Thursday, June 29, 2023

AskAppSec - On Late Beginnings, Distracting Struggles and Finding Community

The personal challenge I picked for 2023 is AskAppSec. I believe that joining and actively participating in at least one security community for a period of six months will increase my understanding of practical application security in everyday work situations. When I decided on my challenge at the end of last year, it felt like it would be a perfect fit: scary and a worthy endeavor allowing me to grow while sharing hopefully useful content. It also fit well with what I set out to do at work, taking on more explicit advocacy for security in my team and the company.

Sounded all nice and well to me, and yet I struggled, more than I expected. I'm acutely aware that it's already the middle of the year, and where am I? Well, it's not that I didn't move at all, yet I'm clearly not where I hoped to be. I need to acknowledge it and accept it just as it is in order to move on from here.


Biting Off More than I Can Chew

I've been learning in public for quite some time now, and I still enjoy when I can fully dive into a topic. This year I thought it was time again to do just that, going all in! And then life happened. Now half the year is already over, and not so much was done yet. I'm struggling with processing this. I'm between trying to allow myself to go slower, and beating myself up that I actually didn't go slow so far but instead opted in for so many other things. Distractions. Valuable stuff, yet definitely distracting me from what I set out to do: my personal AskAppSec challenge. I've recently been at Agile Testing Days USA where Dr. Rochelle Carr dropped wisdom that heavily reminded me of my situation. In her fantastic keynote "The WHY you are", she told us to remove unneeded distractions to our own potential. Does it feed your "why"? If not, don't get off course.

So, let's face it. I took on too much this year. I declined opportunities, and yet said yes to others - including creating new conference sessions. I really forgot how time-consuming and energy-draining that is (although it can have a really nice return on investment). Plus draining life stuff happened on top of all this that also demands capacity. Work is very consuming as well, although it does give me back a lot, too.

So here I am again, trying to remove tasks from my to-do list and gain more headspace so I can do bigger things, like working on my challenge. Because I also realized that when I continue doing things just because I started them once, they tend to pile up as obligations - and then I bear the pain of opportunity cost and never get to things that would grow or amuse me.

At the same time, there are a few things I always wanted to do and be better at. Over and over in my life, I practiced them for a while and dropped them again, just to pick them up to start over again and again. Recently, I realized that I added most of these to my daily habits checklist. So I actually do work on them, even though only very little by little, yet mostly every day and I make progress. I did consider them distractions for some time, yet maybe these ones are indeed not.

Finally, I kept my public writing to a bare minimum. This blog usually helped me reflect by writing things out, like a public journal on non-confidential work and growth topics. I stopped doing so as well, only fulfilling what I had loaded on myself, like writing a blog post per on-site conference. With this one, I am again just writing down my thoughts, which is more than I did in the last months, and it feels good.

So, here's where I am right now. This is my attempt at bringing a bit more order to the chaos of my thoughts. Maybe I am indeed slacking off on the things I care about and do too much of the other things that are rather distractions. It's time to reconsider and only keep what adds to my own why, or rather the goal I had set for myself. Gain energy, headspace, and focus on what moves me forward to get stuff done and learn from it as I go.


Starting Late in the Year

Back to my challenge. At the beginning of the year I had gathered material to work with, like communities I could join, interesting resources, potential challenges, and so on. Only at the beginning of May could I finally start acting on this material, though.

The first weeks went quite well. I joined a few online security communities and tried first interactions, more or less successfully. I read more stuff. And yet, I still found this very hard. I thought about things I could do, and then - once again - lacked focus. Distractions came my way and I happily jumped on them. At times it helps me to find more headspace if I get things out of the way first, yet this time I instead ended up lacking energy to work on my personal challenge.

At the same time, I'm still scared of this challenge. How did I do this in the past years? I conquered my fear back then and did it anyway, so how about now? I guess the only way to do this, as in past years, is to go step by step and never hesitate or look back. I need to break this challenge down more clearly in my head, and then finish one step after another instead of jumping around between different tasks. Do small tangible stuff.

Whenever I let the challenge be, it festers in my mind and gets even bigger than it is. Whenever I take a step, it becomes a step smaller and seems more doable. It becomes less scary and getting stuff done simply feels good. I guess one big issue with security is that I started this topic a few times already in the past and stopped again each time, hence I couldn't build on the momentum. Turns out, consistency is once again crucial for me.


What Happened So Far, After All

My first goal was to join communities and find a new additional place for me to learn and share. I focused mostly on online places as I don't have capacity left for on-site events this year, and didn't want to rely on local meetups only. The three communities I joined so far are the following.

  • We Hack Purple. This community was initiated by Tanya Janca. I benefitted a lot from her content over the years and this community felt like a great fit to start. I actually had already joined back in 2021, yet then neglected it. This place has been quite welcoming so far, yet I feel I joined at a moment where there was not too much activity going on - I see it increasing these days. My first attempts to connect didn't receive too much response, yet it's still a promising community to be in and learn with.
  • OWASP Slack. Well, OWASP continues to be the one constant we keep hearing about again and again. It's a frequently used reference point when it comes to all things application security. Everybody I talked with who had joined local chapters mentioned that the community culture differed heavily depending on the chapter. So I decided to join the global Slack first, which is quite active. Here too, I had first interactions, nothing groundbreaking yet.
  • InfoSec Community Discord. A colleague brought my attention to this one. It's not been overly active these months and it felt the hardest to join in so far based on its structure and engagement. It's still good to be there and see what's going on and being shared.

I have a whole list of other communities I could join. In the beginning, I wanted to start with only a handful so as not to overwhelm myself, yet now I'm considering adding more. I'm especially interested in places people can recommend, so I started asking around for personal experiences.

I dived into further resources as well, which have been quite insightful so far. For example, I finally started reading Tanya's book "Alice and Bob Learn Application Security". It's really awesome and I can already recommend it. Tanya manages to explain security concepts in a comprehensible, digestible and engaging way. Theory, examples, stories, and actionable exercises - all included. For me it's perfect to see what I already know and what not yet, and which concepts I had a grasp of yet lacked the official term for.

At work, mobile application security is my topic of the year as well and quite some stuff got moving there already. For example, we aligned in the team on an application security strategy to get where we want to be, and already took steps to get closer. I had a few sessions together with our awesome InfoSec folks to build security in, test together, and gain more clarity on specific topics. Also, I joined my very first security audit and officially took over the role as security champion for my team. More is in the making.

Finally, I still continue having monthly security testing sessions with Peter Kofler. We kept doing these ever since my Testing Tour back in 2018, we just never stopped! We're not moving fast, yet continuously. This way, we could already cover lots of ground in theory and practice together. Well, there's always more to learn and always something new going on, so we won't run out of topics any time soon. It's been great to see how much we can build on the insights we gained over the years.


Probable Next Steps

Well, I don't know what life and this challenge will bring, yet I have a rough plan for my next moves.

I'll see what I can do to get more active in the communities I'm already in, seeing where I can find help and inspiration, and also practice giving back as much as I can already. I'm considering joining more communities, so I'll continue seeking recommendations. I'm also looking out for events that might still suit my schedule this year, and probably bring my topics to the events I'm already going to.

It'll soon be time to decide on my first hands-on challenge around mobile application security that I can share about and get feedback on. This will also include finding safe ways to practice and share without causing harm.

Finally, I'm still gathering and consuming more resources on application security in general.


Reflections for Moving Forward

This year was full of distractions so far. Over and over, I allowed myself to be pulled away from my personal challenge. Then my brain got so tired that I just kept working on these distractions, which I perceived as way easier than doing the scary thing, and they kept me nicely busy anyways. Yet I also felt more guilty with every step. Especially considering my usual timeline for personal challenges from January to October. Seeing so much time having passed already without much progress is frightening and paralyzing. Having too many options for what to do next is, too. The last months, my brain kept jumping between too many threads, and not producing the clear structure I dearly need to hold on to and not get lost.

Also, why didn't I ask more of my existing network connections yet, as I do know several folks who work in security? For other topics I did that a lot, so why not here? After all, I'm not alone - and the whole topic is about reaching out!

Well. This challenge is indeed scary for me. 

Is it because security is such a vast area of expertise? Or maybe because it's difficult to impossible to share about real everyday work challenges? I liked to believe so, yet on the other hand I had similar situations already where there was always a way to still learn and share. I wonder if it's because I interrupted my streak of personal challenges and can't build on the past momentum of learning in public to the same extent. Maybe it's because it's been a very long time since I had to join a new community, especially online compared to mingling at on-site events - and it's difficult to have to prove myself all over again. Or it might just be a tough year for me, and that after a few years of drained energy - which might cause my fear to overshadow my curiosity and hope. Heck, maybe I'm once again overthinking way too much. Probably it's all of it combined.

Maybe it'll get easier once I can focus my head on hands-on challenges. Right now, consuming resources and practicing would feel closer to my comfort zone than making my way into security communities. But that's exactly what I am aiming for.

I should indeed take my own advice and do a bit every day, just a few minutes, yet every day. Tiny steps go a long way and still result in lots of practice in the end. For that, I have to be okay with good enough for now, and not worry too much about my originally envisioned timeline that clearly didn't work out this time - which is fine.

So be it. Slow steps it is, and I'll become okay with it. As long as I do take the next step, it still keeps me moving in a generally good direction. At AgileTD Open Air, Janet Gregory shared a quote by Paulo Coelho that really hit home for me: "An arrow can only be shot by pulling it backward. So when life is dragging you back with difficulties, it means that it's going to launch you into something great. So just focus, and keep aiming."
