Saturday, December 2, 2023

AskAppSec - Finding Closure

My personal challenge of the year, AskAppSec, came to an end and I finally found closure. Here I'm looking back to see what happened and what I can take with me for my next endeavors.

What I aimed for

The personal challenge I set out to in 2023 was to connect with security folks and related communities to grow my application security knowledge and skills. I've detailed things out in another blog post, so let me just re-share my original hypothesis here.

I believe that joining and actively participating in at least one security community for a period of six months will increase my understanding of practical application security in everyday work situations. I've proven the hypothesis when I have...
  • solved five mobile application security challenges,
  • explained how I solved them, and
  • asked community members for their review and feedback to learn from.


What happened

Due to a lot of other things happening in life privately and at work, plus me taking up my conference speaking endeavors again more seriously since the pandemic broke out, I had a really late start with my personal challenge only in May this year.

I looked around for security communities to join and asked a lot of folks for recommendations. At first, I wanted to only join a choice selection to fully focus my engagement on those. Relatively soon though, I opted for a different path and joined as many communities as I found in order to figure out those where I found value for myself, that were open for newcomers, and that felt welcoming for me to participate.

Feeling overwhelmed by options, I started doing more of what I found valuable right now in the moment, and that gained me some dearly needed momentum. I also managed to secure a ticket to my first security conference, BSides Munich 2023, which in itself added to said momentum.

In my previous challenges, I used to take one action, work on one topic, instantly blog about it and then take the next step. This time around, I realized I did lots of things at the same time, overlapping with each other, and then wrote my blog posts rather at the end in a row. Here are the posts that matched the five main topics I chose to work on.

Besides sharing these blog posts on my usual social media platforms, I also asked explicitly for input in the communities I've joined. Sometimes just in one of them, sometimes in multiple, depending on where it felt safe enough and if I've practiced asking strangers enough already to dare it. Sometimes I received feedback from folks on these posts, sometimes even feedback that added to what I already wrote so I edited my blog posts to reflect it there as well.

Through all this, I did make new connections to security folks. These new bridges between specialty roles, and also fostering previously existing relationships, really helped my own growth and offered opportunities for me to contribute back to the community.

I've built up a new recommended resources page on all things security. It's still growing, yet hopefully already useful for others as well.

Finally, I'm ending my challenge later than planned and granted myself the freedom to do so - even though this broke my original constraint of ending it by end of October.

So, did all this increase my understanding of practical application security in everyday work situations as I believed in the start? Based on the conversations I ended up having at work and getting closer to our InfoSec team as well, I believe it did indeed.

Where I struggled

To be frank, I really struggled with this challenge. On the one hand, I'm supposed to struggle with my personal challenges, otherwise they wouldn't get me enough out of my comfort zone. On the other hand, this one felt particularly difficult to me.
  • My late start really weighed on me, as usually I make use of the fresh energy of a new year to get things moving and then build on the momentum.
  • I realized once more that it's only a subset of folks being engaged in communities. This is the same for all kinds of professions, something I've seen in testing and quality, development, architecture and so on just as well. It's a bubble in a bubble. This made getting recommendations harder than I thought it would be.
  • Originally, I aimed to focus on mobile-specific security. Sometimes this was the case, yet mostly my topics were not super specific to mobile and instead applicable to other areas as well.
  • Asking communities felt super daring. I am proud I managed to do so. While knowing I might not receive a lot of responses, of course I hoped for feedback. Well, I mostly didn't receive much input at all, which can be quite discouraging. Mostly it was either feedback through social media from communities I'm already in - after all, this seems like a natural thing. They know me, we're already well connected, and I still value the provided feedback a lot - I'm grateful. In other cases, it was feedback from new communities that merely stayed on the surface and unfortunately didn't add to what I already wrote or gave me new pointers. Sometimes, though, there was just brilliant feedback that really helped me and triggered new thoughts, so I'm trying to cling to that.
  • I took on too many commitments next to my personal challenge and really struggled with my capacity. I neglected personal constraints I usually have on my personal challenges to keep some part reserved for self-care, and it drained my energy.

What I learned

This challenge taught me quite a few lessons. That fact in itself already really made it worth it. I'm definitely richer in experiences and knowledge than I was before. Here's what I'll take with me on top of the gained knowledge, skills, and connections.

  • Sometimes life takes over and has unplanned demands, and that's okay. That could either lead to pivoting like I did with my challenge in 2020, or still pursuing it while being more flexible about it like I did this year, and that's okay as well. I do need to take my own advice of good enough actually being good enough more often.
  • It doesn't matter that I didn't do everything as I envisioned, as long as I learned valuable things - and I did. It's not about reaching everything; it's about taking actual steps instead of just wishing I would be the person who had taken those steps.
  • As an outcome of this challenge, I do have more connections to security folks now. Not a whole lot of them, yet valuable, deeper ones. Once again this shows me that quantity is not everything.
  • Connections made face to face, be it remotely in a video call or in person, are way easier for me to make and they tend to hold longer. Therefore, I'm looking to join more meetups and conferences that offer the opportunity to speak with one another.
  • I really should not start too many new unrelated things at the same time, overlapping with the personal challenge I set out to take on. This year, I overdid it. I had unlearned how to enjoy myself for myself and overstepped my own boundaries, which left me drained. The recent weeks, where things finally got closer to the end, really showed it to me: my body told me to stop and finally take the rest I need.


While I did really enjoy diving into security further again and this will definitely not be the end of this journey, I really needed closure on this specific challenge. There's always opportunity cost to consider and I need to free myself up for new things. I already took on topics reaching into the next year, and I am already looking forward to these next endeavors, so I want to make time for them without feeling overwhelmed. Therefore, one personal challenge a year is still a good thing to force myself out of my comfort zone while also keeping it within limits.

Having focused on my AskAppSec challenge during this year, there are still so many topics on my list of things I could do or write about. The good thing is, just closing this challenge doesn't mean I cannot pursue them anymore. It just means I'm leaving this open for myself, and I feel that's a good thing. And it also grants space in my life that's not just commitments to others, but commitment to myself.

Now, before revealing what I'm up to in 2024, I'll indeed take some time for myself. But looking back at AskAppSec, it's overall been a good challenge at a good time for me. So, let me close this post with a huge round of applause and gratitude for all those folks who talked security with me this year and hence helped me on this part of my journey - my sincere thanks to you!
