Wednesday, December 18, 2019

My Pact for 2020 - Let the Next Challenge Begin

As you might know, my learning partner Toyer Mamoojee and I are committing ourselves to pacts between us, roughly one per year. A personal challenge that's scary, that has been waiting for a long time, or that's - well, simply challenging. We help each other out of our comfort zones, inspire each other to grow, and hold each other accountable to what we committed to.

In 2017 our common challenge was public speaking. In 2018 I went on a testing tour, and in 2019 my challenge was to become code-confident. Now 2020 is knocking on the door. As Toyer would say: "Yes, it's that time of the year!" So let me reveal now what's coming next on my side.

Thoughts and Ideas Gathered Throughout the Year

Just like last year, I already knew there would be another challenge after the current one. Once again I took note of any thought or idea that came to me throughout the year, just listing them as they occurred. Now it was time to review my raw notes and find out what my next challenge would be. My feeling was that some topics popped up more frequently than others, that there was a pattern to be found.
- contribute to an open source project
- live testing and coding on stage
- organizing Mob Programming Conference 2020
- running for AST board -->
- German Testing Day conference board
- dive deeper into security
- Santhosh and Dan: pair on security testing
- become an Agile Testing Fellow trainer :)
- write a book
- self care
- speak easy mentor?
- real technical talk / demo
- blog again more about day to day topics and discussions for reflecting better
- give a technical workshop together with Toyer!
- finding the real tester in me; think testing not collaboration or learning, how do I test?
- make a change? Take security serious for real. Same with accessibility.
- become more tool-savvy
- Agile Fellowship Trainer?
- continue pairing offer, on anything
- continue coding and publishing a coding journal a blog format; maybe also testing session notes
- create new pairing offer on Calendly, keep it generic whether testing or coding
- pause criteria / health indicators: play games, read books, do sports
- after my session with Santhosh: maybe select security as next challenge? or browser extension creation? or maybe next challenge is filling theoretical gaps, taking courses?
- go deeper with what you started, build on it
- health indicators: games, books, more sleep, fruit, clean flat
- take more time for books and courses again? Combined with hands-on practice?
- sharing knowledge from my code confident challenge
- observability!
- create a small app on stage based on audience input, maybe together with volunteers, do it as a workshop
- submit again to Test.bash(); with a technical talk!
- in general: give a technical session, could also be a workshop; don't limit yourself on the topic, could be coding, security, anything; maybe even beginner's round to become "technical" covering multiple aspects I picked up over the years (all helping testing and building quality in in the end)
- TestBash Manchester open space once more intrigued me to go towards contributing to open source, security, accessibility!
- tool creation
- dedicate to courses to fill knowledge gaps
- solve Juice Shop! Or WebSec Academy
- less is more
- take care of myself: sleep more, drink more water, way more vegetarian dishes, regular sports, enjoy life
- dream more!
- Think big, start small, start now.
- start your own meetup! Let's mob together.
- security is inherently investigative! combines testing and automation and tool support and tool development and pairing up and mentoring and everything I've done the last years :D and it's hugely important. Maybe the most important thing is to change my own insecure behavior -.- becoming paranoid? Might even make a great title ^^ no no. Doing this for the right reasons. (And it'll be fun, too. And scary. In so many ways...)
- or: "accessible security" combining security with accessibility? For all people? Or: explaining security for everyone?
- stay (become) safe and sound
- join Manchester InfoSec Hoppers? Already know three of them, remote was okay for them, too. Looking for underrepresented people.
- join Gem's testing tour on security!
- contribute to open source by testing
- let's face it! Educate yourself
- security is long on the list, eager to learn more; yet the behavior change that needs to come with it is scary
- local security meetups
- security testing workshops at work
- shadow our security team to see their work and learn, help spread the word
- the ethically right thing to do
- accessibility? --> diversity and inclusion
- environmental behavior change
- it's really about ethics, see Lena's Leetspeak talk -->
- getting better at collaboration, a topic you got known for..
- do threat modeling with your own team
- security is a great challenge as you have to understand a lot in order to get deeper here, combine lots of knowledge, puzzling together; exploring / investigating, coding, operations/administration, social skills, etc.
- performance testing; hands-on; finally learn how to do it
- quality coaching
- observability
- focus on key area of testing: discovering useful information
- problem solving, critical thinking, cognitive biases
- "If anyone reading this works in security, watch Gwen's talk and then start attending QA and dev conferences. We should be sharing knowledge"
- tool-supported testing (security, accessibility, observability, automation, performance, all of it!)
- observability
- ethics
- what scares me is where I feel I don't have much knowledge on (whether true or not), and that's mostly the -ilities or other quality aspects, or concepts from other areas of expertise like DDD, need to dig deeper
- set clear boundaries, respect health indicators
- confidence really increased so things are less scary to tackle
- what does self care mean for me?
- how observant are you? In real life and more
- cognitive biases
- asking questions
- what does scare me? Playing computer games together with others
- "Powerlifting is a good anti-stress solution for me. What works for you?"
- consider time for speaking engagements, new talks to create, MPC program, family and friends, me time to stay healthy
- have the courage to do what's right; the ethical thing
- focus on spreading knowledge and mindset change in the company
- make quality measurable and culture change impact tangible; really scary. Same as fundamental principles, manifesto. We don't assure, we do it together.

Going through the list, I realized there are a few things that I have already done and that I will continue anyway. Like joining the Mob Programming Conference 2020 program team. Like creating a general pairing offer. Like fostering a culture of testing and quality at my company.

There are also a few things that repeatedly came up as topics, more and more so towards the end of the year as this list grew longer. I didn't want to rely on my gut feeling only, so I counted the mentions and references of the following aspects - and this way created my top 10.
  1. security (21)
  2. knowledge sharing (14)
  3. health (9)
  4. open source and coding (7)
  5. accessibility (5)
  6. observability (4)
  7. technical (4)
  8. ethics (4)
  9. cognitive biases (3)
  10. performance (2)

This showed me a clear winner for where the focus of my challenge should be. Yes, my dear fellow colleagues and community peers who keep asking when my book is coming out - you still need to wait for it! ;)

Pact Number Four, Revealed

The Challenge
Security is my clear challenge for 2020. Even clearer: raising my awareness and skills around security and sharing my insights while always taking care of myself.

The fear - well, I have a whole list of fears around this topic.
  • The area of security is huge. I often feel you need to know everything about everything and also be able to make connections between all this knowledge. You cannot just follow the book; attackers won't do that.
  • I'm feeling naive (or rather stupid). I have to admit, I know about certain risks and still ignore them with open eyes. I'm sure there are many more risks I am not aware of.
  • Even worse: I try to warn others while not doing it myself. What a hypocrite I can be... That needs to stop. I indeed fail at advocating for security. We had more obvious and less obvious cases at work. Both times someone from another team had to come and make the team fix it.
  • I fail at explaining security - which tells me I haven't understood it well enough myself! I feel dumb when I realize I cannot explain concepts. I really wish I could memorize them!
  • On top comes another emotional dimension: Security testing can be extreme fun!!! Or... extremely frustrating. The latter part scares me. Maybe I need to find out how to make it more fun and less frustrating? Also for others who feel like me?
On a positive note: why security?
  • I believe security is one of the most important quality aspects ever, and it will become even more important in the future. Technology these days comes with so many more new and different kinds of risks than we ever saw before, risks that might have a huge impact on people.
  • I really want to open my own eyes when it comes to security. Raise my own awareness, and hopefully trigger a behavior change in myself.
  • By sharing about security related topics and my own lessons learned, I hope to inspire more people to open their eyes as well, make them understand the risks and also what's in it for them when investing in security. I want to contribute and do something good.
  • To be blunt: It wouldn't hurt my personal development and career either, as I can use all my current skills, advance them, and build up lots of new relevant ones. If you think about it, security testing does indeed combine a lot: exploration, coding, automation, tool creation, operations knowledge, you name it. I bet there is a lot to learn for any of us.
  • Oh well, and - not to forget the fun part of challenges, right? :-)

The Hypothesis
For this pact, I wanted to break my challenge down into smaller, easier chunks and reflect this in my hypothesis. I wanted to explore as I go, learn more, and only then decide on my next steps, not in advance: a leaner and more flexible approach. After all, experiments should be small and frugal, right? I only wanted the overall outcome I hope for to be defined upfront; the hypothesis should not be too strict, yet stay measurable. Here's what I came up with.
I believe that running a series of 10 small experiments around learning more about information security, practicing security testing hands-on, and sharing my knowledge,
will result in increased capability to explain security related concepts and how to test for vulnerabilities.
I know I'll have succeeded when 10 people have confirmed that they learned something new from me in the area of information security.

The Probe
Let's add more detail on how to test the above hypothesis.
  • One experiment lasts at most one month.
  • At the end of an experiment I write a blog post sharing what I learned.
  • I will not predefine all experiments from the start, but rather explore my way by performing one experiment and then designing the next based on the insights from the former one.
  • Examples for experiment actions might be:
    • Practice hands-on security testing on practice applications.
    • Do the training on the Web Security Academy
    • Participate in a capture the flag (CTF).
    • Join a security related meetup and meet the community.
    • Read the Pushing Left, Like a Boss series from Tanya Janca
    • Create a tool to gather information about a product or site, e.g. a browser extension, a bookmarklet, a command line tool, a code snippet.
    • Get a mentor.
  • Any experiment might prove its underlying hypothesis false. This is not considered a failure as it still adds to learning.
  • Sharing knowledge could take many forms: blog posts, talks, workshops, conversations, anything counts.
  • The 10 people could be anyone. They can come from any background or work (or have worked) in any fields (not only software); they only have to be distinct.

Start Criteria
This time I plan to start working on my challenge at the beginning of 2020 at the earliest, not before. I know I have a lot of other tasks I need to work on beforehand, and also a few days of vacation that I want to use for self-care, not for more work. It might even turn out that I will only start much later in the year, and that's okay, too. I don't need to beat myself up for it.

Pause Criteria
The past years showed I cannot continue non-stop. Self-care is way too important, and I need to take better care of myself. The following are the health indicators I identified for myself over the year:
  • play games
  • read books
  • do sports regularly
  • sleep and dream
  • eat fruits
  • drink water
  • eat more vegetarian dishes than not
  • clean flat
  • enjoy life
  • balance engagements

Now, I would set myself up for failure if I chose to fix everything at once. So I chose the biggest indicators I want to look out for to make sure I keep my energy up. As J. B. Rainsberger shared with me: "your energy is your bottleneck; if you take care of yourself first, you will have the energy to share your knowledge with everyone else like an 8 year old wants to." He continued: "If saying yes means saying no to yourself there's a problem; we need to get rid of the guilt or shame we feel when saying no." He agreed that saying no to this thing means saying yes to another thing. So here are the things I'm now intentionally saying yes to.
  • Play computer games for at least two hours per week. I definitely want to keep up my streak from last year here and even increase my playing time. Last year it often came down to only half an hour per week - not much time spent on my passion.
  • Read at least 40 pages of my current novel per week. I love reading books! Yet mostly I only make good progress with my audiobooks; I tend to get stuck for a very long time on the novels I prefer to read. I usually read in bed right before sleeping - and most of the time I fall asleep over the first page of my book. So this is an implicit indicator of my fatigue and how much I sleep every day. I need to be rested to be able to fulfill this goal.
  • Do sports at least three times a week. This metric implicitly influences my eating and drinking habits. Sports are my physical and psychological compensation. Afterwards I'm always feeling better and often also more energized, more creative. Yet with my conference speaking adventure of the last years I traveled a lot more and therefore did a lot less sport, and especially a lot less regularly than I used to. Last year my eagerness to go on with my challenge really made me do it - so this is the motivator I'm hoping for to change my habits back to healthy ones.

Each calendar week I need to have at least two of the above three fulfilled. If not, then I stop my challenge until I have fulfilled all three again within one calendar week. There's only one exception to the rule: when I'm at a conference for most of the week. These indicators should help me with my self-care, they are not meant to create additional stress, so conference weeks are excluded from the rule.

I hope this way I will do better work with less stress. Oh, and one more thing: I hereby appeal to my own common sense. If I feel I'm drowning (independent from whether this is true or not), I will pause my challenge and first resolve this feeling.

Exit Criteria
When is it time to stop my challenge and evaluate my experiment overall?
  • All 10 experiments are done and the lessons learned shared.
  • It's October 31st.
  • My health indicators clearly tell me to stop.
  • I decide the challenge is not worth my time anymore, e.g. I might replace it with a better one.

As always, lots of people influenced me on my way. All of the following have their part in why I chose this challenge for myself now.
  • Troy Hunt. I first learned about security testing, penetration testing and ethical hacking back in 2016. I had the chance to watch part of Pluralsight's ethical hacking series, which introduced me to the whole topic and made me realize that I could do some of these things myself; that it wasn't all a big mystery.
  • Johannes Seitz. My first encounter with hands-on security testing that I remember was at TestBash Munich 2017. During the open space I joined a session by Johannes who introduced me to OWASP's JuiceShop, an intentionally vulnerable practice application. We solved several challenges together - and I was intrigued to do more! Gamification really works well for me. Ever since I've used that app in several workshops myself.
  • Santhosh Tuppad. I joined Santhosh's workshop about security testing at Agile Testing Days 2017. This year I even had a chance to pair with him! It was amazing. So much knowledge, shared in so little time. Now he has even invited me into a group of people interested in security testing.
  • Peter Kofler. In 2018 I went on my testing tour and found Peter as my pairing partner for security testing. Back then we had three sessions together that showed us we knew more about security than we thought we did. We were eager to learn more and practice more, so we decided to continue our sessions roughly once per month in 2019 (and we did!).
  • Gwen Diagram. Right after Agile Greece Summit 2018 Gwen and I went sightseeing together and she shared how she gave company internal security workshops to teach people about security. I was intrigued to do the same! Yet so far I've done only two very basic ones.
  • Dan Billing. At Agile Testing Days 2018 I joined Dan's tutorial "Web Application Security". (I loved seeing Juice Shop again in a newer version! :)) I had a lot of fun and realized I was further along than other people in the room. Can't wait to pair with Dan! So happy this session is already scheduled.
  • Gem Hill. Gem is on her own testing tour for a few months now, and her topic is security testing. I loved that she chose that topic and she definitely has influenced me in picking the topic up as well.
  • Jay Harris and Saskia Coplans. At TestBash Brighton 2019 I got to know Jay, and at TestBash Manchester 2019 also Saskia. Great knowledge sharing and great conversations all around security! I love their mission to make the infosec community a lot more diverse and inclusive than they feel it currently is. (Side note: I just found out their group has a Slack channel!)
There are a lot more people doing security testing these days that I know of, like Maaret Pyhäjärvi, Claire Reckless, Nicola Sedgwick, Lena Pejgan Wiberg; and probably a lot more I still need to learn about.

All this triggered me to do some security testing related mob sessions inside and outside my company in 2019 (obviously using Juice Shop as well). More are planned, and I'm curious how far we get together.

The Tag
For my past challenges, I always used a short identifier to be able to easily refer to them. When looking for a new tag to use, I realized most of my previous ones were alliterations! Well, maybe I need another one then. :) Alliterations aside, I brainstormed lots and lots of potential short identifiers for my 2020 challenge. Short, expressive, and not already overused on Twitter, as that's my main sharing platform.

So many candidates derived from brainstorming! Yet the winner is.... #SecurityStories! Why? Because I want to convey knowledge to people that is new to them. People relate to stories. Stories have a chance to stick!

I Don't Want to Be Forced To a Halt, I Want to Thrive

I've learned what works for me during my past challenges, and I usually kept what was working. This means I've never stopped the endeavors I gained the most from. Still, this requires time and effort, which means capacity and energy in my free time. I still speak at conferences, I still pair with people on various topics, I still want to grow my GitHub repositories. Therefore my own health and self-care have grown more and more important as well. The balance here is tricky and I need to take great care not to overdo it.

I'm super eager to start my challenge! Still, let's take care first. Together.
