Friday, December 27, 2019

Looking Back at 2019 - A Year Full of Challenges and Surprises

It became a habit for me to close the year with a final blog post, looking back at what happened over the last twelve months. It's one of the things I've learned to do that helps me internalize and acknowledge my own achievements. Once more the year is coming to an end - time to reflect!
  • Test Automation University was released! Many thanks to Angie Jones for bringing this amazing project to life and for asking me to do my first video course ever: "The Whole Team Approach to Continuous Testing". I've also watched several of the other courses myself and found them to be extremely valuable!
  • I have given 7 sessions at 7 conferences in 5 countries this year, 2 of them being keynotes, 2 others being talks that either opened or closed the conference. (Overall, that makes now 22 sessions at 16 conferences in 8 different countries since September 2017!) Besides that, I attended 3 more conferences this year. So much knowledge to take with me, and so many inspiring people to learn from! Being away from work for conferences, especially from my product team, was not always easy. The good thing here: we talked things over and found an agreement for us.
  • I've been accepted to give 7 sessions at 4 conferences in 3 countries for 2020 already. In addition, I've been asked by 3 companies to give talks and workshops for them in-house, with 2 of them arranged already.
  • I became part of the program team for Mob Programming Conference 2020. This is my first time on a program team for a public conference, and I'm sure I'll be learning a lot.
  • I've sketchnoted countless more talks. I can't believe I've only started this experiment last year, it already feels natural when listening to a conference talk! I didn't put in effort to level up my game here, yet it's amazing to hear positive feedback just because these notes exist and other people can benefit from them, too.
  • My first ever podcast episode got released! Huge thanks to Peter Kofler for inviting me as guest to Coderetreat Facilitation. I've had a few opportunities before that, yet nothing came out of them, so I was really glad this one worked out!
  • I've done my first Power Hour, my first introductory video as well as my first Testing Ask Me Anything session (and its follow-up) for Ministry of Testing - all on on the topic of collaboration, pairing and mobbing. Thank you Mark Winteringham for having me for the Dojo!
  • The "power learning group" initiated by my learning partner Toyer Mamoojee and me got really engaged this year! We all benefited a lot from our mutual support. Super looking forward to next year together with these wonderful people!
  • Toyer Mamoojee and I had the honor to share our learning partnership on Agile Testing Days' keynote stage. Even better: people got inspired to start their own learning partner journeys! In addition, partnerships that had formed last year had evolved this year, like the ones of Mor Korem and Thomas Rinke, as well as Viki Manevska and Eddy Bruin.
  • People got inspired by what I shared on my testing tour to start their own tours! Just to highlight two of them: Gem Hill formulated her tour around security and code, and Parveen Khan around becoming more confident as a tester and getting out of her comfort zone. I bet people did similar things before I've shared about my endeavor. The difference for me is that now I hear from people that they're up to something like that on their own - which is amazing! Please continue spreading the word, we all will benefit from learning with and from each other across company boundaries.
  • I've become code-confident, publishing my first ever GitHub repositories, and worked on code a lot more at work as well. A real biggie for me! Oh, and I already made another pact with my learning partner Toyer Mamoojee to challenge me even further in 2020! :)
  • I continued pairing sessions on the topic of security testing with Peter Kofler. To many more in the future! Especially as my next year's theme is all centered around security. :)
  • It's now officially 1.5 years that I'm on the "principal" seniority level at my company, with all the challenges that come with it. The position is quite a challenge in itself, and balancing my capacity between company initiatives and my own product team is tricky as well. Concerning that, I've found a method for me that mostly works and allows me to focus every day and week on what's right now the most valuable thing I can contribute with.
  • I ran a first experiment on our company's mission to improve the testing and quality culture of our product teams, learning a lot about the context of four other teams, helping them to help themselves.
  • I introduced the mob approach to a lot more people at my company. I ran three cross-team, cross-role, cross-location mobs as a proof of concept that remote mobs do work and we all can learn from each other, no matter our role or seniority level. I conveyed knowledge in hands-on mobs for other teams as well as our internal testing community.
  • I took on a formal mentorship for a colleague who asked me for it. Many people assumed I would have lots of experience with mentoring already - yet in reality I have not had many opportunities for more structured or formalized mentorships. I love having this chance to learn how to help another one grow on a certain topic, while I keep on learning myself!
  • I took my first personal coaching sessions at work, and they helped me tremendously. Sometimes the solution already resides in us, and a gentle nudge can help ourselves reveal it or re-state the obvious. I also got referred to join a series of leadership workshops next year. Really looking forward to learning how to improve my collaboration, communication and leadership skills!
  • I gained 1,349 followers on Twitter just this year, more than a third of the overall current number. I realize this number tended to increase faster the more followers I have, and still I really celebrated when crossing the mark of 3,000 followers. After all, Twitter is my main and most important social media platform.
  • I've started to re-share posts that mentioned me on LinkedIn. I'm not really active on that platform, yet it's my place to connect with former and current colleagues who now started to see more things that I do outside the company. The response is interesting to see, so I'll continue experimenting with it.
  • Counting this one, I've published 25 blog posts in 2019. Considering I wanted to cut down regarding blogging and experimented with more lightweight approaches to share on this medium, it's great to see I've still managed to post twice per month in average. The number of page views for my blog even climbed up to 207,275! Granted, I am probably heavily contributing to these numbers every time I look things up, yet still. ;-) And you know what's best? This very blog post is exactly my 100th post overall!
  • I realized that my energy level is not always at 80% and above (as I liked to think so). I had to learn that it can drop any time and I need to keep a constant eye on it. On the upside, becoming more conscious about it helped me to do a lot more self-care this year (like finally enjoying my passion again, playing computer games just for fun and the sake of it!). I've committed myself to increase self-care in 2020, ingraining it into my new challenge.
  • I got voted Most Influential Agile Testing Professional Person (MIATPP) by the lovely Agile Testing Days community. I couldn't believe I ranked third place in 2018, so you can imagine my disbelief this year! And yet it's a fact, the community really gave this award to me this year. I'm tremendously grateful for this wonderful feedback on my work of sharing back what I learn on my journey. Extremely encouraging!
All this was made possible by the continuous amazing support and encouragement by my community and company peers. Thank you all so much, I can only hope to pay it forward. Lists are never complete, yet some shout-outs simply have to be done here.
To everyone: have a healthy and happy new year 2020 - may it be full of wonders and growth!

Wednesday, December 18, 2019

My Pact for 2020 - Let the Next Challenge Begin

As you might know, my learning partner Toyer Mamoojee and I are committing ourselves to pacts between us, roughly one per year. A personal challenge that's scary, that's long waiting, or that's - well, simply challenging. We help each other out of our comfort zones, inspire us to grow, and hold each other accountable to what we committed to.

In 2017 our common challenge was public speaking. In 2018 I went on a testing tour, and in 2019 my challenge was to become code-confident. Now 2020 is knocking on the door. As Toyer would say: "Yes, it's that time of the year!" So let me reveal now what's coming next on my side.

Thoughts and Ideas Gathered Throughout the Year

Just as last year I already knew there will be another challenge after the current one. Once again I took note of any thought or idea that came to me throughout the year; just listing them as they occurred. Now it was time to review my raw notes and find out what would be my next challenge. My feeling was that some topics popped up more frequently than others, that there was a pattern to be found.
- contribute to an open source project
- live testing and coding on stage
- organizing Mob Programming Conference 2020
- running for AST board -->
- German Testing Day conference board
- dive deeper into security
- Santhosh and Dan: pair on security testing
- become an Agile Testing Fellow trainer :)
- write a book
- self care
- speak easy mentor?
- real technical talk / demo
- blog again more about day to day topics and discussions for reflecting better
- give a technical workshop together with Toyer!
- finding the real tester in me; think testing not collaboration or learning, how do I test?
- make a change? Take security serious for real. Same with accessibility.
- become more tool-savvy
- Agile Fellowship Trainer?
- continue pairing offer, on anything
- continue coding and publishing a coding journal a blog format; maybe also testing session notes
- create new pairing offer on Calendly, keep it generic whether testing or coding
- pause criteria / health indicators: play games, read books, do sports
- after my session with Santhosh: maybe select security as next challenge? or browser extension creation? or maybe next challenge is filling theoretical gaps, taking courses?
- go deeper with what you started, build on it
- health indicators: games, books, more sleep, fruit, clean flat
- take more time for books and courses again? Combined with hands-on practice?
- sharing knowledge from my code confident challenge
- observability!
- create a small app on stage based on audience input, maybe together with volunteers, do it as a workshop
- submit again to Test.bash(); with a technical talk!
- in general: give a technical session, could also be a workshop; don't limit yourself on the topic, could be coding, security, anything; maybe even beginner's round to become "technical" covering multiple aspects I picked up over the years (all helping testing and building quality in in the end)
- TestBash Manchester open space once more intrigued me to go towards contributing to open source, security, accessibility!
- tool creation
- dedicate to courses to fill knowledge gaps
- solve Juice Shop! Or WebSec Academy
- less is more
- take care of myself: sleep more, drink more water, way more vegetarian dishes, regular sports, enjoy life
- dream more!
- Think big, start small, start now.
- start your own meetup! Let's mob together.
- security is inherently investigative! combines testing and automation and tool support and tool development and pairing up and mentoring and everything I've done the last years :D and it's hugely important. Maybe the most important thing is to change my own insecure behavior -.- becoming paranoid? Might even make a great title ^^ no no. Doing this for the right reasons. (And it'll be fun, too. And scary. In so many ways...)
- or: "accessible security" combining 
security with accessibility? For all people? Or: explaining security for everyone?
- stay (become) safe and sound
- join Manchester InfoSec Hoppers? Already know three of them, remote was okay for them, too. Looking for underrepresented people.
- join Gem's testing tour on security!
- contribute to open source by testing
- let's face it! Educate yourself
- security is long on the list, eager to learn more; yet the behavior change that needs to come with it is scary
- local security meetups
- security testing workshops at work
- shadow our security team to see their work and learn, help spread the word
- the ethically right thing to do
- accessibility? --> diversity and inclusion
- environmental behavior change
- it's really about ethics, see Lena's Leetspeak talk -->
- getting better at collaboration, a topic you got known for..
- do threat modeling with your own team
- security is a great challenge as you have to understand a lot in order to get deeper here, combine lots of knowledge, puzzling together; exploring / investigating, coding, operations/administration, social skills, etc.
- performance testing; hands-on; finally learn how to do it
- quality coaching
- observability
- focus on key area of testing: discovering useful information
- problem solving, critical thinking, cognitive biases
- "If anyone reading this works in security, watch Gwen's talk and then start attending QA and dev conferences. We should be sharing knowledge"
- tool-supported testing (security, accessibility, observability, automation, performance, all of it!)
- observability
- ethics
- what scares me is where I feel I don't have much knowledge on (whether true or not), and that's mostly the -ilities or other quality aspects, or concepts from other areas of expertise like DDD, need to dig deeper
- set clear boundaries, respect health indicators
- confidence really increased so things are less scary to tackle
- what does self care mean for me?
- how observant are you? In real life and more
- cognitive biases
- asking questions
- what does scare me? Playing computer games together with others
- "Powerlifting is a good anti-stress solution for me. What works for you?"
- consider time for speaking engagements, new talks to create, MPC program, family and friends, me time to stay healthy
- have the courage to do what's right; the ethical thing
- focus on spreading knowledge and mindset change in the company
- make quality measurable and culture change impact tangible; really scary. Same as fundamental principles, manifesto. We don't assure, we do it together.
Going through the list, I realized there are a few things that I did already and that I will continue anyway. Like joining the Mob Programming Conference 2020 program team. Like creating a general pairing offer. Like fostering a culture of testing and quality at my company.

There are also a few things that repeatedly came up as topics; even more and more towards the end of the year when this list grew longer. I didn't want to rely on my gut feeling only, so I counted the mentions and references of the following aspects - and this way created my top 10.
  1. security (21)
  2. knowledge sharing (14)
  3. health (9)
  4. open source and coding (7)
  5. accessibility (5)
  6. observability (4)
  7. technical (4)
  8. ethics (4)
  9. cognitive biases (3)
  10. performance (2)
This made me see a clear winner where the focus of my challenge should be. Yes, my dear fellow colleagues and community peers who use to ask when my book is coming out - you still need to wait for it! ;)

Pact Number Four, Revealed

The Challenge
Security is my clear challenge for 2020. Even clearer: raising my awareness and skills around security and sharing my insights while always taking care of myself.

The fear - well, I have a whole list of fears around this topic.
  • The area of security is huge. I often feel you need to know everything about everything and also be able to make connections between all this knowledge. You cannot follow the book, hackers won't do that.
  • I'm feeling naive (or rather stupid). I have to admit, I know about certain risks and still ignore them with open eyes. I'm sure there are many more risks I am not aware of.
  • Even worse: I try to warn others while not doing it myself. What a hypocrite I can be... That needs to stop. I indeed fail at advocating for security. We had more obvious and less obvious cases at work. Someone from another team had to come both times and make the team fix it.
  • I fail at explaining security - which tells me I haven't understood it well enough myself! I feel dumb when I realize I cannot explain concepts. I really wished I'd memorize them!
  • On top comes another emotional dimension: Security testing can be extreme fun!!! Or... extremely frustrating. The latter part scares me. Maybe I need to find out how to make it more fun and less frustrating? Also for others who feel like me?
On a positive note: why security?
  • I believe security is one of the most important quality aspects ever, and it will become even more important in the future. Technology these days comes with so many more new and different kinds of risks than we saw ever before, risks that might have huge impact on people.
  • I really want to open my own eyes when it comes to security. Raise my own awareness, and hopefully trigger a behavior change in myself.
  • By sharing about security related topics and my own lessons learned, I hope to inspire more people to open their eyes as well, make them understand the risks and also what's in it for them when investing in security. I want to contribute and do something good. 
  • To be blunt: It wouldn't hurt my personal development and career either, as I can use all my current skills, advance them, and build up lots of new relevant ones. If you think about it, security testing does indeed combine a lot: exploration, coding, automation, tool creation, operations knowledge, you name it. I bet there is a lot to learn for anyone of us.
  • Oh well, and - not to forget the fun part of challenges, right? :-)

The Hypothesis
For this pact, I wanted to break down my challenge in smaller, easier chunks and reflect this in my hypothesis. I wanted to explore as I go, learn more, and only then decide on my next steps; not in advance. A more lean and flexible approach. After all, experiments should be small and frugal, right? I only wanted the overall outcome I hope for to be defined upfront; the hypothesis should not be too strict, yet stay measurable. Here's what I came up with.
I believe that running a series of 10 small experiments around learning more about information security, practicing security testing hands-on, and sharing my knowledge,
will result in increased capability to explain security related concepts and how to test for vulnerabilities.
I know I'll have succeeded when 10 people have confirmed that they learned something new from me in the area of information security.

The Probe
Let's add more details how to test above hypothesis.
  • One experiment lasts maximally one month.
  • At the end of an experiment I write a blog post sharing what I learned.
  • I will not predefine all experiments from the start, yet rather explore my way by performing one experiment and then design the next based on the insights from the former one.
  • Examples for experiment actions might be:
    • Practice hands-on security testing on practice applications.
    • Do the training on the Web Security Academy
    • Participate in a capture the flag (CTF).
    • Join a security related meetup and meet the community.
    • Read the Pushing Left, Like a Boss series from Tanya Janca
    • Create a tool to gather information about a product or site, e.g. a browser extension, a bookmarklet, a command line tool, a code snippet.
    • Get a mentor.
  • Any experiment might prove its underlying hypothesis false. This is not considered a failure as it still adds to learning.
  • Sharing knowledge could take many forms: blog posts, talks, workshops, conversations, anything counts.
  • The 10 people could be anyone. They can come from any background or work (or have worked) in any fields (not only software); they only have to be distinct.

Start Criteria
This time I plan to start working on my challenge earliest at the beginning of 2020, not before. I know I have a lot of other tasks I need to work on before, and also a few days of vacation that I want to use for self-care, not for more work. It might even turn out that I will only start way later in the year, and that's okay, too. I don't need to beat myself up for it.

Pause Criteria
The past years showed I cannot continue non-stop. Self-care is way too important, and I need to take better care of myself. The following are the health indicators I identified for myself over the year:
  • play games
  • read books
  • do sports regularly
  • sleep and dream
  • eat fruits
  • drink water
  • eat more vegetarian dishes than not
  • clean flat
  • enjoy life
  • balance engagements
Now, I would set myself up for failure if I'd chose to fix everything at once. So I chose my biggest indicators I wanted to look out for to make sure I keep my energy up. As J. B. Rainsberger shared with me: "your energy is your bottleneck; if you take care of yourself first, you will have the energy to share your knowledge with everyone else like an 8 year old wants to." He continued: "If saying yes means saying no to yourself there's a problem; we need to get rid of the guilt or shame we feel when saying no." He agreed that saying no to this thing means saying yes to another thing. So here are the things I'm now intentionally saying yes to.
  • Play computer games for at least two hours per week. I definitively want to keep up my streak from last year here and even increase my playing time. Last year it often came down to only half an hour per week - not much time spent on my passion.
  • Read at least 40 pages of my current novel per week. I love reading books! Yet mostly I only make good progress with my audiobooks; I tend to get stuck for very long time on the novels I prefer to read. I usually read in bed right before sleeping - and most of the times I fall asleep over the first page of my book. So this is an implicit indicator of my fatigue and how much I sleep every day. I need to be rested to be able to fulfill this goal.
  • Do sports at least three times a week. This metric implicitly influences my eating and drinking habits. Sports are my physical and psychological compensation. Afterwards I'm always feeling better and often also more energized, more creative. Yet with my conference speaking adventure of the last years I traveled a lot more and therefore did a lot less sports, especially a lot less regular than I used to. The last year my eagerness to go on with my challenge really made me do it - so this is the motivator I'm hoping for to change my habits back to healthy ones.
Each calendar week I need to have at least two of above three fulfilled. If not, then I stop my challenge until I fulfilled all three again within one calendar week. There's only one exception to the rule: I'm at a conference most of the week. These indicators should help me with my self-care, they are not meant to create additional stress, so conference weeks are excluded from the rule.

I hope this way I will do better work with less stress. Oh, and one more thing: I hereby appeal to my own common sense. If I feel I'm drowning (independent from whether this is true or not), I will pause my challenge and first resolve this feeling.

Exit Criteria
When is it time to stop my challenge and evaluate my experiment overall?
  • All 10 experiments are done and the lessons learned shared.
  • It's October 31st.
  • My health indicators clearly tell me to stop.
  • I decided the challenge is not worth my time anymore, e.g. I might have it replaced by a better one.

As always, lots of people influenced me on my way. All of the following have their part in why I chose this challenge for myself now.
  • Troy Hunt. I've first learned about security testing, penetration testing, ethical hacking back in 2016. I had the chance to watch part of Pluralsight's ethical hacking series which introduced me to the whole topic and made me realize that I could do the one or the other thing myself; that it wasn't all a big mystery.
  • Johannes Seitz. My first encounter with hands-on security testing that I remember was at TestBash Munich 2017. During the open space I joined a session by Johannes who introduced me to OWASP's JuiceShop, an intentionally vulnerable practice application. We solved several challenges together - and I was intrigued to do more! Gamification really works well for me. Ever since I've used that app in several workshops myself.
  • Santhosh Tuppad. I had joined Santhosh's workshop at Agile Testing Days 2017 about security testing. This year I even had a chance to pair with him! It was amazing. So much knowledge, shared in such few time. Now he even invited me into a group of people interested in security testing.
  • Peter Kofler. In 2018 I went on my testing tour and found Peter as my pairing partner for security testing. Back then we had three sessions together that showed us we knew more about security than we thought we did. We were eager to learn more and practice more, so we decided to continue our sessions roughly once per month in 2019 (and we did!).
  • Gwen Diagram. Right after Agile Greece Summit 2018 Gwen and I went sightseeing together and she shared how she gave company internal security workshops to teach people about security. I was intrigued to do the same! Yet so far I've done only two very basic ones.
  • Dan Billing. At Agile Testing Days 2018 I joined Dan's tutorial "Web Application Security". (I loved to see Juice Shop again in a newer version! :)) I had a lot of fun and realized I was further than other people in the room. Can't wait to pair with Dan! So happy this session is already scheduled.
  • Gem Hill. Gem is on her own testing tour for a few months now, and her topic is security testing. I loved that she chose that topic and she definitely has influenced me in picking the topic up as well.
  • Jay Harris and Saskia Coplans.  At TestBash Brighton 2019 I got to know Jay, and at TestBash Manchester 2019 also Saskia. Great knowledge sharing and great conversations all around security! I love their mission to make the infoSec community a lot more diverse and inclusive than they feel it currently is. (Side note: I just found out their group has a slack channel!)
There are a lot more people doing security testing these days that I know of, like Maaret Pyhäjärvi, Claire Reckless, Nicola Sedgwick, Lena Pejgan Wiberg; and probably a lot more I still need to learn about.

All this triggered me to do some security testing related mob sessions inside and outside my company in 2019 (obviously using Juice Shop as well). More are planned, and I'm curious how far we get together.

The Tag
For my past challenges, I always used a short identifier to be able to easily refer to it. When looking for a new tag to use, I realized most of my previous ones were alliterations! Well, maybe I need a another one then. :) Alliterations aside, I brainstormed lots and lots of potential short identifiers for my 2020 challenge. Short, expressive, not overly used already on Twitter as that's my main sharing platform.

So many candidates derived from brainstorming! Yet the winner is.... #SecurityStories! Why? Because I want to convey knowledge to people that is new to them. People relate to stories. Stories have a chance to stick!

I Don't Want to Be Forced To a Halt, I Want to Thrive

I've learned what works for me during my past challenges, and I usually kept what was working. This means that I've never stopped some endeavors from which I gained the most from. Still, this requires time and effort, which means capacity and energy in my free time. I still speak at conferences, I still pair with people on various topics, I still want to grow my GitHub repositories. Therefore: my own health and self-care grew more and more important as well. The balance part here is tricky and I need to take great care not to overdo it.

I'm super eager to start my challenge! Still, let's take care first. Together.