Saturday, November 16, 2024

BSides Munich 2024 - We Belong

Last year, I attended my first security conference, BSides Munich. It was an awesome experience connecting with the community. This year, it was clear to me that I'd come back as a participant. Yet when the call for papers started, I figured: why not try my chances? I dared to submit my brand-new talk "A Security Champion’s Journey - How to Make Things a Bit More Secure than Yesterday Every Day" to BSides Munich. You can imagine my joy when it was indeed accepted! So, here's my recap from this year's conference as participant and speaker.

Workshop Day

Tickets for this conference usually sell out quickly, so I made it a point to decide on my workshops early on and then grab the tickets as soon as they went online. It worked! This time, I decided to go for two half-day workshops.

In the morning, I joined "Backdoors & Breaches: Simulating Cyber Security Incidents" by Klaus-E. Klingner. I had wanted to give the Backdoors & Breaches card game a try for quite a while, so here was my chance. Klaus started by setting the scene, describing how classic incident response simulations can be tedious and require a lot of preparation effort. In contrast, game-based learning, like playing a round of Backdoors & Breaches, can be done very quickly and provides playful insights. Backdoors & Breaches is modeled on the tabletop role-playing game Dungeons & Dragons. Instead of a game master, you have an incident master. They choose the attack scenario that led to the incident, which the group has to figure out - how did the attackers manage to compromise the system, move deeper, maintain persistence in the system, and finally exfiltrate data? What happened? The group has procedures they can use to find out more about what happened - yet depending on how they roll the dice, they won't always succeed! There's a bit more to it; just check out the complete rules for yourself. What a fun game; it led to really insightful conversations in my group. There are already expansion packs enabling further scenarios, and you can also play it online, either using Klaus' version or the official one.

In the afternoon, I participated in the "How to Hack your Web Application" workshop by Janosch Braukmann. I really liked his introductory web app hacking challenges, which offered simple yet not uncommon mistakes to exploit. A really nice hands-on way into the topic that also allowed him to gauge where the audience was coming from. It made his point very clear: don't trust anything coming from the client side; it's not in our hands. We walked through the OWASP Top 10 together and how to mitigate the respective risks. Then it was time for practice again: we got our hands on a vulnerable web application he provided for the duration of the workshop. It's usually insightful and fun to see what people find and what approaches they come up with to do so. Practice didn't stop there: how do we prevent these issues in the first place? The most effective and simplest way Janosch has seen so far is malicious user stories: user stories from a malicious actor's point of view. We then just need to flip the acceptance criteria to build an implementation that prevents the threat actor from being successful with their attempt. This can easily be done along with the usual ideation and refinement activities that teams tend to be used to as part of the development life cycle. Even though I've heard the content before, I like joining these workshops in order to be surprised by what I didn't know yet, and to learn about different approaches to convey the respective concepts and skills to folks.

All in all, the workshops were great. Even better, this day already granted space to check in with people! It was awesome to meet Claudius Link again in person, my fellow Open Security Conference (osco) co-organizer. It's been great to re-connect with a few folks I met at last year's BSides. And I really enjoyed getting to know Yin Yin Wu-Hanke and Lisa Aichele!


Conference Day

The day started very early for me. Being a local meant commuting to the venue, and being a speaker meant showing up at 7:30 am for the tech setup check. If you've met me, you know I'm a night owl, so this hurt quite a bit. And yet I was excited to have this opportunity to reconnect with the community and also present my own content at the event.

This conference has an amazing organizer team, and so many people volunteered to help and ensure it ran smoothly. Many thanks to all of you for creating and holding this space for us! This year's main organizer was Sneha Rajguru. When she opened the conference officially, she emphasized that this event is for all of us in all our diversity, and her words stuck with me: "You belong." Last year was my first BSides. This year, I really felt I do belong. We all do.

Overall, BSides Munich had once again a lot to offer. More than I could try out myself! A hardware hacking village, a CTF, a retro-gaming area, the sponsors exhibition, and more. I mostly focused on the talks myself, while at times taking a break to chat with folks in between. Here are the presentations I've attended.

Finally, a huge shout-out to lots of amazing people I've connected with during the day! I really appreciated meeting Van Nguyen, Clara Kowalsky, Sujaritha, Dagmar Swimmer, Morton Swimmer, Tobias Schuster, Julien Reisdorffer, Konstantin Weddige, Stuart McMurray, and Rudolf Kaertner whom I've first met at osco this year.

At the end of the day, the organizers invited all speakers to a fabulous speakers dinner where we enjoyed great food in great company. What an amazing closing for the day.


BSides Munich 2025

One thing is for sure, I'll do what I can to make it to BSides Munich next year as well! If you have the opportunity, seize it to experience it for yourself. Maybe even submit a proposal to share your own stories with the community, or offer to be a volunteer. It's been a great event once again this year and I'm happy to have been part of it.

Need more reasons to join? The recordings for this year have already been published! Have a look by taking the direct links from this year's agenda, and check out past years' recordings on the BSides Munich YouTube channel.

See you in 2025!

Wednesday, October 9, 2024

Open Security Conference 2024 - A Memorable Beginning

We've done it. The very first Open Security Conference, osco24, is over! It was a memorable event that exceeded our expectations. It's highly likely that there will be a 2025 edition.

Launching this brand-new open space conference together with my amazing co-organizers Claudius Link, Dave van Stein, Janina Nemec, and Ulrich Viefhaus was part of my personal challenge for 2024 to contribute to the community in new and courageous ways. Our efforts paid off!

The Day Before

Most of our organizer team arrived on Thursday, the day before the conference. I hadn't met everyone in a physical space yet, so it was amazing as usual to see the folks I had worked with throughout the year to make this event happen. We could explore the venue that only one of us had visited before. We had a great dinner together. We organized the last bits, managed last-minute communication with participants, and clarified a few things. There wasn't much left to do; we had already prepared most things upfront, including what needed to be done once we were on-site. So mostly we could just breathe and enjoy the moment, socialize and relax before everything started.


And you know what? We weren't alone at the venue! The previous conference just had their last day, and what a pleasant surprise to meet folks we already knew from other spaces. Community for the win!


Kicking It Off

Friday, and hence the start of the conference, finally came. Time for last preparations! Distributing Covid tests and masks in small packages for participants to grab on arrival. Preparing stickers and cutting the communication cards we brought. Aligning on last moderation details. Setting up the registration tables. Putting up all sponsor material. Creating a conference feedback wall. Adding our conference values on a flip chart. Preparing the room to ensure the welcome introduction as well as the two planned keynotes could go smoothly. And many more of all the little things.

Then the first participants arrived! Time to test out the registration procedure for the first time. Welcoming people and introducing them to osco worked well. They could settle down, get familiar with the venue, get some snacks and hot drinks, and start initial conversations with other folks. Our two amazing keynote speakers arrived as well and could test out their setup; everything was good. Our Mastodon Glacier social wall was also installed and showing live updates as people posted using the conference hashtags #osco and #osco24.

One thing we noticed at this point was that the venue's WLAN was too restrictive for our use cases. Only specific protocols were allowed, so that, for example, you couldn't use ssh to pull from GitHub, or connect to certain VPNs. Well, mobile hotspots for the win - yet mobile network coverage in the area wasn't good for all providers either. Definitely something to look into for next year! All in all, it wasn't convenient, yet we made things work for the conference.

Before kicking off the evening, we all first enjoyed dinner together - really nice food and various options. More conversations took place, all good so far.

And then it happened: we opened the very first osco ever. All five of us organizers presented the welcome and introduction together. We explained how this conference idea became reality after the initial conversation about it back at SoCraTes 2023. We shared our core values of cybersecurity for all, inclusion and being community-driven. Values that also represent why we invested in creating this space in the first place. We want to welcome all people who are interested in cybersecurity, eager to exchange knowledge, and keen to learn with each other. We want to get rid of gatekeeping in the industry and instead lower barriers to the cybersecurity field so people can enjoy diving deeper into it from wherever they are. Therefore, we encouraged participants to contribute to a good experience for everyone, including the code of conduct and giving examples of what welcoming and inclusive behavior can look like. I really loved seeing how one participant demonstrated visual applause (over making noise) and everyone jumped on it throughout the conference!

It was time to introduce our keynote speakers and then lean back ourselves to enjoy the presentations. I decided not to create sketchnotes this time, but instead opted for live posting during the talks for our Mastodon and LinkedIn presences. Here's what I took with me during the talks.

  • "OWASP Juice Shop 10th anniversary: Is it still fresh?" by Björn Kimminich. OWASP Juice Shop was my first real touchpoint with security testing back in 2017, so it has a special place in my heart. Can you imagine how happy I was when Björn confirmed he'd come and speak at osco? Especially for the 10 year anniversary? He even brought the Juice Shop lego tower. The keynote was awesome, leading us through the history of this intentionally vulnerable web application from back then until today and into the future.
  • "How to hack a company in one day or less" by Yvonne Johnson. I'm really glad that Yvonne agreed to give her keynote at osco. She's an experienced red teamer and gave us a glimpse into her everyday work: what they aim to achieve on an assignment as well as the approaches they take to do so. Yvonne gave a hands-on demo breaking into a system in a short time - well, it would have been even shorter if the live demo curse hadn't hit! What worked before, done exactly the same way, of course did not work instantly when presenting. Yet Yvonne stayed remarkably calm and we could witness how she either found ways around the issues faced, or patiently tried things again until they worked - just like during her regular work. Impressive and very insightful.
The official program being over for the day, we invited everyone to join for conversations and games in the hotel bar. Lots of folks took up the offer; they even brought some games themselves. As organizers, we checked in with each other and aligned on the last bits and pieces before the first full day of the conference. The first evening went well - so far, so good.


A Full Day of Open Space

On Saturday morning the main part of the conference started: the open space. We had asked a dedicated person to set and moderate the space for us, Pierluigi Pugliese. This meant we as organizers could focus on everything else needed to create a smooth experience, and beyond that be normal participants as well.

Being the very first instance of this conference, we wanted to start small yet feasible. Therefore, we were glad that 25 people had registered for the event. As it usually goes, there were last-minute changes, so overall we were a group of 20 participants in the end. Leading up to the conference, we had worried whether that number would be enough for a good open space with enough sessions proposed and people getting real value out of it. As it turned out, we wouldn't have needed to worry at all! Even though several folks had not been familiar with open spaces before, they quickly got the gist of it and enjoyed this more informal, self-designed space that gave them agency. Also, already during the first marketplace, lots of people instantly proposed sessions and the schedule filled up quickly and nicely.

The marketplace is one of several places where we could give kudos and huge shout-outs to our sponsors who trusted that this very first instance was worth supporting. And it's a great place for it as well! We were inspired by SoCraTes, who thanked their sponsors in lots of funny ways as "ad breaks" or "commercials" in between the session announcements. It's such a fun and effective way to raise attention for those who made osco more affordable.

The first sessions started, and the first things we had missed preparing ahead of time showed - fortunately, everything could be fixed quickly and we could also start enjoying and giving sessions ourselves. Here's what I chose from the schedule.

  • "How to get people interested in just about everything (including cybersecurity)" by Felix Schnellbacher. Due to having some organizational tasks to do at the same time, I could only drop in late and had to drop out early - well, showcasing that you can indeed do so any time at an open space. What I witnessed was interesting storytelling on how to raise people's attention to important topics that are not easily digestible. A really nice match to our conference idea!
  • Hanging at the coffee bar. I had to enable one of the sessions during this slot, and also prepare for my own session. So I decided not to join any announced session and instead take a break and enjoy some tea and snacks. And I found great company there as well!
  • "A Security Champion’s Journey - How to Make Things a Bit More Secure than Yesterday Every Day" by me. This was the third dry run for this brand-new talk overall, the first public one, and the first on-site. It still took longer than the conference slots I have for it in November. But besides that, things went well and I received lots of good feedback. People even stayed around for further exchange even though it meant we all arrived late at lunch. All this helped reduce the worries I usually have with new talks - iterations for the win! Many thanks to everyone who joined and shared their thoughts with me. And huge shout-out to Janina Nemec for creating a wonderful sketchnote of my talk!
  • "Make your own Juice Shop theme" by Björn Kimminich. This app has really evolved over time; it's impressive. Nowadays it has lots of additional features, like being very easily customizable. We could quickly adapt the look and feel to our own needs - an osco-style Juice Shop, of course! There are lots of configuration options available to adapt the overall experience as well.
  • "Which security tools should I know for everyday development?" by Chris. An awesome session that initiated an engaged conversation on all kinds of cybersecurity tooling: those that a security team would use themselves, those that they could offer as a service to development teams, those that could be included in pipelines, and those that you could use on demand when implementing a change. Really insightful exchange.
  • For the last session, I had planned to join one of the proposed sessions, and then the other great thing about open spaces happened: a new session emerged right in the moment. Julian Michelmann and I started talking about security culture, strategies to bring teams on board to make things more secure, challenges we face, and everything. Very interesting and appreciated!

Time flew and it was already time for the evening news. Everyone came together again and shared impressions and insights from each of the sessions so that everyone got value out of them even if they weren't there.

Finally, another short marketplace where participants offered evening activities after dinner. Speaking of dinner, I really enjoyed the conversations I had with Yvonne Johnson, her partner, Björn Kimminich, Janina Nemec, and Dave van Stein. Especially on TV shows and computer games! Oh, so much to geek out about.

Originally, I wanted to make time in the evening to finally solve a few OWASP Juice Shop hacking challenges, as Björn had set up a CTF throughout the day using MultiJuicer. Yet things happened, as they often tend to do! Further conversations were had, further topics had to be organized, and time was running out. In the end I still made space to at least try a speed run - which lasted only eight minutes, as the instance had to be shut down then. Well, I focused on solving challenges I still remembered and managed to get four flags in the eight minutes - yet next time I'll do better at preserving time, exploring new challenges, and also tackling them in a team. I'd really enjoy that.

The evening continued, games were played, snacks and drinks enjoyed, lots of great conversations. Challenges and opportunities, struggles and wins. What a great day.


The Closing Day

Finally, the last day of osco24 had come. I could feel it in my bones, I didn't get enough sleep - and yet it was worth it so far. So I decided to make the best of the remaining time we had together.


Another marketplace (of course), offering two more slots for sessions in the morning. Here's what I chose.

  • "osco25" by us organizers. We wanted to gather people's ideas for a potential (and very likely) next edition of the Open Security Conference. This initiated a good exchange on what people valued and what they'd like to see differently. We were super happy to find out that we also gained further supporters for next year, be it in the core organizing team or in other ways! While we secretly hoped for it, we really didn't expect that people would proactively reach out and offer their support. We're really grateful.
  • "Mob-hacking some Juice Shop challenges you might not have solved yet" by Björn Kimminich. As I couldn't invest much time in this the previous day, I jumped at the chance that Björn offered another session. It was really insightful to go through a few of the harder challenges, figure out the path to the solution, and see the vulnerability being exploited. What an awesome way to close off.

Afterwards, we came together for a final round of sharing our insights from the sessions. We also had a chance to find folks we hadn't been in contact with much during the conference and share with them what we aim to do until a potential osco25. We had the space to find people and thank them directly for whatever impact they might have had on us. This was a nice addition to the physical kudos cards that we had provided throughout the conference, and that people had made good use of. I had received a few myself, and I could give out more to other participants. Physical kudos cards are such a valuable form of feedback that you can literally take with you. Another lesson I learned from SoCraTes.

And that was it. The open space was closed. Everyone helped clean up the rooms, which turned out to be straightforward and quick. We sat down for a final meal together before one after another started their journey home.

Really tired and really happy, with a heart full of gratefulness, I said my last goodbyes as well and started my own way home. Reflecting on everything that happened, I felt content. Most things went very smoothly, there were only a few minor hiccups that could be corrected quickly, people gave constructive feedback, overwhelmingly positive support, and in general validation for the space we set out to create. Huge shout-out to my amazing organizer team, our wonderful sponsors, and especially the participants who put trust in this idea - you are awesome. This was great. Way better already than expected. I have lots of hopes for osco25.

Tuesday, September 3, 2024

SoCraTes 2024 - A Community to Grow With

It's been my third time at SoCraTes this year. I'm very grateful that the organizers invited me as trainer once again, enabling me to come and experience this wonderful community event. It's been a blast. I've met lots of folks old and new, and enjoyed both casual and deep conversations. It was a pleasure exchanging experiences and knowledge. I've had a safe space to practice deliberately and hone my skills together with like-minded folks. Everyone growing, everyone at their own pace, everyone together.


Arrival Day

On the final leg of the trip to Soltau there are usually the first conference folks to meet. Perfect time to ease in and brace mentally for lots of peopling over the next days. This time I had a really nice chat with Martin Schmidt and Juke Trabold, catching up on all things.

Once I arrived at the hotel, more reunions were to be made. You could feel that everyone was excited that it was finally this time of the year again, full of hope that good things would happen. Also, this conference takes inclusion seriously, and a big part of that is addressing health concerns. They require on-site testing for Covid before even entering the hotel. Once cleared, we settled in and prepared for the first dinner together.

For conferences, I really enjoy meeting fewer folks at a time by arriving earlier than most people. It really helps me manage my load and have more quality time with folks. This night especially with Thierry de Pauw, their son, and Jana Fuerchtenicht - loved our conversation! And it was so good to see Micha Kutz again.


Training Day

SoCraTes is an unconference at heart. For three years now, they have offered an additional training day with a more classic structure to provide foundations and to ease the way for new folks to join the open space without knowing the exact program beforehand. I assume this also helps with selling the event to their companies, especially if they never had the opportunity to experience the magic of such an unconference before.

Personally, I'm very grateful that I got invited as trainer for the third year in a row. And this time with another topic that's dear to my heart: security! It was the premiere for my brand-new workshop "Secure Development Lifecycle Applied - How to Make Things a Bit More Secure than Yesterday Every Day".

But first things first. In the morning, I joined Marit van Dijk's "Code Reading" session. Now, this wasn't a new topic to me, as we are both in the same code reading club. That being said, it's always good to practice this skill - we read code way more often than we write it! Thanks to exercises from Felienne Hermans, it's fascinating to learn more about your own understanding and mental model of the code you read, no matter in which programming language, and especially what other people around you perceive and think. At SoCraTes, too, this session was a blast! Loved how people engaged and shared their own interpretations and pieces of knowledge, which really helped figure things out together. There's always something new to learn in these kinds of sessions. If you want to learn more about this whole topic, Marit offers a whole page of resources on reading code that's worth checking out.

Next up, I joined Thierry de Pauw's training on "Trunk-based development for regulated environments". Very relevant to me as I'm working on a regulated product at my current company. I've had the pleasure of reading lots of Thierry's excellent articles on the topic, like the "The Practices That Make Continuous Integration" or "On the Evilness of Feature Branching" series. The beginning of their training already resonated a lot with me. Thierry shared how often organizations conflate their approach to regulations with "regulation" - which is not the same thing at all! They pointed out that what folks mostly want to see is "do you do what you say you do", and the more rigorous ones add to that "get two people to look at it" and "have an audit of what happened". Thierry showed throughout their training how regulation and continuous integration principles aim for the same thing: risk reduction. They also emphasized that the deployment pipeline has three purposes: every part of the process is visible, it improves feedback, and it empowers teams. We also had the opportunity to craft our own pipelines using Emily Bache's pipeline game and a scenario as a constraint. Lots of great conversations emerged from that!

Finally, it was time for my own training. Lots of people joined, more than I had hoped for. It's always exciting to give a workshop for the first time at a conference; you never know if things will work out regarding the general concept, while the audience will always differ. I'm thankful to my dear InfoSec colleagues Tarik Kobalas and Honey Susan Kurian for their input, which helped me improve the workshop before this first edition. Based on the feedback received from participants, I can say it went well! People enjoyed their time learning about threat modeling, secure coding principles, security testing approaches, and how we can detect malicious activity on our production systems. I'm already looking forward to the next opportunity to give this workshop.

After the trainings ended, it was dinner time. Loved the conversation with Michelle Avomo and her partner. It was a pleasure to reconnect with Claudius Link and Janina Nemec, two of my fellow organizers for the upcoming Open Security Conference, an idea that started at last year's SoCraTes. Playing the game SET together, of course! Just before that, we had a nice world café session as the official opening to the main conference. Three rounds with different groups of people, exchanging what brought us to SoCraTes, what this conference means for us, how we widen its impact. I met lots of first timers this way and we had a good time together.

Open Space Day 1

After a wonderful introduction to the open space and its principles by the amazing Juke Trabold, the first marketplace started and people began to queue up to share their session ideas and build the program together. Once again, it quickly became clear: there will be tons of interesting sessions, and I will only get to see a fraction of them. That's the beauty and the pain of any multi-track conference, yet for big open spaces like SoCraTes, it shows even more. On the bright side of things, there will be sessions for everyone, no matter which topic, format, or experience level. We can all grow and learn from each other.

Here are the sessions I joined. If you're interested in what other sessions were offered this year, check out the schedule.

  • "Priorities, Priorities, Priorities" by Yorgos Saslis. So many things compete for our attention and claim to take priority - so how to decide what to do next? This challenge resonates a lot with me as it fits the experience of nearly all the teams I've been on, and never so much as in my current team. In this session, people came together and shared their approaches to gauging what to tackle first and what's the most valuable thing right after - and to communicating accordingly and managing expectations. Wardley maps were brought up to help decide what to build ourselves and what not. An approach that stood out to me was business decision records - basically architecture decision records (ADRs) for business decisions, documenting the reasoning behind a decision at that time. If circumstances have changed since then, we know more clearly whether we can change the decision as well. The cost of delay was mentioned to help prioritization; I like to think of opportunity cost, yet costs like this should be considered as well. People reminded each other that value is not always money; enabling or unblocking another team provides value as well.
  • "Making better decisions as a group" by Tobias Mende. After thinking about prioritization, this seemed a fitting session to continue with. Tobias gave a dry run of his upcoming new talk around collaborative decision making. I really relate to him sharing that poor decision making costs companies a lot - I've seen that too many times when we sunk too much time and effort into a feature that didn't return the value we hoped for before pivoting (sunk cost fallacy, anyone?). But how can we make better decisions, together? From the options presented, two stuck out for me: consent with integrative objection handling, which focuses on said objections, and systemic consensing, which brings forward the resistances of various levels that exist within the group. Tobias encouraged us to make decisions smaller, safer and more often - I couldn't agree more.
  • "Security card deck game" by Philipp Zug, Martin Schmidt and me. It was time to present our security card deck game project to a wider group, for the first time! Where better to share this than at SoCraTes, the very place the idea originated? We were stunned by how many people showed up to see what we had created so far. Philipp presented the background of the project. Martin demoed a first round - and we already received so much valuable input and lots of ideas on how to evolve the game further. The crowd seemed to like the idea a lot; it was really encouraging to see such interest. We are also happy to have gained a new contributor in Julian Michelmann and are curious where the game will end up by SoCraTes 2025. Stay tuned!
  • "Capture the flag together - Security Testing" by me. I had already given this session at SoCraTes 2023, where lots of enthusiastic folks showed up and which led to many fun follow-up sessions throughout the conference. Therefore, I was eager to bring this session to this year's edition as well. I hoped to again find like-minded folks to practice security testing in a collaborative setting. You can imagine how happy I was when lots of people showed up once again, some from last year, lots who hadn't joined before. We had good fun practicing on Hack The Box!
  • "Baba is you" by Marco Emrich and Michel Grootjans. A few days ago, someone had mentioned a game to demonstrate and teach the mechanics and practices of ensembling, aka working on the same topic, same place, same time, same computer together. That game is Baba Is You, an endearing puzzle game that I can only recommend trying out yourself. It's been interesting to watch group dynamics unfold as the ensemble tried to work effectively together and solve the puzzles.

Dinner time! Yet beforehand, it's time for folks to announce what sessions they offer for the evening. Because the conference doesn't end as long as people don't let it! Lots of fun options were presented, from playing board games, doing sports, learning Rust, and solving coding katas to whatever you can imagine. Well, SoCraTes 2023 taught me that I love doing capture the flag exercises in a collaborative setting, and that I find lots of enthusiastic people here to join me. My afternoon session confirmed that once again, so I offered to do even more of this in the evening. I was stunned by how many people joined the evening edition, even a lot more than in the afternoon! We had such a good time. Just as last year, it got late! We didn't care; it was a blast.


Open Space Day 2

The second day started, another marketplace took place, offering even more awesome sessions to join. I took it slower in the morning and allowed myself to be kind and not join the first slot, but rather engage in conversations and prepare for my first session as facilitator.

  • "Smart Workshop Setups (Pull)" by me. A pull session in an open space is where you ask folks for their expertise, knowledge, or help on a topic you'd like to learn about or a challenge you're facing. In this case, I decided to pull for support on smart setups for technical workshops, especially when they require a more complex setup while folks might not be able to prepare a lot in advance. How to make these workshops as accessible and welcoming as possible so people can quickly get to a working setup and focus on the actual practice content? This is especially relevant for my next workshop on "First Steps in Mobile Security Testing"; my original setup idea unfortunately does not work out anymore, and while I have ideas on how to make it work, I was curious what other folks would suggest. Lots of great ideas were gathered! I'm grateful for people taking the time. I'll ponder them more over the coming weeks and might share more after said workshop. For now, let me say that pull sessions are awesome.
  • "Next Level Spring Boot for Hipsters with Kotlin" by Chris Welcz. It's always interesting to see what tools, libraries and approaches other folks use. In this case Chris demonstrated his usage of Kotest, which provides convenient test structuring and property testing capabilities. He also showed his preferred mocking library, Mockk. You can find examples in his hipster-tdd and kotlin-beer repos. Good input to consider for the Snack Shop project I'm collaborating on!
  • "Passion Personality Test" by Gabrijela Hladnik. Models are flawed, and some can be helpful - especially for reflecting about oneself. That's how I see personality tests as well - flawed, sometimes helpful. Gabrijela presented the personality test from Clarity on Fire around different passion profiles and how it helped her. This was the starting point for a very insightful conversation about personality tests as such. How much do we box ourselves in? Are the labels we put on ourselves helpful? Why shouldn't we use tests to categorize others? How can companies misuse these kinds of tests? Which tests have scientific research as their basis, what are the driving motivators behind them, and especially what systems of oppression do they foster? Lots of food for thought.
  • "Securely saving passwords" by Fabian Blechschmidt. In one of my capture the flag sessions we came across the topic of rainbow tables, which inspired Fabian to give a talk on passwords and ways to store them. A great session to recap hashing algorithms, rainbow tables (of course), salting and peppering, and key derivation functions. Always good to brush up on foundations!
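To make those foundations concrete, here is an added example (my own illustration for this post, not material from Fabian's session) contrasting an unsalted hash, which a precomputed digest-to-password table defeats in a single lookup, with a per-record salt plus a key derivation function (PBKDF2-HMAC-SHA256 from the standard library) and an application-wide pepper kept outside the database. The wordlist, the pepper value and the user records are constructed sample data; the iteration count is a tunable work factor, and the precomputed table is a plain lookup table rather than a chain-compressed rainbow table, which teaches the same defensive lesson.

```python
"""Password storage primer: unsalted hash vs salted, peppered KDF.

Added example (not code from the blog post or the session it mentions).
Standard library only; wordlist, pepper and user records are constructed.
"""
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256. Tune to your hardware budget; raise it
# over time and let needs_rehash() migrate stored records on next login.
PBKDF2_ITERATIONS = 600_000
ALGO = "pbkdf2_sha256"


def naive_hash(password: str) -> str:
    """Unsalted SHA-256, the scheme precomputed tables are built against:
    equal passwords give equal digests, so one table serves every user."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_lookup_table(wordlist) -> dict:
    """Precompute digest -> password for a wordlist (plain lookup table; a
    rainbow table compresses this with hash/reduce chains, same lesson)."""
    return {naive_hash(w): w for w in wordlist}


def lookup(table: dict, digest: str):
    """Recover a password from an unsalted digest in O(1), or None."""
    return table.get(digest)


def hash_password(password: str, pepper: bytes = b"",
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, optionally peppered PBKDF2. The 16-byte salt is random per
    record and stored next to the digest; the pepper is an application
    secret that lives outside the database (assumed to come from an env var
    or secret store in real code), so a database dump alone is not enough."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8") + pepper,
                             salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(stored: str, candidate: str, pepper: bytes = b"") -> bool:
    """Recompute with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != ALGO:
        raise ValueError(f"unsupported scheme: {algo}")
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8") + pepper,
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def needs_rehash(stored: str) -> bool:
    """True when a record was hashed with a weaker-than-current work factor."""
    algo, iterations, _, _ = stored.split("$")
    return algo != ALGO or int(iterations) < PBKDF2_ITERATIONS


def demo() -> dict:
    """Show the contrast on constructed data; returns the observations."""
    wordlist = ["letmein", "hunter2", "password", "qwerty"]  # constructed
    table = build_lookup_table(wordlist)
    pepper = b"app-wide-secret"  # constructed; never stored with the records

    # Two users chose the same weak password.
    unsalted = [naive_hash("hunter2"), naive_hash("hunter2")]
    salted = [hash_password("hunter2", pepper), hash_password("hunter2", pepper)]

    return {
        "unsalted_collide": unsalted[0] == unsalted[1],
        "unsalted_recovered": lookup(table, unsalted[0]),
        "salted_collide": salted[0] == salted[1],
        "salted_in_table": any(lookup(table, rec.split("$")[-1]) for rec in salted),
        "verify_ok": verify_password(salted[0], "hunter2", pepper),
        "verify_wrong_pepper": verify_password(salted[0], "hunter2", b"other"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the two unsalted records colliding and being recovered from the table instantly, while the two salted records differ from each other, match nothing in the table, and verify only with the right pepper. The stored string carries its own algorithm and iteration count, so `needs_rehash()` lets you raise the work factor later and upgrade records transparently the next time a user logs in.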

This concluded the open space part of the conference. It's traditionally closed with a retrospective. We had a really great conversation in our group, with lots of highlights and lots of things we'd like to see improved - and how we as participants can help improve them. Especially at an unconference, participants are essential to co-create the conference. This means that participants are also responsible for creating a safe and inclusive space and taking care that everyone gets that safe space to contribute if they want to. We collected various ideas for how we can do so better. These ranged from how to notice that I am taking over a conversation and should shut up to give space, to ways to navigate a dominant conversation among few people and open it up to the rest of the room, to options to indicate to the whole group that space is lacking and we're currently not hearing everyone who might want to contribute.

Dinner time again, and then - who would have guessed - capturing even more flags together! Yes, as an evening session hosted by me. And once again, folks came and tackled a fun challenge together. We built on the knowledge and approaches we had learned about the day before, we tried a lot of things, got closer, got stuck, took hints, moved forward - and in the end found the flags. What a learning journey! A late-night one as well again, yet so much worth it. Many, many thanks to everyone who participated, it was a real blast. Can't wait for more of these sessions next year!


Workshop Day

The last day arrived way faster than expected - time flies at conferences like these. Traditionally, the last day is the workshop day, where people offer hands-on sessions of various lengths throughout the day. Already being very tired, I skipped the marketplace - I knew which session I wanted to go to this year anyway: the Code Retreat, hosted by Janina Nemec and Micha Kutz. I ended up arriving late, and already felt bad when entering the room, seeing all tables full and everyone deep into the first exercise. Huge kudos to Janina and Micha for welcoming me in, recognizing my struggle and going to great lengths to make me feel it's okay to stay and still join in. That mattered a lot to me and helped calm my brain down. Micha arranged a new table and offered to pair with me (thanks so much!) - until even more folks joined, and space was made for them as well.

Time to focus on practicing hands-on together in pairs. We tackled the challenge of Conway's Game of Life, which can be solved in countless ways, so you will always learn something new in each round: programming language, approaches, modeling, communication, and so forth. Always using TDD, and usually having additional constraints to consider each round. Always deleting the code at the end of each round and starting all over again with the next pair. There's a lot to learn about oneself as well in this exercise! In our case, we were given the constraints of strong-style pairing, then we were allowed at most one level of indentation, then we tried it as an ensemble, and finally the rules changed. In my last rounds, I was part of a small ensemble together with Janina Nemec and Hadrien Mens-Pellen. I loved it, as we brought up any misunderstandings as they arose, clarified them instantly, and aligned quickly on the way forward - super effective! We also made use of the Code Retreat card deck designed by Janina, and we pulled the card to use Object Calisthenics as our constraint during these rounds. Overall, I can really recommend joining code retreats; no matter which level of experience you currently have, you can take a lot with you from them.

To add to this: We were all really, really tired. That alone can teach a lot of lessons about ourselves, and how we cope with stressful situations then. Each round was challenging in its own way, one was especially challenging for me emotionally. I for one learned again that kindness, respect and consideration go a long way - for each other, and also for oneself. Very grateful to both Janina and Micha for granting us this space!

After the code retreat ended, many people had to leave the conference while some like me stayed until the next morning. We were all tired, so we decided to break things up a bit and get some fresh air. We went on a short walk in the beautiful moor surrounding the venue, visiting the famous Heidschnucken, moorland sheep from northern Germany. I was glad to get the chance to see them this year as I've missed out on them the last two years.

We had dinner, we had more conversations. People decided they still had the energy to come together for a round of lightning talks - some of them short like lightning, some rather ending up as longer thunderstorm sessions. All of them great! We learned about IntelliJ IDEA's AI assistant from Marit van Dijk, how cognition principles apply to software from Corstian Boerman, how things that start in noise get organized over time from Martin Schmidt, and about the power-law distribution and Adam Tornhill's work detecting it in code from Christoph Kober.

Even more tired, we decided to play What Beats Rock - which stuck with us for the rest of the evening until we finally called it a day.


Departure Day

Last chance for final conversations and final goodbyes. Everyone super tired, everyone very happy. The post-conference blues were held off a bit longer while chatting on the train. More ideas were exchanged, plans for next year made. Until we finally had to part, each of us taking a lot with us from this wonderful community space.

My head is energized due to new inspiration and ideas of what to try. My heart is full of connections and the community spirit we experienced. My soul is calm thanks to the validation received through feedback and kudos cards, and smiling thanks to all those folks for whom I wrote kudos cards myself. Physical kudos cards are such an awesome concept! I'm ever grateful for each person who took the time to write a kudos card for me this year; you really make this conference even more special to me, and I can't even tell you how much your card means to me.

Next year, this conference will be a month earlier than usual. I plan to be there. Looking back at what happened between each SoCraTes instance I've been at since 2022, all the good stuff, all the growth, all the strong connections - I'm already curious what will happen until 2025.

Friday, August 16, 2024

Contributing in New Ways - Getting over the Hump

This year, my personal challenge is to contribute in new ways - courageous community contributions I haven't dared to do before. As opportunities arose, I took on a bunch of endeavors at the beginning of the year, which are both very exciting and, admittedly, time-consuming. While I've been aiming to share intermediate updates from time to time, I'm grateful to my past self for deliberately decoupling my challenge from any writing efforts to reduce artificial pressure. Still, it does help me to sit and write down my thoughts from time to time. It's time now.


A Lot to Celebrate

It's been a lot to juggle this year. Well, I realize I've set myself up for that. It's one of those self-inflicted situations, which might be uncomfortable yet also comes with a bright side: it's totally up to me. I can reduce things at any point in time. Or shift my main focus between endeavors. Right now, this is working out sufficiently well that I haven't had to cut anything completely yet. In addition, there's an even brighter side: no matter how the rest of the year plays out and what else will happen, there are lots of things to celebrate already.


Open Security Conference

It's happening! It's actually happening. The very first Open Security Conference (#osco) will take place from October 4th to 6th in Rückersbach, close to Frankfurt/Main in Germany. The event will be kicked off by two amazing keynotes before we then all learn together in the open space:

  • "OWASP Juice Shop 10th anniversary: Is it still fresh?" by Björn Kimminich, who's well known as project leader of the OWASP Juice Shop and a co-chapter leader for the OWASP Germany Chapter
  • "How to hack a company in one day or less" by Yvonne Johnson, who's an experienced red teamer and penetration tester

I'm so very curious about how the first osco plays out. A first event is always exciting! You're trying to set the space and constraints in ways that support your values and your goal. What helps and what rather hinders is something you'll only find out when you give it a go. We are starting small and learning as we go indeed. We've already gained lots of insights during the preparation so far. We can't do everything we'd like to do for the very first event, and yet it's a starting point that sticks to our principles and is based on our values. A starting point that hopefully helps establish this new conference so we can build on it and evolve it further over the next years. Because cybersecurity is an area that's way too important and too often struck by gatekeeping and other barriers, which we're trying to lower and remove where we can to make it more accessible - for everyone interested.

We gained a better understanding of our individual and collective reasons for doing this in the first place, why we think there's a need and a gap to fill, and what makes this conference special enough to set it apart from existing events in the security space. Not only for marketing osco and figuring out our target audience (which is a real challenge!) but also to make even more intentional decisions to shape it further. We'll continue to iterate on how we present the conference vision, just as we'll also continue learning how to bring the concept of an open space conference format to cybersecurity, where lots of folks seem not to be familiar with it yet. Well, for now - we'd like to do our part in changing that!

As an organizer team, we had a tough challenge to overcome. We weren't quite clear on the direction to take on how to handle finances, which paralyzed us. Not much happened during this time besides going back and forth pondering about our options and worrying. It felt like treading water. I think it speaks for our group that we didn't break up at this point, that we indeed got over this hump and we came out stronger together. We made a feasible decision for the initial event this year and paved the way to create an underlying non-profit organization to sustain the efforts for next year.

Solving this big bump in the road meant we picked up speed again. We could finally open the registration, and we already have more registrations for this first event than we dared to hope for! There are still a few more tickets available, so if you're interested in participating in our inaugural event, go ahead and register now! And if you like what you read and want to help us spread the word on either LinkedIn or Mastodon, I would appreciate it very much.

I'm really grateful for my organizer team being on this journey together: Claudius Link, who came up with the initial idea, and Janina Nemec, Ulrich Viefhaus and Dave van Stein, who considered it a worthy cause to work on together. I'm also grateful to all supporters along our way. We had several initial thinking sessions, for example with Tarik Kobalas, Jahmel Harris, Dan Billing and others. Several people contributed lots of advice based on their expertise, like Mathias Verraes on organizing conferences, or Raphael Albert on the legal side of things. My thanks to all of them.

We're still learning lots of stuff and we won't get everything right from the start. We observe and listen to feedback, we adjust what we can right away, and we take note of what we can do better next year. That's what makes me hopeful that we're here to stay.


Leadership Workshops

Shiva Krishnan ran his series of leadership workshops many times in company settings. A few years back, I was fortunate to participate in one of his cohorts myself and got hooked - more people needed to do this program I was drawing so much from! So I paired up with Shiva and we ran the next cohort together, until I changed companies. Thinking back, I'm still using those tools and ideas today, and still continuing to learn. Shiva and I kept in touch and thought about how we could bring this offer to the community. Talks, writings, all good but not the same. How about bringing the actual cohort idea to the community?

For a half-public first experimental community cohort, we reached out to our networks to find people who trusted us enough to get this started. We had first calls to present the workshop series, manage expectations transparently (it's a whole program after all and no small commitment), and answer any questions that came up. That alone already taught us quite a lot about what might be different for community cohorts compared to a company-internal offer.

We indeed found a great cohort of six people who agreed to join us on our journey of bringing these workshops out there. We set up foundations like a shared communication channel with folks, and clarified feasible lengths and frequencies for our remote sessions alongside everyone's work. Everyone was eager to get started and looking forward to this endeavor. All we needed to figure out now was scheduling the first workshop.

Oh my. "Just" the first time slots. We knew scheduling is not the easiest task when it comes to these workshops; we had seen that in the company setting, yet always managed to find good solutions. Phew. What can I say, we really did not expect it to be that much of a struggle. We're only eight people. And yet, all our schedules differ in ways that make it really hard to find any overlaps. Like, any. Each time we thought we had now found a solution, more obstacles got in the way. And time keeps running. We brought everyone together to solve the puzzle, we made judgement calls and a few tough decisions to make this work.

Let's see what happens with our latest option. In the end, we might need to rethink our whole approach. It's an experiment after all, and we're still learning from it even if it might not turn out the way we planned it to be. But yeah, scheduling such a workshop series when you're all working at the same company and you have the buy-in of people's managers is a lot easier. By far. We still hope there's a way that people can also benefit from the content and format of this series in the community space. In any case, we're grateful we got that far, and we definitely learned a lot which hopefully helps us in the future to bring this content and concept to a wider audience.


Security Card Game

This is probably the most relaxed of my endeavors. Martin Schmidt, Philipp Zug and I are trying our hand at, and absolutely enjoying, creating a new security-themed card game. Taking it as a deliberate practice project, we're learning a lot just thinking about it and evolving it further.

The game concept evolved quite a bit from the very first paper draft. We already played it several times with different variables and rules and gained more insights each time. We have both a game engine and a user interface to support our current ruleset, lots of cards already added, and it's honestly just providing us with a good time. It's not balanced well yet, the game goal needs refinement, and more content would help. We are currently only playing in collaborative mode all together, while having ideas for the future to simulate different company scenarios with people taking different roles to advocate for different strategies, maybe just going about their own (hidden?) agenda, or secretly sabotaging everything from the inside. Lots of potential paths - because in the end it's a game about decision making.

So, what is it about? You're employed at a fictional company. As time passes, you gain a certain number of resources available for you to invest in one way or another. Also, as time passes, more and more "oopsies" happen from a security point of view - a password got leaked, a vulnerable dependency wasn't updated, an internal website became accessible to the public. Do you close those doors to make it harder for attackers, or do you risk leaving them open for a while? At the same time, attacks are attempted by malicious actors. Sometimes they hit one of those open doors and you have to pay the price. Sometimes attackers don't find a target, or get impatient, or you just got lucky so you can counter the attack. All the while new employees need to be onboarded, security training can increase your skills, or it's just a normal day without anything bad happening. How do you make it through, and will you still have resources left at the end? And how many oopsies did you leave unattended?

Well, curious? Just give it a try yourself! Get our latest release 0.5.5 and check out the current rules to get started.

Our next step is to share this game with more people at SoCraTes - we are fortunate that we can meet there again in one week's time already. It's the place where this game idea saw the light of day in 2023, so it's going to be awesome to return a year later and play it with folks. I'm sure we'll be able to gather lots of feedback and future ideas for our game project. And hopefully people have a fun time with it, just as we do.


Snack Shop by Make-Believe Labs

Ben Dowen, Vernon Richards and I set out this year to fill a gap. We wanted to have a full-stack, open-source practice platform for all things product development. One that resembles real work scenarios closely enough, with challenges people actually face, so that gained skills could be applied. One that provides a safe space to hone all skills: development, testing, architecture, UX, infrastructure, security, accessibility, you name it. One that offers opportunities for us to make use of it in teaching and coaching situations, e.g. for conference workshops and trainings. One that we could use to showcase collaboration dynamics, from ensembles to pairs to individual asynchronous work - both in live streams as well as through the artefact trail that we're leaving behind. When working on the project, we had good fun leaving a deliberate trail at times, sometimes showing rather commendable, sometimes less ideal behavior, so we can make use of it later.

What we're building is project "Snack Shop", a client project that the fictional company "Make-Believe Labs" took on. It's based on a brief from the owners of a brick-and-mortar snack shop, who want to take their business online. Taking on various roles, we're working hard on a proof of concept system that we hope they will love.

The snack shop is composed of three services as of now:

  • A web frontend for users to interact with the shop, using React, written in TypeScript
  • A backend for frontend, often called BFF, to serve as single public gateway and orchestrator to various backend services - using the Nest.js framework, also written in TypeScript
  • A SpringBoot Kotlin backend service connecting to a MongoDB

What we're having as of now is a so-called walking skeleton. All components are running on their own and are integrated. It’s walking, and yet it’s still a skeleton. There’s a lot of work to do, and yet we can evolve it iteratively.

The first goal was to create a typical proof of concept. We started out rather well, taking deliberate architectural decisions and taking time to document them. Then we received a first due date - and the rush began! Tradeoff decisions made it in just as they would in real life. A due date works wonders in cutting corners! Okay, we did that deliberately, and yet! We see what happens. We have pull requests that were sneakily just merged without communication, we have changes that do a lot more than what they claim, we have faulty descriptions, we have long waiting times for asynchronous work, we skipped good practices like test automation, input validation, and a lot more. Well, we took on this scenario and played the roles, yet I admit I felt those feelings myself. It was fun to see patterns play out that I've seen so many times, also in myself. Indeed, a real practice project! Oh, and yes, we also had lots of good behavior and great collaboration, don't you worry about that.

What caused that due date? The good thing was we had a real one, which indeed pushed our project forward in the end. All thanks to Ben, who was invited to the Automation Advocates meetup and extended that invite to us. We chose to use our own new project and work on challenges together. In front of a live audience. For the first time. Well, the right kind of scary that really lets you grow! Not everything worked out, yet we felt we still did alright for a first time, and we learned more for potential future sessions. Because we want to do more of those live sessions. By then, the project will have evolved as well.

All in all, it's really evolving, slowly, and in waves, but steadily. And it's just fun to work on, practicing deliberately. Ben is currently preparing for his next conference workshop "Coding Challenges: Prepare for Success in Technical Interviews" for TestBash Brighton, where our project will make its second public appearance. If you have the chance, check it out! Personally, I'm already curious what he'll learn from that. Overall, I'm eager to get back to our Snack Shop once I'm on top of another topic I currently focus on. I'm happy I can be flexible to follow my energies here, plus I love that I always gain energy from our ensemble sessions.


Conference Sessions on Security

It's been a while since I started speaking at conferences. At times I look back at how many speaking engagements I already had and am both speechless and grateful. It's really been a ride so far, and I wouldn't miss it! So, while speaking at conferences is not a new thing for me, speaking officially and publicly about security topics certainly is a new contribution.

I'm very pleased to share that I am giving four different conference sessions on security topics this year. All but one are brand-new as well! I'm still in awe and very excited. Already next week the next session is coming up.

Finally taking this step that I've waited for quite some time is a big thing for me. I've paved this way since my first security pair testing sessions in 2018, diving deeper every year, and I'm quite enthusiastic about it.

That being said, it's honestly quite a lot of work. It's already a huge challenge for me to create three new conference sessions in one year on any topic, and all those in this huge area... It's a real stretch. It's scary and I'll certainly grow. It'll work out in the end, as always - and yet it's making me as uncertain and nervously excited as I haven't been in a long time when speaking at conferences.

Just recently I learned that there's even more to celebrate in this space: I got accepted for yet another speaking engagement which is not public yet. I can only share this much: a dream came true for me. I hoped it might happen next year maybe, and now it's already there. I'm still speechless it happened. And very excited!


A Lot to Reflect On

Once again, I noticed that, while I had to force myself to sit and write down all of the things above, it really helps me. Having my thoughts sorted, written out, and put out there is a relief from a perceived overdue task, it provides me dearly needed clarity, and it is going to help my future me as well when looking back on what happened and what I did over the years.

Truth be told, listing all the above feels quite good, despite the effort going into making each and every point happen. But how has it been for me in the past months? I've taken some notes for myself during this time. I wish I had taken more, yet it is what it is, and that's what I've got. I still want to persist them and show the other side of it. So here are my rather raw notes, jotted down over time, to keep as a reminder to myself.


May

I came to the realization that accountability works well for me, especially when I don't want to let others down. Yet I always prefer those tasks where I feel I gave my commitment to someone else over my own endeavors, so I'll always feel guilty. And always behind. Did I set myself up for failure? Or for learning to let go and do less?


June

I got so busy that I neglected where I get my energy from: celebrating, taking breaks, games, people conversations and feedback. I dearly needed that reminder.

Now I focused deliberately on de-stressing - and it worked! I'm already feeling a lot more relaxed.

I also re-aligned with people - I really needed this and the energy gained from it. Especially rediscovering the joy. For osco it was really liberating to make that financing decision finally and get over the hump, this allowed me to also start advertising the event again more freely. It's really hard to promote something if you don't know if it's going to take place for real.

Following my energies always served me well - just do the next thing I think of and can do right now. Taking small steps. Feeling good.

My new laptop also encouraged me to do something for the current projects, making it very easy and quickly accessible. A great side effect is having various platforms available now for testing out my projects on different setups. Also, I'm building on the energy of "this is new, I instantly want to do something with it" that I usually get from shiny new things.

Also: I'm finally writing again, journaling these notes. Well, I knew I was better at reflecting and thinking in writing! And I'm so used to writing on a laptop that's similar to my working setup - very interesting insight.

Oh, and movement and games of course! I finally did something just for myself again apart from these challenges. It's been way too long.

More sources of energy to take note of: sleep, breaks, tidying up, games, movement, emotions, focus, more intentional social media time.

Due dates help unless they get overwhelming.


July

Ben and I set ourselves a due date: until the meetup we're going all in, setting things up - but minimal in every regard! Cutting corners and taking shortcuts, like a real team will have to do if they need to present the proof of concept. We even set ourselves a code freeze a week before (editor's note: we ignored it and made changes until the day before the meetup, obviously).

I'm so glad we did this! This really pushed me to contribute and get into coding again! All my previous Jest and unit test and Angular RxJS observable knowledge came into play! Plus my new BFF knowledge, all combined - very, very useful, already proving the concept.

Today I committed lots of changes - and it only took me a couple of hours overall to figure out things I hadn't done before, very proud of myself. The last bit to add a BFF endpoint was only half an hour in the end, including everything! Probably even less.


August

Still feeling overwhelmed with all challenges although most things are more under control now - mainly the time factor is pressing on me. How to juggle all those balls I've sent into the air? I know the answer - I need to drop some and pick them up again at a later point in time. And while it doesn't feel right right now, that's okay and in hindsight it'll also feel better.

I also know I need to force myself to sit down and do things one by one. I know afterwards I will feel better. But sometimes I have to do everything else before I can actually make it happen and sit down and do the thing I'm dreading. Once I've started, it's way easier for me to keep going until things are in shape again. It's about that initial sitting down when I lack energy. Habits could help me, yet I don't have as clear ones for these in place yet. Today I had to force myself to sit down. And again, and again, as this post didn't write itself in one long session. It was still important to do.

I need to wait sometimes to have energy again. Do other things. Just watch a TV show. Dive into the Olympics. Rest as my body told me to. All while feeling that time is running, while knowing I won't get far without sufficient energy. Today I finally had enough energy to get a few things done, even though I had to push myself.

What I'm writing in my initial draft is not very coherent, yet I have to get into just writing again - I can clear things up later, even if that takes more time. First, I need to get to writing again.

Switching contexts is - surprise, surprise - draining energy. And too many tasks on different topics all having due dates drain even more. I've experienced the same here.

I originally thought of posting heavily on social media regarding updates on each single endeavor - and didn't have energy or wasn't sure as I'm not alone on any of these, and it was costing too much to align on everything. In the end I just didn't.

This year I've left out my "stop when you notice you neglect self-care" clause - and guess what? I'm not holding myself accountable. I have rarely played any games, not read much of my fiction. For physical health and strength, I often invested only the minimum although I wanted to get in better shape again this year. The most I did was watching TV shows as I wasn't able to do anything else anymore. Often falling asleep on the couch or over a book as well. Hard lesson learned: don't skip self-care, whatever it looks like for you. Ever. Life is short anyway. I need to make time for things I deeply love. Games, books, volleyball.


A Lot to Keep for Next Year

Several of my endeavors won't completely stop with my personal focus on them ending in October 2024; they will reach into next year. And yes, I already have further ideas for challenges next year (as if I haven't learned enough from overdoing it yet - I haven't). Well, I'm taking note of ideas and leaving the actual decision to the end of the year, as always. Only making a call once I have more information to make it a good call.

For this year, there's still more to do. I'm looking forward to getting over the next big hump as well. I'm sure I will. And I'm already curious what I'll write in my concluding wrap-up for this year's personal challenge of contributing in new ways.