Tuesday, December 20, 2022

New Year, New Pact - Time for Another Personal Challenge

 Finally, it happened again: a new pact for 2023 had been born! If you're following my journey, you know I've done four big personal challenges so far, learning in public outside my comfort zone. In 2017 it was all about conference speaking, in 2018 I went on a Testing Tour, 2019 was focused on becoming #CodeConfident and in 2020 I set out to share #SecurityStories.

2020 was also the year I decided to pause my personal challenges due to so many other things happening, both in the world as well as in my career. In the past two years I've been working very intensely with two teams at both my former as well as my current company. Now that I'm settled in, I do need more stability in my relationships to ground me and navigate uncertainty and change from. This is what I expect and hope from 2023 and will do my best to make happen. 

With all that in mind, last Friday it was finally time to sit with my learning partner Toyer Mamoojee again and strike a brand-new pact, just like we did for the first time back in 2016. This time, while our endeavors have a different focus, we indeed even have a common theme again!


Brainstorming

Like every year, I took note of potential topics for a new pact and personal challenge over the course of the year. Anything that came to my mind, anything that intrigued me to invest more time on, and especially topics that scare me. Why that? To get out of my comfort zone and grow. It's been a common theme since I started with my personal challenges and while these are indeed challenging and scary, they got me far. So: scary it is again!

Here's my quite raw and only minimally edited list of ideas for 2023, with points noted down as they came to mind without re-ordering.

- open source contribution
- security
- accessibility
- app development
- call for weekly 90min ensemble creating an open source app together
- a project a month
- build intentionally insecure mobile app for practicing
- "everyday security" series
- "accessible security"
- asking for help; see Ady Stokesidea: "Maybe your next tour could be asking for help?"
- initiate pairing / ensembling with others
- deep dive focus weeks: learn foundations for a topic and share - deepen my generalist me
- series of how I test things, especially backend etc.
- anything that contributes to my vision of systemic inclusion and growth?
- feeling I'm doing the same over the past years, over and over again, also re-using a lot of what I've built before; yet there's so much more to learn and grow into, like Maaret continually does, expanding (see alos when she shared "When I do #ExploratoryTesting, I have hundreds of options I can generate on the fly. I’m again appreciating that some people see barely one option and we need to teach how to generate options.")
- do something I haven't done before, truly grow again; I've used lots of approaches the last years that had worked before, just built on them and refined them; yet didn't really reinvent myself anymore
- really do need my own topics again, not being driven from conference to conference alone, neglecting my goals and blog
- bug stories / debugging stories; maybe similar to 
Valerie Aurora's systems programming stories
- similar to observation notes taken at work: take live notes while working hands-on to convey approaches and thoughts
- how about: tackling any security practice challenge I come across, take notes as I go and publish them, join the community (actively!) and ask for help and pairs to work with (doing what scares me, joining this community always did, also asking for help)
- security could be complemented with at work practice and pairing with security folks
- accessibility could be covered by work initiatives; honing development skills could be combined with security or run on the side
- security makes a good talk / workshop topic as well, and grows career options
- join security conference
- with security I would pick up the theme started in 2020, revised
- theme for the year and overarching experiment worked better than having to come up with something new all the time
- a lot of brainstormed topics could just be smaller blog posts without such a big commitment (even recurring as series like my conference reports): how I test, debugging, bug stories, learning topics, etc.
- asking for help and security doesn't exclude each other either; security was scary enough I didn't join a community last time; could be practicing asking good security questions
- really about the question what scares me most that also grows me in the direction I want to grow (e.g. solo open source contribution might or might not help)
- I'm fueling my generalist skills every work day, I'm on it already, not scary
- what scares me most is security and building things
- could use Tanya Janca's Cyber Mentoring Monday
- join OWASP chapter
- use training budget to go on security conference
- mobile security would be new angle and relevant in AppSec
- nothing is as scary as showing my face in front of security people and communities
- joining and actively participating in at least one security community will let me understand application security better and allow me to solve five mobile security challenges
- practice debugging strategies and approaches (like Julia Evans shared), exercises; fixing bugs in unknown systems (hence requiring investigating and learning the system)

Now, what do you think made it as my chosen challenge for next year?


My Pact for 2023

My last personal challenge was on the topic of security, and I stopped it in favor of more important topics emerging in 2020. The topic is by far not over and I continued keeping it in my head for the next years, always growing myself a bit further. Still, it's a huge area and requires more focus to dive in properly. So here's what I'm setting out to do in 2023.

The challenge: Application security is my focus - especially everyday hands-on practical situations when designing, developing and building a mobile app. For security in general, the main reasoning from back in 2020 why security is scary remains. Yet I learned that security just like development is a team sport. So on top of the general scariness of the vast security field, my challenge now also includes people - especially joining new communities, as well as asking for help and feedback. Yes, I've done that in other areas in the past, and yet for security this feels different. This is a jump I didn't manage yet, as much as I'd like to. So yes, scary. 

The hypothesis: I believe that joining and actively participating in at least one security community for a period of six months will increase my understanding of practical application security in everyday work situations. I've proven the hypothesis when I have...
  • solved five mobile application security challenges,
  • explained how I solved them, and 
  • asked community members for their review and feedback to learn from.

The experiment: To prove or disprove the hypothesis, let's get more concrete.
  • I can join one or more communities, yet it's about staying six months and actively participating in any of them.
  • Challenges could be a variety of practice exercises on topics like threat modeling, SAST activities, security testing and more - as long as they would help me in everyday work, hence the focus on mobile.
  • Mobile application challenges cover the whole mobile system and architecture, including backend services.
  • To explain how I solved the challenges, I will write blog posts. I will edit my explanations based on the received feedback.
  • People to ask for review or feedback could come from the communities I freshly joined or the wider global community - yet it should be people I don't know in person yet at this moment in time.

Time line criteria: It always proved valuable for me to think about when to start, when to pause, when to stop.
  • Start: I will start only in 2023 as there are more todos on my desk before and I want to dive in with more focus.
  • Pause: Whenever I realize I neglect the self care I committed to (for three years I'm now using those defined in my last challenge), I pause for the week and take care of myself before continuing with the challenge again.
  • Stop: It's time to stop my challenge and evaluate my experiment overall when I've either proven the hypothesis or ten months have passed.

The Tag: I've made good use of a short identifier to be able to easily refer to my challenges. This time I thought about going for #LearnWithAppSecPeople. While it's not short like all my past challenges, it's expressive enough and not in use yet. And then I discarded the idea for not being snappy and sticky enough and went instead for #AskAppSec. Short and again an alliteration, what would be the chance!

That's it! Yet I'm already working on my security skills, so what exactly is scary here for me again? People, new communities, asking for help. Feeling inadequate and fearing I won't belong as much as I hope I would. And security being such a vast and complex field it's easy to feel very dumb, so building more confidence to be able to figure this out is required.

So, what's in it for me? I hope to increase my confidence, hone my skills, grow my understanding, increase my career options, grow in general thanks to scary things and new people, and also to apply my gained knowledge at work.

I shared that Toyer has a similar theme - and yes, he's now also focusing on security, eager to learn more. I'll leave it up to him to share more detail if he wants to, and if we're all lucky his journey might end up with a talk out of his lessons learned. What helps both of us is that security gained importance in both our work contexts and we're both hoping for certain synergy effects.

There's More for 2023

Although speaking itself won't be my priority next year, I will continue speaking at conferences, to keep learning together with various communities, and also create at least a new talk. I will start new initiatives at work, trying my best to use the foundations built this year to help us thrive more next year. I'll also try and continue not to forget myself and the rest I need next year - keeping my boundaries and energy levels in check as well as exercising self care.

It's not going to get a boring year, it might get busy. And still. I'm truly excited (and scared enough) for this new pact and challenge!

No comments:

Post a Comment