Saturday, December 7, 2024

Agile Testing Days 2024 - Reunion for Quality

I started this post right after returning from the Agile Testing Days, yet I've only come around to finish it now. It's been yet again such a great conference with amazing folks, and it just deserves a proper blog post to share and remind my future self what it was like this year.


Monday - Arrival Day

This year, the conference started only on the Tuesday of the week. Traveling on Monday, I could already build up the usual excitement before this conference, which back in 2015 was my very first conference ever and laid so many foundations for my career. With its content, yet even more with its amazing folks and the space it created every year since. A space to bring your whole self, to explore what could be, to truly connect with people, and to grow beyond what I thought was imaginable.

Arriving at the hotel, I was greeted with a huge banner that welcomed me home. And as a returning alumna, this indeed hit home and resonated more with me than I already knew it would. It's one of my homes indeed and I'm grateful I discovered it so many years ago for myself.

Thank you ❤️💕 #agileTD


— Alex Schladebeck (@alexschl.bsky.social) November 21, 2024 at 4:13 PM

Arrival day also means meeting the first folks - including those I first met many years ago and have built strong connections with ever since. Folks like João Proença, Elizabeth Zagroba, Thierry de Pauw, Anne Colder, Vincent Wijnen, Michael Kutz, Dragan Spiridonov, and so many more. Also meeting people I hadn't had the chance yet to fully connect with, so we made up for it this year! Like Filip Hric, whom I had the pleasure to have dinner with on this first evening, and going full circle having dinner together on the last evening as well. It's been lovely to see first-timers as well and have them slowly be introduced to the wider community. Agile Testing Days can feel wildly overwhelming with everything going on, so having a chance to make things smoother for those who experience it for the first time is just great.

This evening was full of wonderful conversations over dinner, ending up in the bar, and then going to bed with a renewed sense of this community where I so much belong even though (or actually because?) I never fit in completely. Which is perfectly fine.


Tuesday - Tutorial Day

Whenever I have the opportunity to do so, I opt for taking a full-day tutorial. This year, the tutorial I chose was "Empowering Inclusive Testing: A Guide to Accessibility" by Laveena Ramchandani. I really enjoyed this training on all things accessibility. It provided foundations as well as where and how to go deeper. Laveena explained regulations, tools, and set the space for us to practice preparing for difficult conversations advocating for making our products more accessible and hence more usable for everyone. She did a great job structuring and facilitating the tutorial, equipping us with concrete actions to take back to work. Obviously, we can't solve or know everything just after a one-day training, and yet there's a lot we can take with us and start doing right away to make things better.

After the tutorial, the conference unofficially opened with the first keynote "To Heck With Your Automation Principles" by Vincent Wijnen and Paul Holland. What an entertaining start to the conference! Well presented, getting the audience to think, engage, and see how context needs to influence which heuristics to try.

Finally, time for dinner. I love that dinner groups are getting organized for everyone, not just the speakers. In my case, I did join the speakers dinner, which was lovely as always. I really enjoyed the insightful table conversations on lots of deep topics with Ash Coleman Hynie and Vernon Richards (both of whom were such a pleasant surprise to see at this conference!), Dr. Rochelle Carr, João Proença and Sérgio Freire.

#AgileTD speakers dinner. Always special!


— João Proença (@jrosaproenca.bsky.social) November 19, 2024 at 8:03 PM


Wednesday - Conference Day 1

The first full conference day was there, and with it came the full frenzy of Agile Testing Days! And also re-meeting so many awesome folks. Like Toyer Mamoojee and his whole family - Toyer has been my learning partner since 2016 (can you imagine?). Like Janina Nemec, my co-conspirator for the Open Security Conference and long-time SET playing buddy. Like Gitte Klitgaard, whose wisdom, courage, and kindness had a huge impact on me ever since I first met her here at Agile Testing Days. Here are the sessions I've joined on this day.

  • Lean Coffee by Ashley Hunsberger and Lisa Crispin. Ever since the first Agile Testing Days I've made it a tradition to join the very first day's lean coffee session. It's quite hard for me to get up that early, yet I know it's always worth it - and I still have the most energy on the first day. Once again, I had a really nice group of folks we discussed interesting topics with. If you have a chance to catch a lean coffee session anywhere, bring your topics and let it surprise you. This time I asked what other ways people have experienced working to spread information and connect people beyond communities of practice. The gathered insights: spread information to read where people are, like Google's "Testing on the toilet" initiative (that has now become "Tech on the toilet"), go on mystery lunches, offer shadowing so folks can see the actual work, publish newspapers instead of only newsletters, have a marketplace with a booth to present yourself, and use the coffee kitchen (or its remote analog), which just never gets old.
  • Keynote "Playful Leadership" by Portia Tung. Great opening keynote that people could relate to, setting the scene for the conference to play, dare something, grow with others around you, and listen to your physical responses. Very confident, authentic, and playful stage presence, love how Portia was leading by example.
  • "A Security Champion’s Journey - How to Make Things a Bit More Secure than Yesterday Every Day" by me. Just one week earlier I had given the inaugural instance of this brand-new talk at BSides Munich. This second time I had a very different kind of audience in front of me - yet was it really that different? The talk worked just as well, and I loved all the insightful conversations and new connections that evolved from it during the following days. For anybody who missed the chance, the recording of the BSides edition has already been published.

    Make things a bit more secure than yesterday every day! That would help us all! „A Security Champion‘s Journey“ - a great talk by @lisihocke.bsky.social at #AgileTD ! Thank you!


    — Jens Höft (@jenshoeft.bsky.social) November 20, 2024 at 11:26 AM
  • Keynote "Breaking Accessibility Barriers" by Laveena Ramchandani. I really liked that Laveena used the stage to raise awareness on critical issues we encounter every day, with many sites and products not being accessible for way more people than you might think - including yourself! The best part was when she let the audience feel the frustration and emotional roller-coaster of something not behaving as expected. A crucial topic very well presented!
  • Workshop "Collect your explorer badge" by Udita Sharma and me. We were honored to be asked to repeat this workshop this year after we gave it for the first time at last year's Agile Testing Days. Once again, we had an engaged group to explore this different approach to coming up with exploratory testing ideas which are easy to grasp and quick to convey to anyone else. I've had great experiences with this approach also with my own team this year, having people come up with great ideas to learn more about our product, new features, or anything else we needed more information on to make better decisions. Many thanks to Udita for coming up with the original idea for this workshop and doing it together with me this year!
  • Keynote "The Obvious, the Obscured, and the Illusion: Navigating the Noise of GenAI in Testing" by Rahul Verma. I liked the call to action to get to know tools for what they are and how you can combine them to solve the actual problems they are fit to solve. This is too often forgotten amid the hype that new technology can bring with it.

It was time for dinner. I've always had great conversations over food and drinks at conferences, this one wasn't any different. The first conference evening is also reserved for the big costume party (where everyone without costume is just as welcome, which I personally just love). Hence, we could already enjoy the amazing costumes folks came up with on the theme of time traveling. Just loved it. My special kudos go out to Anne Colder and Vincent Wijnen who came up with the brilliant idea to take their amazing costumes from last year, traveling back in time - yet having the device fail in the most curious ways including a body swap! Absolutely hilarious and ingeniously implemented.

Time travelling women! #agiletd


— Alex Schladebeck (@alexschl.bsky.social) November 20, 2024 at 7:29 PM

Then it was time for the big thing that everyone had been waiting for: "The Owl Problem", the first ever musical that Agile Testing Days (and any other conference?) has ever seen. Fully composed, enacted, and brought to life by community folks. What an amazing event, so much effort in there, so much courage! Huge shout-out and kudos to the whole crew, you've moved mountains with your performance. The whole audience was in awe of you all bringing everything you've got to the table and making it such a memorable event.

The Owl Problem @ #AgileTD ! 🦄🦄🦄🦄🦄


— Jens Höft (@jenshoeft.bsky.social) November 20, 2024 at 9:49 PM


Thursday - Conference Day 2

Next conference day, and I could already feel the tiredness in my bones. Agile Testing Days can be a lot, and no matter how easily I can advise others on taking it slow, skipping sessions, and taking the rest they need, I fail badly at following the same advice myself. Every year again. Probably because I don't regret going all in and getting the most out of it, and yet it might still not be the wisest decision I make in a year. This day, I've joined the following sessions.

  • Keynote "Technical coaching development teams using the Samman method" by Emily Bache. Loved this keynote by Emily, so many important points delivered in such a concise way. Even though I knew the Samman Method already, I've still taken new insights with me when it comes to skill building which triggered thoughts related to my own situation. Emily delivers her content in such a professional and relatable way, I just love that she took the Agile Testing Days stage and people had the opportunity to learn from her.
  • "Make a fearless start with security testing" by Sander van Beek. Sander did a great job breaking down important security concepts to provide digestible starting points for beginners to continue their own security journey from. I always enjoy learning from others how they convey such topics, and also taking sketchnotes so this kind of content can be spread further.
  • Keynote "Testing, Identity, and Symbols" by Jenna Charlton. Jenna really made me think with their keynote about my own identity, or rather identities I gathered so far in my life, and those I'm about to add to all of this. Where I feel I belong already, where not, where not yet. And where others might struggle in different ways than I am.
  • Workshop "First Steps in Mobile Security Testing" by me. My third and final session to give this year was a brand-new workshop. Probably the most daring one, definitely the most complex one I've ever given. I've had the concept in my mind for quite a long time, yet what made this workshop so difficult to prepare for that it haunted me for many months was the setup. This was meant to be a first-steps workshop for everyone who was new to either mobile, or security, or both. With an unknown audience and an unknown range of existing knowledge and skills. In just two hours of time. Well, I might write a separate blog post just on the setup part to fully grasp the extent of this, and hopefully help others find a suitable solution quicker. All in all, this workshop helped me gain insights on how I can reduce the struggles even further for folks. And despite the struggles we still had, it seems to have helped folks take their first steps in mobile security testing - and giving them this experience was exactly what I set out to do. Special shout-out to Andrej Thiele who was not only so kind to share feedback with me afterwards, but also took time to listen to me on some personal struggles I've been facing - hugely appreciated!
  • Keynote "I'm managing just fine!" by Lena Nyström and Heather Reid. Such a great presentation of such fundamental questions and situations I could really relate to. I loved how Heather and Lena weaved their own experiences and stories in, and how they delivered them by re-enacting parts of their actual conversations and the insights they gained. It triggered lots of thoughts on my own situation and decisions, what made me go this way so far, and why I opt for what I choose as my next step.

There were lots of great evening activities offered. This year, I chose to prioritize self-care and instead opted for having dinner out in Potsdam together with a bunch of folks. Sometimes, getting out, having a smaller group, having a differently loud environment, just helps. This time it was also such a good opportunity to check in with Ashley Hunsberger and Richard Bradshaw.

Returning to the conference, we've found the brilliant Sophie Kuester and the outcome of her late night snack exchange. Just loved her idea last year already to ask folks to bring special treats from their regions and have all of us enjoy each other's delicacies! Really brings people together. This year I've missed most of it, and yet still enjoyed so many of these sweet and savory explorations. Many thanks to Sophie for this amazing edition in the purest spirit of Agile Testing Days!

Hey #AgileTD friends (and if you're wondering, yes, you ARE a friend) help yourselves to the greatness that is our collaborative candy bar! #SnacksSnacksSnacks #CrewLove #SnacksAreAwesome #TummyAche #HeartBurn


— Mlle Sophie Pofie (@mllesophiepofie.bsky.social) November 21, 2024 at 11:00 PM

This was also the night when I finally had the opportunity and pleasure to spend more time with Tobias Geyer and talk a lot about things that are moving us, like what impact we have on other people's lives and the systems we live in, and what else we can do to make the spaces we're in more inclusive, using our privilege. Thanks a lot for sharing these thoughts also beyond the conference boundaries! It's a continuous effort and we all need to continue learning and unlearning.


Friday - Conference Day 3

There it was already, the last conference day. Agile Testing Days is a whole week, and at the beginning time seems to extend, we have so much of it in front of us together. And suddenly the last day already arrived and time had just flown by. In addition, the tiredness came to the forefront on this day. This year, Agile Testing Days was hosted as a hybrid event, with the main part on-site as usual, yet all the talks being recorded and streamed, plus online activities happening as well. I didn't have any energy to join online at the same time, yet I knew I could come back to sessions also afterwards. Which allowed me to make a wise decision and skip the first sessions on this day to catch at least some sleep. So here are the sessions I did participate in this day.

  • "Mistaken Identities" by Sanne Visser and João Proença. Such a deep and crucial topic, delivered in such an entertaining way. Awesome stage performance of both Sanne and João telling all the stories of how their identities got mixed up and what they tried to cope with the situations thrown at them. I loved that they used the opportunity to remind people of how quickly things can go wrong, even without bad intentions, and how the tools we have can be used for malicious purposes as well. We need to be mindful and considerate when building these tools.
  • Keynote "Diamonds in the Rough" by Ashley Hunsberger. This keynote really made me think - what fuels my motivation nowadays? I have crafted my jobs in the past, yet what job would I craft myself right now and here? What potential is still lying dormant that would really relight my fire? So many more questions, based on the research and models presented. I loved that Ashley showed both deep vulnerability and such strength on stage, what a role model for all of us to learn from.
  • "Love in Bytes: QA Engineering for Work-Life Symphony" by Toyer Mamoojee and Reumaysa Mamoojee. How often do we transfer lessons learned from one area of our lives to another? Well, in this talk I learned we should do it more often! We don't learn strategies, techniques and tools for our work context alone. Toyer and Reumaysa showcased how we can benefit from them in our everyday personal life just as well - and vice versa. The stories made the content very relatable, and the paired presentation worked out really well.
  • "Test like a developer, develop like a tester" by Filip Hric. We need more people spreading the word! I really appreciate Filip for showcasing how we don't need to have such a divide between roles in the same team when we're working on the same goal together. And how much we can learn from each other as well. Very well presented, too!

And there it was. The closing session, the many thanks and appreciations to organizers, volunteers and everyone. Final pictures, of course also with the unicorn we all shared the stage with. It was done. Such a happy sad wonderful feeling, it gets me every time.

Lots of people had left already at this point. Some people were staying around, clinging to this community spirit, not willing to let go just yet. Another amazing dinner group, enjoying awesome food together. My chance to also get to know Elizabeth Simister - loved our conversation!

Enjoying more snacks at the hotel. Having an absolute blast witnessing Elizabeth Zagroba run her by now infamous No Vehicles in the Park game with us. Having the day fade out on such insightful conversations on work places, careers, opportunities and more together with Thierry de Pauw, Toyer Mamoojee, and Janina Nemec. Many thanks to all of you.


Saturday - Departure Day

Another Agile Testing Days in the books. One that was brilliant in content. One where I once again still got the most out of the hallway track, together with all these amazing folks. One that helped me immensely in my current situation searching for a new job, exploring new possibilities. One where I gave back once again to this community I continue to receive so much from. This conference is a very special reunion for quality in all kinds of aspects. We're truly stronger together.

Me: "I really have a lot of mugs, maybe I should get rid of some..." Looks at mugs and keeps all. Gets mug in speaker gift from #agileTD Me: "ok I need one more mug" :)


— Gitte Klitgaard (@nativewired.com) November 25, 2024 at 5:31 PM

Saturday, November 16, 2024

BSides Munich 2024 - We Belong

Last year, I attended my first security conference with BSides Munich. It was an awesome experience connecting with the community. This year, it was clear to me that I'd come back as a participant. Yet when the call for papers started, I figured: why not try my chances? I dared to submit my brand-new talk "A Security Champion’s Journey - How to Make Things a Bit More Secure than Yesterday Every Day" to BSides Munich. You can imagine my joy when it was indeed accepted! So, here's my recap from this year's conference as a participant and speaker.


Workshop Day

Tickets for this conference are usually quickly gone, so I made it a point to decide on my workshops early on and then grab the tickets as soon as they went online. It worked! This time, I decided to go for two half-day workshops.

In the morning, I joined "Backdoors & Breaches: Simulating Cyber Security Incidents" by Klaus-E. Klingner. I had wanted to give the Backdoors & Breaches card game a try for quite a while, so here was my chance. Klaus started by setting the scene, describing how classic incident response simulations can be tedious and require a lot of preparation effort. In contrast, using game-based learning, like playing a round of Backdoors & Breaches, can be done very quickly and provide playful insights. Backdoors & Breaches is designed based on the tabletop role-playing game Dungeons & Dragons. Instead of a game master, you have an incident master. They choose the attack scenario that led to the incident, which the group has to figure out - how did the attackers manage to compromise the system, move deeper, maintain persistence in the system, and finally exfiltrate data? What happened? The group has procedures they can use to find out more about what happened - yet depending on how they roll the dice, they won't always succeed! There's a bit more to it, just check out the complete rules for yourself. What a fun game; it led to really insightful conversations in my group. There are expansion packs already enabling further scenarios, and you can also play it online, either using Klaus' version or the official one.

In the afternoon, I participated in the "How to Hack your Web Application" workshop by Janosch Braukmann. I really liked his introductory web app hacking challenges offering simple yet not uncommon mistakes to exploit. A really nice hands-on connection to the topic, allowing him to gauge the context of the audience just as well. It made his point very clear: don't trust anything coming from the client side, it's not in our hands. We walked through the OWASP Top 10 together and how to mitigate the respective risks. Then it was time for practice again: we got our hands on a vulnerable web application he provided for the duration of the workshop. It's usually insightful and fun to see what people find and what approaches they come up with to do so. Practice didn't stop here: how do we prevent these issues in the first place? The most effective and simplest way Janosch has seen so far are malicious user stories: user stories from a malicious actor's point of view. We then just need to flip the acceptance criteria to build an implementation that prevents the threat actor from being successful with their attempt. This can easily be done along with any usual ideation and refinement activities as part of the development life cycle that teams tend to be used to. Even though I've heard the content before, I like joining these workshops in order to get surprised by what I didn't know yet, and to learn about different approaches to convey the respective concepts and skills to folks.
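To make the two points from this workshop concrete, here is an added example of my own (it is not code from Janosch's workshop or his vulnerable application, and the order data, session store and handler names are constructed for illustration). It takes one malicious user story, flips its acceptance criterion, and shows the "trust the client" handler next to the hardened one, with a check that plays the story against both:

```python
"""Added example: a malicious user story turned into a flipped acceptance
criterion and a check that enforces it. All data below is constructed.

Malicious user story:
  "As a logged-in customer, I want to view other customers' orders by
   changing the order ID (and claimed user ID) in the request."
Flipped acceptance criterion:
  "A customer can retrieve an order only if it belongs to the identity
   established server-side; any other order ID yields 'not found',
   regardless of what the client sends."
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Order:
    order_id: int
    owner_id: int
    items: tuple


# Constructed sample data standing in for an orders table.
ORDERS = {
    101: Order(101, owner_id=1, items=("book",)),
    102: Order(102, owner_id=2, items=("laptop",)),
}

# Constructed server-side session store: session token -> user id.
SESSIONS = {"tok-alice": 1, "tok-bob": 2}


class NotFound(Exception):
    pass


class Unauthenticated(Exception):
    pass


def _parse_id(value) -> int:
    """Untrusted input: a malformed id is treated as 'no such order'."""
    try:
        return int(value)
    except (TypeError, ValueError):
        raise NotFound from None


def get_order_vulnerable(request: dict) -> Order:
    """The mistake the workshop warns about: the ownership check uses the
    'user_id' the client sent, so the client controls who it claims to be."""
    order = ORDERS.get(_parse_id(request.get("order_id")))
    if order is None or order.owner_id != _parse_id(request.get("user_id")):
        raise NotFound
    return order


def get_order_hardened(request: dict) -> Order:
    """Identity comes only from the server-side session. A client-supplied
    'user_id' is ignored. 'Not yours' and 'does not exist' collapse into the
    same answer so the endpoint does not reveal which ids are valid."""
    user_id = SESSIONS.get(request.get("session"))
    if user_id is None:
        raise Unauthenticated
    order = ORDERS.get(_parse_id(request.get("order_id")))
    if order is None or order.owner_id != user_id:
        raise NotFound
    return order


def attacker_succeeds(handler) -> bool:
    """Plays the malicious user story: Bob (session tok-bob) asks for
    Alice's order 101 while claiming user_id=1 in the request body.
    Returns True if he gets the order, i.e. the flipped criterion fails."""
    request = {"session": "tok-bob", "order_id": "101", "user_id": "1"}
    try:
        handler(request)
        return True
    except (NotFound, Unauthenticated):
        return False


if __name__ == "__main__":
    print("vulnerable handler leaks:", attacker_succeeds(get_order_vulnerable))
    print("hardened handler leaks:  ", attacker_succeeds(get_order_hardened))
```

The `attacker_succeeds` check is the flipped acceptance criterion written as a test: it belongs next to the story in the backlog, fails against the first handler and passes against the second, and keeps failing if someone later reintroduces a client-supplied identity.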

All in all, the workshops were great. Even better, this day already granted space to check in with people! It was awesome to meet Claudius Link again in person, my Open Security Conference (osco) co-organizer fellow. It's been great to re-connect with a few folks I've met at last year's BSides. And I really enjoyed getting to know Yin Yin Wu-Hanke and Lisa Aichele!


Conference Day

The day started very early for me. Being a local meant commuting to the venue, and being a speaker meant showing up at 7:30 am for the tech setup check. If you've met me, you know I'm a night owl, so this hurt quite a bit. And yet I was excited to have this opportunity at re-connecting with the community and also presenting my own content at the event. 

This conference has an amazing organizer team and so many people volunteered to help and ensure it's running smoothly. Many thanks to all of you for creating and holding this space for us! This year's main organizer was Sneha Rajguru. When she opened the conference officially, she emphasized that this event is for all of us in all our diversity, and her words stuck with me: "You belong." Last year was my first BSides. This year, I've really felt I do belong indeed. We all do. 

Overall, BSides Munich had once again a lot to offer. More than I could try out myself! A hardware hacking village, a CTF, a retro-gaming area, the sponsors exhibition, and more. I mostly focused on the talks myself, while at times taking a break to chat with folks in between. Here are the presentations I've attended.

Finally, a huge shout-out to lots of amazing people I've connected with during the day! I really appreciated meeting Van Nguyen, Clara Kowalsky, Sujaritha, Dagmar Swimmer, Morton Swimmer, Tobias Schuster, Julien Reisdorffer, Konstantin Weddige, Stuart McMurray, and Rudolf Kaertner whom I've first met at osco this year.

At the end of the day, the organizers invited all speakers to a fabulous speakers dinner where we enjoyed great food in great company. What an amazing closing for the day.


BSides Munich 2025

One thing is for sure, I'll do what I can to make it to BSides Munich next year as well! If you have the opportunity, seize it to experience it for yourself. Maybe even submit a proposal to share your own stories with the community, or offer to be a volunteer. It's been a great event once again this year and I'm happy to have been part of it.

Need more reasons to join? The recordings for this year have already been published! Have a look by taking the direct links from this year's agenda, and check out past years' recordings on the BSides Munich YouTube channel.

See you in 2025!

Wednesday, October 9, 2024

Open Security Conference 2024 - A Memorable Beginning

We've done it. The very first Open Security Conference, osco24, is over! It was a memorable event that exceeded our expectations. It's highly likely that there will be a 2025 edition.

Launching this brand-new open space conference together with my amazing co-organizers Claudius Link, Dave van Stein, Janina Nemec, and Ulrich Viefhaus was part of my personal challenge for 2024 to contribute to community in new and courageous ways. Our efforts paid off! 


The Day Before

Most of our organizer team arrived on Thursday, the day before the conference. I hadn't met everyone in a physical space yet, so it was amazing as usual to see the folks I had worked with throughout the year to make this event happen. We could explore the venue that only one of us had visited before. We had a great dinner together. We organized the last bits, managed last-minute communication with participants, clarified a few things. Not much to do anymore, we had already prepared most things upfront, including what needed to be done when we were on-site. So mostly we could just breathe and enjoy the moment, socialize and relax before everything started.


And you know what? We weren't alone at the venue! The previous conference just had their last day, and what a pleasant surprise to meet folks we already knew from other spaces. Community for the win!


Kicking It Off

Friday, and hence the start of the conference finally came. Time for last preparations! Distributing Covid tests and masks in small packages for participants to grab on arrival. Preparing stickers and cutting communication cards we brought. Aligning on last moderation details. Setting up the registration tables. Putting up all sponsor material. Creating a conference feedback wall. Adding our conference values on a flip chart. Preparing the room to ensure the welcome introduction as well as the two planned keynotes could go smoothly. And many more of all the little things.

Then the first participants arrived! Time to test out the registration procedure for the first time. Things worked well with welcoming people and introducing them to osco. They could settle down, get familiar with the venue, get some snacks and hot drinks, start initial conversations with other folks. Our two amazing keynote speakers arrived as well and could test out their setup, everything good. Our Mastodon Glacier social wall was also installed and showing live updates as people posted using the conference hashtags #osco and #osco24.

One thing we noticed at this point was that the venue's WLAN was too restrictive for our use cases. Only specific protocols were allowed so that, for example, you couldn't use ssh to pull from GitHub, or connect to certain VPNs. Well, mobile hotspots for the win - yet mobile network wasn't well covered by all providers either in the area. Definitely something to look into for next year! After all, it wasn't convenient, yet we made things work for the conference.

Before kicking off the evening, we all first enjoyed dinner together - really nice food and various options. More conversations took place, all good so far.

And then it happened: we opened the very first osco ever. All five of us organizers presented the welcome and introduction together. We explained how this conference idea became reality after the initial conversation about it back at SoCraTes 2023. We shared our core values of cybersecurity for all, inclusion, and being community-driven. Values that also represent why we invested in creating this space in the first place. We want to welcome all people who are interested in cybersecurity, eager to exchange knowledge, and keen to learn with each other. We want to get rid of gatekeeping in the industry and instead lower barriers to the cybersecurity field so people can enjoy diving deeper into it from wherever they are. Therefore, we encouraged participants to contribute to a good experience for everyone, including the code of conduct and giving examples of what welcoming and inclusive behavior can look like. I really loved seeing how one participant demonstrated visual applause (over making noise) and everyone jumped on it throughout the conference!

It was time to introduce our keynote speakers and then lean back ourselves to enjoy the presentations. I decided not to create sketchnotes this time, but instead opted for live posting during the talks for our Mastodon and LinkedIn presences. Here's what I took with me during the talks.

  • "OWASP Juice Shop 10th anniversary: Is it still fresh?" by Björn Kimminich. OWASP Juice Shop was my first real touchpoint with security testing back in 2017 so it has a special place in my heart. Can you imagine how happy I was when Björn confirmed he'll come and speak at osco? Especially for the 10 year anniversary? He even brought the Juice Shop lego tower. The keynote was awesome, leading us through the history of this intentionally vulnerable web application from back then until today and into the future.
  • "How to hack a company in one day or less" by Yvonne Johnson. I'm really glad that Yvonne agreed to give her keynote at osco. She's an experienced red teamer and gave us a glimpse into her everyday work: what they aim to achieve on an assignment as well as the approaches they take to do so. Yvonne gave a hands-on demo breaking into a system in a short time - well, it would have been even shorter if the live demo curse hadn't hit! What had worked before, done exactly the same way, of course did not work instantly when presenting. Yet Yvonne stayed remarkably calm and we could witness how she either found ways around the issues she faced, or patiently tried things again until they worked - just like during her regular work. Impressive and very insightful.


The official program being over for the day, we invited everyone to join for conversations and games in the hotel bar. Lots of folks took up the offer, they even brought some games themselves. As organizers, we checked in with each other and aligned on the last bits and pieces before the first full day of conference. The first evening went well - so far, so good.


A Full Day of Open Space 

On Saturday morning the main part of the conference started: the open space. We had asked a dedicated person to set and moderate the space for us, Pierluigi Pugliese. Which meant we as organizers could focus on the rest to create a smooth experience, and besides that, be normal participants as well.

Being the very first instance of this conference, we wanted to start small yet feasible. Therefore, we were glad that 25 people had registered for the event. As it usually goes, there were last-minute changes, so overall we were a group of 20 participants in the end. Leading up to the conference, we had worried whether that number would be enough for a good open space with enough sessions proposed and people getting real value out of it. As it turned out, we wouldn't have needed to worry at all! Even though several folks were not familiar with open spaces before, they quickly got the gist of it and enjoyed this more informal, self-designed space that gave them agency. Also, already during the first marketplace, lots of people instantly proposed sessions and the schedule filled up quickly and nicely.

The marketplace is one of several places where we could give kudos and huge shout-outs to our sponsors, who trusted that even this very first instance was worth supporting. And it's a great place for it as well! We were inspired by SoCraTes, who thank their sponsors in lots of funny ways as "ad breaks" or "commercials" in between the session announcements. It's such a fun and effective way to raise attention for those who made osco more affordable.

The first sessions started, and the first things we had missed preparing ahead of time showed - fortunately, everything could be fixed quickly and we could also start enjoying and giving sessions ourselves. Here's what I chose from the schedule.

  • "How to get people interested in just about everything (including cybersecurity)" by Felix Schnellbacher. Due to having some organizational tasks to do at the same time, I could only drop in late and had to drop out early - well, showcasing that you can indeed do so any time at an open space. What I witnessed was interesting storytelling on how to raise people's attention to important topics that are not easily digestible. A really nice match to our conference idea!
  • Hanging at the coffee bar. I had to enable one of the sessions during this slot, and also prepare for my own session. So I decided not to join any announced session and instead take a break and enjoy some tea and snacks. And I found great company there as well!
  • "A Security Champion's Journey - How to Make Things a Bit More Secure than Yesterday Every Day" by me. This was the third dry run for this brand-new talk overall, the first public one, and the first on-site. It still took longer than the conference slots I have for it in November. But besides that, things went well and I received lots of good feedback. People even stayed around for further exchange even though it meant we all arrived late at lunch. All this helped reduce my worries that I usually have with new talks - iterations for the win! Many thanks to everyone who joined and shared their thoughts with me. And huge shout-out to Janina Nemec for creating a wonderful sketchnote of my talk!
  • "Make your own Juice Shop theme" by Björn Kimminich. This app really evolved over time, it's impressive. Nowadays it has lots of additional features, like very easily being customizable. We could quickly adapt the look and feel to our own needs - an osco-style Juice Shop of course! There's lots of configuration options available to adapt the experience overall as well. 
  • "Which security tools should I know for everyday development?" by Chris. An awesome session that initiated an engaged conversation on all kinds of cybersecurity tooling. Those that a security team would use themselves, those that they could offer as a service to development teams, those that could be included in pipelines, those that you could use on demand when implementing a change. Really insightful exchange.
  • For the last session, I had planned to join one of the proposed sessions, and then the other great thing of open spaces happened: a new session emerged right in the moment. Julian Michelmann and I started talking about security culture, strategies to bring teams on board to make things more secure, challenges we face, and everything. Very interesting and appreciated!

Time flew and it was already time for the evening news. Everyone came together again and shared impressions and insights from each of the sessions so that everyone got value out of them even if they weren't there.

Finally, another short marketplace where participants offered evening activities after dinner. Speaking of dinner, I really enjoyed the conversations I had with Yvonne Johnson, her partner, Björn Kimminich, Janina Nemec, and Dave van Stein. Especially on TV shows and computer games! Oh, so much to geek out about.

Originally, I wanted to make time in the evening to finally solve a few OWASP Juice Shop hacking challenges, as Björn had set up a CTF throughout the day using MultiJuicer. Yet things happened, as they often tend to do! Further conversations were had, further topics had to be organized, and time was running out. In the end I still made space to at least try a speed run - which lasted only eight minutes, as the instance then had to be shut down already. Well, I focused on solving challenges I still remembered and managed to get four flags in those eight minutes - yet next time I'll do better at reserving the time, exploring new challenges, and also tackling them in a team. I'd really enjoy that.

The evening continued, games were played, snacks and drinks enjoyed, lots of great conversations. Challenges and opportunities, struggles and wins. What a great day.


The Closing Day

Finally, the last day of osco24 had come. I could feel it in my bones: I hadn't had enough sleep - and yet it was worth it so far. So I decided to make the best of the remaining time we had together.


Another marketplace (of course), offering two more slots for sessions in the morning. Here's what I chose.

  • "osco25" by us organizers. We wanted to gather people's ideas for a potential (and very likely) next edition of the Open Security Conference. This initiated a good exchange on what people valued and what they'd like to see differently. We were super happy to find out that we also gained further supporters for next year, be it in the core organizing team or in other ways! While we secretly hoped for it, we really didn't expect that people would proactively reach out and offer their support. We're really grateful.
  • "Mob-hacking some Juice Shop challenges you might not have solved yet" by Björn Kimminich. As I couldn't invest much time in this the previous day, I jumped at the chance that Björn offered another session. It was really insightful to go through a few of the harder challenges, figure out the path to the solution, and see the vulnerability being exploited. What an awesome way to close off.

Afterwards, we came together for a final round of sharing our insights from the sessions. We also had a chance to find folks we hadn't been in contact with too much during the conference and share with them what we aim to do until a potential osco25. We had the space to find people and thank them directly for whatever impact they might have had on us. This was a nice addition to the physical kudos cards that we had provided throughout the conference, and that people had made good use of. I had received a few myself, and I could give out further to other participants. Physical kudos cards are such a valuable form of feedback that you can literally take with you. Another lesson I had learned from SoCraTes.

And that was it. The open space was closed. Everyone helped clean up the rooms, which turned out to be straightforward and quick. We sat down for a final meal together before one after another started their journey home.

Really tired and really happy, with a heart full of gratefulness, I said my last goodbyes as well and started my own way home. Reflecting on everything that happened, I felt content. Most things went very smoothly, there were only a few minor hiccups that could be corrected quickly, people gave constructive feedback, overwhelmingly positive support, and in general validation for the space we set out to create. Huge shout-out to my amazing organizer team, our wonderful sponsors, and especially the participants who put trust in this idea - you are awesome. This was great. Way better already than expected. I have lots of hopes for osco25.





Tuesday, September 3, 2024

SoCraTes 2024 - A Community to Grow With

It's been my third time at SoCraTes this year. I'm very grateful that the organizers invited me as trainer once again, enabling me to come and experience this wonderful community event. It's been a blast. I've met lots of folks old and new, and enjoyed both casual and deep conversations. It was a pleasure exchanging experiences and knowledge. I've had a safe space to practice deliberately and hone my skills together with like-minded folks. Everyone growing, everyone at their own pace, everyone together.


Arrival Day

On the final leg of the trip to Soltau there are usually the first conference folks to meet. Perfect time to ease in and brace mentally for lots of peopling the next days. This time I had a really nice chat with Martin Schmidt and Juke Trabold, catching up on all things.

Once arriving at the hotel, more reunions were to be made. You could feel that everyone was excited it's finally this time of the year again, full of hope that good things will happen. Also, this conference takes inclusion seriously, and a big part of that are health concerns. They require on-site testing for Covid before even entering the hotel. Once cleared, we settled in and prepared for the first dinner together.

For conferences, I really enjoy meeting fewer folks at a time by arriving earlier than most people. It really helps me manage my load and have more quality time with folks. This night especially with Thierry de Pauw, their son, and Jana Fuerchtenicht - loved our conversation! And it was so good to see Micha Kutz again.


Training Day

SoCraTes is an unconference at heart. For three years now, they have offered an additional training day with a more classic structure to provide foundations and to ease new folks' way into the open space without knowing the exact program beforehand. I assume this also helps with selling the event to their companies, especially if they never had the opportunity to experience the magic of such an unconference before.

Personally, I'm very grateful that I got invited as trainer for the third year in a row. And this time with another topic that's dear to my heart: security! It was the premiere for my brand-new workshop "Secure Development Lifecycle Applied - How to Make Things a Bit More Secure than Yesterday Every Day".

But first things first. In the morning, I joined Marit van Dijk's "Code Reading" session. Now, this wasn't a new topic to me, as we both are in the same code reading club. That being said, it's always good to practice this skill - we read code way more often than we write it! Thanks to exercises from Felienne Hermans it's fascinating to learn more about your own understanding and mental model of code you read, no matter in which programming language, and especially what other people around you perceive and think. Also at SoCraTes, this session was a blast! Loved how people engaged and shared their own interpretations and pieces of knowledge which really helped figure things out together. There's always something new to learn in these kinds of sessions. If you want to learn more about this whole topic, Marit offers a whole page of resources on reading code that's worth checking out.

Next up, I joined Thierry de Pauw's training on "Trunk-based development for regulated environments". Very relevant to me as I'm working on a regulated product at my current company. I've had the pleasure of reading lots of Thierry's excellent articles on the topic, like "The Practices That Make Continuous Integration" or the "On the Evilness of Feature Branching" series. The beginning of their training already resonated a lot with me. Thierry shared how often organizations conflate their approach to regulations with "regulation" - which is not the same thing at all! They pointed out that what folks mostly want to see is "do you do what you say you do", and the more rigorous ones add to that "get two people to look at it" and "have an audit of what happened". Thierry showed throughout their training how regulation and continuous integration principles aim for the same thing: risk reduction. They also emphasized that the deployment pipeline has three purposes: every part of the process is visible, it improves feedback, and it empowers teams. We also had the opportunity to craft our own pipelines using Emily Bache's pipeline game and a scenario as constraint. Lots of great conversations emerged from that!

Finally, it was time for my own training. Lots of people joined, more than I hoped for. It's always exciting to give a workshop for the first time at a conference, you never know if things will work out regarding the general concept - while the audience will always differ. I'm thankful to my dear InfoSec colleagues Tarik Kobalas and Honey Susan Kurian for their input which helped me improve the workshop before this first edition. Based on the feedback received from participants, I can say it went well! People enjoyed their time learning about threat modeling, secure coding principles, security testing approaches, and how we can detect malicious activity on our production systems. I'm already looking forward to the next opportunity to give this workshop.

After the trainings ended, it was dinner time. Loved the conversation with Michelle Avomo and her partner. It was a pleasure to reconnect with Claudius Link and Janina Nemec, two of my fellow organizers for the upcoming Open Security Conference, an idea that started at last year's SoCraTes. Playing the game SET together, of course! Just before that, we had a nice world café session as the official opening to the main conference. Three rounds with different groups of people, exchanging what brought us to SoCraTes, what this conference means for us, how we widen its impact. I met lots of first timers this way and we had a good time together.


Open Space Day 1

After a wonderful introduction to the open space and its principles by the amazing Juke Trabold, the first marketplace started and people began to queue up to share their session ideas and build the program together. Once again, it quickly became clear: there will be tons of interesting sessions, and I will only get to see a fraction of them. That's the beauty and the pain of any multi-track conference, yet for big open spaces like SoCraTes, it's showing even more. On the bright side of things, there will be sessions for everyone, no matter which topic, format, or experience level. We can all grow and learn from each other. 

Here are the sessions I've joined. If you're interested in what other sessions had been offered this year, check out the schedule.

  • "Priorities, Priorities, Priorities" by Yorgos Saslis. So many things compete for our attention and claim to take priority - so how to decide what to do next? This challenge resonates a lot with me as it fits the experience of nearly all the teams I've been on, and never so much as in my current team. In this session, people came together and shared their approaches of gauging what to tackle first, what's the most valuable thing right after - and to communicate accordingly and manage expectations. Wardley maps were brought up to help decide what to build ourselves and what not. An approach that stood out to me were business decision records - basically architecture decision records (ADRs) for business to document the reasoning of decision making at that time. If circumstances changed since then, we know more clearly if we can change the decision as well. The cost of delay was mentioned to help prioritization; I like to think of opportunity cost yet costs like this should be considered as well. People reminded each other that value is not always money, enabling or unblocking another team provides value as well.
  • "Making better decisions as a group" by Tobias Mende. After thinking about prioritization, this seemed a fitting session to continue with. Tobias gave a dry run of his upcoming new talk around collaborative decision making. I really relate to him sharing that poor decision making is costing companies a lot - seen that too many times when we sunk too much time and effort into a feature that didn't return the value we hoped for before pivoting (sunk cost fallacy, anyone?). But how can we make better decisions, together? From the options presented, two stuck out for me: consent with integrative objection handling which focuses on said objections, and systemic consensing which brings forward the resistances of various levels that exist within the group. Tobias encouraged us to make decisions smaller, safer and more often - I can't agree more.
  • "Security card deck game" by Philipp Zug, Martin Schmidt and me. It was time to present our security card deck game project to a wider group, for the first time! Where better to share this than at SoCraTes, the very place the idea originated at? We were stunned at how people showed up to see what we created so far. Philipp presented the background of the project. Martin demoed a first round - and we already received so much valuable input and lots of ideas how to evolve the game further. The crowd seemed to like the idea a lot, it was really encouraging to see such interest. We are also happy to have gained a new contributor in Julian Michelmann and are curious where the game will end up by SoCraTes 2025. Stay tuned!
  • "Capture the flag together - Security Testing" by me. I had already given this session at SoCraTes 2023, which made lots of enthusiastic folks show up and led to many fun follow-up sessions throughout the conference. Therefore, I was eager to bring this session to this year's edition just as well. I hoped to find again like-minded folks to practice security testing in a collaborative setting. You can imagine how happy I was when lots of people showed up once again, some from last year, lots who had not joined before. We had good fun practicing on Hack The Box!
  • "Baba is you" by Marco Emrich and Michel Grootjans. A few days ago, someone had mentioned a game to demonstrate and teach the mechanics and practices of ensembling, aka working on the same topic, same place, same time, same computer together. That game is Baba Is You, an endearing puzzle game that I can only recommend trying out yourself. It's been interesting to watch group dynamics unfold as the ensemble tried to work effectively together and solve the puzzles.

Dinner time! Yet beforehand, it's time for folks to announce what sessions they offer for the evening. Because the conference doesn't end as long as people don't let it! Lots of fun options were presented from playing boardgames, doing sports, learning Rust, solving coding katas, to whatever you can imagine. Well, SoCraTes 2023 taught me that I love doing capture the flag exercises in a collaborative setting, and that I find lots of enthusiastic people here to join me. My afternoon session confirmed that once again, so I offered to do even more of this in the evening. I was stunned how many people joined the evening edition, even a lot more than in the afternoon! We had such a good time. Just as last year, it got late! We didn't care, it was a blast.


Open Space Day 2

The second day started, another marketplace took place, offering even more awesome sessions to join. I took it slower in the morning and allowed myself to be kind and not join the first slot, yet rather engage in conversations, and prepare for my first session as facilitator.

  • "Smart Workshop Setups (Pull)" by me. A pull session in an open space is where you ask folks for their expertise, knowledge, or help on a topic you'd like to learn or a challenge you're facing. In this case, I decided to pull for support on smart setups for technical workshops, especially if it requires a more complex setup while folks might not be able to prepare a lot in advance. How to make these workshops as accessible and welcoming as possible so people can quickly get to a working setup and focus on the actual practice content? This is especially relevant for my next workshop on "First Steps in Mobile Security Testing"; my original setup idea unfortunately does not work out anymore, and while I have ideas how to make it work, I was curious what other folks would suggest. Lots of great ideas were gathered! I'm grateful for people taking time. I'll ponder more over them the coming weeks and might share more after said workshop. For now, let me say that pull sessions are awesome.
  • "Next Level Spring Boot for Hipsters with Kotlin" by Chris Welcz. It's always interesting to see what tools, libraries and approaches other folks use. In this case Chris demonstrated his usage of Kotest providing convenient test structuring and property testing capabilities. He also showed his preferred mocking library Mockk. You can find examples in his hipster-tdd and kotlin-beer repos. Good input to consider for the Snack Shop project I'm collaborating on!
  • "Passion Personality Test" by Gabrijela Hladnik. Models are flawed, and some can be helpful - especially to reflect about oneself. That's how I see personality tests as well - flawed, sometimes helpful. Gabrijela presented the personality test from Clarity on Fire around different passion profiles and how it helped her. This was the starting point for a very insightful conversation about personality tests as such. How much do we box ourselves in? Are labels we put on ourselves helpful? Why shouldn't we use tests to categorize others? How can companies misuse these kinds of tests? Which tests have scientific research as background, what are the driving motivators behind them, and especially what systems of oppression do they foster? Lots of food for thought.
  • "Securely saving passwords" by Fabian Blechschmidt. In one of my capture the flag sessions we came across the topic of rainbow tables, which inspired Fabian to give a talk on passwords and ways to store them. A great session to recap hashing algorithms, rainbow tables (of course), salting and peppering, and key derivation functions. Always good to brush up on foundations!
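As an added illustration of the foundations that session recapped (this is example code written for this page, not material from Fabian's session or from the conference), the following Python sketch puts the pieces next to each other: an unsalted fast hash that a precomputed lookup table cracks instantly, versus a per-user salted, deliberately slow key derivation function (scrypt from the standard library) with an optional server-side pepper and constant-time verification. The candidate password list, the scrypt cost parameters and the storage format are all constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: a tiny stand-in for a rainbow table's input set.
# A real rainbow table is a space/time trade-off over the same idea: hashes
# of likely passwords computed once, reused against every unsalted database.
COMMON_PASSWORDS = ["123456", "password", "letmein", "qwerty"]


def unsalted_sha256(password: str) -> str:
    """The anti-pattern: fast hash, no salt, same input -> same output everywhere."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_lookup_table(candidates) -> dict:
    """Precompute hash -> password once; afterwards every lookup is O(1)."""
    return {unsalted_sha256(p): p for p in candidates}


def crack_unsalted(stored_hex: str, table: dict):
    """Returns the password if the stored unsalted hash is in the table, else None."""
    return table.get(stored_hex)


# Demo cost parameters (assumed for this example; tune to your hardware budget).
# Memory used by scrypt is roughly 128 * r * N bytes, so N=2**14, r=8 is ~16 MiB.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_LEN = 16
KEY_LEN = 32


def _derive(password: str, salt: bytes, n: int, r: int, p: int, dklen: int, pepper: bytes) -> bytes:
    # The pepper is a secret kept outside the database (e.g. in a KMS or env var).
    # Prefixing it to the password is the simplest construction; HMAC(pepper, password)
    # as the KDF input is a common alternative.
    return hashlib.scrypt(pepper + password.encode("utf-8"), salt=salt, n=n, r=r, p=p, dklen=dklen)


def hash_password(password: str, pepper: bytes = b"") -> str:
    """Fresh random salt per password; the parameters travel with the hash so they can be raised later."""
    salt = secrets.token_bytes(SALT_LEN)
    key = _derive(password, salt, SCRYPT_N, SCRYPT_R, SCRYPT_P, KEY_LEN, pepper)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${key.hex()}"


def verify_password(password: str, stored: str, pepper: bytes = b"") -> bool:
    """Re-derive with the stored salt/parameters and compare in constant time."""
    try:
        scheme, n, r, p, salt_hex, key_hex = stored.split("$")
        if scheme != "scrypt":
            return False
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(key_hex)
        candidate = _derive(password, salt, int(n), int(r), int(p), len(expected), pepper)
    except (ValueError, TypeError):
        # Malformed record: refuse rather than raise, and never report "matched".
        return False
    return hmac.compare_digest(candidate, expected)


def salted_hashes_differ(password: str) -> bool:
    """Two users with the same password get unrelated records, so no shared table helps."""
    return hash_password(password) != hash_password(password)


if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    print("unsalted 'letmein' cracked as:", crack_unsalted(unsalted_sha256("letmein"), table))
    record = hash_password("letmein", pepper=b"server-side-secret")
    print("stored record:", record)
    print("verify correct:", verify_password("letmein", record, pepper=b"server-side-secret"))
    print("verify without pepper:", verify_password("letmein", record))
    print("same password, different records:", salted_hashes_differ("letmein"))
```

The point of the `$`-separated record is that the cost parameters are stored alongside the salt: when hardware gets faster you raise N for new hashes and rehash existing ones on the next successful login, without a migration that needs the plaintext.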

This concluded the open space part of the conference. It's traditionally closed with a retrospective. We had a really great conversation in our group, with lots of highlights and lots of things we'd like to see improve - and how we as participants can help improve them. Especially for an unconference, participants are essential to co-create the conference. This means that participants are also responsible for creating a safe and inclusive space and taking care that everyone gets that safe space to contribute if they want to. We collected various ideas for how we can do so better. These ranged from how to notice that I am overtaking a conversation and should shut up to give space, to ways to navigate a dominant conversation among few people and open it up to the rest of the room, to options to indicate to the whole group that space is lacking and we're currently not hearing everyone who might want to contribute.

Dinner time again, and then - who would have guessed - capturing even more flags together! Yes, as evening session hosted by me. And once again, folks came and tackled a fun challenge together. We built on the knowledge and approaches we learned about the day before, we tried a lot of things, got closer, got stuck, took hints, moved forward - and in the end found the flags. What a learning journey! A late night one as well again, yet so much worth it. Many, many thanks to everyone who participated, it was a real blast. Can't wait for more of these sessions next year!


Workshop Day

The last day arrived way faster than expected - time is flying at conferences like these. Traditionally, the last day is the workshop day, where people offer hands-on sessions of various lengths throughout the day. Already being very tired, I skipped the marketplace - I knew which session I wanted to go to this year anyway: the Code Retreat, hosted by Janina Nemec and Micha Kutz. I ended up arriving late, and already felt bad when entering the room seeing all tables being full and everyone being deep into the first exercise. Huge kudos to Janina and Micha for welcoming me in, recognizing my struggle and going to lengths to make me feel it's okay to stay and still join in. That mattered a lot to me and helped calm my brain down. Micha arranged a new table and offered to pair with me (thanks so much!) - until even more folks joined, and space was made for them as well.

Time to focus on practicing hands-on together in pairs. We tackled the challenge of Conway's Game of Life, which can be solved in countless ways so you will always learn something new in each round. Programming language, approaches, modeling, communication, and so forth. Always using TDD, and usually having additional constraints to consider each round. Always deleting the code at the end of each round and starting all over again with the next pair. There's a lot to learn about oneself as well in this exercise! In our case, we were given the constraints of strong-style pairing, then we were allowed at most one level of indentation, then we tried it as an ensemble, and finally the rules changed. In my last rounds, I was part of a small ensemble together with Janina Nemec and Hadrien Mens-Pellen. I loved it as we brought up any misunderstandings as they arose, clarified them instantly, and aligned quickly on the way forward - super effective! We also made use of the Code Retreat card deck designed by Janina, and we pulled the card to use Object Calisthenics as our constraint during these rounds. Overall, I can really recommend joining code retreats; no matter which level of experience you currently have, you can take a lot with you from them.

To add to this: We were all really, really tired. That alone can teach a lot of lessons about ourselves, and how we cope with stressful situations then. Each round was challenging in its own way, one was especially challenging for me emotionally. I for one learned again that kindness, respect and consideration go a long way - for each other, and also for oneself. Very grateful to both Janina and Micha for granting us this space!

After the code retreat ended, many people had to leave the conference while some like me stayed until the next morning. We were all tired, so we decided to break things up a bit and get some fresh air. We went on a short walk in the beautiful moor surrounding the venue, visiting the famous Heidschnucken, moorland sheep from northern Germany. I was glad to get the chance to see them this year as I've missed out on them the last two years.

We had dinner, we had more conversations. People decided they still had the energy to come together for a round of lightning talks - some of them short like lightning, some rather ending up as longer thunderstorm sessions. All of them great! We learned about IntelliJ IDEA's AI assistant from Marit van Dijk, how cognition principles apply to software from Corstian Boerman, how things that start in noise get organized over time from Martin Schmidt, and about the power-law distribution and Adam Tornhill's work detecting it in code from Christoph Kober.

Even more tired, we decided to play What Beats Rock - which stuck with us for the rest of the evening until we finally called it a day.


Departure Day

Last chance for final conversations and final goodbyes. Everyone super tired, everyone very happy. The post-conference blues was being held off a bit longer while chatting on the train. More ideas were exchanged, plans for next year made. Until we finally had to part, taking a lot with each of us from this wonderful community space.

My head is energized due to new inspiration and ideas what to try. My heart is full of connections and the community spirit we experienced. My soul is calm thanks to the validation received through feedback and kudos cards, and smiling thanks to all those folks for whom I wrote kudos cards myself. Physical kudos cards are such an awesome concept! I'm ever grateful for each person who took the time to write a kudos card for me this year, you really make this conference even more special to me, and I can't even tell you how much your card means to me.

Next year, this conference will be a month earlier than usual. I plan to be there. Looking back at what happened between each SoCraTes instance I've been at since 2022, all the good stuff, all the growth, all the strong connections - I'm already curious what will happen until 2025.