Tuesday, September 12, 2023

AskAppSec - Input Validation

Input validation is a topic that's been following me around for years. I've come across countless resources speaking about the importance of input validation, or input filtering as it's called at times. What stuck with me is the recommendation to validate any input coming from any source, no matter if we're speaking about third parties, public interfaces we offer ourselves, or internal services behind a firewall or accessible only from inside a private cluster. No matter if the input comes via clients, APIs, messages, data sources, or anything else. Based on my experience of working in testing and quality focused roles for over 14 years, I couldn't agree more. All that makes a lot of sense to me. Not only from a security point of view, yet also from a holistic quality perspective, as input validation can help prevent errors, improve usability, increase observability, and more.

Here are a few interesting resources speaking about input validation from a security standpoint.

Well, it seems convincing people to validate input is also a common challenge in AppSec; it definitely is in my bubble advocating for better quality outcomes. Most frequently I've seen these discussions when working with backend for frontend (BFF) services. This architectural pattern is often applied when you develop mobile applications, yet it's not limited to them. It is usually found along with a bunch of downstream services that are all tasked with different duties. The BFF acts as the main entry point or proxy for a single client (e.g., the mobile app), hence only this API is public to the outside world. All requests are routed through the BFF to the respective downstream backend services (which are usually protected further). In doing so, the BFF orchestrates incoming requests to different services; it can take care of authentication and authorization, as well as filter and aggregate data in order to respond with exactly the information the client needs.

If you'd like to learn more about BFFs and see visual or code examples, I found the following resources useful.

What about input validation for BFFs now? What I've heard frequently from colleagues can be summarized in the following statements.

  • "The BFF is just an API gateway."
  • "The BFF should not contain any logic, just pass through anything it receives to the backend services and vice versa."
  • "Only the downstream backend service behind the BFF should validate input as it's their responsibility, otherwise we replicate the same logic everywhere."
  • "Well, it's okay for the BFF to do sanitization, yet not validation."

Here's my viewpoint, and I'm very curious to hear further opinions.

Any modular component of our system needs to sanitize and validate input coming from outside in order to prevent falling into an unknown state. An unknown state both causes poor user experience and presents an attractive situation for malicious actors looking for further insights that can be used for exploits. This includes frontend clients, for the sake of usability, even though malicious actors can easily bypass client-side checks. As long as there is an interface accepting data from another source, there should be validation. Under that premise, I do think that BFFs should validate incoming data too, especially from the public facing side, yet also from internal backend services or other data sources. The BFF is one of the first layers of defense we have, hence if input is validated there, we leave the door less wide open. We cannot rely on underlying backend services having foreseen everything that could enter the system from the outside and having sufficient mitigations in place; especially if they are developed by other teams in other contexts who might not even realize the impact of their local decisions. Also, lots of people tend to underestimate threats coming from within the company, like malicious insiders or mere human mistakes. I do understand that it's not always pragmatic or feasible to validate input on all boundaries. Yet if we have to decide, I choose validation at trust boundaries, like between the BFF as public interface and the outside world, as a minimum.

That being said: context is crucial, as always. Maybe the policy to only validate on the most downstream service works well in your situation. Maybe this is considered way too dangerous as you might be aware that specific services are not in good shape. Or maybe your product domain's nature means you're dealing with lots of confidential, sensitive data and you are more invested in keeping people out right at the door (aka the BFF API) without letting them any farther in. As usual, it depends on the risk appetite of the company, combined with your own ethics of what potential impact and harm you deem acceptable or not.

One thing I learned over and over again in my career is that arguments might convince rationally, yet they often don't reach people in a way that they change their behavior. They usually need to experience it, and usually a few times (and I'm not excluding myself from this equation). The trouble with security and similar quality aspects: I want to prevent the experience of harmful impact as much as possible. Speaking of the topic of whether it makes sense to validate input also for BFFs: I could of course invest in exploiting the lack of validation, or in showcasing a close-to-real situation, yet it's effort that still does not easily change the narrative and then the behavior. If you have any further idea or tactic for these kinds of situations, your input is appreciated.

All in all, I do have a strong opinion on this topic, yet I hold it loosely enough to allow myself to be convinced by better ones. I did find posts that support my standpoint, like "Web App Security: Understanding The Meaning Of The BFF Pattern" by Syed Wahaj - yet that might be pure confirmation bias. So, I'd sincerely love to hear your thoughts and experience about this and learn more: should BFFs validate input?

UPDATE: I've shared this question with the wider community and received some validating feedback. My appreciation to everyone who offered their thoughts!

What I found especially insightful was the following input from a We Hack Purple Community member, hence sharing it further with their permission so it can help more folks besides me. I think they nailed it, so I mostly maintained the original take with slight format editing from my side.

I think the answer to "Should BFFs validate input?" really depends on what it does with the data. The BFF will need to validate some input, but not necessarily all of it.

Generally, anything that looks at the data, parses it or interprets the data in any way will have to validate input.

A BFF will likely look at the HTTP request headers, so it has to validate those. It cannot assume that the request headers will be sensible, or not malicious. It may also have to decide how to deal with duplicate request headers, etc.

But maybe the BFF does not look at the request bodies, and just passes them through to the backend.

It probably would not make sense to duplicate lots of application logic in the BFF to perform application specific input validation on data the BFF itself does not process. Unless, maybe, there are very common things that it may make sense for a BFF to filter out before bothering the backend with them. But that would then be a bit more like a WAF that may do some general input validation, like looking for common SQL injection patterns. And this still does not absolve the backend from its input validation responsibilities.

The backend services will always have to validate the input they are handling, but even backend services may pass some data through to other downstream backend services. The important thing is that everything that looks at the data and processes it performs validation, whether that is a web server, an API gateway, a web API, or a BFF.

My deepest thanks go out to the person who took the time and energy to elaborate on this. They made the distinction I was looking for (without knowing I was): what exactly makes sense to validate where and why, given the specific context at hand. I think this is what I struggled with myself and hence struggled to convey more clearly to colleagues. Taking this explicit distinction, I feel enabled to map it to our context to make better informed decisions, and I also feel equipped to bring more clarity to the next conversation on input validation!
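To make that distinction concrete, here is a minimal model of a BFF sitting in front of an order service. This is example code added to this page, not code from the post's author, the community member, or any project. The header names, value patterns, size limits and the order schema are all assumptions chosen for the illustration. The BFF validates only what it interprets (the header list, including duplicate handling and header injection characters) and bounds what it forwards, while the request body is passed through as opaque bytes and validated by the backend that actually parses it.

```python
"""Model of a BFF that validates what it reads and passes the body through (added example)."""
import json
import re

# Headers this BFF reads and acts on (assumed set, for illustration). Each maps the
# lower-cased name to the pattern its value must fully match and a length cap.
INTERPRETED_HEADERS = {
    "content-type": (re.compile(r"application/json(?:;\s*charset=utf-8)?", re.IGNORECASE), 64),
    "accept-language": (re.compile(r"[A-Za-z]{2,3}(?:-[A-Za-z0-9]{2,8})*"), 35),
    "x-client-version": (re.compile(r"\d{1,3}\.\d{1,3}\.\d{1,3}"), 11),
}
# Headers that may appear at most once. A second copy is ambiguous, and proxies and
# backends disagree on which copy wins, so the BFF refuses to guess.
SINGLETON_HEADERS = {"host", "content-type", "content-length", "authorization"}
# Token characters permitted in an HTTP header field name.
HEADER_NAME = re.compile(r"[!#$%&'*+.^_`|~0-9A-Za-z-]+")
MAX_BODY_BYTES = 64 * 1024  # assumed limit for this example


class RejectRequest(Exception):
    """Raised with a short reason when a layer refuses the request."""


def validate_headers(raw_headers):
    """Check the headers the BFF interprets; return them keyed by lower-cased name.

    raw_headers is the list of (name, value) pairs exactly as received, so duplicates
    stay visible instead of being silently merged or overwritten by a dict.
    """
    seen = {}
    for name, value in raw_headers:
        if not HEADER_NAME.fullmatch(name):
            raise RejectRequest("bff: malformed header name")
        if any(ch in value for ch in "\r\n\x00"):
            raise RejectRequest("bff: control character in header value")
        key = name.lower()
        if key in SINGLETON_HEADERS and key in seen:
            raise RejectRequest(f"bff: duplicate header {key}")
        seen.setdefault(key, []).append(value.strip())
    for key, (pattern, max_len) in INTERPRETED_HEADERS.items():
        for value in seen.get(key, []):
            if len(value) > max_len or not pattern.fullmatch(value):
                raise RejectRequest(f"bff: invalid value for {key}")
    return seen


def bff_handle(raw_headers, body, backend):
    """Validate what the BFF reads, bound what it forwards, pass the body through untouched."""
    headers = validate_headers(raw_headers)
    if len(body) > MAX_BODY_BYTES:
        raise RejectRequest("bff: body too large")
    # Only headers the BFF understands are forwarded (list values joined as HTTP allows).
    # The body is forwarded byte-for-byte and never parsed here, so validating its
    # content is the backend's job.
    forwarded = {key: ", ".join(values) for key, values in headers.items()
                 if key in INTERPRETED_HEADERS}
    return backend(forwarded, body)


def backend_create_order(headers, body):
    """Downstream service: it parses the body, so it owns the body's validation."""
    if headers.get("content-type", "").split(";")[0].strip().lower() != "application/json":
        raise RejectRequest("backend: unsupported content type")
    try:
        data = json.loads(body)
    except ValueError:
        raise RejectRequest("backend: body is not valid JSON") from None
    if not isinstance(data, dict) or set(data) != {"sku", "qty"}:
        raise RejectRequest("backend: unexpected fields")
    if not isinstance(data["sku"], str) or not re.fullmatch(r"[A-Z0-9]{4,12}", data["sku"]):
        raise RejectRequest("backend: invalid sku")
    if type(data["qty"]) is not int or not 1 <= data["qty"] <= 100:  # bool is an int subclass
        raise RejectRequest("backend: qty out of range")
    return {"status": "accepted", "sku": data["sku"], "qty": data["qty"]}


def try_request(raw_headers, body):
    """Run one request through BFF then backend and report which layer decided."""
    try:
        result = bff_handle(raw_headers, body, backend_create_order)
    except RejectRequest as exc:
        return f"rejected ({exc})"
    return f"accepted {result['sku']} x{result['qty']}"


# Constructed sample request for the demo (not captured traffic).
GOOD_HEADERS = [("Host", "api.example.test"), ("Content-Type", "application/json"),
                ("Accept-Language", "de-DE"), ("X-Client-Version", "4.12.0")]
GOOD_BODY = b'{"sku": "AB1234", "qty": 2}'

if __name__ == "__main__":
    print(try_request(GOOD_HEADERS, GOOD_BODY))
    print(try_request(GOOD_HEADERS + [("Content-Type", "text/plain")], GOOD_BODY))
    print(try_request(GOOD_HEADERS + [("X-Trace", "abc\r\nX-Injected: 1")], GOOD_BODY))
    print(try_request(GOOD_HEADERS, b'{"sku": "AB1234", "qty": 0}'))
```

The outcomes show where each decision lands: the duplicate Content-Type and the CRLF in a header value are stopped by the BFF because headers are what it reads, while the out-of-range quantity travels through the BFF untouched and is rejected by the backend, which is the only layer that parses the body. A WAF-style pattern filter could be added to the BFF on top, but as the contributor above notes, that would not absolve the backend of its own checks.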

As a bonus, here's one more thoughtful response allowing us to weigh further aspects against each other.

Friday, September 1, 2023

SoCraTes 2023 - A Place Where I Belong

I nearly didn't go to SoCraTes this year, the "International Conference for Software Craft and Testing". My speaking budget was already strained, my schedule overbooked, and it would have meant going on vacation time. But then the organizers reached out and offered me yet another slot on the training day this year. They were even fine with me giving a workshop I already had prepared, and I changed my mind. I seized the opportunity and went to SoCraTes on vacation. What can I say, I don't regret it one bit! Granted, I'm super tired, and at the same time I'm super happy. It was so much worth it and convinced me to reserve this time of the year for 2024 as well!

Coming Back

It's always super exciting to join a conference for the first time. The second time around, a few things are already clear - you know the venue, more people, the procedures and other things that reduce your cognitive load. Still, the second time is curious as well - how will they welcome me this time? How easily can I reconnect to where we left things last year?

The first moments are awkward for me, at any conference. At SoCraTes, this very quickly vanished into a feeling of belonging. I felt welcomed, I was included, I had a right to be there. This is the foundation for everything coming afterwards.

My first contact after seeing familiar faces at registration was a person being there for the first time, Lydia Leifels - such a pleasure right from the start! At dinner, I met dear people I have known for a while, like Tobias Göschel, Thierry de Pauw (along with their daughter), Juke Trabold, and Woody Zuill. There were so many awesome folks I got to know or meet again over the course of the conference! Like Janina Nemec, Marc Kalmes, Stefan Scheidt, Claudius Link, Lea Rosema, Waldemar Tomme, Martin Schmidt, Markus Tacker - well, the list could go on and on.

Training Day

The second edition of the training day was even better than the first one. Trainers were amazing both times, yet for this year organizers listened well to the feedback and crafted a schedule of three tracks with each session having enough time to dive into the topic and generous breaks in between. Just awesome. Here's the choice of sessions I made.

  • "Enforcing Architecture Using Tests" by Javiera Laso. This was the first time I heard about ArchUnit, a library to check for conventions like file names, structure, dependencies and more. Writing tests was quite straightforward, and I can see how these could support maintainability and reduce friction by codifying agreements.
  • "Modernize CI/CD Session" by Raimo Radczewski & Chris Neuroth. Very interesting talk sharing fundamental principles for a pipeline optimized for quick feedback while going small, safe steps. They demonstrated live how fast a change can be on production. A few statements I really related to were these: "minimize the time from code written to code on mainline, deployed to real users, running in a real environment, ready to be evaluated - there is no other way to develop software sustainably", "influence the loops you can", "the moment we stop slicing we deliver slower", "skip the review, pair with someone".
  • "Ensemble Exploratory Testing" by me. Fun fact, I've given this workshop now for the 10th time so it became my most repeated conference session ever so far. Good thing is, it seems it doesn't get old! This time again, people were eager to join and seemed to enjoy the learning experience (which hopefully convinced them to try new approaches back at work). Well, I had fun observing people having lots of aha moments together.
  • "Take a mess, make a mess, fix the mess" by Aki Salmi. A very interesting session on refactoring code that's untestable and contains hidden domain concepts, code that's still valuable yet needs to be modified. How? Together, we tried an approach many of us had not seen before: not even trying to understand the code in the first place. Instead, using the IDE's automated refactoring tools to slice it up first, turning hard to test code into easy to test code. Then we can document its behavior in tests, and hence gain our safety net to make the required changes. Check it out, you can follow every small commit Aki made. Nicolas Carlo also wrote a great post on this where you can follow an example: "Another way of refactoring untested code" (by the way, his newsletter is super insightful and a clear recommendation).

After the training day ended, the main part of the conference was opened with a world café. Find a group of people you don't know, take a question as starting point, see where the conversation leads you and doodle your insights on a shared canvas. After a given time box is over, everyone finds themselves a new group, besides one person staying at the table and getting the newcomers on the same page. Repeat until you've finished three rounds. Really nice exercise, perfect for getting to know people ahead of the main conference part and having interesting conversations emerge. One main theme we had was on people, community, culture and how that's foundational. In case you're wondering where to start, I have a resource collection on inclusion that really helped me.

That's not the end of the day, of course - SoCraTes goes all in! Everyone is at the same place, we're together the whole time, so of course there's an evening / anytime during the night / morning schedule with bonus activities suggested by anyone. Such a good thing our hotel rooms are right there to retreat and rest any time. I love how Juke as facilitator and also organizers continuously emphasized the importance of caring for your needs and taking breaks.

Having learned from last year that joining all sessions can be quickly very exhausting, I decided to use the evening time for conversations and enjoying both atmosphere and company of wonderful people.

Open Space Day 1

Days start early at SoCraTes for me being a night owl, yet it's worth it. At its core it's an unconference offering an open space for everyone to bring their topics. Things they want to share, conversations they'd like to have, apps they want to build, tools to try out, skills to practice - and also challenges they'd like to get help on. With so many different people, there's a whole range of topics offered, covering a spectrum from deep dive tech topics to humans and culture as foundation for everything. No matter if it's very personal, related with our professions, challenges in society, or all combined, everything is represented. There are also sessions like doodling together, painting your nails, talking about sheep, whatever is most valuable to people right now. Be prepared to be surprised! This format of building your own schedule together on the fly works amazingly well. It definitely worked out well for me again this year.

  • "Web accessibility - building beautiful web sites that don't make you puke" by njan Völker and Lina Sievering. I had hoped to learn more about accessibility at the conference, and already the first session was spot on! Awesome workshop focused all around motion sickness induced by websites and apps. A topic close to my heart as I'm affected myself. Njan and Lina provided mindful and enlightening exercises to convey the problem and think of more accessible options together. Thanks to them, I also learned about the European Accessibility Act becoming effective as of 28 June 2025 - which means accessibility will be enforceable in Europe, which hopefully gives us more leverage for accessible solutions when making product decisions.
  • "Capture the flag together" by me. As part of my personal AskAppSec challenge, I recently tried out further services offering hacking labs like TryHackMe and Hack The Box to practice penetration testing. The first challenges were good fun to me, so I thought why not offer a session and do it together during the open space. I was positively surprised how many people came and joined me! I opted for Hack The Box and their starting point machines. It worked super well, people were engaged, shared lots of knowledge and we captured a flag together (the second we missed only due to my VPN interfering). A very insightful experience, validating my assumption that there's interest and these could be great sessions for more people to learn about security in a fun way.
  • "Security for devs (& everyone)" by Claudius Link and me. The more security sessions the better, right? So why not host another one, together with Claudius who had the same idea. We had a great conversation with people bringing up all kinds of insights and common challenges. Nothing was immediately new for me, and yet it was validating to hear experienced people share similar views.
  • "Documentation as Code" by Markus Decke. We work together at the same company, and we are transitioning to having more and more documentation as code, so I was curious about other people's ideas, struggles and in general experiences. We talked about benefits and use cases, shared tooling options and their limitations. One of the main themes was around what problem we're trying to solve and then aiming to tackle exactly that and nothing else, so as not to document only for the sake of documentation.

What about the evening? Well, after open space is before open space! As mentioned, there's always an evening schedule people are building up. Once more, I opted for dinner, conversations and more fun time! Last year I discovered that Janina Nemec is an absolute pro at playing Set, a card game I've learned to love through the testing community. At first we didn't spot any deck so decided to opt for a round of Exploding Kittens (so much fun) - and finally discovered a Set deck in the end. Well, next year we're prepared to bring our own decks. Such a good way to close the day.

Open Space Day 2

New day, new schedule. Every day starts a tiny bit later, which is still early for me. And yet it was awesome again and worth the early start.

  • "Stop being a superhero!" by Janina Nemec. She did an early dry run of her upcoming talk to be presented at Agile Testing Days this year - which is your chance to catch this talk, you'll be in for a treat! Janina has vast experience of working in an ensemble full time for many years. In her talk she describes (superhero) behavioral patterns she's observed (like the architecture wise or the coding wizard - way too relatable) and the pain points that result from them (like lots of work in progress without things getting done, or the behavior not helping the team grow and work sustainably). There's a solution for this: working together as an ensemble, or team programming as she calls it - saving the world together.
  • "Build a minimal showcase app" by me. I have a recurring argument around a security topic and wanted to finally start building a minimal app to demonstrate good security practices. So what could be better than getting this started together right at the conference? Nonetheless, I nearly didn't dare to suggest the session. And then I thought no one would show up (I didn't realize it was break time). Until people did show up and we formed a wonderful little ensemble helping me get started in a good way. Everyone else enjoyed setting things up and realizing that we all struggle in certain areas. When doing it together, however, we usually have the missing piece of knowledge in the round to avoid friction, solve problems without frustration, learn with fun, and get to value fast. A pleasant experience, I would have loved to continue together.
  • "Security scanning in pipeline" by Raimo Radczewski & Chris Neuroth. Both wanted to try out security scanning tools like Trivy, Syft and Grype on a real case example and see how they work and what value they bring. A really interesting session that then also sparked a serendipitous hallway conversation on why attack trees might work better compared to threat models in order to get people to think like malicious actors and consider risk.
  • "Security games" by Claudius Link. He brought a whole bunch of games to teach security in a safe space with fun. We could try out a few of them and gain experience how they could be used for educational purposes. Games like Elevation of privilege and OWASP Cornucopia, yet also [d0x3d!] and a lot more I can't remember. Now I know there are a lot more out there to try out!

This was the last day for the main part of the conference, so we closed it with a retrospective. The best part here was that it didn't merely gather feedback for organizers and Juke as facilitator, it also was intended to provide feedback for each other as participants. Over half of my group were here for the first time, and I just loved hearing their feedback and also input to make it even better for each other.

A gratitude round followed. The challenge was to thank five people we had not thanked yet. Honestly, this experience was a bit overwhelming, in all the best ways - and more than one piece of feedback took me by surprise. I haven't mentioned yet that this conference goes big on hand-written kudos cards you can hand out any time for anything you appreciated the other person doing. The ones I received I will keep with me for long, they present such a dear memory.

Dinner followed with more great conversations. Then further sessions were hosted (remember, the evening schedule). I had a great time joining a code kata ensemble. We did the "Vending Machine Kata" which was an insightful exercise itself, yet my main takeaways were on the collaboration part. It was fascinating to see an ensemble start off quite free style and converge to more structure like having a dedicated navigator, using a timer for rotations, having the navigator stand up to be more prominent, etc. It just worked better with folks who have never worked with each other in this way. Also, we used the fish-bowl approach to ensembling, having outside observers and always open spots to join the ensemble. This exercise made me realize once again that this approach is simply not for me, despite having super kind and safe people around me it felt exclusive. I'm very sure it's actually more inclusive for other people to opt in. For me I much prefer the "all together just one ensemble without observers" format.

Last but not least, a retro gaming session! We played the old adventure game "Zak McKracken and the Alien Mindbenders" all together on a C64 system provided by Tobias Göschel - how awesome was that?

Workshop Day

Have I said the conference is over? There's still the additional workshop day! And what better format to have than asking people to bring their topics for hands-on sessions also on this day. It's also the time of the traditional code retreat, practicing the whole day solving the same kata in various ways. Originally, I was adamant to join the code retreat again, it was simply an amazing experience last year. And then Claudius Link came and suggested the only thing that could possibly lure me away: co-facilitating a security workshop. Well, what shall I say? I couldn't resist, this fit way too perfectly to my personal AskAppSec challenge this year.

We aligned on our main thoughts of what to aim for, pitched it to a fellow participant, incorporated the feedback, and came up with a workshop on "Painless Security". We crafted the agenda shortly before and went ahead with it, playing it by ear and experience in giving workshops. Having co-hosted a session the other day helped, too. Co-facilitation worked super well together, we often thought along the same lines and built on each others ideas. People shared many painful experiences and we gathered potential things to try out and what we related with most to bring back to work. I took a lot with me myself.

During lunch time, the security theme continued for me. First thinking about security conferences and ideas to contribute to the space together with Claudius Link and Susanne Neunes. Heading back towards the conference rooms, I noticed another table where Martin Schmidt and Philipp Zug, who also both participated in our security workshop, were scheming on a new security card deck. I loved the idea and they were so kind to invite me in. Well, it seems I got myself involved in two new topics - and yet I feel these are very much worth it.

I decided to check out what other sessions might still run that I could join. First, coffee though - and that's when Matthias Klass approached me and asked whether we might have another capture the flag session together, as a couple of people expressed their interest. Well, I didn't need to check the schedule anymore, security theme it was for the whole day! Of course I'll host another capture the flag session. What can I say, it was awesome! We spent the whole time until we officially had to leave the room and head for dinner. Nearly instantly, the idea popped up whether we could ask the hotel for opening the room once more during the evening. Asking was worth it, we got the keys and went all in after dinner. Many more rounds of capturing flags followed until everyone was so tired we couldn't think anymore - while being just super happy. Some of the challenges tackled were very familiar to us and hence solved a lot faster, others required us to piece together knowledge we usually don't need. All of them were very insightful and fun. So much fun. I loved that we all worked together so effectively as a big ensemble again. I really want to do more of this.

There's a traditional count of code katas done at SoCraTes, counting each exercise by everyone. I was really moved seeing so many people join me on practicing penetration testing, staying with me for so long and sharing my enthusiasm. It felt we just established a new counter at SoCraTes next to the code kata counter: the captured flags counter, aka the number of security secrets discovered. We collectively increased it to 8 overall! 

Why again next year?

Heading home, my heart was full, my brain energized, my body tired, and me super happy. I was certain that if I have any chance to be back next year I will take it.

Besides the obvious reasons of self-selected, very insightful content and just amazingly kind and inspiring people, there's a reason that is even more important. This conference is the best I've seen so far in intentionally designing welcoming and inclusive spaces. They continue to reduce friction and make it more accessible and safer to more and more people. Literally every year. There are lots of aspects of this to be found everywhere. Not only in the code of conduct that's actually being lived and enforced, or offering all gender toilets, or giving away tickets based on a lottery to level the playing field. It's in every little detail. Less noisy applause by waving hands. Exact food labelling and plenty of options for everyone. Child care service so lots of parents could join this year. Sharing Covid tests upfront for every day and encouraging masks.

The level of diversity already achieved has a huge positive impact on the quality of conversations and insights gained. A lot to learn and take with me to do better myself.

Wednesday, July 19, 2023

AskAppSec - Gaining Momentum

Last time I wrote about my struggles to kick off my AskAppSec challenge. Allowing myself to take tiny steps and considering any small thing as progress, I was able to make just that - progress. Well, I've had to learn this lesson multiple times already on different topics, this is just another example. Still works every time.

So here's what happened since my last post. The following actions helped me get out of the scary zone, slowly and steadily.

Ask More People

I reached out to more security folks like Jay Harris and Dan Billing and asked them for recommendations on online communities out there. This way, I learned about new options I had not considered yet. Even when they confirmed communities I already had on my list, it provided validation that I wasn't too far off. I also got inspired by a podcast episode where Tanya Janca emphasized the importance of joining communities and named further ones. Last but not least, I finally asked publicly for recommendations and yet again could add more to my list.

Join Further Communities

Now that I knew about more communities, I indeed joined more of them. Initially, I felt adding too many would be overwhelming, yet as my initial attempts were going slowly, I changed strategy. So I joined as many communities as possible to try them out and see which ones would end up being the best suited for me. Once I started, entering new ones wasn't as scary anymore as in the very beginning. If it's scary, do it more often, right? So now I've added the following ones to those I had joined already.

There are a few options on my list I haven't tried yet as they didn't feel like a good fit right now. Nonetheless, I'm still on the lookout for more online communities, so anyone having recommendations please reach out.

Collect Security Resources

I've come across quite some interesting stuff in the past years, so why not finally start a page of recommended resources dedicated to security. I felt this would be an easy quick win to make progress, it would be great to have a foundation to build on and extend with anything I'm learning now, and nice to be able to share a page with folks interested to learn more about security as well.

Feel free to check out my recommended security resources, maybe this collection already offers something of value for you.

Start AppSec Courses

I'm still reading Tanya Janca's awesome book "Alice and Bob Learn Application Security". I'm a slow reader of non-fiction books, especially if I'm not traveling. So, I thought why not also try out the courses she offers at the We Hack Purple Academy. There are a few free mini-courses available. The paid ones seem very reasonably priced, especially considering the fact that they represent exactly what I'm looking for. There's even a bundle of the four most interesting courses to me, which I'm currently on: AppSec Foundations Bundle + Secure Coding.

Prepare First Challenge

I do have a whole list of potential mobile AppSec challenge options. I still need to pick the first to tackle, write about and ask feedback for. While I have a hunch which topic it's going to be about, I'm fine with not having made the final decision yet. Again, tiny steps, and that particular one is on my radar of things to do next - besides consuming resources and engaging with the communities I've joined.

It'll come, at the right time and pace. As long as I can build on the gained momentum, I'll be fine.

Thursday, June 29, 2023

AskAppSec - On Late Beginnings, Distracting Struggles and Finding Community

The personal challenge I picked for 2023 is AskAppSec. I believe that joining and actively participating in at least one security community for a period of six months will increase my understanding of practical application security in everyday work situations. When I decided on my challenge end of last year, it felt it would be a perfect fit: scary and a worthy endeavor allowing me to grow while sharing hopefully useful content. It also fit well to what I set out to do at work, taking on more explicit advocacy for security in my team and the company.

Sounded all nice and well to me, and yet I struggled, more than I expected. I'm acutely aware that it's already the middle of the year, and where am I? Well, it's not that I didn't move at all, yet I'm clearly not where I hoped to be. I need to acknowledge it and accept just as it is in order to move on from here.

Biting Off More than I Can Chew

I've been learning in public for quite some time now, and I still enjoy when I can fully dive into a topic. This year I thought it was time again to do just that, going all in! And then life happened. Now half the year is already over, and not so much was done yet. I'm struggling with processing this. I'm between trying to allow myself to go slower, and beating myself up that I actually didn't go slow so far but instead opted in for so many other things. Distractions. Valuable stuff, yet definitely distracting me from what I set out to do: my personal AskAppSec challenge. I've recently been at Agile Testing Days USA where Dr. Rochelle Carr dropped wisdom that heavily reminded me of my situation. In her fantastic keynote "The WHY you are", she told us to remove unneeded distractions to our own potential. Does it feed your "why"? If not, don't get off course.

So, let's face it. I took on too much this year. I declined opportunities, and yet said yes to others - including creating new conference sessions. I really forgot how time-consuming and energy-draining that is (although it can have a really nice return on investment). Plus draining life stuff happened on top of all this that also demands capacity. Work is very consuming as well, although it does give me back a lot, too.

So here I am again, trying to remove tasks from my to-do list and gain more headspace so I can do bigger things, like working on my challenge. Because I also realized that when I continue doing things just because I started them once, they tend to pile up as obligations - and then I bear the pain of opportunity cost and never get to things that would grow or amuse me.

At the same time, there are a few things I always wanted to do and be better at. Over and over in my life, I practiced them for a while and dropped them again, just to pick them up to start over again and again. Recently, I realized that I added most of these to my daily habits checklist. So I actually do work on them, even though only very little by little, yet mostly every day and I make progress. I did consider them distractions for some time, yet maybe these ones are indeed not.

Finally, I kept my public writing to a bare minimum. This blog usually helped me reflect by writing things out, like a public journal on non-confidential work and growth topics. I stopped doing so as well, only fulfilling what I had loaded on myself, like writing a blog post per on-site conference. With this one, I am again just writing down my thoughts which is more than I did the last months and it feels good.

So, here's where I am right now. This is my attempt at bringing a bit more order to the chaos of my thoughts. Maybe I am indeed slacking off on the things I care about and do too much of the other things that are rather distractions. It's time to reconsider and only keep what adds to my own why, respectively the goal I had set for myself. Gain energy, headspace, and focus on what moves me forward to get stuff done and learn from it as I go.

Starting Late in the Year

Back to my challenge. At the beginning of the year I had gathered material to work with, like communities I could join, interesting resources, potential challenges, and so on. Only at the beginning of May could I finally start acting on this material, though.

The first weeks went quite well. I joined a few online security communities and tried first interactions, more or less successfully. I read more stuff. And yet, I still found this very hard. I thought about things I could do, and then - once again - lacked focus. Distractions came my way and I happily jumped on them. At times it helps me to find more headspace if I get things out of the way first, yet this time I instead ended up lacking energy to work on my personal challenge.

At the same time, I'm still scared of this challenge. How did I do this in the past years? I conquered my fear back then and did it anyway, so how about now? I guess the only way to do this, as in past years, is to go step by step and never hesitate or look back. I need to break this challenge down more clearly in my head, and then finish one step after another instead of jumping around between different tasks. Do small tangible stuff.

Whenever I leave the challenge be, it festers in my mind and gets even bigger than it is. Whenever I take a step, it becomes a step smaller and seems more doable. It becomes less scary and getting stuff done simply feels good. I guess one big issue with security is that I started this topic a few times already in the past and stopped again each time, hence I couldn't build on the momentum. Turns out, consistency is once again crucial for me.

What Happened So Far, After All

My first goal was to join communities and find a new additional place for me to learn and share. I focused mostly on online places as I don't have capacity left for on-site events this year, and didn't want to rely on local meetups only. The three communities I joined so far are the following.

  • We Hack Purple. This community is initiated by Tanya Janca. I benefitted a lot from her content over the years and this community felt like a great fit to start. I actually already had joined back in 2021, yet then neglected it. This place has been quite welcoming so far, yet I feel I joined at a moment where there was not too much activity going on - I see it increasing these days. My first attempts to connect didn't receive too much response, yet it's still a promising community to be in and learn with.
  • OWASP Slack. Well, OWASP continues to be the one constant we keep hearing about again and again. It's a frequently used reference point when it comes to all things application security. Everybody I talked with who had joined local chapters mentioned that the community culture differed heavily depending on the chapter. So I decided to join the global Slack first, which is quite active. Also here, I had first interactions, nothing groundbreaking yet.
  • InfoSec Community Discord. A colleague brought my attention to this one. It's not been overly active these months and it felt the hardest to join in so far based on its structure and engagement. It's still good to be there and see what's going on and being shared.
I have a whole list of other communities I could join. In the beginning, I wanted to start with only a handful not to overwhelm myself, yet now I'm considering adding more. I'm especially interested in places people can recommend, so I started asking around for personal experiences.

I dived into further resources as well, which have been quite insightful so far. For example, I finally started reading Tanya's book "Alice and Bob Learn Application Security". It's really awesome and I can already recommend it. Tanya manages to explain security concepts in a comprehensible, digestible and engaging way. Theory, examples, stories, and actionable exercises - all included. For me it's perfect to see what I already know and what not yet, and which concepts I had a grasp of yet lacked the official term for.

At work, mobile application security is my topic of the year as well and quite some stuff got moving there already. For example, we aligned in the team on an application security strategy to get where we want to be, and already took steps to get closer. I had a few sessions together with our awesome InfoSec folks to build security in, test together, and gain more clarity on specific topics. Also, I joined my very first security audit and officially took over the role as security champion for my team. More is in the making.

Finally, I still continue having monthly security testing sessions with Peter Kofler. We kept doing these ever since my Testing Tour back in 2018, we just never stopped! We're not moving fast yet continuously. This way, we could already cover lots of ground in theory and practice together. Well, there's always more to learn and always something new going on, we won't run out of topics any time soon. It's been great to see how much we can build on the insights we gained over the years.

Probable Next Steps

Well, I don't know what life and this challenge bring, yet I have a rough plan for my next moves.

I'll see what I can do to get more active in the communities I'm already in, seeing where I can find help and inspiration, and also practice giving back as much as I can already. I'm considering joining more communities, so I'll continue seeking recommendations. I'm also looking out for events that might still suit my schedule this year, and probably bring my topics to the events I'm already going to.

It'll soon be time to decide on my first hands-on challenge around mobile application security that I can share about and get feedback on. This will also include finding safe ways to practice and share without causing harm.

Finally, I'm still gathering and consuming more resources on application security in general.

Reflections for Moving Forward

This year was full of distractions so far. Over and over, I allowed myself to be pulled away from my personal challenge. Then my brain got so tired that I just kept working on these distractions, which I perceived as way easier than doing the scary thing, and they kept me nicely busy anyways. Yet also more guilty with every step. Especially considering my usual timeline for personal challenges from January to October. Seeing so much time having passed already without much progress is frightening and paralyzing. Having too many options for what to do next is, too. The last months, my brain kept jumping between too many threads, and not producing the clear structure I dearly need to hold on to and not get lost.

Also, why didn't I ask more of my existing network connections yet, as I do know several folks who work in security? For other topics I did that a lot, so why not here? After all, I'm not alone - and the whole topic is about reaching out!

Well. This challenge is indeed scary for me.

Is it because security is such a vast area of expertise? Or maybe because it's difficult to impossible to share about real everyday work challenges? I liked to believe so, yet on the other hand I had similar situations already where there was always a way to still learn and share. I wonder if it's because I interrupted my streak of personal challenges and can't build on the past momentum of learning in public to the same extent. Maybe it's because it's been a very long time since I had to join a new community, especially online compared to mingling at on-site events - and it's difficult to have to prove myself all over again. Or it might just be a tough year for me, and that after a few years of drained energy - which might cause my fear to overshadow my curiosity and hope. Heck, maybe I'm once again overthinking way too much. Probably it's all of it combined.

Maybe it'll get easier once I can focus my head on hands-on challenges. Right now, consuming resources and practicing would feel closer to my comfort zone than making my way into security communities. But that's exactly what I am aiming for.

I should indeed take my own advice and do a bit every day, just a few minutes, yet every day. Tiny steps go a long way and still result in lots of practice in the end. For that, I have to be okay with good enough for now, and not worry too much about my originally envisioned timeline that clearly didn't work out this time - which is fine.

So be it. Slow steps it is, and I'll become okay with it. As long as I do take the next step it still keeps me moving in a generally good direction. At AgileTD Open Air, Janet Gregory shared a quote by Paulo Coelho that really hit home for me: "An arrow can only be shot by pulling it backward. So when life is dragging you back with difficulties, it means that it’s going to launch you into something great. So just focus, and keep aiming."

Sunday, June 18, 2023

AgileTD Open Air 2023 - Welcome to Unicorn Beach

It's been my second time to the AgileTD Open Air, the beach edition of the Agile Testing Days. I'm really not an outdoor person, yet once again I thoroughly enjoyed this event.


Directly when arriving in Cologne, it felt like coming home when spotting first folks in the hotel. After initial conversations with Sophie Küster and Micha Kutz, and yet another practice session for my new talk, it was time to go for speakers dinner. Food and company were amazing and I enjoyed our table conversations. I finally had a chance to speak with Tariq King and his wife - loved it! We got into deeper discussions around certifications and whether they make sense or not. We had fun laughing about past conference stories (anyone remember "table 2"?). We celebrated new speakers at the table, like Mazin Inaad who decided to start conference speaking at Toyer Mamoojee's and my learning partner workshop back in 2018! So proud. We got drawn into the "pen game" to practice our observation and critical thinking skills - ask me about it in person, I won't spoil it here. We had deep meaningful conversations about life struggles; I just love how communities like these support each other all the way. And so much more. Many thanks also to João Proença, Richard Bradshaw, Zeb Ford-Reitz, Paul Holland and Patrick Van Enkhuijzen - it was a brilliant evening!


Micha Kutz invited a bunch of us to go sightseeing together before the conference officially started. Who can say no to that? Also, a great opportunity to re-connect with Heather Reid and Steph Desby! We really enjoyed our time discovering Cologne.

Then it was time, the conference was about to be kicked off. We took the bus to the event location Blackfoot Beach and had sufficient time to meet folks before the official opening.

  • Keynote "Invasion of the Gummy Bears: Fighting Back" by Janet Gregory. This was a great opening keynote on a very important topic. I loved the angle on it and can relate so much personally. It once again reminded me about all the coping mechanisms I already make use of, and provided me more ideas of what else to try. Finally, it provided an additional nudge to get out of my mental fatigue - easier said than done, yet I'm on it.
  • Bonus session "Puzzle your way to group success" by Patrick Van Enkhuijzen. I just loved this session! Each of us had been given one or two pictures that only we were allowed to see and not show anyone. We were tasked to figure out the pattern in order to place all images in one order - just by speaking with each other. What a great exercise in communication and collaboration. I'm amazed it worked out so well, too! This gave a lot of food for thought to reflect on.
Dinner at the beach was great and the evening flew by. Special shoutout to Marc Kalmes and Ada Pohl for insightful conversations!


Originally, I wanted to start the conference day with a lean coffee session, as I often do. I had some topics in mind to bring, and looked forward to the evolving conversations. Well, it didn't work out as planned and I missed the first bus that would have gotten me to the venue in time. Guess I should have used that time for extra sleep, yet it was how it was.

  • Key-speech "Visibility of Testers" by Huib Schoots. It's a recurring topic that people dedicated to testing and quality are asked to justify their position and demonstrate their value-add. Yet I've seen the same apply to other roles as well, so making our contribution and impact visible is a topic for everyone. Transparency indeed often helps to do a better job, not only because it helps the team work closer together, yet also because you need to spend less headspace on justifying your value that you can use to deliver value instead.
  • "Cross Team Ensembling" by Christian Rucinski and Zeb Ford-Reitz. This topic is very dear to my heart and I hope more people get to hear about it. I loved this talk as it was an experience report, and the angle of cross-team collaboration gives yet another perspective how working as an ensemble can be valuable. I hope people got inspired to give this a try!
  • "The 8 ‘Commendments’ for Maintainable Test Automation" by Mazin Inaad. Can't believe Mazin just started out speaking at conferences - he delivered well! I believe also in 2023 more testers need to hear the presented "commendments" (a word play between recommendations and commandments), especially when automating tests through the whole tech stack. I really liked how he pointed out that this is not carved in stone as things depend on context - while still providing very tangible and actionable advice including examples.
  • "Data Driven Decisions in Testing" by Heather Reid. This talk was awesome, Heather rocked it. We really need to be advocating for using more data at any time for making more informed decisions - real data can indeed be a super power to bring to the table. Loved all the stories that made this talk very tangible!
  • "Team Transformation Tactics for Holistic Testing and Quality" by me. This is the third time I gave this brand-new talk and I felt I had practiced it well. Yet once again, real life situations differ! I was struggling a bit to find my rhythm and took more time than expected. I felt drained afterwards and wasn't sure if the message came across. Therefore, I was even more grateful when a bunch of people came to me afterwards and told me what they got out of it! Really, if you've been listening to a talk and it was helpful for you, please go and tell the speaker - we dearly need this feedback.
  • Keynote "Combining Force Multipliers to Improve Quality" by Tariq King. Just loved the emphasis on force multipliers, how they could be applied and combined! Great examples, too. Especially appreciated that Tariq emphasized how culture is a big multiplier in itself. I totally relate to this, have seen it over and over again. Quite some food for thought in this keynote!
  • Bonus session "Code Reading Club Session at the Beach" by Samuel Nitsche. I am part of a regular code reading club together with Sam and a bunch of other awesome folks, and I couldn't resist this opportunity for additional practice. I also always felt the testing community needs more of this - so I can only encourage folks to seize the opportunity when it presents itself. This was an amazing session indeed, it fully re-energized me. The whole group practiced together and the resulting exchange was really insightful.
  • Bonus session "Smoke Tests & Mirrors" by Benjamin Bischoff. What a magical session - literally! Just loved the combination of Benjamin doing a really awesome magic show (despite very tricky stage conditions for magicians) and showing how magic principles relate (or not) with principles in testing. Both educational and entertaining!
Wonderful conversations throughout the day just happened. Like with Stefan Scheidt on why we both love Star Trek and how it relates to our work in tech teams. Or with Rick Scott, whom I ended up sitting next to in talks a lot which enabled us to instantly exchange thoughts! Or with Sam and Gabrijela Hladnik talking about getting closer to other communities like the domain-driven design (DDD) or software crafter communities. Or with Maria Olga Raimondo about our origin stories; there are so many amazing ways to end up in tech and excel there. I loved the experience people bring in who don't take the straight way.

The conference day concluded with a party with a live band made out of a bunch of speakers and friends! Loved it. Loved the more quiet and private conversations afterwards even more. Like with my dear friends Anne Colder, Vincent Wijnen and João Proença! One main insight was again that we can learn a lot of things. Everyone has a different learning curve and time when we plateau, though. Yet one thing is for sure, without practicing no one gets far. Behind skill there's usually a lot of practice and effort.

At first glance, the program didn't seem too full that day, yet the day was over again very quickly, being filled to the brim with awesome experiences.


Second day, second chance to get to lean coffee! Or not. My body already complained about lack of sleep, so it was rather not.

  • Key-speech "How do we stay relevant?" by Paul Holland. Paul reconnected this back to Huib's key-speech by sharing that if we're adding value yet aren't visible we might not stay relevant. Paul encouraged people to stop doing what automation can do, and instead start doing what only a human can do. This triggered a great conversation over lunch on which skills and behavior we assume will still continue to be relevant and which not.
  • Workshop "Let’s Get Into Coding" by Stefan Scheidt and Micha Kutz. While this was targeted at beginners, I made it a point for myself to catch as many hands-on coding sessions as I can, as usually I can always practice no matter the overall level. And I was not disappointed! I loved the setup and instructions provided, especially that it was close to real-life situations and that struggling through while also supporting each other and receiving support was an integral part of it. This made it not only very authentic yet also encouraging to go further and learn more - together.
  • Keynote "What I thought I knew about the status of testing" by Lena Nyström. I loved hearing all the misconceptions Lena had been holding or overheard in the past, and what she learned instead throughout her career. Awesome and authentic storytelling, very relatable, and I totally agreed with the provided advice. And hearing Lena say "I'm priceless because I care" really got to me, it's exactly feedback I recently received from a developer teammate (so I'm clearly biased), yet I truly believe people have to hear this more to make better career decisions.
  • Workshop "Ensemble Exploratory Testing" by me. I've given this workshop over and over again and it doesn't get boring yet for me or the participants from what I can tell. Most often, people have never had the opportunity to try any of the included components. Seems they also had a great time and took value out of it! What else can I want.
  • Bonus session "Bug Hunting - Explored" by Patrick Van Enkhuijzen and Jarno Lapere. This session was a perfect segue from my own workshop as we again explored in ensembles - and this time I had the opportunity to practice as well. It was great to learn about what's important for facilitating bug hunts, and then instantly experience one ourselves. It was especially awesome that we tested a real product so we could also provide real value. It worked really well to find a lot of issues in short time. This session was both educational and really fun. The chocolate prizes were much appreciated as well, especially as my group shared the first place with another group. :D
  • Keynote "Knowledge Gaps and the Quest For Rapid Feedback Loops" by Richard Bradshaw. I really liked Richard's angle on thinking in gaps together with feedback loops, encouraging people to spot gaps and fill them quickly. I really think this is so at the core of what we're doing and trying to achieve in teams, and that more people need to hear about that. Richard provided actionable ideas how to implement this, so people could start doing so right away. The delivery was also very entertaining! Perfect to close this conference.
Another live band played, even more conversations were to be had. One person really made my day sharing how they love my blog (I'm feeling honored they really go through these lengthy writings!) and that especially my post "I Am white" was very impactful on them, letting them dig into resources and start changing behavior. Just wow.
Saying goodbye is always hard and people didn't want to let go until the last bit - me included.


The day of going home had come. I took the opportunity to meet up with one more community friend who happened to be in the city: Janina Nemec. It was lovely to catch up before each of us headed home.

Returning from a conference like this usually needs me to sit and digest what I heard and what I learned, the conversations we had and the thoughts they inspired. I'm sad for the people I missed re-connecting with more deeply, I'm glad for those I had the opportunity to do so with, and I enjoyed getting to know all the new folks I had not met before.

I'm grateful to have been in such good company for the last days, people with whom we can have deep, meaningful conversations. I'm grateful for all the inspirational experience exchange. I'm grateful for practicing together for our personal growth. Looking back over the last years, I've been growing with every conference I've been at. I hope more people can make this experience as well, so I will continue paying it forward.

Tuesday, May 30, 2023

Agile Testing Days USA 2023 - A Lot to Think About

Last year's Agile Testing Days USA was full of inspiration. This year, this conference and its community once again gave me a lot to think about.

Before the Conference

Arriving early, I had time to do a bit of sightseeing next to finalizing the preparation for my two sessions. I decided to take it slow and preserve my energy while still checking out some places I hadn't seen yet.

Another benefit of being there ahead of time is to connect with people already before a conference starts and slowly get into networking and exchanging experiences. So good to see familiar faces again and re-connect - like with Kelsey Schoen whom I met last year. On the evening before the conference started, we had a lovely dinner group which resulted in great conversations. Many thanks to João Proença, Jenna Charlton, Jenny Bramble, Paul Holland and Erik Davis!

Tutorial Day

A dream came true for me: I finally could meet Elisabeth Hendrickson in person! She's one of my personal heroes in tech. I followed her and her work for a long time via social media and was eager to learn from her in person. So when I realized she'd be at this conference and also give a tutorial, I didn't hesitate once to sign up for it. Especially as it perfectly fit my situation: "Doing the Hard Stuff".

This tutorial was indeed worth it already. It was awesome. I had hoped to get insights and advice for current difficult leadership situations as well as guiding principles for those still to come, and I was not disappointed. Elisabeth shared a toolkit of the wisdom she collected over years working with teams and organizations - a toolkit full of a wealth of applicable wisdom. Super interesting on a meta level as well, as I am sharing some of my own tactics in my latest talk.

We had a small group with high safety where we could bring our current challenges, think openly together about them using the toolkit, and discuss options to move forward. The self-organized structure of the tutorial made me think of an all-day themed lean coffee session with lots of dedicated time for each topic - wonderful to get detailed thoughts and feedback from everyone, and also be able to contribute! One of my topics got discussed in detail as well and I received lots of input and ideas what to try next - along with validation of my own stance and connecting the dots on what I already knew. Invaluable.

At some point, I really wondered about my own confirmation bias - as I kept nodding throughout. I really related to the toolkit topics shared. Was it because I learned and adapted a lot from Elisabeth and her peers already over the years, or were they really reflected in my own experience? Well, probably a bit of both. Anyways, it was amazing to see lots of the ideas and approaches I had used in my past being validated and built on by a group of peers.

There's a lot to ponder about and make use of. I'm really grateful for having had the chance to participate, I took a lot with me. I bet more people would benefit from this content, it actually would make a great book.

Right after the tutorial, it was time to get together with everyone and mingle for a "Meet the Speakers" event. This meant new people to get to know and connect with! A curious side note was when one person mentioned that they thought speakers would get formally introduced, and then being pleasantly surprised they're already among the crowd - being just normal humans as everyone else.

Finally, it was time for speakers dinner. My opportunity to connect with Allison Lazarz and catch up with Larissa Rosochansky and Rafael Cintra!

Conference Day 1

The first full day of talks and workshops for everyone was full of interesting sessions. Here are the ones that I joined.
  • Early Morning Lean Coffee with Janet Gregory and Lisa Crispin. I make it a point to go to at least one lean coffee session per conference whenever offered. Whoever shows up are the right people and whatever topic is discussed, I gain insight from it! If I'm lucky, my own topics are selected and people's thinking helps me move forward with a challenge. Like this time - I'm grateful for the input received. Many thanks to Janet and Lisa for facilitating these sessions and for doing it so welcomingly!
  • Keynote "Imperfect Agile" by Jenna Charlton. What a great opening keynote reminding all of us to remember self-care and keep our own boundaries, while also encouraging to resolve conflict in a timely manner and find closure instead of piling onto existing grudges - and emphasizing that impact is more important than intent. All that while following the story of figuring out what agile actually means. Just loved the conclusion of "Take what works, leave what doesn't, don't do harm - it works for us is enough"!
  • Keynote "Bigger than the Box" by Erika Chestnut. Great keynote emphasizing that testing is not all the work even though people try to keep us in the box. Loved that Erika showed ways how we can claim the power in what we do, seize the opportunities around us and let quality shine in a new light together with everyone. Very important messages.
  • "Stop Making QA The Last Train Stop Before Production" by Rick Clymer. Really related to this talk and think more people need to hear it. I witnessed so many folks being stuck in what they do. This talk showed very concrete and actionable things they could do to get out of their situation and not only provide more value yet also get more value out of their work themselves.
  • "Business Agility Lab" by Ray Arell, Rhea Stadick, Tobey Aumann and Shawna Cullinan. This was a positive surprise! I didn't expect much and came to the session as a mere filler. And received a nice hands-on introduction to Wardley mapping, a topic I would have chosen if it had been offered in the program! Loved the examples Tobey provided and the opportunity to try it ourselves. Wasn't too easy to get started with, yet understanding grew the more we tried it.
  • Keynote "Focus. Deliver. Learn. Repeat." by Elisabeth Hendrickson. What an amazing keynote. Just kept nodding throughout, so many excellent points made! Sadly, this could have been given twenty years ago already, and maybe was. Why haven't we learned this in the meantime? Overall, this was a dearly needed reminder to focus back on XP principles, including the reasoning why. Delivered in a wonderful energetic and authentic way.
My own session on this day was my workshop "Grow Your Technical Confidence". I had a small but great group, learning together. It's always fascinating to see people dare to try something new and potentially scary, and then have them figure out what they already know about it and that they can already contribute - hence increasing their confidence for the next step once again.

To conclude the day, organizers invited everyone to an Oktoberfest party! Loved the conversations with Melissa Eaden, it's such a pleasure to reconnect with folks I haven't met for a while. More exchange followed with Ray Arell, Tobey Aumann, Pete Walen, Tara Walton and others before the evening came to an end.

Conference Day 2

The last day of the conference provided further insights and even more to ponder about. Here are the sessions I listened to.
  • Keynote "Where is testing heading?" by Paul Holland. This keynote provided a reminder on bad trends in testing, historical and current, along with their reasoning. So what can testers do nowadays? Paul recommended focusing on what automation cannot do well, and making use of the tools at hand.
  • "The dark side of agile implementation" by Lisette Zounon. Just loved the focus on how culture is essential to whether people can thrive or literally end up in the emergency room. The audience interaction to openly think about warning signs and anti-patterns was a nice addition. It was quite sad to see how many folks seemed to have endured rather toxic cultures. Yet what makes us succeed is team happiness! Loved the emphasis on taking care of ourselves and practicing self-care - dearly needed that reminder.
  • "Mobile app testing sucks. Here's how to do it better." by Eden Full Goh. This talk provided lots of insights on what we're usually missing when testing mobile apps. Loved all the examples of new features, device configuration settings, and more things that are too often not considered - especially when it comes to automation. Very tangible and practical advice and new ideas on how to test better on mobile, both on exploring more and finding new ways to automate user interactions.
  • "The WHY you are!" by Dr. Rochelle Carr. What an amazing keynote in content and delivery. Loved Dr. Rochelle Carr's abundant energy on stage and refined skills to truly engage the audience with the content shared! The messages themselves - they hit home. More than I expected, this keynote gave me lots to think about regarding my own why and purpose, what drives me - and how it changed over time. Very impactful.
  • "How we're setting up QE's to fail" by Vernon Richards. This talk opened my eyes that should have already been open. I knew about glue work, and I knew about quiet quitting. Yet Vernon made the connection to where testers often find themselves, and that all of our work is indeed technical leadership - whew, that blew my mind. I think I heard this message before, yet this talk delivered it to me just at the right time to truly understand it. Gave me a lot to think about!
  • "Building a Culture of Accessible Software" by Jon Hussey. This talk provided a lot of actionable advice on how to increase awareness about accessibility, a topic that is very relevant to me right now. I loved how Jon connected this to his own story, what he tried, what didn't work and what did. His one request was for each and every one of us to ask for more accessibility - something we all can do. A very important topic we all need to hear more of!
  • "Feedback Techniques for Transparent Teams" by Dee Ann Bernau. We all need to learn how to receive and give better feedback as it's essential for learning. This talk gave models to help our thinking about feedback as well as tangible steps to take and improve on feedback ourselves. One point caught my eye that I would have loved to hear more about: Creating a system to call out bad behavior in your team. More to think about.
  • Keynote "The Secret To My Success" by Melissa Eaden. This keynote was amazingly brave. Mel shared her personal story on stage, which allowed me to realize how many more people are affected by trauma and systemic issues than we might realize from just seeing the "successful" facade. Really appreciate the reframing of what success means for us and finding our own definition of what to work toward. Loved the emphasis on how giving someone a chance can have a life-changing and even life-saving impact on them, and how especially tech can lift people out of a situation they would not have gotten out of otherwise. As well as asking for an outside observer view! One more argument to indeed get coaching, or therapy, or both. I admire Mel for her vulnerability and I hope this talk helps more people on their journey towards more good than bad days. It definitely had an impact on me, I have lots to think about.
On this day, I gave my brand-new talk "Team Transformation Tactics for Holistic Testing and Quality" for the first time live on stage - in its most condensed short form. According to feedback it seems people got something out of it to take with them, what more can I want?

A great bonus this day: Ash Coleman was in town and stopped by to say hi! Such a pleasant surprise, was so good to see her again, even if only for a few minutes.
Right after the conference ended, the social closure began with food, games and even more conversations. I joined a great dinner group with João Proença, Melissa Eaden, Jenna Charlton, Jenny Bramble, Tara Walton, Vernon Richards and Tristan Lombard.
Afterwards I ended up in storytelling conversations with Elisabeth Hendrickson, João Proença, Ray Arell and Kirtika Dhathathri. Really loved the chance to talk with Elisabeth once more - I really appreciate her for being so approachable, with people all the time and so authentic - very appreciated and amazing to see.

Once a conference is over, the digesting of everything begins. There's overcoming the post-conference blues of having had to say goodbye again to many dear people, there's follow-up to process all the gained insights and notes and everything, and there's rest to catch up on. And some more sightseeing to do to make best use of the efforts of traveling!

Once more I realized how much time and effort the conference follow-up tasks I do take. This made me think about what I could cut down to make it less burdensome and tedious, and grant more capacity to work on other opportunities. One particular task stood out for me: processing my sketchnotes. Not only do they eat up a lot of energy to take during the talks, I also spend lots of time taking good enough photos of them, then transcribing them to get good enough alt texts for increased accessibility (kudos to Cakelin (Kaitlin) Marquardt for demonstrating how to write alt texts for sketchnotes!), then creating threads with the sessions and alt texts on both Twitter and Mastodon. Phew. Lots of time and energy goes into all that and it's often exhausting to do after a conference when I am tired anyway. I realized that nowadays sketchnotes don't save me time anymore, which was the very reason I started sketchnoting in the first place. So I felt maybe it's time again for the next experiment to find a more effective way to take and share notes. And guess what? Shortly after considering that, I received abundant positive and grateful feedback on my sketchnotes, including personal messages on how impactful they are and suggestions that I could even make a book out of them. I'm feeling honored! At the same time, I guess I have to really think about how to best move forward from here.

In any case, I was leaving yet another Agile Testing Days USA with a full heart and mind, lots of insights to ponder upon and ideas to try next. Many thanks to organizers and volunteers for creating this space and making this edition run so smoothly, and to my fellow speakers and participants for learning so openly together. Now I have a lot to think about.