Monday, January 6, 2025

Calm and Steady as She Goes

Personal challenges serve me well as my themes to focus on in a year and grow with them. It's that time of the year again to reveal what I'm setting out to do in 2025!

As it turned out in the past years, my brain already starts thinking about the next year's big challenging scary endeavor before finishing up the current one. To enable myself to keep going and completing that first, I'm taking notes for next year whenever any thought pops up. And as usual, I share these raw notes for my future self, mostly unedited. Here are those I took during 2024.

Consider security certificate as next year challenge (as I want to start speaking at security conferences, and grow into security related jobs, or just be taken seriously, or just prove it to myself)

Just reading books - catching up on all

Start a capture the flag (CTF) team, finally

Maybe just continue new contributions anyway - at least 3 of them will continue overlapping into 2025

Definitely include fun activities and self-care, like games, books, volleyball and fitness, just rest, and more - was way too few this year

Focus on the fun in learning (while continuing ongoing 2024 endeavors)

  • fun: gamify things (participate in 1 CTF)
  • frequent: deliberate regular practice as a habit (including CTF teams, solo puzzles, programming exercises, etc.)
  • foundations: learn theory for conceptual foundations, e.g. using flashcards, for “prove and show yourself” situations, potential interviews, and certifications (do 1 security related certificate to validate yourself and increase your market value)

Theory and practice: a flag a week, a cert a year - security first, development second

Journal

Fun, practice, theory - integrated in everyday, leaving space, in this priority

Focus on new job

Practice and theory, emphasis on fun. Security and development. Only constraint: 15min on anything every day, computer games every week.

Have two buckets, do one of each every day - depending on energy that day:

  • security or development, play or theory (CTF, book, flashcards, kata, build, ...), alone or with others
  • joy for self-purpose and care: play (not casual), draw / paint, read fiction

Make use of what works even on bad days: habits and streaks

Be mindful of other tasks and commitments: conference speaking, work, open security conference (osco), leadership workshops, card deck game, accountability partnership

Build in system so I can't automatically fall back on the exact same easiest thing every day

Blog every week what I learned, allow myself to post in bullet points only to still learn in public and share insights, also for my future self

Idea from Tobias Geyer for keeping myself accountable regarding self-care: accountability buddy :)

You'll notice duplicates and different formulations of roughly similar ideas. I usually just add notes as I go on purpose so I see how my thinking evolved over time. Also, some ideas I've listed in 2024 had been overhauled and outdated by reality in the meantime. For example, I don't need to prepare for my entry in a security role and related interviews any longer, I already had to do them without said prep - and I made it! I'm still so grateful. Certificates would still be useful of course for market value and some seem to be actually useful regarding their content. Maybe something to head for the year after.

That aside, looking at my notes, can you see the red thread showing up for 2025 already? The things that repeated in my head over and over? I see it and yet I need to write it down and formulate it out. Why? It helps me get down to the core challenge, forces me to structure those thoughts into a clear hypothesis and allows me to check in with myself from time to time to see how I'm doing and hence keeping myself accountable. This way I can also make it public, which again holds me accountable in a different way. And another one is to have a learning partner to check in with from time to time (thanks for being there, Toyer Mamoojee!). Or maybe multiple, e.g. one per topic or realm, and why not? Whatever works. I'll figure out what will work for me this year.

 

The Challenge

What is the actual challenge for me this year? Well, this one needs some background and explanation.

I got challenged throughout my career, even life, regarding what I'm doing, what I'm not doing, or not doing enough of it, or not be enough, or be too much, and whatever. Be it the evergreen "you're not technical (enough)" while certain people will keep moving the respective goalpost just for the sake of gatekeeping and keeping me busy and preoccupied with trying to reach an unreachable goal, no matter how often I've proven I am indeed technical. And where I'm not yet, I'm capable of becoming more technical. It doesn't stop with this classic, though. I've also heard "you're not your job" a lot of times. While in general I agree, this one stings just as well, given how much I enjoy tech and work on a variety of tech-related things in my non-work time. My identity is manifold and at the same time parts of it are indeed deeply rooted in my job. I'm fine with it. I'm super privileged to love what I do for a living and gain a lot from it for the other parts of my life. 

There are more challenges like these two examples. I've actively invested in unlearning my people-pleasing tendencies for some time now. It's hard. On bad days, I fall back to old behavior patterns. On some days, I get past them without feeling overly selfish. And yet they come back to me time and time again. My inner critic is very trained on getting loud whenever I might disappoint people and their expectations of me. No matter how conflicting they might be (hence setting me up for failure), or whether I concur at all in the first place. I don't want this inner fight anymore that costs so much energy and focus when it's not needed (there are valid topics where the inner critic is a very useful mechanism, it doesn't exist without a purpose).

I want to set out to calm these inner voices that are especially strong in moments when I feel dumb, that I'm not knowing my own craft well enough, or that I'm not being allowed to enjoy my craft no matter my current abilities. I've once again had quite a few of these moments in 2024, like during a code retreat at a conference, in a work situation with a former teammate, and more. They sting, they hurt more than they should, and I take them to heart way more than is helpful. They linger in my head and take up way more space than they deserve instead of me just acknowledging that this happened and moving on. Instead of just building on the countless positive indicators that I am going my way the way I do and it's fine like it is.

One particular case when my inner critic gets too loud is the following. Whenever other people use specific terminology related to what they're doing, e.g. techniques, patterns, strategies, you name it - my brain struggles to remember what it was about. That doesn't happen for things I've been most used to as I've had plenty of opportunity to practice over the years, let's say "exploratory testing". But if someone says "dependency injection" I'm beating myself up for not instantly being able to provide its exact definition even though I've also had plenty of touch points and made use of this concept over and over myself. And that's what's nagging me: my inner critic shouting "I'm blanking out, but I should know, I should be able to explain!" and certain outer critics pointing out "see, I told you you're not technical". While at the same time knowing that first, there are lots of folks who don't judge me for it. Second, I've just not had the same opportunity to learn and practice certain concepts compared to others who focused on it. And third, my brain and body need a lot of repetition to memorize anything, I've learned that already in my childhood. So now I could do lots of different things; I could keep whining about it, I could stop bothering, or I could give myself more opportunities based on my specific needs and calm those voices. For 2025, I'm choosing the latter.

A dear community friend told me that haters gonna hate - whoever wants to put me in any corner will do so. No matter what I do. I can only control what's in my realm, which is my own inner critic demanding to prove myself to myself and others. Therefore, I need to focus on myself.

That is exactly what makes this challenge scary for me. It's about facing my inner demons and taking action instead of just letting them roam around. It's about focusing on me and not on what the rest of the world tells me or I assume they would tell me. It's working on myself. My last challenge of 2024 was very outward facing, contributing to community. This one is contributing to myself.

One more thought. Going back to my previous challenges, a whole lot of them are about gaining confidence. To speak on stages. To go deeper into coding. I also have a whole talk on gaining technical confidence. See a pattern? Even after 15 years in tech I'm still seeking that inner and outer peace of a calm mind. This year it's on. On my own terms, in my own ways, I'll find a way to become calm enough. Never jump to perfection, right? Just continuously do steps to become better. And calmer.


My Needs

This year, I took additional time to reflect on my new challenge, goal setting, and especially my own needs. Here are a few things that really helped me gain further clarity.

  • Cosima Laube shared a great technique, the "W.I.N. manual" (W.I.N. = What I Need). She asks to note down our answers to a few questions. The core one is "What do I need to do well, enabling me to be the best version of myself?" Daily, weekly, monthly, a few times a year? And lastly, what are things that are not helpful at all, that drain my energy? This exercise doesn't take long, doesn't have to be overly comprehensive, and yet reveals a lot of insights. For me my needs are focused around taking care of my body and brain, managing my cognitive load, giving myself calm space and time where I can think, taking continuous tiny steps. Allowing the pieces of the puzzle that I pick up as I go form a picture over time. Giving myself joyful and playful moments. My energy drainers and detractors revolve around pressure: due dates, social expectations (or my interpretation of them), allowing myself to be pulled in other directions, my ambition setting myself up for failure and getting angry at myself for it, my brain trying to puzzle out incompatible input and getting stuck, my body alerting me on neglected needs or even forcing me to stop.
  • This reflection made me remember an exercise I had done already in 2023, thanks to a dear former teammate who worked on making our company's work environment more accessible. She introduced the idea of creating an "inclusivity passport" to gain clarity on our own needs and offer a way to communicate those of them that we want to share with our colleagues. It asked us to think through our needs when it comes to touch, vision, hearing, speech, cognition, and anything else. It was immensely helpful for me and I gained further insights about myself. For example, I found myself listing most of my own needs in the cognition category. Here are some excerpts, that are especially relevant for my personal challenge: "I need time to think without too tight constraints. I can only focus on one thing at a time. If my cognitive load gets too high, I literally won't be able to think at all anymore, everything slows down to a halt. I can get very anxious, hence I'm trying to keep myself in a calm place as much as possible - that's where I do my best work and in general am the best human I can be. Hands-on repetition helps me learn new things."
  • I have a magnet board at home. Over the years, I just added to it, leaving whatever was there before. A few days ago, I decided to redo it, and look what I came across as reminders from my past self: "Calm is a choice". "Sometimes we need to stop to be able to think". "Energy is limited". Yep, so very fitting. 
  • Last week, I happened to listen to a podcast with Brook Schoenfield where he dropped a few gems which resonated heavily with me. Let me incompletely paraphrase some core points here: "Keep listening. Just because you don't know what's going on doesn't mean your brain won't get enough of the background over time to begin to reveal the form. Don't be in a rush, let it happen, it takes a while (unless you're naturally predisposed). For us mere mortals we gotta wait and do the time, eventually it takes form."
  • Mark Techson posted a video on how to nail the goals you set yourself. He asked three questions. First, what was holding you back in the past from getting this done? Well, for me it was often no action just talking, plus investing time in other things that drained my energy and capacity - basically not keeping space for this and especially my own needs. Second, what do I stand to gain if I actually hit this goal? What's in it for me? My response was peace of mind, calmness, the "I got this" feeling, confidence. But also less worry, less anxiety etc. over things that are not worth it. Gaining back control over my own mind and the things I have in my own hands. Finally, what do I stand to lose? Phew. My self-belief, confidence and trust in myself. Hence, all the things I could do and have impact on where I need exactly that. Control over my life as I allow other people to dictate it.

Listing all these needs and thoughts and seeing them right in front of me, I realized that these are all things that I have in my own hand. Phew... I can literally gain back control and choose to be calm and slow and steady. Or whatever else is helpful in the moment.

Last year's challenge was very fruitful and yet turned out to be very stressful as well. This year, knowing there will also be a lot going on in life in general, I want to take it slower. Because that's what my brain and body really need. As ambitious as I am, I want to start taking things in ways I can take them best. Slowly, steadily it is.


The Hypothesis

I believe that learning in ways that fit my own personal needs, every day for just a bit, combining theory and practice, will soothe my inner critic, and allow myself to focus on the joy of (re)discovering knowledge and skills while holding space for whatever else I want to use my time for during the year. 

I've proven the hypothesis when my inner critic focuses on their original task again to alert me on actual concerns, and I've had a good time with what I learned and worked on.


The Experiment

I like to keep my hypotheses on a higher level, rather overarching and generic while crisp enough, yet I also yearn for concrete details that will guide me on my first steps and also help with evaluating the hypothesis in the end to prove or disprove it. Here's the tangible experiment I have in mind to test the above hypothesis.

  • The learning topics pay into application or cloud security in some way. Narrowing things down a bit should provide focus while still being broad enough to provide plenty of flexibility to see where my energy is going.
  • It's completely up to me whether I go for theory or practice on any day, as long as both parts are represented every week.
  • For theory, I'm going for systems that helped my brain learn back in formal education - like using flashcards to memorize terms and definitions. I acknowledge that I need repetition first before I grow understanding.
  • For practice, there are lots of options to choose from, like capture the flag challenges, developing a practice project, contributing to open source, building tools for myself, and so on. These can be very temporary throw-away projects or things that have long-term value. Anything counts as long as I apply my knowledge and practice deliberately.
  • To support my brain, I build a habit of doing something every day. Can be as tiny as a 1-minute effort or as big as spending hours. Just something to do and focus on. It doesn't have to bring me further and I don't have to make any perceivable progress of sorts.
  • Every week, I check in with myself if what I'm doing brings me joy. As simple as that. If yes, great, keep going; if not, I change one thing and then see the following week whether this improved the situation or I keep experimenting.
  • I take note of moments when my inner critic gets loud again on things where there's no need. I just take note, there's no need for further reflection (it'll happen anyways without myself forcing it in). I just acknowledge this happened.

To capture the last two, and maybe also my basic needs, I'll probably start journaling again. I might or might not blog about what I learn as well. I think in writing, so stuff like that really helps me. I'll figure out what works, I can make up my mind any time during the year.


The Timeline

I'm officially starting my challenge right after publishing this post. I keep it running for at least 4 weeks. I'm stopping at the latest at the end of October 2025. This time it's a hard stop wherever I will be at that moment in time, there's no prolongation. I might stop any time beforehand whenever I see it's not helpful, or causing me a miserable time.

This year, I've tried a few things out already before posting this. See what might work, set up a basic structure to start with. Weighing a few things in my mind, see how it feels. Not overdoing anything, as whatever I come up with should also fit in a very busy day. Experimenting a bit upfront just helped me formulate this challenge.

 

The Hashtag

Why is a hashtag or tag line important to me? This is how I refer to my challenge in my own mind. It's also how I describe it to others, so it helps to make it descriptive, crisp, and concise. It took me a while to figure out a good one for this challenge yet it was crucial to gain further clarity of its core. Sometimes it's about trusting the process and believing I'll get there. 

After trying out lots of different variations, I settled on #CalmAndSteady. That's the phrase my mind kept coming back to. It already sticks. I can just as well let it stick. Yes, I'll be learning stuff as I go. Yet the core is all about me and how I approach things and how I respond to things. It's about which system and space I create for myself, catering to my own needs and caring for myself. Calm is about grounding myself, finding that inner peace and quiet, freeing myself from anger and anxiety where possible. Calm my inner worries and give me back the time and energy to focus on what's important to me. Calm that critic. Steady is about keep on keeping on, taking tiny step by step. Not overdoing, not jumping to perfection, just consistently keeping at it. Progress and growth will follow.

I wanted to formulate things positively, so "calm and steady" works. It also works for other parts in life. For example, I really want to get healthier again while my body reminds me of my age every day. I need to take it a lot slower than many years back, and not rush at all; otherwise, I'll have to pay a price and be even more patient with myself again. So yes, this year is a "work on myself" year. Calm and steady includes that patience that I'll need with myself to wait until pieces come together and fall into their places. It also includes that peaceful inner state of mind that keeps me enabled to act, no matter what else might come on the outside. I'd very much like that. Especially given the state of the world.


Anything else?

Oh, there will be plenty of "elses" throughout the year! Lots of things will happen. Life itself, a new job, a new role, conference speaking, sports, games, books, travel, friends, family, the world, whatnot. 

This challenge is intended to fit neatly into life and still be helpful. Let's see how it goes. Off I go!

Friday, December 27, 2024

2024 - What a Wild Ride

At the end of each year, I sit down to look back and take account of the past year in writing. I've made it my own tradition to help myself acknowledge all the things that happened during the year, especially any achievements of sorts.

I started the year with lots of hope of great things to happen (they did), lots of challenges to tackle (that sentiment nailed it), lots of joy on the way (not as much as hoped for), and lots of energy replenished (phew... nope). The year was an unexpectedly wild ride and it really drained my energy reserves. The good news is that I'm ending the year on a very positive note with a lot of hope for the future. The struggles paid off and I'm grateful for my past self that I've pulled through.

Dear future self, here are my accomplishments of 2024.

  • My sixth personal challenge of courageous new community contributions really took off, took quite a toll, and was still so much worth it. I've helped bring lots of things to life: a whole new conference, a practice app, a card deck game, a leadership workshop series - and I've given conference sessions on security for the first time. It's been massive and I've dedicated a whole separate post on closing the challenge, so I won't repeat most things in detail here.
  • One thing I will indeed repeat, as it was a true #AchievementUnlocked moment for me: I've spoken at my first security conference this year, BSides Munich! Super grateful for this opportunity, and it came at a perfect time right when I kicked off my job search, for which this specific speaking engagement paid off even more. One interviewer shared they watched the recording and liked it (phew, yay!). My future manager was sitting in the talk (I can't make this up)! When it comes to the community, this talk helped me make further connections. For example, I had a call with a new acquaintance to exchange inspiration and ideas to evolve a security champion program further. I got invited to participate in university research around DevSecOps. And you can imagine my surprise when I discovered my very own talk being referenced in Katilyst's security champion newsletter that I had subscribed to earlier this year! Mind-blowing. By the way, in case you'd like to hear about how my work as security champion evolved over the last years, check out the recording.
  • I've had 12 speaking engagements this year, which makes it overall 103 since I've started out in 2017. Crossing the threshold of over 100 gigs is definitely something to celebrate! Looking at conference sessions alone, I've given 8 sessions at 6 conferences in 3 countries this year. In all time, that makes it 48 sessions at 27 conferences in 12 countries. I really have to count and see these numbers for myself, I'm still in awe that I really did all this. My past self wouldn't have believed me one bit.
  • Including this one, I've written 10 blog posts this year. This number still surprises me as I remember that next to everything else going on this year, there was little to no time left at all for writing. A pity, as I do think in writing, and I do write this blog for myself in the first place, for sharing in the second. Maybe there's more space for it in 2025, I'll see it when I'll do that year's review.
  • My main social media platforms this year had turned out to be still Mastodon in first place, followed by Bluesky (especially after the recent wave of folks joining). Instagram surprisingly landed in third place (being a lot better than I ever expected it to be). My LinkedIn presence grew as well. It's by far not my favorite platform to consume content, yet it has its very own purpose for career networking endeavors. Overall, I'm grateful for everyone out there posting meaningful content over the course of the year that made me think, made me read, made me listen, made me learn. I'll continue curating my own feeds hoping to pay it forward.
  • I've invested in a few other community endeavors over the year as well. Like continuing my accountability and learning partnership with Toyer Mamoojee, security pair testing sessions with Peter Kofler, joining a few code reading club sessions (unfortunately a lot less than I had hoped for). I've also had several calls and even on-site meetings with other dear community friends over the year, with us sharing on various topics ranging from learning cybersecurity, to startup ideas, to community dynamics, to anything and everything that moves us.
  • At work, this year was a wild ride as well. My team and I had a tough time deciding on all the incoming requests and their actual priorities, and catered as best we could to those with highest importance given the circumstances. Compliance of all kinds was a big topic, too. We had several incidents which allowed us to learn how our system could fail in new and surprising ways and implement respective mitigations. Lots of tricky data migrations to get right. Quite some team fluctuation as well, people leaving and coming. In the end we were a smaller core team still doing our best to keep up with occurring demands from all sides, and getting our valued legacy product back in shape. Given the circumstances, we've mostly smashed it. Well, until things changed completely.
  • Me, my team and lots of other colleagues had been laid off due to the company's business pivoting. I'm very proud of my team, of the sound culture we've built and fostered for us, how we showed up for each other over time, and how we even in the moment when everything came to an end celebrated what we had and gave each other feedback along our ways. Kudos to everyone! We really had a good ride together. It's never nice to go through layoffs, and yet it's actually been surprisingly good to get laid off as a whole team, just having it end together at this moment in time. It's been like a band-aid being ripped off. Based on our talks, we all preferred this option over a slower and potentially more painful end, like getting chipped away at and dissolved over time.
  • My amazing network really stepped up in words and action, spreading the news of my unexpected job search, sharing opportunities, making connections. This kind of invaluable sponsorship, plus me putting a lot of effort into a high intensity search, plus my personal challenge endeavors (again building on my network) this year, allowed me to find a new job within 6 weeks, contract signed within 8 weeks. I have to write these numbers down for my future self, and even for my present self as I still can't believe this happened so fast, especially given the current market. Closing everything just before the end of the year. And not just finding just any job but one that I really, really want. And on top of that, a role change that I hoped for in the next years to come. Now it's already here, and I'm so ready for it. I've witnessed the magic of "one door closes and many other doors open" before, yet this year this phrase took on a whole new meaning for me.
  • This year's personal challenge was all about new community contributions. Here's a new work-related contribution that I didn't foresee beginning of the year. From next year onward, I'll continue my path as a security engineer. When looking back at the kinds of contributions I've done this year and how many had security at their center, it does make a lot of sense, though. I just thought it wouldn't come to it that fast. There will be many more new challenges awaiting me on this next part of my journey, and I bet a few well-known ones as well. I honestly can't wait.
  • It feels like a milestone in my career to get this new role and hence opportunity to explore next year. A dear community friend helped me put up a mirror for myself: she said all this is not coming suddenly for me. I've been building this up over many, many years, the knowledge, the network, the path for myself. Lots of little building blocks all over the place providing the foundation for this next step that now has a big meaning. It's been about persistence, continuously moving forward, little by little. About pushing myself also in times I didn't feel like it, like just right after the layoffs that came at a time when I just wanted to breathe and rest. She heard me saying how tired I was all over the year. She's been celebrating this huge step for me, it's all coming together. I'm very grateful for having such dear friends offering reflections in times I really need to see them. And she's been right: the compounding effect of all the little things I've done in my career is indeed real, and very impactful now for me. I'm grateful for my past self pushing through.

Here I am. It's the end of the year again. It's been once again helpful for me to look back and see all of the above. Now I'm already super curious what my review for 2025 will look like!

Tuesday, December 17, 2024

Contributing in New Ways - Finding Closure among New Opportunities

Finally, there's time and space to close my personal challenge of 2024 by looking back at what happened and what I learned from it. Setting out beginning of the year, I had the following hypothesis.

I believe that contributing to communities in new, courageous ways will add value to the communities I'm part of and grow my own knowledge and skills. I've proven the hypothesis when...

  • I have contributed in three new ways,
  • other people engaged with these contributions, and
  • I have learned three new things from each.

Little did I know just how much this turned out to be true! Here are the new kinds of courageous community contributions I've done during the year and what I learned from them.

 

Open Security Conference (osco)

What was it about? Launch an open space security conference together with Claudius Link, Dave van Stein, Janina Nemec, and Ulrich Viefhaus. We set out to create a people-centered international gathering for everyone interested in cybersecurity, aiming to remove gatekeeping and barriers where we can to make security more accessible. The idea of the Open Security Conference (#osco) was born.

How did it go? There are so many things going into organizing a conference, let alone launching a whole new one. We had to make a few hard decisions on what to do for this first instance already, and what to park only for later editions if that first one proved our concept. The biggest trouble we had, though, was a topic we didn't have on our radar at first that we completely underestimated. For a few months, the whole conference was on the edge as we had to solve the problem of handling money without having any organization (yet). This took us nearly to a halt, until we figured out a way together with our amazing venue to have all money-related topics, including sponsoring, go through them. Having made it over that big hump, we actually made the whole thing happen: the first ever Open Security Conference (#osco) took place on October 4-6 in Rückersbach, near Frankfurt/Main in Germany! We had two amazing keynotes to kick off the event, followed by the open space as main part of the conference. We worried if things would work out with a small first group and were very relieved that people really enjoyed it. Read for yourself how the first osco went! People raised a lot of interest in an #osco25, so we can already confirm that we will have a second edition in 2025. We even found five more organizers to grow it further, we're very grateful for their trust and support. Currently, the whole organizing team is on a break to recharge energy, so our website is still in the state of 2024. Yet if you're interested, you can already save the date of 2025, October 2-5 for our second edition! Follow us on social media, Mastodon and LinkedIn, to get all latest updates once we're regrouping next year.

Which three things did I learn for myself?

  1. Investing in creating an inclusive space from the start pays off. More often than not, this vision needed us to go the extra way. While we're keenly aware of what we're still lacking (plus the things we're not aware of yet), we received really good feedback that the effort and positive impact was noticed and appreciated - it was so much worth it.
  2. It is invaluable to have a mid-sized and diverse enough group to get a big endeavor off the ground. While it wasn't always straightforward what the most effective solution to a problem right now was, we managed to play to the strengths of our different personalities and experiences in the end.
  3. Having regular and frequent opportunities to reflect on how we're doing and trying out different approaches is crucial. This applies to any group you're working with. We postponed our retrospective to after the conference, while it would have really been worth doing them a lot earlier and regularly throughout the year.

 

Security Card Game

What was it about? Create a security card game together with Martin Schmidt and Philipp Zug. This idea has its origins at SoCraTes 2023 where I brought the topic of security to the conference and loved seeing lots of folks engage, like Martin and Philipp who invited me to their idea to create a game for fun and practice. 

How did it go? We have the main concept, a constantly evolving set of rules and deck of cards. Thanks to Martin, we also have a way to play the game remotely; who knows if we'll also turn it into a physical card deck at some point (it would be great, wouldn't it?). In any case, we hope to bring it to open space conferences and the world. Check out our Security Card Game GitHub org in case you want to follow along, and make sure to read Martin's SecCardGame post to get a first impression of the game. Having played it a few times, we were keen to present it to others at SoCraTes 2024. To be frank, we were positively overwhelmed by all the folks coming to our session, showing lots of interest, and providing concrete feedback for us. We also found a new contributor to evolve the game further with!

Which three things did I learn for myself?

  1. Early and fast feedback is invaluable. Not a new learning in itself, and yet it turned out to be just as true in this space as well. We made it a point to try out the gameplay and different rules early on and continuously, without investing development time when it wasn't needed. This really paid off! Same as showing our rough and raw game already to the public without polishing it.
  2. Sometimes it's just fine to contribute in one way only. For example, for this card game I've mostly focused on the content of the cards, instead of the actual implementation. It was something I could do in between everything else, and it still helped as asynchronous contribution until we met again - when we could think of all kinds of things and ideas while being together.
  3. A little, relaxed, non-stressing, fun side-thing is a really nice side-thing. This initiative was the least stressful of all the things I've worked on throughout the year. We had set ourselves up for a great pace, continuous yet not overbearing, things moved further, not much investment was required in between, I really looked forward to our little sessions. It's nice to have things like this on the creative, energy-providing, playful side.

 

Project Snack Shop

What was it about? Build a full-stack open-source practice platform as an ensemble with Ben Dowen and Vernon Richards. We were taking the roles of the employees of the fictive company "Make-Believe Labs", taking on "Project Snack Shop" for a customer who wants to digitalize their well-running snack shop business by offering an online shop. This was intended as an as realistic as possible practice platform for all kinds of development activities. From our own vision, to the actual project offer and context, to the first proof of concepts, to team agreements, to design documents, to architectural decision records, exploring walking skeleton options with code, and more. 

How did it go? This had been a fascinating endeavor I really wouldn't miss. It's been both fun and challenging to mimic the described scenario and act accordingly. Sometimes taking on certain roles we knew we wanted to play on, like team dynamics and patterns we've observed. Wait, did I just commit a change without telling anyone (he-he-he)? Was that commit message omitting quite a big relevant change? And more! Not everything is publicly shared, but you can follow our main Snack Shop repository to see the latest state. I really appreciate having a project from scratch where we can try things out, do some things properly, do some things in quick and dirty ways, leave some problems in the system intentionally while discovering others as we evolved it. We also had planned to bring this more to the public in the sense of webinars or streams, getting ourselves even more out of the comfort zone. Ben managed to get us a webinar where we could use our little project to work on specific challenges that are likely to get asked in an interview situation. This was a big driver for us to evolve it just to that stage where we could do the session. Afterwards, we all lacked the time to drive our snack shop much further, yet it'll always be there to work on as a nice practice playground which is closer to a real work situation already by its setup.

Which three things did I learn for myself?

  1. Building things allows me to use skills I have, yet rarely have opportunity to hone. At the same time, doing so really boosted my confidence that I indeed can figure things out. 
  2. Sometimes you have to build it yourself. There are so many practice apps out there for all kinds of purposes, it's wonderful. What we were aiming for, though, was rather unique, and I'm still not aware of any similar project. Especially doing it as an ensemble taking on different fictive roles and leaving trails and artifacts as it could be! 
  3. Constraints can be really helpful to evolve a thing further. The webinar due date helped us massively to invest time for real, make tough calls on what to leave out, and have the thing shippable. While it's nice we don't have any pressure on the project anymore, now it's lying dormant. Constraints can really be liberating.

 

Leadership Workshops

What was it about? Offer Shiva Krishnan's and my leadership workshop series to the community. This program proved to be valuable to lots of people in the past, and it definitely helped both of us grow immensely. Finally, the time had come to spread the word further and transform our workshops to an open community offer. This year we wanted to try it out with a small cohort.

How did it go? For this first community proof of concept, we decided not to have public registrations, yet to build on our networks. We thought if this goes well, we can plan for more afterwards. We tried to think of lots of things needed to bring these existing (and continuously evolving) workshops to the broader audience, like tools, communication channels, and more. We found lots of interested people. We hosted Q&A sessions to answer most frequently asked questions right away so everyone knew what to expect and what they would sign up for, especially given that this is a series of six workshops with quite some time investment required from participants. What we didn't expect was that all of the above was quite fine for folks, yet the real struggle was hidden in our vastly incompatible schedules! It took us a very long time, staying patient and trying lots of different approaches, to figure out the slots for the first two workshops. Especially as we had to split these workshops up into smaller parts, given that it wasn't happening during working time, but in addition to work for everyone. We're really happy that we found a small cohort of four people who stayed enthusiastic and dared taking this journey with us. The first two workshops are completed, four further ones will take place next year. While we originally aimed to complete all six this year, we're glad we can still do this and learn from fresh community feedback to evolve them further and hopefully bring more value to community.

Which three things did I learn for myself?

  1. It's hard to live up to your own values and leadership beliefs yet the impact of doing so matters. Especially when you give workshops on exactly this topic. Leading by example most often means not taking the easy route and finding ways that work for people while staying true to what you preach. It's been worth it big time, and I'm glad people now have a space that fits and continues to adapt to all of our needs.
  2. Community editions can be different to work sessions in unexpected ways. This turned out to be very true when having people co-create the space instead of just proclaiming a date and leaving it up to people whether they can join or not. Scheduling is a hot topic also in work contexts, especially across different roles and departments at the same company. The fact that we're working for very different companies in different modes, with very different private lives and personal needs as well, made our schedules even more diverse.
  3. Make the decision, especially when it's difficult. Originally, we wanted to start with a cohort of six people. Small and doable, while still viable. We had to make the tough decision to reduce the group to four folks to make it work at all, and communicate it accordingly. This was no easy decision at all, and at the same time the outcome shows us that it seems to have been the right decision in the end. We have a great group of engaged folks where the whole concept really works for everyone.

 

Conference Sessions on Security

What was it about? Give conference sessions on security. Ever since I've had my first pair testing sessions on security in 2018 I've been diving deeper into the area each year. I've given several sessions in company settings and at open spaces. This year it was time to extend my conference speaking to security topics and hence contribute in new ways in that space as well. 

How did it go? At the beginning of the year, I felt I could at least try to submit security-related proposals to some conferences. It would already be worth daring the mere submission and learning from it. And then it was actually working out, way more than expected! The Software Teaming Online Conference gave me rather free rein, so I made use of it and hosted an ensemble session to Capture the Flag Together: Security for Everyone, co-facilitated by Lisa Crispin. This idea was based on sessions I've given many times at various open space conferences and at work as well, so I was on familiar ground to start with. Then Agile Testing Days accepted both of the new security sessions I've dared to submit! Hence, two brand-new sessions, the workshop First Steps in Mobile Security Testing and the talk A Security Champion’s Journey - How to Make Things a Bit More Secure than Yesterday Every Day had to take place. And then SoCraTes also came and asked me to give a training again this year - maybe I could do something about security? I was so happy when I read their message, it seems all the security related sessions I gave at last year's SoCraTes had really caught their interest. So I decided to create yet another new workshop that would fit well as a foundational training: Secure Development Lifecycle Applied - How to Make Things a Bit More Secure than Yesterday Every Day. Overall, these four different security-focused sessions had been accepted by conferences, and I was very excited about these opportunities. Yet another highlight was to come. Encouraged by all this, I dared to submit my brand-new talk to my first security conference ever, BSides Munich - and it got accepted for their main stage! Speaking there was definitely one of my biggest achievements unlocked for this year. There's a recording of this inaugural talk which makes me even happier. And as it goes with speaking at a conference, it also helped me massively to get further connections in the security space.

Which three things did I learn for myself?

  1. It's worth daring to share what you've already learned on your journey. A lesson I've re-learned for myself. You never know who's going to be in the committee or audience, it might just be a great fit. And you don't have to wait to be in an exact role, position, time at life, or whatnot to start sharing. It will help you gain confidence and a clearer understanding of the topic as you need to convey it in approachable and digestible means.
  2. Sometimes, the answers are already within you. I've learned this the hard way: just because you've seen a workshop setup play out nicely, doesn't mean you can replicate it that easily. My mobile security workshop haunted me for months, not because of the content, yet due to the complex setup that I needed to break it down and make it as accessible to beginners as possible. I've asked lots of people at the conferences I've been to how they would tackle it and gained lots of good hints and tips. And yet, in the end, none of these really solved my problems. Instead, the answers were already within me, I just needed to build up the confidence to remember all the pieces of the puzzle that I've already worked with throughout my years in tech, and bring them together in a way that it solved this one. And indeed, once I had gathered further confidence, I managed to figure everything out. Even during the workshop when I still needed to debug a few things live. It worked, and I can use this to ground myself in what I actually know and trust myself more.
  3. Putting yourself out there on stage creates so many new connections and hence opportunities. Again, not a new learning, yet a re-validated one. Especially my new talk helped a lot with this, initiating lots of interesting conversations already at the conferences and also afterwards on social media. It also led me to having a dedicated call to talk about security champion programs and how to overcome struggles with someone I unfortunately missed at the conference, yet was lovely to meet online! Connections with like-minded folks are just invaluable. This talk even helped my job search - that I wasn't even aware was needed when daring to submit the session in the first place. Lots of good came out for me so far from giving back to community.

 

Running out of Capacity

Obviously, there were more ideas for even further new contributions to community this year. Creating my own capture the flag (CTF) team, contributing to an existing open-source project, maybe even really start writing a book. I'm glad I held back with these. First, there are further years to come. Second, well... taking on this challenge to contribute in manifold new ways was already filling my schedule to the rim.

So, what did I learn overall? That this year was wild. It was a constant hamster wheel. Having work being very stressful as well did not help at all. Private life was okay, though not that easy to navigate either. Overall, it was wildly too much and I really need a break now. I could have chosen a break in between at any time, yet it would have meant letting a lot of people down, including myself - so there's little to no surprise that I didn't take any break. Yet I'm looking back at a year when I neglected most of my pure self-care activities like playing computer games (only picked it up again this month), reading fiction books (lay dormant for months as well), drawing (I remember I did it once during this year for a gift and that was about it). All of these bring me a lot of joy, and that source of energy became non-existent. At least I still invested a bit in exercising, yet as I'm doing team sports it would have also meant letting others down so of course I didn't cut short in this area. Well, it really helps my own health, so I'm still happy I didn't. But the big personal lesson for me here, for a year that I intentionally set out with "energy & joy" as my motto when that was exactly what I lacked most, is that I must not repeat this. Whatever I do next, for any challenge, I need to build in self-care once more deliberately. Otherwise, I'll trick myself, just as I did this year.

The second big lesson? Each of these new contributions could have been a personal challenge of the year. Cramming them together in the same year meant I had less focus on each of them, and over-committed myself, hence putting artificial self-made stress on myself when life was already stressing me out enough without me adding to it on top.

One more final lesson: anything you say yes to means you have to say no to something else. I'll have to see what other endeavors that I used to do are those I have to say no to next year, as many of the above community contributions are to be continued in 2025 - they don't just simply stop now. At the same time, I need the capacity and freedom to also go new ways and have actual slack time.

 

In Conclusion

My 2024 personal challenge is hereby officially closed. Looking at all the things I've worked on this year as part of it, I can definitely confirm that I have contributed in more than three new ways this year, that other people engaged with each of these contributions, and that I have learned at least three things from each.

I'm very grateful for all my co-conspirators in all of the endeavors described above. Without you all, my pieces alone would not have completed the puzzles we were working on together. Many, many thanks to everyone! 

This year's personal challenge to contribute in new ways had been quite a heavy one for me, and yet it helped me set myself up for good things to happen in 2025 - and I'm here for it!

Saturday, December 7, 2024

Agile Testing Days 2024 - Reunion for Quality

I started this post right after returning from the Agile Testing Days, yet I've only come around to finish it now. It's been yet again such a great conference with amazing folks, and it just deserves a proper blog post to share and remind my future self what it was like this year.

 

Monday - Arrival Day

This year, the conference started only on Tuesday of the week. Traveling on Monday, I could already build up the usual excitement before this conference that back in 2015 was my very first conference ever which laid so many foundations for my career. With its content, yet even more with its amazing folks and the space it created every year since. A space to bring your whole self, to explore what could be, to truly connect with people, and to grow beyond what I thought was imaginable.

Arriving at the hotel, I was greeted with a huge banner that welcomed me home. And as a returning alumna, this indeed hit home and resonated more with me than I already knew it would. It's one of my homes indeed and I'm grateful I discovered it so many years ago for myself.

Thank you ❤️💕 #agileTD

— Alex Schladebeck (@alexschl.bsky.social) November 21, 2024 at 4:13 PM

Arrival day also means meeting the first folks - including those I've met many years ago the first time and we've built strong connections ever since. Folks like João Proença, Elizabeth Zagroba, Thierry de Pauw, Anne Colder, Vincent Wijnen, Michael Kutz, Dragan Spiridonov, and so many more. Also meeting people I haven't had the chance yet to fully connect with, so we made up for it this year! Like with Filip Hric, whom I had the pleasure to have dinner with on this first evening, and going full circle having dinner on the last evening as well. It's been lovely to see first-timers as well and have them slowly introduced to the wider community. Agile Testing Days can feel wildly overwhelming with everything going on, so having a chance to make things smoother for those who experience it for the first time is just great.

This evening was full of wonderful conversations over dinner, ending up in the bar, and then going to bed with a renewed sense of this community where I so much belong even though (or actually because?) I never fitted in completely. Which is perfectly fine.


Tuesday - Tutorial Day

Whenever I have the opportunity to do so, I opt for taking a full-day tutorial. This year, the tutorial I chose was "Empowering Inclusive Testing: A Guide to Accessibility" by Laveena Ramchandani. I really enjoyed this training on all things accessibility. It provided foundations as well as where and how to go deeper. Laveena explained regulations, tools, and set the space for us to practice preparing for difficult conversations advocating for making our products more accessible and hence more usable for everyone. She did a great job structuring and facilitating the tutorial, equipping us with concrete actions to take back to work. Obviously, we can't solve or know everything just after a one-day training, and yet there's a lot we can take with us and start doing right away to make things better.

After the tutorial, the conference unofficially opened with the first keynote "To Heck With Your Automation Principles" by Vincent Wijnen and Paul Holland. What an entertaining start into the conference! Well presented, getting the audience to think, engage, and see how context needs to influence which heuristics to try.

Finally, time for dinner. I love that dinner groups are getting organized for everyone, not just the speakers. In my case, I did join the speakers dinner, which was lovely as always. I really enjoyed the insightful table conversations on lots of deep topics with Ash Coleman Hynie and Vernon Richards (both of whom were such a pleasant surprise to see at this conference!), Dr. Rochelle Carr, João Proença and Sérgio Freire.

#AgileTD speakers dinner. Always special!

— João Proença (@jrosaproenca.bsky.social) November 19, 2024 at 8:03 PM

 

Wednesday - Conference Day 1

The first full conference day was there, and with it came the full frenzy of Agile Testing Days! And also re-meeting so many awesome folks. Like Toyer Mamoojee and his whole family, who's been my learning partner since 2016 (can you imagine?). Like Janina Nemec, my co-conspirator for the Open Security Conference and long-time SET playing buddy. Like Gitte Klitgaard, whose wisdom, courage, and kindness had a huge impact on me ever since I've met her first here at Agile Testing Days. Here are the sessions I've joined on this day.

  • Lean Coffee by Ashley Hunsberger and Lisa Crispin. Ever since the first Agile Testing Days I've made it a tradition to join the very first day's lean coffee session. It's quite hard for me to get up that early yet I know it's always worth it - and I still have most energy on the first day. Once again, I had a really nice group of folks we discussed interesting topics with. If you have a chance to catch a lean coffee session anywhere, bring your topics and let it surprise you. This time I've asked what are other ways to spread information and connect people beyond communities of practice that people experienced working. The gathered insights: spread information to read where people are like Google's "Testing on the toilet" initiative (that now became "Tech on the toilet"), go on mystery lunches, offer shadowing so folks can see the actual work, publish newspapers instead of only newsletters, have a marketplace with a booth to present yourself, and use the coffee kitchen (or remote analog) which is just never getting old.
  • Keynote "Playful Leadership" by Portia Tung. Great opening keynote that people could relate with, setting the scene for the conference to play, dare something, grow with others around you, and listen to your physical responses. Very confident, authentic, and playful stage presence, love how Portia was leading by example.
  • "A Security Champion’s Journey - How to Make Things a Bit More Secure than Yesterday Every Day" by me. Just one week ago I've given the inaugural instance of this brand-new talk at BSides Munich. This second time I've had a very different kind of audience in front of me - yet was it really that different? The talk worked just as well, and I loved all the kinds of insightful conversations and new connections that evolved based on it during the next days. For anybody who missed the chance, the BSides edition's recording had been published already.

    Make things a bit more secure than yesterday every day! That would help us all! „A Security Champion‘s Journey“ - a great talk by @lisihocke.bsky.social at #AgileTD ! Thank you!

    — Jens Höft (@jenshoeft.bsky.social) November 20, 2024 at 11:26 AM
  • Keynote "Breaking Accessibility Barriers" by Laveena Ramchandani. I really liked that Laveena used the stage to raise awareness on critical issues we encounter every day, with many sites and products not being accessible for way more people than you might think - including yourself! The best part was when she let the audience feel the frustration and emotional roller-coaster of something not behaving as expected. A crucial topic very well presented!
  • Workshop "Collect your explorer badge" by Udita Sharma and me. We were honored to get asked to repeat this workshop this year after we've given it last year at Agile Testing Days for the first time. Once again, we had an engaged group to explore this different approach to come up with exploratory testing ideas which are easy to grasp and quick to convey to anyone else. I've made great experiences with this approach also with my own team this year, having people come up with great ideas to learn more about our product, new features or anything else we needed more information on to make better decisions. Many thanks to Udita for coming up with the original idea to this workshop and doing it together with me this year!
  • Keynote "The Obvious, the Obscured, and the Illusion: Navigating the Noise of GenAI in Testing" by Rahul Verma. I liked the call for action to get to know tools for what they are and how you can combine them to solve actual problems that they are fit to solve. This is too often forgotten over the hype that new technology can bring with it.

It was time for dinner. I've always had great conversations over food and drinks at conferences, this one wasn't any different. The first conference evening is also reserved for the big costume party (where everyone without costume is just as welcome, which I personally just love). Hence, we could already enjoy the amazing costumes folks came up with on the theme of time traveling. Just loved it. My special kudos go out to Anne Colder and Vincent Wijnen who came up with the brilliant idea to take their amazing costumes from last year, traveling back in time - yet having the device fail in the most curious ways including a body swap! Absolutely hilarious and ingeniously implemented.

Time travelling women! #agiletd

— Alex Schladebeck (@alexschl.bsky.social) November 20, 2024 at 7:29 PM

Then it was time for the big thing that everyone had been waiting for: "The Owl Problem", the first ever musical that Agile Testing Days (and any other conference?) has ever seen. Fully composed, enacted and brought to life by community folks. What an amazing event, so much effort in there, so much courage! Huge shout-out and kudos to the whole crew, you've moved mountains with your performance. The whole audience was in awe of you all bringing everything you've got to the table and making it such a memorable event.

The Owl Problem @ #AgileTD ! 🦄🦄🦄🦄🦄

— Jens Höft (@jenshoeft.bsky.social) November 20, 2024 at 9:49 PM

 

Thursday - Conference Day 2

Next conference day, and I could already feel the tiredness in my bones. Agile Testing Days can be a lot, and no matter how much I can easily advise others on taking it slow and skip sessions and take the rest you need, I fail badly at the same advice for myself. Every year again. Probably because I don't regret going full in and getting the most out of it, and yet it might still not be the wisest decision I make in a year. This day, I've joined the following sessions.

  • Keynote "Technical coaching development teams using the Samman method" by Emily Bache. Loved this keynote by Emily, so many important points delivered in such a concise way. Even though I knew the Samman Method already, I've still taken new insights with me when it comes to skill building which triggered thoughts related to my own situation. Emily delivers her content in such a professional and relatable way, I just love that she took the Agile Testing Days stage and people had the opportunity to learn from her.
  • "Make a fearless start with security testing" by Sander van Beek. Sander did a great job breaking down important security concepts to provide digestible starting points for beginners to continue their own security journey from. I always enjoy learning from others how they convey such topics, and also taking sketchnotes so this kind of content can be spread further.
  • Keynote "Testing, Identity, and Symbols" by Jenna Charlton. Jenna really made me think with their keynote about my own identity, or rather identities I gathered so far in my life, and those I'm about to add to all of this. Where I feel I belong already, where not, where not yet. And where others might struggle in different ways than I am.
  • Workshop "First Steps in Mobile Security Testing" by me. My third and final session to give this year was a brand-new workshop. Probably the most daring one, definitely the most complex one I've ever given. I've had the concept in my mind for quite a long time, yet what made this workshop so difficult to prepare for that it haunted me for many months was the setup. This should be a first steps workshop for everyone who was new to either mobile, or security, or both. With an unknown audience and an unknown range of their existing knowledge and skills. In just two hours of time. Well, I might write a separate blog post just on the setup part to fully grasp the extent of this, and hopefully help others find a suitable solution quicker. All in all, this workshop helped me gain insights on how I can reduce the struggles even further for folks. And despite the struggles we still had, it seems to have helped folks to take their first steps in mobile security testing - and giving them this experience was exactly what I set out to do. Special shout-out to Andrej Thiele who wasn't only so kind to share feedback with me afterwards, yet also took time to listen to me on some personal struggles I've been facing - hugely appreciated!
  • Keynote "I'm managing just fine!" by Lena Nyström and Heather Reid. Such a great presentation of such fundamental questions and situations I could really relate to. I loved how Heather and Lena weaved their own experiences and stories in and how they delivered them in re-acting parts of their actual conversations and their insights gained. It triggered lots of thoughts on my own situation and decisions, what made me go this way so far and why I opt for what to be my next step.

There were lots of great evening activities offered. This year, I chose to prioritize self-care and instead opted for having dinner out in Potsdam together with a bunch of folks. Sometimes, getting out, having a smaller group, having a differently loud environment, just helps. This time it was such a good opportunity to also check in with Ashley Hunsberger and Richard Bradshaw.

Returning to the conference, we've found the brilliant Sophie Kuester and the outcome of her late night snack exchange. Just loved her idea last year already to ask folks to bring special treats from their regions and have all of us enjoy each other's delicacies! Really brings people together. This year I've missed most of it, and yet still enjoyed so many of these sweet and savory explorations. Many thanks to Sophie for this amazing edition in the purest spirit of Agile Testing Days!

Hey #AgileTD friends (and if you're wondering, yes, you ARE a friend) help yourselves to the greatness that is our collaborative candy bar! #SnacksSnacksSnacks #CrewLove #SnacksAreAwesome #TummyAche #HeartBurn

— Mlle Sophie Pofie (@mllesophiepofie.bsky.social) November 21, 2024 at 11:00 PM

This was also the night when I finally had the opportunity and pleasure to spend more time with Tobias Geyer and talk a lot about things that are moving us, like what impact we have on other people's lives and the systems we live in, and what else we can do to make the spaces we're in more inclusive, using our privilege. Thanks a lot for sharing these thoughts also beyond the conference boundaries! It's a continuous effort and we all need to continue learning and unlearning.

 

Friday - Conference Day 3

There it was already, the last conference day. Agile Testing Days is a whole week, and at the beginning time seems to extend, we have so much of it in front of us together. And suddenly the last day already arrived and time had just flown by. In addition, the tiredness came to the forefront on this day. This year, Agile Testing Days was hosted as a hybrid event, with the main part on-site as usual, yet all the talks being recorded and streamed, plus online activities happening as well. I didn't have any energy to join online at the same time, yet I knew I could come back to sessions also afterwards. Which allowed me to make a wise decision and skip the first sessions on this day to catch at least some sleep. So here are the sessions I did participate in this day.

  • "Mistaken Identities" by Sanne Visser and João Proença. Such a deep and crucial topic, delivered in such an entertaining way. Awesome stage performance of both Sanne and João telling all the stories of how their identities got mixed up and how they tried to cope with the situations thrown at them. I loved that they used the opportunity to remind people of how quickly things can go wrong, even without bad intentions, and how tools we have can be used for malicious purposes as well. We need to be mindful and considerate when building these tools.
  • Keynote "Diamonds in the Rough" by Ashley Hunsberger. This keynote really made me think - what fuels my motivation nowadays? I have crafted my jobs in the past, yet what job would I craft myself right now and here? What potential is still lying dormant that would really relight my fire? So many more questions, based on the research and models presented. I loved that Ashley showed both deep vulnerability and such strength on stage, what a role model for all of us to learn from.
  • "Love in Bytes: QA Engineering for Work-Life Symphony" by Toyer Mamoojee and Reumaysa Mamoojee. How often do we transfer lessons learned from one area of our lives to another? Well, in this talk I learned we should do it more often! We don't learn strategies, techniques and tools for our work context alone. Toyer and Reumaysa showcased how we can benefit from them in our everyday personal life just as well - and vice versa. The stories made the content very relatable, and the paired presentation worked out really well.
  • "Test like a developer, develop like a tester" by Filip Hric. We need more people spreading the word! I really appreciate Filip for showcasing how we don't need to have such a divide between roles in the same team when we're working on the same goal together. And how much we can learn from each other as well. Very well presented, too!

And there it was. The closing session, the many thanks and appreciations to organizers, volunteers and everyone. Final pictures, of course also with the unicorn we all shared the stage with. It was done. Such a happy sad wonderful feeling, it gets me every time.

Lots of people had left already at this point. Some people were staying around, clinging to this community spirit, not willing to let go just yet. Another amazing dinner group, enjoying awesome food together. My chance to also get to know Elizabeth Simister - loved our conversation!

Enjoying more snacks at the hotel. Having an absolute blast witnessing Elizabeth Zagroba run her by now infamous No Vehicles in the Park game with us. Having the day fade out on such insightful conversations on work places, careers, opportunities and more together with Thierry de Pauw, Toyer Mamoojee, and Janina Nemec. Many thanks to all of you.

 

Saturday - Departure Day

Another Agile Testing Days in the books. One that was brilliant in content. One where I once again still got most out of the hallway track, together with all these amazing folks. One that helped me immensely on my current situation searching for a new job, exploring new possibilities. One where I gave back once again to this community I continue to receive so much from. This conference is a very special reunion for quality in all kinds of aspects. We're truly stronger together.

Me: "I really have a lot of mugs, maybe I should get rid of some..." Looks at mugs and keeps all. Gets mug in speaker gift from #agileTD Me: "ok I need one more mug" :)


— Gitte Klitgaard (@nativewired.com) November 25, 2024 at 5:31 PM

Saturday, November 16, 2024

BSides Munich 2024 - We Belong

Last year, I attended my first security conference with BSides Munich. It was an awesome experience connecting with the community. This year, it was clear to me to come back as a participant. Yet when the call for papers started, I figured: why not try my chances? I dared to submit my brand-new talk "A Security Champion’s Journey - How to Make Things a Bit More Secure than Yesterday Every Day" to BSides Munich. You can imagine my joy when it was indeed accepted! So, here's my recap from this year's conference as a participant and speaker.

 

Workshop Day

Tickets for this conference are usually quickly gone, so I made it a point to decide on my workshops early on and then grab the tickets as soon as they went online. It worked! This time, I decided to go for two half-day workshops.

In the morning, I joined "Backdoors & Breaches: Simulating Cyber Security Incidents" by Klaus-E. Klingner. I wanted to give the Backdoors & Breaches card game a try for quite a while, so here was my chance. Klaus started setting the scene describing how classic incident response simulations can be tedious and require a lot of preparation effort. In contrast, using game-based learning, like playing a round of Backdoors & Breaches, can be done very quickly and provide playful insights. Backdoors & Breaches is designed based on the tabletop role-playing game Dungeons & Dragons. Instead of a game master, you have an incident master. They choose the attack scenario that led to the incident, which the group has to figure out - how did the attackers manage to compromise the system, move deeper, maintain persistence in the system, and finally exfiltrate data? What happened? The group has procedures they can use to find out more about what happened - yet depending on how they roll the dice, they won't always succeed! There's a bit more to it, just check out the complete rules for yourself. What a fun game; it led to really insightful conversations in my group. There are expansion packs already enabling further scenarios, and you can also play it online, either using Klaus' version or the official one.

In the afternoon, I participated in the "How to Hack your Web Application" workshop by Janosch Braukmann. I really liked his introductory web app hacking challenges offering simple yet not uncommon mistakes to exploit. A really nice hands-on connection to the topic, allowing him to gauge the context of the audience just as well. It made his point very clear: don't trust anything coming from the client side, it's not in our hands. We walked through the OWASP Top 10 together and how to mitigate the respective risks. Then it was time for practice again: we got our hands on a vulnerable web application he provided for the duration of the workshop. It's usually insightful and fun to see what people find and what approaches they come up with to do so. Practice didn't stop here: how do we prevent these issues in the first place? The most effective and simplest way Janosch has seen so far is malicious user stories: user stories from a malicious actor's point of view. We then just need to flip the acceptance criteria to build an implementation that prevents the threat actor from being successful with their attempt. This can easily be done along with any usual ideation and refinement activities as part of the development life cycle that teams tend to be used to. Even though I've heard the content before, I like joining these workshops in order to be surprised by what I didn't know yet, and to learn about different approaches to convey the respective concepts and skills to folks.
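To make the malicious user story idea concrete, here is an added illustration that is not from the workshop or from the original post: one constructed story has its acceptance criteria flipped into server-side rules, shown beside a handler that trusts the client. The catalogue, field names and function names are hypothetical.

```python
from decimal import Decimal

# Constructed malicious user story: "As a malicious shopper, I want to send my
# own unit price and quantity with the order so that I pay less."
# Flipped acceptance criteria:
#   1. The total is computed only from server-side prices.
#   2. Unknown items and quantities outside 1..MAX_QTY are rejected.

# Hypothetical server-side catalogue: the only trusted source of prices.
CATALOGUE = {"mug": Decimal("12.50"), "sticker": Decimal("1.00")}
MAX_QTY = 100


class RejectedOrder(ValueError):
    """A request violated one of the flipped acceptance criteria."""


def total_trusting_client(order):
    """'Before' version: believes whatever price and quantity the client sent."""
    return sum((Decimal(str(line["unit_price"])) * line["qty"]
                for line in order["lines"]), Decimal("0"))


def total_server_side(order):
    """Hardened version: every client-supplied field is untrusted input."""
    lines = order.get("lines") if isinstance(order, dict) else None
    if not isinstance(lines, list) or not lines:
        raise RejectedOrder("order has no lines")
    total = Decimal("0")
    for line in lines:
        if not isinstance(line, dict):
            raise RejectedOrder("malformed order line")
        item, qty = line.get("item"), line.get("qty")
        if not isinstance(item, str) or item not in CATALOGUE:
            raise RejectedOrder(f"unknown item: {item!r}")
        # The type() check also rejects bool, which is a subclass of int.
        if type(qty) is not int or not 1 <= qty <= MAX_QTY:
            raise RejectedOrder(f"invalid quantity: {qty!r}")
        total += CATALOGUE[item] * qty  # criterion 1: client 'unit_price' ignored
    return total


# Constructed sample requests, shaped the way the malicious story would send them.
TAMPERED_PRICE = {"lines": [{"item": "mug", "qty": 2, "unit_price": "0.01"}]}
NEGATIVE_QTY = {"lines": [{"item": "mug", "qty": 1}, {"item": "sticker", "qty": -13}]}

if __name__ == "__main__":
    print("trusting client:", total_trusting_client(TAMPERED_PRICE))
    print("server side:    ", total_server_side(TAMPERED_PRICE))
```

Each flipped criterion maps to one rejection branch or one ignored field, so the story doubles as a test case during refinement.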

All in all, the workshops were great. Even better, this day already granted space to check in with people! It was awesome to meet Claudius Link again in person, my fellow Open Security Conference (osco) co-organizer. It's been great to re-connect with a few folks I met at last year's BSides. And I really enjoyed getting to know Yin Yin Wu-Hanke and Lisa Aichele!


Conference Day

The day started very early for me. Being a local meant commuting to the venue, and being a speaker meant showing up at 7:30 am for the tech setup check. If you've met me, you know I'm a night owl, so this hurt quite a bit. And yet I was excited to have this opportunity at re-connecting with the community and also presenting my own content at the event. 

This conference has an amazing organizer team and so many people volunteered to help and ensure it's running smoothly. Many thanks to all of you for creating and holding this space for us! This year's main organizer was Sneha Rajguru. When she opened the conference officially, she emphasized that this event is for all of us in all our diversity, and her words stuck with me: "You belong." Last year was my first BSides. This year, I've really felt I do belong indeed. We all do. 

Overall, BSides Munich had once again a lot to offer. More than I could try out myself! A hardware hacking village, a CTF, a retro-gaming area, the sponsors exhibition, and more. I mostly focused on the talks myself, while at times taking a break to chat with folks in between. Here are the presentations I've attended.

Finally, a huge shout-out to lots of amazing people I've connected with during the day! I really appreciated meeting Van Nguyen, Clara Kowalsky, Sujaritha, Dagmar Swimmer, Morton Swimmer, Tobias Schuster, Julien Reisdorffer, Konstantin Weddige, Stuart McMurray, and Rudolf Kaertner whom I've first met at osco this year.

At the end of the day, the organizers invited all speakers to a fabulous speakers dinner where we enjoyed great food in great company. What an amazing closing for the day.


BSides Munich 2025

One thing is for sure, I'll do what I can to make it to BSides Munich next year as well! If you have the opportunity, seize it to experience it for yourself. Maybe even submit a proposal to share your own stories with the community, or offer to be a volunteer. It's been a great event once again this year and I'm happy to have been part of it.

Need more reasons to join? The recordings for this year have already been published! Have a look by taking the direct links from this year's agenda, and check out past years' recordings on the BSides Munich YouTube channel.

See you in 2025!