated to full-day tutorials, the official conference opening and dinner in the evening. Personally, I really like kicking off the conference with attending a tutorial. On the one hand, I enjoy the focus time on one topic before the huge, busy program starts, and on the other hand, I really like starting with a smaller group of people and get to know them better before a whole lot more join during the regular conference days. This time, I had the pleasure of having Sanne Visser right next to me in the tutorial - loved it. Over lunch, I could also re-connect with Jumpei Ito and get to know Masanori Kawarada. The day was already off to a good start for the conference!

  • Tutorial Breaking into AI and Machine Learning by Tariq King. I hesitated for quite some time to dive further into machine learning. Yes, I've attended a few talks and workshops in the past years on the topic, yet haven't tried much of the generative tools or LLMs yet. Therefore, this tutorial was clearly one to learn from. Also, I've had a few chances to join Tariq's tutorial at other conferences yet always went for a different topic. So, it was about time to finally get out of my comfort zone and seize this opportunity. Didn't regret it one bit! It was a great dive into different areas of AI and machine learning. I especially appreciated the hands-on experience we could gain, and then learning about theory as we went - instead of the other way around. It made this topic really accessible, and you could see how you could apply this in other areas as well. Definitely recommended.
  • Keynote My tale of playing the Testing Game by Maaike Brinkhof. This keynote was an awesome opening for the conference - a pity not everybody was there yet, this would have deserved the big audience. I love it when people share their story, what decisions they made, what they learned, where they struggled. Really related to the options provided in the end as well - we should be intentional about our moves; we don't have to just stay where we are and be miserable.
  • Mini-missions: making the everyday exciting by Veerle Verhagen. Somehow I missed that there was yet another talk scheduled before the evening started, so this was a nice surprise! Unfortunately, I didn't take a sketchnote of this one, yet I really liked the idea Veerle presented. Going on mini missions (or side quests) to get your mind set on something else when everything is otherwise too much, you're getting anxious, you're lacking drive, or anything else. No actual tasks you have to accomplish, yet fun little optional things that can help you enjoy life more. It was amazing to see how this idea really stuck with people throughout the conference, looking for mini missions throughout and having fun with them - what an impact!

The evening started with the speakers' dinner as well as greet and meet dinners for participants to break the ice and get to know a few people already. This is a really good opportunity for everyone already around. The event can be overwhelming as it is, and it's good to have some familiar faces in the crowd you can more easily catch up with. That's one of the huge advantages of being a speaker returning to an event you've already spoken at, as you usually have made lots of connections already through speaking.

When it comes to the speakers' dinner, Agile Testing Days is known for treating their speakers very well! That includes food and drinks, the scenery, basically the whole atmosphere. It's been yet another amazing evening together with lots and lots of awesome conversations. Catching up with Micha Kutz and Vernon Richards. An amazing opportunity to reconnect with my dear friend Thierry de Pauw! Together, we had really insightful conversations with João Proença and Johannes Nicolai about branching strategies and pull requests with all the trouble and benefits that can come from them - loved it.


Tuesday

The first regular conference day started with all its usual busyness, lots of people, lots of learning. Here are the sessions I joined on that day.

  • Tuesday Morning Lean Coffee by Janet Gregory and Lisa Crispin. I just love lean coffee sessions for all the serendipitous insights and inspiration! Janet and Lisa are great at setting a welcoming space for them. This time, I learned about maturity maps - Wardley mapping applied to teams. We also once again talked about adapting our wording for desired impact; for example, does it help more to talk about a "test strategy" or a "delivery strategy" in the given context?
  • Keynote 10x Software Testing by Kristel Kruustuk. Kristel painted a picture of how testing evolved over time, and how AI and machine learning helped her company become more effective. She also made clear that big changes don't happen overnight, yet usually in taking many small steps.
  • The alliance of a security engineer and a tester by Aleksandra Kornecka. I really liked that this talk spread awareness on collaboration and career options in security! Personally, I've seen testing and quality overlap with security work quite a few times, and vice versa. Joining forces resonated a lot with me, as well as her point that cybersecurity is everyone's job.
  • Facilitating a quality process assessment by Janet Gregory. As I've done a few assessments myself in the past for my own as well as other teams, I really related to this talk. Janet presented steps to facilitate an assessment and gave lots of advice what to look out for. For example, watching for gaps between what people say and what they do - so much this!
  • Keynote Could Agile Testers Help Debug Management? by John Buck. John shared how common organizational structures result in autocracies, especially on the top. These usually lack the feedback loops that are crucial to have good product outcomes. He presented a different option in the form of a sociocracy with elected representatives and various forms of consensual collaboration. Including debugging the system and finding better approaches instead.
  • Workshop Collect your explorer badge by Udita Sharma and me. This was the first time we could give our brand-new workshop together! We presented a new approach to help with exploratory testing: applying high concepts from the domain of fiction to the world of exploration. What for? To come up with exploration ideas ourselves, to explain what we do to others, and to inspire more folks to join us in these efforts. All in very short time, without unfamiliar jargon to make it accessible for everyone. It's been a great experience to prepare and facilitate this workshop together with Udita, and we just loved seeing people engage so much with our content.
  • Keynote Missed Opportunities. When quality is put in a box. by Erika Chestnut. I really liked Erika's take on opportunities, especially those that we miss, be it intentionally or unintentionally. For ourselves personally, in our careers, as well as for our product. "Poor quality is a succession of missed opportunities" - I so much relate to this! Erika also encouraged people not to stop with testing, yet look for further opportunities to influence quality.

That wasn't it yet for the evening! First, there was the snack exchange, initiated by Sophie Küster (who unfortunately didn't make it to the event, and who was missed dearly!), and organized by Tobias Geyer. Lots of folks from the community brought regional snacks they love and it all came together in huge snack piles on the tables. So many wonderful tastes to explore! Just awesome. Some might say it maybe wasn't the very best idea to do this right before the big dinner, but hey, we all still enjoyed both very much - and it's unicorn land after all, so who is anyone to judge?

Dinner and party for everyone is on the usual program for this evening. A costume party to be precise! I personally really dislike dressing up, yet this is my favorite costume party ever. I've not been judged for not dressing up once, and everyone just enjoys whatever they want to wear and whatever everyone else came up with. This year, the theme was the 90s, so it was a real throwback to my teenage years for me. Loved it. Also, lovely food, a huge 15th anniversary cake, and great conversations.

Usually, this is also the time organizers reveal who won the Most Influential Agile Testing Professional Person (MIATPP) award. This year was special though. It was officially the last in-person conference for Janet Gregory. Phew, what a tough, sad moment for all of us to say goodbye to such a huge and dearly loved figure in the community. At the same time, what a happy moment for Janet to move on to new endeavors and opportunities! All the feelings. Janet and everything she's done for this community was celebrated - so very well deserved. I owe a lot to her and can only hope to pay it forward in some ways. I'm very happy I had the opportunity to be there to witness her goodbye, and I'll keep her in my heart and memory.

The evening was long and awesome. There was finally time to catch up with my dear friend and learning partner Toyer Mamoojee. Time to talk with my amazing colleague Rita Avota who volunteered at the event. Janina Nemec and I could finally play SET together, an opportunity we waited for since SoCraTes. A chance to re-connect with Marianne Duijst and her family! Really loved seeing my friends Anne Colder and Vincent Wijnen again. The evening got longer and longer, lots of folks, I just loved it.


Wednesday

The longer the previous evening got, the more tired I was when getting up on this day. Well, there's always a trade-off, and I realized the fear of missing out and the enjoyment of the moment didn't let me take care of myself as much as I should have. Not sleeping enough took a toll on me. Still, I tried to make the best out of what the day had to offer.

  • Keynote Reimagining Automation by Andrew Knight. He presented an interesting narrative of the past and future of testing, showing what could be. I especially liked the emphasis on automation as a tool beyond testing, which we already see nowadays. Lots of food for thought on how we would like to create our future, and for which cases tools will be able to assist us best.
  • Workshop The Hitchhiker's Guide to mobile accessibility by Nithin SS. This was a really great session that would have deserved more time, as there are so many aspects for mobile accessibility to consider. I gained lots of insights and resources from the session and loved the hands-on exercises. A lot to take with me and digest further.
  • Keynote Everyone is a Leader by Zuzi Sochova. Lots of gems in this talk! I really liked the message of everybody being a leader and being able to influence - more people need to hear this. Same applies to what true collaboration really means.
  • Workshop How to Untangle Your Spaghetti Test Code by Michael Kutz and Christian Baumann. Loved this session! Very relevant and very hands-on. Micha and Chris shared lots of tangible advice on how to recognize issues in our code base and what helps to remedy them. My table formed an awesome ensemble to work together on the exercises provided, which allowed us to contribute from our different perspectives and learn from each other. It's been a real pleasure to work again with Mazin Inaad this way!
  • Keynote MOVE THAT WALL by Dr. Rochelle Carr. I've seen her keynote at Agile Testing Days USA this year, a talk that really hit home for me. And once again, this was yet another powerful and energetic presentation. I saw and heard from many folks how impactful it was for them, and you could also hear it in the many, very personal questions asked right after the keynote. I especially appreciated the very direct and clear advice provided that makes you think. In the end, if there's a wall in front of you, no matter what or who it is - let's move it!
  • Keynote Don’t go breaking my code by Lena Nyström and Samuel Nitsche. Now this was something completely different! I knew these two were up for something, and yet they exceeded my expectations. A different kind of keynote to be sure! Who can claim they've seen conference speakers act and sing on stage, in a musical-like way, while also conveying great points probably lots of people can relate to? Very entertaining, something to remember. I especially loved the message that we need each other to deliver something of value, so let's build on that together.

In the evening, I felt really tired and was ready to take a break from the crowd. That was when I met Parveen Khan again, and we decided to go out for dinner that night! Loved that calm time to catch up. Afterwards, I had energy again to mingle and have the evening fade out in good company.


Thursday

While Agile Testing Days usually starts slow with the whole week and plenty of time lying ahead, it often quite quickly comes around to the last day of the conference. Here's what I chose to close things off.

  • Keynote A Fighting Chance - Learning the Art of Conflict Resolution by Alex Schladebeck. This keynote was meant to be given by both Alex and Sophie Küster together. Although Sophie unfortunately couldn't make it, Alex did a great job keeping Sophie in this talk and in people's heads nonetheless. The keynote provided lots of valuable and tangible advice on how to deal with conflict situations. I especially loved the concrete statements provided that we could use in our communication with each other, as this is what I often struggle with.
  • Workshop Ensemble Testing by Elizabeth Zagroba, Joep Schuurkes and me. Time for my second workshop! Again, I was in lovely company. Elizabeth, Joep and I had lots of fun setting the space for effective collaboration and fun learning to happen. We introduced people to working as an ensemble (also known as software teaming, formerly referred to as mob programming). We offered three different topics for people to choose from: exploration, programming, and security. I had real fun with the latter, facilitating yet another "capture the flag together" ensemble session! People really engaged and, judging from the feedback received, seemed to have a good time while gaining lots of insights. Just loved seeing this!
  • Keynote Wait! That’s Not Tested by Heather Reid. I really like Heather's stories and all the data she gathers to tell them. This keynote was full of great points as well. I especially loved shifting the narrative towards thinking in bets and hence minimum shippable risk - phew, some real food for thought to take with us!
  • Continuous performance testing with K6 by Alexander Chumakin. Alexander presented a distinct set of tools and demonstrated how they can work nicely together. Really concise talk, giving a concrete example of how we can improve performance testing.
  • The paradoxical state of performance testing by Sonja Nesic and Frank Kootte. Sonja and Frank shared their story of where they came from and what they did to turn the ship around when it comes to performance testing. Lots of tangible advice. Especially applying lessons learned from functional testing to performance was great food for thought! 
  • Keynote The Rise of Generative AI: Judgment Day by Tariq King. And here it was, the closing keynote of the conference. Tariq shed light on generative AI from the angle of the Turing test. He also did a live imitation game with us, presenting us with artwork and music that may or may not be real. That was a quite impressive demonstration that drove the point home how easy we are to trick! While there's no real intelligence yet for machines, we should consider revising the Turing test. In any case, we're overdue in coming up with an ethics framework around these kinds of tools to use them for good rather than bad purposes.

With that, it was a wrap. The 15th edition of Agile Testing Days was officially over. Lots of people still stayed around and engaged in the various evening activities. As it became a tradition, I went out for dinner with a lovely group of people.

As always, we still ended up in the hotel lobby. Playing another round of games. Using the opportunity to catch up with people we couldn't talk with yet. I really appreciated the time I had with Gitte Klitgaard this evening. Also, last minute opportunities to meet new people like Virginia Weidhaas and Nicole van der Hoeven. So many more good memories to take home with me.

I loved that this year a whole bunch of people from my code reading club were there and we even managed to make photos with (most of) each other! Huge shoutout to Anne Colder, Janina Nemec, Lisa Crispin, Samuel Nitsche, Vernon Richards - while missing everyone else in the club.

Change Is Coming

This year was amazing, next year will be different. Well, Agile Testing Days is slightly different every year, they do a great job listening to feedback and adapting. Yet for 2024, the organizers already announced that the concept will change. I'm really curious what they are up to. They have my full trust. I will be back in any case.

Tuesday, November 7, 2023

AskAppSec - Dependency Updates

When one of my former managers commented on my blog post on Painless Usable Security, asking about our approach of keeping dependencies up to date, I realized that there's more to the topic and I should write a separate post about it. So here it is!

Keeping dependencies up to date has been a big topic in lots of the teams I've been part of. When I created our AppSec strategy for my current team at the beginning of the year, this topic once again stood out to me as the first one to tackle. This is based on our context. We have a whole bunch of services we own and most of them have been around for quite a long time (and are still valuable). We inherited a system that had degraded over time, and knowledge had been lost. Over the last two years, we learned to understand this system a lot better, as a whole team. We invested in several endeavors to get it in shape again, to preserve its value, and also to ease extensibility.

Before going into details, let's first take a few steps back.

Why even have dependencies in the first place? Nowadays, most software is not built in an echo chamber. It'll be based on lots and lots of other software that lots and lots of other people provided, so that we all can achieve more with less. There are specific contexts where dependencies will indeed be very constrained, usually in situations where stakes are very high. Yet even then you probably don't invent your own programming language, operating system or infrastructure. For the kinds of products that I've worked on so far, the system will have lots of dependencies on third-party frameworks, libraries, and more.

So, we need dependencies. Yet why should we update them and keep them updated? Can't we just keep everything as it is?

  • Even if we don't change anything on our side, the world around us does not stop. Tech evolves every day. If we don't change anything, our system will naturally degrade from both a business-value and a security perspective. More vulnerabilities in the dependency versions used will be found, and the system will be more and more at risk. Until suddenly it's very time-critical to have that risk mitigated. Remember Log4Shell, anyone?
  • Besides security fixes, you'll also want to use new capabilities that dependencies offer in their newer versions. These can help preserve or even increase the value of your system and keep it relevant to users, business and other stakeholders.

Fine. Yet why do people struggle so much with updates? Just do it, right?

  • Dependency updates oftentimes come with the need to adapt your system to the new version. Sometimes that means completely re-architecting your solution; very painful. Sometimes dependencies have removed or replaced features in their newer versions, and you'll need to cater for that. Even if there's no obvious need to adapt the system, updates might break functionality in lots of surprising ways - so you better have suitable measures in place to mitigate that risk and detect regressions early.
  • Updates can come in very fast, sometimes multiple times a day. Think about the JavaScript ecosystem for example. It can be overwhelming and feel like a Sisyphean task: as soon as you got your system in an up-to-date state, there's a new version of at least one dependency released again!
  • Dependencies have dependencies themselves. Oh my. Updating one dependency often means it's not compatible anymore with the rest, so you need to update a whole bunch of others as well; especially when updating frameworks. This also means, by the way, that dependencies have to keep on top of their own dependency updates. The struggle is real.
  • Dependencies might be discontinued and not get any updates any longer due to a variety of reasons. They might get moved to other places, integrated into other projects, you name it. Sometimes you can migrate, sometimes you have to find similar tools from scratch again to meet your needs. For any newly introduced dependency, it needs evaluation and validation again (better do it regularly for existing ones as well). Licenses are crucial to consider, especially when including open source dependencies. Checking its usage, how many people contribute to the project, how many issues had been already identified or fixed, when the dependency was last updated, how much community support it has, and so on. It's good to have a guideline in your context what's considered suitable to choose and what not, and what's the reasoning behind it.
  • You have more dependencies than you might think. The number of libraries directly used by your services alone is probably high. Yet there's also the infrastructure you're running on and its dependencies, like container images with their operating systems and - surprise - their respective dependencies. There are dependencies to data storage solutions and so on. It's a lot to keep up to date.
  • Probably the biggest hurdle I've seen is getting buy-in to do this kind of maintenance "keep the light on" work as part of normal everyday business. It's an investment and there's opportunity cost - if you invest in one thing, you can't do another at the same time. This often leads to not investing in maintenance at all. A strategy which comes around to you soon enough, presenting you with even bigger investment needs to get back on track again, while already being hindered to follow other opportunities that you wanted to prioritize for business reasons. It can slow you down to a complete halt. Yet as that's usually only a future problem of a potential risk, it's really tempting for people to ignore it (guilty of that myself). It requires lots of experience, discipline, and good practices to still keep your system tidy and in shape, continuously. And keeping each other accountable, we're fallible human beings.
  • Last but not least, context is crucial. In industrial cybersecurity settings, updates might have a hugely different impact, not only financially yet also when it comes to safety. Lesley Carhart describes it well in her CyberWork podcast episode. Context really matters, risks can differ heavily.

What about tools to help us keep dependencies in shape?

  • There are Software Composition Analysis (SCA) tools to help you detect outdated dependencies, including their known vulnerabilities. They usually compare your dependencies' versions against a list of available versions and the reported advisories for each. Integrating such tools into your source code hosting platform and delivery pipeline helps as well, so findings show up where the work happens. You might have heard of OWASP Dependency-Check, Dependabot, Renovate, Snyk Open Source, and the like.
  • Package managers often come with integrated checkers, like npm's built-in npm audit, which with npm audit fix also offers to apply the straightforward updates automatically for you.
  • Modern IDEs support you by indicating outdated or vulnerable dependencies, like IntelliJ IDEA Ultimate does. Check out Marit van Dijk's awesome talk "Keep your dependencies in check" to see it demonstrated along with lots of useful advice.
  • There are repositories like Maven Central to get dependencies from in all available versions, which often also help if dependencies moved their artifacts, got renamed, deprecated and more.
  • Tools like OpenCVE allow you to subscribe to updates for your technology stack to get alerts on potentially relevant security issues.
  • Sometimes frameworks offer migration tools to help with bigger updates.
  • More and more people talk about a software bill of materials (SBOM) to keep an inventory of all kinds of software, including the dependencies in use; it's also what scanners match against advisories.
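To make the core of the first and last bullets concrete - a scanner matches an inventory of name/version pairs against advisories and newer releases - here is an added example in Python. It is not code from this post or from any of the tools named above. It parses a constructed pinned manifest into components, emits a minimal CycloneDX-shaped SBOM, and reports known-vulnerable and outdated components, worst first. The package names, versions, "latest" registry and EXAMPLE-* advisory identifiers are all made up for illustration.

```python
"""Miniature software-composition check (added example, not from the post).

Manifest, registry and advisories are constructed; names, versions and the
EXAMPLE-* identifiers are hypothetical and refer to no real project or CVE.
"""
import operator
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    version: str


@dataclass(frozen=True)
class Advisory:
    package: str
    affected: str   # comma-separated comparators, e.g. ">=2.0.0,<2.15.0"
    severity: str   # low | medium | high | critical
    ident: str      # hypothetical advisory id


SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed pinned manifest, requirements.txt style ("name==version").
MANIFEST = """\
webframework==2.3.1
jsonparser==1.0.4
logging-lib==2.14.1   # constructed stand-in for a logging library
crypto-helper==0.9.0
"""

# Constructed stand-in for what a registry would report as the newest release.
LATEST = {"webframework": "2.3.1", "jsonparser": "1.2.0",
          "logging-lib": "2.17.0", "crypto-helper": "1.1.0"}

# Constructed advisories: which versions are affected, and how bad it is.
ADVISORIES = [
    Advisory("logging-lib", ">=2.0.0,<2.15.0", "critical", "EXAMPLE-0001"),
    Advisory("crypto-helper", "<1.0.0", "high", "EXAMPLE-0002"),
    Advisory("jsonparser", ">=1.1.0,<1.2.0", "medium", "EXAMPLE-0003"),
]

_PIN = re.compile(r"^([A-Za-z0-9_.-]+)\s*==\s*([0-9][0-9.]*)$")
_COMPARATOR = re.compile(r"^(>=|<=|==|>|<)\s*([0-9][0-9.]*)$")
_CMP = {">=": operator.ge, "<=": operator.le, "==": operator.eq,
        ">": operator.gt, "<": operator.lt}


def parse_version(text):
    """Numeric dotted version -> tuple, zero-padded so 1.0 equals 1.0.0."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def version_in_range(version, spec):
    """True if every comparator clause in spec holds for version."""
    v = parse_version(version)
    for clause in spec.split(","):
        match = _COMPARATOR.match(clause.strip())
        if not match:
            raise ValueError(f"unsupported comparator: {clause!r}")
        op, bound = match.groups()
        if not _CMP[op](v, parse_version(bound)):
            return False
    return True


def build_inventory(manifest_text):
    """Parse pinned lines into components; comments and blank lines are skipped."""
    components = []
    for raw in manifest_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        match = _PIN.match(line)
        if not match:
            raise ValueError(f"unparseable pin: {raw!r}")
        components.append(Component(*match.groups()))
    return components


def to_sbom(components):
    """Minimal CycloneDX-shaped inventory (a few fields only, not a full implementation)."""
    return {"bomFormat": "CycloneDX", "specVersion": "1.5",
            "components": [{"type": "library", "name": c.name, "version": c.version}
                           for c in components]}


def check(components, advisories, latest, min_severity="low"):
    """Match inventory against advisories and newest releases; worst first."""
    threshold = SEVERITY_RANK[min_severity]
    findings = []
    for c in components:
        for adv in advisories:
            if (adv.package == c.name and version_in_range(c.version, adv.affected)
                    and SEVERITY_RANK[adv.severity] >= threshold):
                findings.append({"package": c.name, "version": c.version, "kind": "vulnerable",
                                 "severity": adv.severity, "advisory": adv.ident})
        newest = latest.get(c.name)
        if newest and parse_version(newest) > parse_version(c.version):
            findings.append({"package": c.name, "version": c.version,
                             "kind": "outdated", "latest": newest})
    # Known-vulnerable first, highest severity on top; merely outdated afterwards.
    findings.sort(key=lambda f: (f["kind"] != "vulnerable",
                                 -SEVERITY_RANK.get(f.get("severity", ""), 0)))
    return findings


if __name__ == "__main__":
    for finding in check(build_inventory(MANIFEST), ADVISORIES, LATEST):
        print(finding)
```

The min_severity parameter is the hook for starting with the critical findings only and widening the net once the team actually responds to what it sees. Real scanners additionally resolve transitive dependencies and understand ecosystem-specific version semantics (pre-release tags, Maven qualifiers, build metadata), which this toy deliberately ignores.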

Lots of aspects come into play when updating dependencies, and there are probably a lot more factors to consider than listed here. The big question to answer is what's most helpful in your context to actually get the job done, get the dependencies updated and keep them updated.

Let's talk about strategies. How can we keep dependencies updated?

In a previous team, we worked with major updates once per quarter, going through everything. This worked okayish for the given context of an internal product with limited usage. In my current team's context, however, we have a customer-facing product with a hugely different attack surface. So far, the following worked for us to update our services' dependencies.

  1. Establish, encourage and ensure 20% time for every team member and use it to drive tech initiatives. Like getting dependencies of our services in shape. Having dedicated time to improve certain areas like this was a massive cultural foundation for lots of good stuff happening.
  2. Use tooling to support easier updates where feasible. Automated scanners to indicate outdated dependencies, utility tools to adapt required related documentation for compliance reasons, and automated checks to discover potential regressions. Tools like these were great in combination with our system knowledge, so we could quickly unveil more surprises where automation reached its limits.
  3. Do the easiest, most straightforward, quick win updates first and get them out of the way. It'll reduce cognitive load and clear up headspace for the bigger challenges, like the ones requiring updates of several dependencies or even frameworks. The advice to "solve the smallest problems first" helped me massively with legacy systems like ours; as far as I remember the credit goes to Nat Bennett, yet I can't find the source anymore (if anyone does, let me know). Having said that, it doesn't mean you shouldn't prioritize updating your most critically vulnerable dependencies first. 
  4. Small changes done frequently compound. The system will get better step by step, you'll get better at updating the system step by step. Always a bit better. It might not look like much today, yet a month from here it's already painting a different picture. We'll get there.
  5. Build on existing energies and practices. This is one of my tools that helped me with lots of culture change initiatives. We also used this to keep dependencies in shape. We have regular tasks needed for each release, and updating dependencies simply became one of them.

All this, however, likely only worked due to the team culture we fostered where people are sharing everything; knowledge, skills, load, a common goal, and more. This made it clear from the start that keeping dependencies up to date is a team task as well and we're all responsible for it, together. I hope to share more once we've lived this approach for a longer time. I'm myself curious if we can manage to keep our system in shape this way or what other approaches will turn out to be more successful in the end.

A word of caution when it comes to tooling. Scanners are only as good as the team's ability to respond and act on their results. The cry for more tools to make a problem go away, or the desire to just find the one right tool to save us all, is not going to fix the underlying issue. Just throwing more tools at a problem won't move anything towards better - most likely, the opposite will occur. All of it becomes noise. It's overwhelming. There's so much other work to do as well. People start shutting themselves off and ignoring alerts just in order to be able to deliver anything (most likely the thing that others put them under pressure for). Yes, alert fatigue is very real. We see the same overwhelm with observability tools, monitoring alerts, test findings, static analysis feedback, and more. Having yet another class of alerts you don't get time to understand and fix just does not help get into a better place. Not to forget false positives! Alerts that are simply not alerting you to anything real, actionable or relevant for your context are like poison, and every one you tolerate makes it more likely that the real one gets ignored too.

At BSides Munich 2023, Jasmin Mair talked about "My CI/CD pipeline contains all security tools available! Now what...?" (check out the recording, too). I loved the strategy she presented to add one tool at a time, train developers, set a baseline, and manage findings. Like eliminating one class of vulnerabilities at a time, and allowing people to follow. For the case of dependency updates, we decided to go service by service, starting with the most critical ones first, and only afterwards include more tools where needed. First make alerts be seen and worth responding to again. Once we live that, we can always improve further. By the way, that was also our approach to clean up other alerts, errors, log spam, and similar noise - enabling ourselves to see what's actually important again when it occurs.

Here's another side note. Getting things back in shape wasn't finished once the dependencies were updated. It also included other topics like removing unused code. It's always been a struggle to clean up functionality that had been superseded by something better, was just not invested in anymore, or had never been used at all while being dragged along. In one of my previous teams, we decided to get rid of all that under one big theme that could also be sold to business more easily: reducing complexity. It's also part of opportunity cost to keep maintaining things that are simply not worth it any more (if they ever were). We can't foretell the future and hence need space to try things out in our product to learn what actually solves the problems our users and business have. Yet if we want to make progress towards a shared goal, we do need to make clear decisions about what to keep and what not, and follow through. When I joined my current team with our big legacy system, I was stunned how much unused code was still around from many years ago. This year, we finally had buy-in to clean up - oh how much I loved it! Not only did it indeed reduce complexity and increase maintainability, make things a lot clearer for new teammates, and so on - it also reduced our attack surface, since code that no longer ships can no longer be exploited! A win on all sides.

A similar case can be made for services and features we want to keep, yet that are complex, hard to understand, inconvenient to modify, or people are afraid to touch them. Not a great starting point when things go awry and a security incident comes in. Actually, if any incident occurs. Even if nothing bad happens in that area, this part will tend to stay untouched until no one in the team knows about it anymore and it's even costlier and scarier to touch it.

All in all, when I came across the following statement in Tanya Janca's book "Alice and Bob Learn Application Security", it made so much sense to me: "technical debt is security debt". Big aha moment, this resonated heavily with me. What's good for maintenance and extensibility can be really good for security, enabling us to adapt fast to an ever-changing world.

It's time to bring that original question back to the community: What do you do to make keeping dependencies up to date work?