Wednesday, December 20, 2023

2023 - Another Year in the Books

All in all, this was quite a tough year. Stabilizing my work situation, picking up more conference speaking again after changing jobs and hence more traveling, restarting my personal challenges, facing lots of family issues, more sickness, the list goes on. A lot more challenges overall, both subtle and obvious, which made it a demanding and exhausting year. I observed myself mostly just pushing things to later, trying to hold on a bit longer, telling myself to just get that one thing over the finishing line, then it'll be calmer again. Well, the end of the year is here, and here I am, having finally realized it was overall still too much. There was one day at the end of November where I felt that moment of "finally, I recharged my energy, all is good now!" - and very shortly after I was in the hamster wheel again, feeling tired. Just last week, a colleague told me that we always need twice as much rest as we thought we would. Oh, the wisdom in these words.

I made it my own tradition to write a year in review blog post to reminisce about the last twelve months, and I don't want to spend too much time on all the challenging parts. Instead, I want to look back and see all the good things that happened that I need to remember, especially at times when things are not shiny. Therefore, here are the highlights of 2023 for me to remind myself of in later years.

  • My team at work is in a good place. There's always room for improvement, yet the culture we fostered and continue to evolve makes me proud. We managed to steer clear of lots of trouble we still faced at the beginning of the year. We introduced and implemented tech initiatives that had a heavily positive impact on how we move our legacy system forward - kudos to our manager for having our back! We're working at a much more sustainable pace nowadays with more autonomy. All that with seriously awesome people! I'm curious what we can achieve together next year.
  • I found a new place in my team. Once again, I could reinvent myself and my role. It's a generalist, shapeshifting, druid-roleplaying, gap-filling role anyways, and I love it! What made a difference this year: This is the first team that managed to really own testing and quality together over a long period, always striving to get better, together. This freed me up to contribute in lots of new ways. It allowed me to hone and practice different skills and contribute hands-on on all kinds of topics. Hence, the last half year I've been taking tasks and working on changes like everyone else, and learning and growing on each and every one of them. I gained lots of insights from this perspective and some of the challenges that come with a developer's job! Now, I might still jump in on certain high-risk topics where I see the need, yet usually I know my team got this. And we're anyways not leaving anyone alone. Personally, I just love this. Still doing what's currently most valuable for the team (and company), while continuing to grow myself just as well.
  • A difficult work relationship that started with broken communication turned into a trusting and supportive one. This was a hard one for me this year, yet I'm really glad we both didn't give up and worked our ways towards each other and with each other. I'm very grateful for that, and it's been a very insightful lesson in life in general.
  • It's been an honor and pleasure to work with my fellow quality engineers this year, especially those in teams closer to mine. Lots of pairing and ensembling across teams, lots of learning together - I wouldn't miss it. Thanks a bunch to all of you.
  • My fellow teammate and I kicked off an accessibility guild this year. People feared it might become another fluke, yet we have an awesome core group really engaged and going strong, keen on spreading awareness and actually increasing accessibility of our products as well as our workplace as such. More people raised their interest to join us next year, and I can't wait to see where we can take this together!
  • This year was my first time as an official security champion for my team. Creating and driving our mobile AppSec strategy was a great experience. Collaboration with our security folks got a lot closer. I experienced my very first security audit! Overall, I learned a whole bunch about what works and what doesn't to advocate for security topics and to make things happen. What tools are there to use, what are actual domain-specific risks and priorities, and what else is going on in the world out there. Huge shout-out to our awesome InfoSec folks for being so open and collaborative, it's been a real pleasure.
  • After taking a two years' break, I finally dared to restart my personal challenges. Which means I've done 5 overall by now! This year, I aimed for connecting with folks of the security community. In the end, it took longer than I intended, and it was scarier than expected, yet I made it! My network grew, my knowledge as well. These challenges once again helped my own growth for real.
  • My very first security conference is in the books. Something I wanted to do for quite some time now, and this year it happened with BSides Munich! Just loved the experience.
  • I created a new recommended resources page on all things security. I have 8 overall by now on various topics.
  • I spoke at 7 conferences and gave 10 sessions (3 of them brand-new ones), along with 4 other speaking engagements like webinars and podcasts. This makes it overall 91 speaking engagements since I've started speaking in September 2017! What a number. At conferences alone, I have now given 40 sessions overall at 24 conferences in 10 countries. This year, I also had my first appearances for LeadDev, which is also something I strived for. I still can't quite believe the amount of speaking things I've done so far; I never would have thought I would when starting out. But I received so much from the community, so I tried to give back and pay forward where I can. I've invested a lot in this, and I got a lot out of it as well.
  • During on-site conferences, I created sketchnotes again. This year, I received a shout-out for the alt text I'm adding to them nowadays - which really was a highlight for me. I'm still learning how to do them even better, yet what I learned from Cakelin Fable was seen and acknowledged and I'm just happy I found a way that's feasible for me while making a whole difference for people.
  • I wrote 15 blog posts in 2023, including this one. Part of it was thanks to my personal challenge that often makes me write more, and I'm thankful for that. It's been a while since I learned about myself that I'm thinking in writing - I need to write things down and see them in front of me to help clear my thoughts and come up with new ideas, especially as I can always come back to them. So, these blog posts are mainly for myself to process and digest, remind my future self, and also gain new insights. If anyone else gets something out of it, it's a really nice bonus.
  • Last year a group of amazing folks kicked off a code reading club. This year, we had a bunch of new people joining and a lot more sessions. While I didn't make all of them, it's just been awesome to practice our skills together. Highly recommended!
  • Ever since my Testing Tour in 2018, I had monthly pair testing sessions with Peter Kofler on security, and they are still going strong. We finished our deep dive on the OWASP Top 10 and now started with the mobile application security guides to explore and discover more. Invaluable.
  • I've deepened long-lasting friendships, I've found and evolved new ones, and also met family members again I haven't seen for a very long time. I might not mention these things enough, yet I am really grateful for the foundation I have in some very special folks.
  • I finally picked up playing computer games more again. Still not as much as you would think, as that hamster wheel always tries to push me to run one more round (until I'm too tired to play). And I can run in that wheel for a long time - yet I would do it a lot better when resting more, play more games, do more other things I enjoy in life. I'll do my best to keep reminding myself of it.
  • I continued to revive other passions I have that bring me joy, like drawing, and especially my passion for volleyball. I've learned so much from this beautiful team sport for life, for work, for me personally. And I still can't get enough of it.

To all those people who accompanied my journey in 2023, I'm truly grateful for everything. For all ups and downs, for support and challenge, for you being there with me, for us learning together. Thank you.

All is settled for 2024 now. I have a bunch of conference speaking engagements lined up (stay tuned). I have my new personal challenge ready. I'm even working on a few things with amazing people already, while trying to keep it slow enough to get the rest I need. And oh my, do I need some rest. As my colleague would say: twice as much as I think, so remember to double your time to rest.

Saturday, December 2, 2023

AskAppSec - Finding Closure

My personal challenge of the year, AskAppSec, came to an end and I finally found closure. Here I'm looking back to see what happened and what I can take with me for my next endeavors.

What I aimed for

The personal challenge I set out for in 2023 was to connect with security folks and related communities to grow my application security knowledge and skills. I've detailed things out in another blog post, so let me just re-share my original hypothesis here.

I believe that joining and actively participating in at least one security community for a period of six months will increase my understanding of practical application security in everyday work situations. I've proven the hypothesis when I have...
  • solved five mobile application security challenges,
  • explained how I solved them, and
  • asked community members for their review and feedback to learn from.


What happened

Due to a lot of other things happening in life privately and at work, plus me taking up my conference speaking endeavors again more seriously since the pandemic broke out, I had a really late start with my personal challenge only in May this year.

I looked around for security communities to join and asked a lot of folks for recommendations. At first, I wanted to only join a choice selection to fully focus my engagement on those. Relatively soon though, I opted for a different path and joined as many communities as I found in order to figure out those where I found value for myself, that were open for newcomers, and that felt welcoming for me to participate.

Feeling overwhelmed by options, I started doing more of what I found valuable right now in the moment, and that gained me some dearly needed momentum. I also managed to secure a ticket to my first security conference, BSides Munich 2023, which in itself added to said momentum.

In my previous challenges, I used to take one action, work on one topic, instantly blog about it and then take the next step. This time around, I realized I did lots of things at the same time, overlapping with each other, and then wrote my blog posts rather at the end in a row. Here are the posts that matched the five main topics I chose to work on.

Besides sharing these blog posts on my usual social media platforms, I also asked explicitly for input in the communities I've joined. Sometimes just in one of them, sometimes in multiple, depending on where it felt safe enough and if I've practiced asking strangers enough already to dare it. Sometimes I received feedback from folks on these posts, sometimes even feedback that added to what I already wrote so I edited my blog posts to reflect it there as well.

Through all this, I did make new connections to security folks. These new bridges between specialty roles, and also fostering previously existing relationships, really helped my own growth and offered opportunities for me to contribute back to the community.

I've built up a new recommended resources page on all things security. It's still growing, yet hopefully already useful for others as well.

Finally, I'm ending my challenge later than planned and granted myself the freedom to do so - even though this broke my original constraint of ending it by end of October.

So, did all this increase my understanding of practical application security in everyday work situations as I believed at the start? Based on the conversations I ended up having at work and getting closer to our InfoSec team as well, I believe it did indeed.

Where I struggled

To be frank, I really struggled with this challenge. On the one hand, I'm supposed to struggle with my personal challenges, otherwise they wouldn't get me enough out of my comfort zone. On the other hand, this one felt particularly difficult to me.
  • My late start really weighed on me, as usually I make use of the fresh energy of a new year to get things moving and then build on the momentum.
  • I realized once more that it's only a subset of folks who are engaged in communities. This is the same for all kinds of professions, something I've seen in testing and quality, development, architecture and so on just as well. It's a bubble in a bubble. This made getting recommendations harder than I thought it would be.
  • Originally, I aimed to focus on mobile-specific security. Sometimes this was the case, yet mostly my topics were not super specific to mobile and instead applicable to other areas as well.
  • Asking communities felt super daring. I am proud I managed to do so. While knowing I might not receive a lot of responses, of course I hoped for feedback. Well, I mostly didn't receive much input at all, which can be quite discouraging. Mostly it was either feedback through social media from communities I'm already in - after all, this seems like a natural thing. They know me, we're already well connected, and I still value the provided feedback a lot - I'm grateful. In other cases, it was feedback from new communities that merely stayed on the surface and unfortunately didn't add to what I already wrote or gave me new pointers. Sometimes, though, there was just brilliant feedback that really helped me and triggered new thoughts, so I'm trying to cling to that.
  • I took on too many commitments next to my personal challenge and really struggled with my capacity. I neglected personal constraints I usually have on my personal challenges to keep some part reserved for self-care, and it drained my energy.

What I learned

This challenge taught me quite a few lessons. That fact in itself already really made it worth it. I'm definitely richer in experiences and knowledge than I was before. Here's what I'll take with me on top of the gained knowledge, skills, and connections.

  • Sometimes life takes over and has unplanned demands, and that's okay. That could either lead to pivoting like I did with my challenge in 2020, or still pursuing it while being more flexible about it like I did this year, and that's okay as well. I do need to take my own advice of good enough being actually good enough more often.
  • It doesn't matter that I didn't do everything as I envisioned, as long as I learned valuable things - and I did. It's not about reaching everything; it's about taking actual steps instead of just wishing I would be the person who had taken those steps.
  • As an outcome of this challenge, I do have more connections to security folks now. Not a whole lot of them, yet valuable, deeper ones. Once again this shows me that quantity is not everything.
  • Connections made face to face, be it remotely in a video call or in person, are way easier for me to make and they tend to hold longer. Therefore, I'm looking to join more meetups and conferences that offer the opportunity to speak with one another.
  • I really should not start too many new unrelated things at the same time overlapping the personal challenge I set out to take on. This year, I overdid it. I had unlearned how to enjoy myself for myself and overstepped my own boundaries which left me drained. The recent weeks where things finally got closer to the end really showed it to me: my body told me to stop and finally take the rest I need.


While I did really enjoy diving into security further again and this will definitely not be the end of this journey, I really needed closure on this specific challenge. There's always opportunity cost to consider and I need to free myself up for new things. I already took on topics reaching into the next year, and I am already looking forward to these next endeavors, so I want to make time for them without feeling overwhelmed. Therefore, one personal challenge a year is still a good thing to force myself out of my comfort zone while also keeping it within limits.

Having focused on my AskAppSec challenge during this year, there are still so many topics on my list of things I could do or write about. The good thing is, just closing this challenge doesn't mean I cannot pursue them anymore. It just means I'm leaving this open for myself, and I feel that's a good thing. And it also grants space in my life that's not just commitments to others, but commitment to myself.

Now, before revealing what I'm up to in 2024, I'll indeed take some time for myself. But looking back at AskAppSec, it's overall been a good challenge at a good time for me. So, let me close this post with a huge round of applause and gratitude for all those folks who talked security with me this year and hence helped me on this part of my journey - my sincere thanks to you!