Thursday, June 29, 2023

AskAppSec - On Late Beginnings, Distracting Struggles and Finding Community

The personal challenge I picked for 2023 is AskAppSec. I believe that joining and actively participating in at least one security community for a period of six months will increase my understanding of practical application security in everyday work situations. When I decided on my challenge end of last year, it felt it would be a perfect fit: scary and a worthy endeavor allowing me to grow while sharing hopefully useful content. It also fit well to what I set out to do at work, taking on more explicit advocacy for security in my team and the company.

Sounded all nice and well to me, and yet I struggled, more than I expected. I'm acutely aware that it's already the middle of the year, and where am I? Well, it's not that I didn't move at all, yet I'm clearly not where I hoped to be. I need to acknowledge it and accept just as it is in order to move on from here.

Biting Off More than I Can Chew

I've been learning in public for quite some time now, and I still enjoy when I can fully dive into a topic. This year I thought it's the time again to do just that, going full in! And then life happened. Now half the year is already over, and not so much was done yet. I'm struggling with processing this. I'm between trying to allow myself to go slower, and beating myself up that I actually didn't go slow so far but instead opted in for so many other things. Distractions. Valuable stuff, yet definitely distracting me from what I set out to do: my personal AskAppSec challenge. I've recently been at Agile Testing Days USA where Dr. Rochelle Carr dropped wisdom that heavily reminded me of my situation. In her fantastic keynote "The WHY you are", she told us to remove unneeded distractions to our own potential. Does it feed your "why"? If not, don't get off course.

So, let's face it. I took on too much this year. I declined opportunities, and yet said yes to others - including creating new conference sessions. I really forgot how time-consuming and energy-draining that is (although it can have a really nice return on investment). Plus draining life stuff happened on top of all this that also demands capacity. Work is very consuming as well, although it does give me back a lot, too.

So here am I again, trying to remove tasks from my to-do list and gain more headspace so I can do bigger things, like working on my challenge. Because I also realized, I continue doing things just because I started them once, they tend to pile up as obligations - and then I bear the pain of opportunity cost and never get to things that would grow or amuse me. 

At the same time, there are a few things I always wanted to do and be better at. Over and over in my life, I practiced them for a while and dropped them again, just to pick them up to start over again and again. Recently, I realized that I added most of these to my daily habits checklist. So I actually do work on them, even though only very little by little, yet mostly every day and I make progress. I did consider them distractions for some time, yet maybe these ones are indeed not.

Finally, I kept my public writing to a bare minimum. This blog usually helped me reflect by writing things out, like a public journal on non-confidential work and growth topics. I stopped doing so as well, only fulfilling what I had loaded on myself, like writing a blog post per on-site conference. With this one, I am again just writing down my thoughts which is more than I did the last months and it feels good.

So, here's where I am right now. This is my attempt in bringing a bit more order to the chaos of my thoughts. Maybe I am indeed slacking off on the things I care about and do too much of the other things that are rather distractions. It's time to reconsider and only keep what adds to my own why, respectively the goal I had set for myself. Gain energy, headspace, and focus on what moves me forward to get stuff done and learn from it as I go.

Starting Late in the Year

Back to my challenge. Beginning of the year I had gathered material to work with, like communities I could join, interesting resources, potential challenges, and so on. Only beginning of May, I could finally start acting on this material, though.

The first weeks went quite well. I joined a few online security communities and tried first interactions, more or less successful. I read more stuff. And yet, I still found this very hard. I thought about things I could do, and then - once again - lacked focus. Distractions came my way and I happily jumped on them. At times it helps me to find more headspace if I get things out of the way first, yet this time I instead ended up lacking energy to work on my personal challenge.

At the same time, I'm still scared of this challenge. How did I do this in the past years? I conquered my fear back then and did it anyway, so how about now? I guess the only way to do this, as last years, is go step by step and never hesitate or look back. I need to break this challenge down more clearly in my head, and then finish one step after another instead of jumping around between different tasks. Do small tangible stuff.

Whenever I leave the challenge be, it festers in my mind and gets even bigger than it is. Whenever I take a step, it becomes a step smaller and seems more doable. It becomes less scary and getting stuff done simply feels good. I guess one big issue with security is that I started this topic a few times already in the past and stopped again each time, hence I couldn't build on the momentum. Turns out,  consistency is once again crucial for me.

What Happened So Far, After All

My first goal was to join communities and find a new additional place for me to learn and share. I focused mostly on online places as I don't have capacity left for on-site events this year, and didn't want to rely on local meetups only. The three communities I joined so far are the following.

  • We Hack Purple. This community is initiated by Tanya Janca. I benefitted a lot from her content over the years and this community felt like a great fit to start. I actually already had joined back in 2021, yet then neglected it. This place had been quite welcoming so far, yet I feel I joined at a moment where there was not too much activity going on - I see it increasing these days. My first attempts to connect didn't receive too much response, yet it's still a promising community to be in and learn with.
  • OWASP Slack. Well, OWASP continues to be the one constant we keep hearing about again and again. It's a frequently used reference point when it comes to all things application security. Everybody I talked with who had joined local chapters mentioned that the community culture differed heavily depending on the chapter. So I decided to join the global Slack first, which is quite active. Also here, I had first interactions, nothing groundbreaking yet.
  • InfoSec Community Discord. A colleague brought my attention to this one. It's not been overly active these months and it felt the hardest to join in so far based on its structure and engagement. It's still good to be there and see what's going on and being shared.
I have a whole list of other communities I could join. In the beginning, I wanted to start with only a handful not to overwhelm myself, yet now I'm considering adding more. I'm especially interested in places people can recommend, so I started asking around for personal experiences.

I dived into further resources as well, which had been quite insightful so far. For example, I finally started reading Tanya's book "Alice and Bob Learn Application Security". It's really awesome and I can already recommend it. Tanya manages to explain security concepts in a comprehensible, digestible and engaging way. Theory, examples, stories, and actionable exercises - all included. For me it's perfect to see what I already know and what not yet, and for which concepts I had a grasp yet lacked the official term for.

At work, mobile application security is my topic of the year as well and quite some stuff got moving there already. For example, we aligned in the team on an application security strategy to get where we want to be, and already took steps to get closer. I had a few sessions together with our awesome InfoSec folks to build security in, test together, and gain more clarity on specific topics. Also, I joined my very first security audit and officially took over the role as security champion for my team. More is in the making.

Finally, I still continue having monthly security testing sessions with Peter Kofler. We kept doing these ever since my Testing Tour back in 2018, we just never stopped! We're not moving fast yet continuously. This way, we could already cover lots of ground in theory and practice together. Well, there's always more to learn and always something new going on, we won't run out of topics any time soon. It's been great to see how much we can build on the insights we gained over the years.

Probable Next Steps

Well, I don't know what life and this challenge brings, yet I have a rough plan on my next moves.

I'll see what I can do to get more active in the communities I'm already in, seeing where I can find help and inspiration, and also practice giving back as much as I can already. I'm considering joining more communities, so I'll continue seeking recommendations. I'm also looking out for events that might still suit my schedule this year, and probably bring my topics to the events I'm already going to.

It'll soon be time to decide on my first hands-on challenge around mobile application security that I can share about and get feedback on. This will also include finding safe ways to practice and share without causing harm.

Finally, I'm still gathering and consuming more resources on application security in general.

Reflections for Moving Forward

This year was full of distractions so far. Over and over, I allowed myself to be pulled away from my personal challenge. Then my brain got so tired that I just kept working on these distractions which I perceived way easier than doing the scary thing, and they kept me nicely busy anyways. Yet also more guilty with every step. Especially considering my usual timeline for personal challenges from January to October. Seeing so much time having passed already without much progress is frightening and paralyzing. Having too many options what to do next, is too. The last months, my brain kept jumping between too many threads, and not producing the clear structure I dearly need to hold on to and not get lost.

Also, why didn't I ask more of my existing network connections yet, as I do know several folks who work in security? For other topics I did that a lot, so why not here? After all, I'm not alone - and the whole topic is about reaching out!

Well. This challenge is indeed scary for me. 

Is it because security is such a vast area of expertise? Or maybe because it's difficult to impossible to share about real everyday work challenges? I liked to believe so, yet on the other hand I had similar situations already where there was always a way to still learn and share. I wonder if it's because I interrupted my streak of personal challenges and can't build on the past momentum of learning in public to the same extent. Maybe it's because it's very long time ago since I had to join a new community, especially online compared to mingling at on-site events - and it's difficult to have to prove myself all over again. Or it might just be a tough year for me, and that after a few years of drained energy - which might cause my fear overshadow my curiosity and hope. Heck, maybe I'm once again overthinking way too much. Probably it's all of it combined.

Maybe it'll get easier once I can focus my head on hands-on challenges. Right now, consuming resources and practicing would feel closer to my comfort zone than making my way into security communities. But that's exactly what I am aiming for.

I should indeed take my own advice and do a bit every day, just a few minutes, yet every day. Tiny steps go a long way and still result in lots of practice in the end. For that, I have to be okay with good enough for now, and not worry too much about my originally envisioned timeline that clearly didn't work out this time - which is fine.

So be it. Slow steps it is, and I'll become okay with it. As long as I do take the next step it still keeps me moving in a generally good direction. At AgileTD Open AirJanet Gregory shared a quote by Paulo Coelho that really hit home for me: "An arrow can only be shot by pulling it backward. So when life is dragging you back with difficulties, it means that it’s going to launch you into something great. So just focus, and keep aiming."

Sunday, June 18, 2023

AgileTD Open Air 2023 - Welcome to Unicorn Beach

It's been my second time to the AgileTD Open Air, the beach edition of the Agile Testing Days. I'm really not an outdoor person, yet once again I thoroughly enjoyed this event.


Directly when arriving in Cologne, it felt like coming home when spotting first folks in the hotel. After initial conversations with Sophie Küster and Micha Kutz, and yet another practice session for my new talk, it was time to go for speakers dinner. Food and company were amazing and I enjoyed our table conversations. I finally had a chance to speak with Tariq King and his wife - loved it! We got into deeper discussions around certifications and whether they make sense or not. We had fun laughing about past conference stories (anyone remember "table 2"?). We celebrated new speakers at the table, like Mazin Inaad who decided to start conference speaking at Toyer Mamoojee's and my learning partner workshop back in 2018! So proud. We got drawn into the "pen game" to practice our observation and critical thinking skills - ask me about it in person, I won't spoil it here. We had deep meaningful conversations about life struggles; I just love how communities like these support each other all the way. And so much more. Many thanks also to João Proença, Richard Bradshaw, Zeb Ford-Reitz, Paul Holland and Patrick Van Enkhuijzen - it was a brilliant evening!


Micha Kutz invited a bunch of us to go sightseeing together before the conference officially started. Who can say no to that? Also, a great opportunity to re-connect with Heather Reid and Steph Desby! We really enjoyed our time discovering Cologne.

Then it was time, the conference was about to be kicked off. We took the bus to the event location Blackfoot Beach and had sufficient time to meet folks before the official opening.

  • Keynote "Invasion of the Gummy Bears: Fighting Back" by Janet Gregory. This was a great opening keynote on a very important topic. I loved the angle on it and can relate so much personally. It once again reminded me about all the coping mechanisms I already make use of, and provided me more ideas of what else to try. Finally, it provided an additional nudge to get out of my mental fatigue - easier said than done, yet I'm on it.
  • Bonus session "Puzzle your way to group success" by Patrick Van Enkhuijzen. I just loved this session! Each of us had been given one or two pictures that only we were allowed to see and not show anyone. We were tasked to figure out the pattern in order to place all images in one order  - just by speaking with each other. What a great exercise in communication and collaboration. I'm amazed it worked out so well, too! This gave a lot of food for thought to reflect on.
Dinner at the beach was great and the evening flew by. Special shoutout to Marc Kalmes and Ada Pohl for insightful conversations!


Originally, I wanted to start the conference day with a lean coffee session, as I often do. I had some topics in mind to bring, and looked forward to the evolving conversations. Well, it didn't work out as planned and I missed the first bus that would have gotten me to the venue in time. Guess I should have used that time for extra sleep, yet it was how it was.

  • Key-speech "Visibility of Testers" by Huib Schoots. It's a recurring topic that people dedicated to testing and quality are asked to justify their position and demonstrate their value-add. Yet I've seen the same apply to other roles as well, so making our contribution and impact visible is a topic for everyone. Transparency indeed often helps to do a better job, not only because it helps the team work closer together, yet also because you need to spend less headspace on justifying your value that you can use to deliver value instead.
  • "Cross Team Ensembling" by Christian Rucinski and Zeb Ford-Reitz. This topic is very dear to my heart and I hope more people get to hear about it. I loved this talk as it was an experience report, and the angle of cross-team collaboration gives yet another perspective how working as an ensemble can be valuable. I hope people got inspired to give this a try!
  • "The 8 ‘Commendments’ for Maintainable Test Automation" by Mazin Inaad. Can't believe Mazin just started out speaking at conferences - he delivered well! I believe also in 2023 more testers need to hear the presented "commendments" (a word play between recommendations and commandments), especially when automating tests through the whole tech stack. I really liked how he pointed out that this is not carved in stone as things depend on context - while still providing very tangible and actionable advice including examples.
  • "Data Driven Decisions in Testing" by Heather Reid. This talk was awesome, Heather rocked it. We really need to be advocating for using more data at any time for making more informed decisions - real data can indeed be a super power to bring to the table. Loved all the stories that made this talk very tangible!
  • "Team Transformation Tactics for Holistic Testing and Quality" by me. This is the third time I gave this brand-new talk and I felt I had practiced it well. Yet once again, real life situations differ! I was struggling a bit to find my rhythm and took more time than expected. I felt drained afterwards and wasn't sure if the message came across. Therefore, I was even more grateful when a bunch of people came to me afterwards and told me what they got out of it! Really, if you've been listening to a talk and it was helpful for you, please go and tell the speaker - we dearly need this feedback.
  • Keynote "Combining Force Multipliers to Improve Quality" by Tariq King. Just loved the emphasis on force multipliers, how they could be applied and combined! Great examples, too. Especially appreciated that Tariq emphasized how culture is a big multiplier in itself. I totally relate to this, have seen it over and over again. Quite some food for thought in this keynote!
  • Bonus session "Code Reading Club Session at the Beach" by Samuel Nitsche. I am part of a regular code reading club together with Sam and a bunch of other awesome folks, and I couldn't resist this opportunity for additional practice. I also always felt the testing community needs more of this - so I can only encourage folks to seize the opportunity when it presents itself. This was an amazing session indeed, it fully re-energized me. The whole group practiced together and the resulting exchange was really insightful.
  • Bonus session "Smoke Tests & Mirrors" by Benjamin Bischoff. What a magical session - literally! Just loved the combination of Benjamin doing a really awesome magic show (despite very tricky stage conditions for magicians) and showing how magic principles relate (or not) with principles in testing. Both educational and entertaining!
Wonderful conversations throughout the day just happened. Like with Stefan Scheidt on why we both love Star Trek and how it relates to our work in tech teams. Or with Rick Scott, whom I ended up sitting next to in talks a lot which enabled us to instantly exchange thoughts! Or with Sam and Gabrijela Hladnik talking about getting closer to other communities like the domain-driven design (DDD) or software crafter communities. Or with Maria Olga Raimondo about our origin stories; there are so many amazing ways to end up in tech and excel there. I loved the experience people bring in who don't take the straight way.

The conference day concluded with a party with a live band made out of a bunch of speakers and friends! Loved it. Loved the more quiet and private conversations afterwards even more. Like with my dear friends Anne ColderVincent Wijnen and João Proença! One main insight was again that we can learn a lot of things. Everyone has a different learning curve and time when we plateau, though. Yet one thing is for sure, without practicing no one gets far. Behind skill there's usually a lot of practice and effort. 

At first glance, the program didn't seem too full that day, yet the day was over again very quickly being filled to the rim with awesome experiences.


Second day, second chance to get to lean coffee! Or not. My body already complained about lack of sleep, so it was rather not.

  • Key-speech "How do we stay relevant?" by Paul Holland. Paul reconnected this back to Huib's key-speech by sharing that if we're adding value yet aren't visible we might not stay relevant. Paul encouraged people to stop doing what automation can do, and instead start doing what only a human can do. This triggered a great conversation over lunch on which skills and behavior we assume will still continue to be relevant and which not.
  • Workshop "Let’s Get Into Coding" by Stefan Scheidt and Micha Kutz. While this was targeted at beginners, I made it a point for myself to catch as many hands-on coding sessions as I can, as usually I can always practice no matter the overall level. And I was not disappointed! I loved the setup and instructions provided, especially that it was close to real-life situations and that struggling through while also supporting each other and receiving support was an integral part of it. This made it not only very authentic yet also encouraging to go further and learn more - together.
  • Keynote "What I thought I knew about the status of testing" by Lena Nyström. I loved hearing all the misconceptions Lena had been holding or overheard in the past, and what she learned instead throughout her career. Awesome and authentic storytelling, very relatable, and I totally agreed with the provided advice. And hearing Lena say "I'm priceless because I care" really got to me, it's exactly feedback I recently received from a developer teammate (so I'm clearly biased), yet I truly believe people have to hear this more to make better career decisions.
  • Workshop "Ensemble Exploratory Testing" by me. I've given this workshop over and over again and it doesn't get boring yet for me or the participants from what I can tell. Most often, people have never had the opportunity to try any of the included components. Seems they also had a great time and took value out of it! What else can I want.
  • Bonus session "Bug Hunting - Explored" by Patrick Van Enkhuijzen and Jarno Lapere. This session was a perfect segue from my own workshop as we again explored in ensembles - and this time I had the opportunity to practice as well. It was great to learn about what's important for facilitating bug hunts, and then instantly experience one ourselves. It was especially awesome that we tested a real product so we could also provide real value. It worked really well to find a lot of issues in short time. This session was both educational and really fun. The chocolate prizes were much appreciated as well, especially as my group shared the first place with another group. :D
  • Keynote "Knowledge Gaps and the Quest For Rapid Feedback Loops" by Richard Bradshaw. I really liked Richard's angle on thinking in gaps together with feedback loops, encouraging people to spot gaps and fill them quickly. I really think this is so at the core of what we're doing and trying to achieve in teams, and that more people need to hear about that. Richard provided actionable ideas how to implement this, so people could start doing so right away. The delivery was also very entertaining! Perfect to close this conference.
Another live band played, even more conversations were to be had. One person really made my day sharing how they love my blog (I'm feeling honored they really go through these lengthy writings!) and that especially my post "I Am white" was very impactful on them, letting them dig into resources and start changing behavior. Just wow.
Saying goodbye is always hard and people didn't want to let go until the last bit - me included.


The day of going home had come. I took the opportunity to meet up with one more community friend who happened to be in the city: Janina Nemec. It was lovely to catch up before each of us headed home.

Returning from a conference like this usually needs me to sit and digest what I heard and what I learned, the conversations we had and the thoughts they inspired. I'm sad for the people I've missed to re-connect with more deeply, I'm glad for those I had the opportunity to do so, and I enjoyed getting to know all the new folks I had not met before.

I'm grateful to have been in such good company for the last days, people that we can have deep meaningful conversations with each other. I'm grateful for all the inspirational experience exchange. I'm grateful for practicing together for our personal growth. Looking back over the last years, I've been growing with every conference I've been at. I hope more people can make this experience as well, so I will continue paying it forward.