Contributing in New Ways - Getting over the Hump

This year, my personal challenge is to contribute in new ways - courageous community contributions I haven't dared to do before. As opportunities arose, I took on a bunch of endeavors beginning of the year, which are both very exciting and, admittedly, time-consuming. While I've been aiming to share intermediate updates from time to time, I'm grateful for my past self deliberately decoupling my challenge from any writing efforts to reduce artificial pressure. Still, it does help me to sit and write down my thoughts from time to time. It's time now.

A Lot to Celebrate

It's been a lot to juggle this year. Well, I realize I've set myself up for that. It's one of those self-inflicted situations, which might be uncomfortable yet also come with a bright side: it's totally up to me. I can reduce things at any point in time. Or shift my main focus between endeavors. Right now, this is working out sufficiently well so that I didn't have to cut anything completely yet. In addition, there's an even brighter side: no matter how the rest of the year plays out and what else will happen, there are lots of things to celebrate already.

Open Security Conference

It's happening! It's actually happening. The very first Open Security Conference (#osco) will take place from October 4th to 6th in Rückersbach, close to Frankfurt/Main in Germany. The event will be kicked off by two amazing keynotes before we then all learn together in the open space:

• "OWASP Juice Shop 10th anniversary: Is it still fresh?" by Björn Kimminich, who's well known as project leader of the OWASP Juice Shop and a co-chapter leader for the OWASP Germany Chapter
• "How to hack a company in one day or less" by Yvonne Johnson, who's an experienced red teamer and penetration tester
  

I'm so very curious about how the first osco plays out. A first event is always exciting! You're trying to set the space and constraints in ways to support your values and your goal. What of it helps and what rather hinders is something you'll only find out when you give it a go. We are starting small and learning as we go indeed. We've already gained lots of insights during the preparation so far. We can't do everything we'd like to do for the very first event, and yet it's a starting point that sticks to our principles and is based on our values. A starting point that hopefully helps establishing this new conference so we can build on it and evolve it further over the next years. Because cybersecurity is just a way too important area that's too often struck by gatekeeping and other barriers we're trying to lower and remove where we can to make it more accessible - for everyone interested.

We gained a better understanding on our individual and collective reasons for doing this in the first place, why we think there's a need and a gap to fill, what makes this conference special to set it apart from existing events in the security space. Not only for marketing osco and figuring out our target audience (which is a real challenge!) but also to make even more intentional decisions to shape it further. We'll continue to iterate on how we present the conference vision, just as we'll also continue learning to spread the concept of an open space conference format to cybersecurity which lots of folks seem not to be familiar with yet. Well, for now - we'd like to do our part in changing that!

As an organizer team, we had a tough challenge to overcome. We weren't quite clear on the direction to take on how to handle finances, which paralyzed us. Not much happened during this time besides going back and forth pondering about our options and worrying. It felt like treading water. I think it speaks for our group that we didn't break up at this point, that we indeed got over this hump and we came out stronger together. We made a feasible decision for the initial event this year and paved the way to create an underlying non-profit organization to sustain the efforts for next year.

Solving this big bump in the road meant we picked up speed again. We could finally open the registration, and we already have more registrations for this first event than we dared to hope for! There are still a few more tickets available, so if you're interested in participating in our inaugural event, go ahead and register now! And if you like what you read and want to help us spread the word on either LinkedIn or Mastodon, I would appreciate it very much.

I'm really grateful for my organizer team to be on this journey together: Claudius Link who came up with the initial idea, Janina Nemec, Ulrich Viefhaus and Dave van Stein who considered it a worthy cause to work on together. I'm also grateful to all supporters on our way. We had several initial thinking sessions, like with Tarik Kobalas, Jahmel Harris, Dan Billing and others. Several people contributed with lots of advice based on their expertise, like Mathias Verraes on organizing conferences, or Raphael Albert on the legal side of things. My thanks to all of them.

We're still learning lots of stuff and we won't get everything right from the start. We observe and listen to feedback, we adjust what we can right away, and we take note of what we can do better next year. That's what makes me hopeful that we're coming to stay.

Leadership Workshops 

Shiva Krishnan ran his series of leadership workshops many times in company settings. A few years back, I was fortunate to participate in one of his cohorts myself and got hooked - more people needed to do this program that I was drawing from so much! So I paired up with Shiva and we ran the next cohort together, until I changed companies. Thinking back, I'm still using those tools and ideas until today, and still continuing learning. Shiva and I kept in touch and thought about how we can bring this offer to community. Talks, writings, all good but not the same. How about bringing the actual cohort idea to community?

For a half-public first experimental community cohort, we reached out to our networks to find people who give us enough trust to get this started. We had first calls to present the workshop series, manage expectations transparently (it's a whole program after all and no small commitment), and answer any questions that came up. That alone already taught us quite a lot of what might be different for community cohorts compared to a company-internal offer. 

We indeed found a great cohort of six people who agreed to join us on our journey of bringing these workshops out there. We set up foundations like a shared communication channel with folks, clarified feasible lengths and frequencies for our remote sessions next to everyone's work. Everyone was eager to get started and looking forward to this endeavor. All we needed to figure out was scheduling now to run the first workshop.

Oh my. "Just" the first time slots. We knew scheduling is not the easiest task when it comes to these workshops, we've seen that in the company setting, yet always managed to find good solutions. Phew. What can I say, we really did not expect it to be that much of a struggle. We're only eight people. And yet, all our schedules differ in ways that make it really hard to find any overlaps. Like, any. Each time we thought we've now found a solution, more obstacles got in the way. And time keeps running. We brought everyone together to solve the puzzle, we made judgement calls and a few tough decisions to make this work. 

Let's see what happens with our latest option. In the end, we might need to rethink our whole approach. It's an experiment after all, and we're still learning from it even if it might not turn out what we planned it to be. But yeah, scheduling such a workshop series when you're all working at the same company, and you have the buy-in of people's managers is a lot easier. By far. We still hope there's a way that people can also benefit from the content and format of this series in the community space. In any case, we're grateful we got that far, and we definitely learned a lot which hopefully helps us in the future to bring this content and concept to a wider audience.

Security Card Game

This is probably the most relaxed of my endeavors. Martin Schmidt, Philipp Zug and I are trying ourselves, and absolutely enjoying ourselves with creating a new security-themed card game. Taking it as a deliberate practice project, we're learning a lot just thinking about it and evolving it further.

The game concept evolved quite a bit from the very first paper draft. We already played it several times with different variables and rules and gained more insights each time. We have both game engine and user interface to support our current ruleset, lots of cards already added, and it's honestly just providing us a good time. It's not balanced well yet, the game goal needs refinement, more content would help. We are currently only playing in collaborative mode all together, while having ideas for the future to simulate different company scenarios with people taking different roles to advocate for different strategies, maybe just going about their own (hidden?) agenda, or secretly sabotaging everything from the inside. Lots of potential paths - because in the end it's a game about decision making.

So, what is it about? You're employed at a fictive company. As time passes, you gain a certain number of resources available for you to invest in one way or another. Also, as time passes, more and more "oopsies" happen from a security point of view - a password got leaked, a vulnerable dependency wasn't updated, an internal website became accessible to the public. Do you close those doors to make it harder for attackers, or do you risk leaving them open for a while? At the same time, attacks are attempted by malicious actors. Sometimes they hit one of those open doors and you have to pay the price. Sometimes attackers don't find a target, or get impatient, or you just got lucky so you can counter the attack. All the while new employees need to be onboarded, security training can increase your skills, or it's just a normal day without anything bad happening. How do you make it through, will you still have resources left at the end? And how many oopsies did you leave unattended?

Well, curious? Just give it a try yourself! Get our latest release 0.5.5 and check out the current rules to get started.

Our next step is to share this game with more people at SoCraTes - we are fortunate that we can meet there again in one week's time already. It's the place where this game idea saw the light of the day in 2023, so it's going to be awesome to return a year later and play it with folks. I'm sure we'll be able to gather lots of feedback and future ideas for our game project. And hopefully people have a fun time with it, just as we do.

Snack Shop by Make-Believe Labs

Ben Dowen, Vernon Richards and I set out this year to fill a gap. We wanted to have a full-stack, open-source practice platform for all things product development. One that resembles real work scenarios close enough, with challenges people actually face so that gained skills could be applied. One that provides a safe space to hone all skills development, testing, architecture, UX, infrastructure, security, accessibility, you name it. One that offers opportunities for us to make use of it in teaching and coaching situations, e.g. for conference workshops and trainings. One that we could use to showcase collaboration dynamics, from ensembles to pairs to individual asynchronous work - both in live streams as well as through the artefact trail that we're leaving behind. When working on the project, we had good fun leaving a deliberate trail at times, sometimes showing rather commendable, sometimes less ideal behavior, so we can make use of them later.

What we're building is project "Snack Shop", a client project that the fictive company "Make-Believe Labs" took on. It's based on a brief from the owners of a bricks and mortar snack shop, who want to take their business online. Taking on various roles, we're working hard on a proof of concept system that we hope they will love.

The snack shop is composed of three services as of now:

• A web frontend for users to interact with the shop, using React, written in TypeScript
• A backend for frontend, often called BFF, to serve as single public gateway and orchestrator to various backend services - using the Nest.js framework, also written in TypeScript
• A SpringBoot Kotlin backend service connecting to a MongoDB

What we're having as of now is a so-called walking skeleton. All components are running on their own and are integrated. It’s walking, and yet it’s still a skeleton. There’s a lot of work to do, and yet we can evolve it iteratively.

The first goal was to create a typical proof of concept. We were starting out rather well, taking deliberate architectural decisions, taking time documenting them. Then we received a first due date - and the rush began! Tradeoff decisions made it in just as they would in real life. A due date works wonders in cutting corners! Okay, we did that deliberately, and yet! We see what happens. We have pull requests that were sneakily just merged without communication, we have changes that do a lot more than what they claim, we have faulty descriptions, we have long waiting times for asynchronous work, we skipped good practices like test automation, input validation, and a lot more. Well, we took on this scenario and played the roles, yet I admit I felt those feelings myself. It was both fun to see patterns play out I've seen so many times, also in myself. Indeed, a real practice project! Oh, and yes we also had lots of good behavior and great collaboration, don't you worry about that.

What caused that due date? Good thing was we had a real one, which indeed pushed our project forward in the end. All thanks to Ben who was invited to the Automation Advocates meetup, and extended that invite to us. We chose to use our own new project and work on challenges together. In front of a live audience. For the first time. Well, the right kind of scary that really lets you grow! Not everything worked out, yet we felt we still did alright for a first time, and we learned more for potential future sessions. Because we want to do more of those live sessions. By then, the project will have evolved as well.

All in all, it's really evolving, slowly, and in waves, but steadily. And it's just fun to work on, practicing deliberately.  Ben is currently preparing for his next conference workshop "Coding Challenges: Prepare for Success in Technical Interviews" for TestBash Brighton where our project will make its second public appearance. If you have the chance, check it out! Personally, I'm already curious what he'll learn from that. Overall, I'm eager to get back to our Snack Shop once I'm on top of another topic I currently focus on. I'm happy I can be flexible to follow my energies here, plus I love that I always gain energy from our ensemble sessions.

Conference Sessions on Security

It's been a while since I started speaking at conferences. At times I look back at how many speaking engagements I already had and am both speechless and grateful. It's really been a ride so far, and I wouldn't miss it! So, while speaking at conferences is not a new thing for me, speaking officially and publicly about security topics certainly is a new contribution.

I'm very pleased to share that I am giving four different conference sessions on security topics this year. All but one are brand-new as well! I'm still in awe and very excited. Already next week the next session is coming up.

• Software Teaming Online Conference - 11 April 2024: Capture the Flag Together: Security for Everyone (ensemble session, co-facilitated by Lisa Crispin)
• SoCraTes - 22 August 2024: Secure Development Lifecycle Applied - How to Make Things a Bit More Secure than Yesterday Every Day (training)
• Agile Testing Days - 20 November 2024: A Security Champion’s Journey - How to Make Things a Bit More Secure than Yesterday Every Day (talk)
• Agile Testing Days - 21 November 2024: First Steps in Mobile Security Testing (workshop)
  

Finally taking this step that I've waited for quite some time is a big thing for me. I've paved this way since my first security pair testing sessions in 2018, diving deeper every year, and I'm quite enthusiastic about it.

That being said, it's honestly quite a lot of work. It's already a huge challenge for me to create three new conference sessions in one year on any topic, and all those in this huge area... It's a real stretch. It's scary and I'll certainly grow. It'll work out in the end, as always - and yet it's making me as uncertain and nervously excited as I haven't been in a long time when speaking at conferences.

Just recently I've learned that there's even more to celebrate in this space, I got accepted for yet another speaking engagement which is not public yet. I can only share that much: a dream came true for me. I hoped it might happen next year maybe, and now it's already there. I'm still speechless it happened. And very excited!

A Lot to Reflect On

Once again, I noticed that, while I had to force myself to sit and write down all of things above, it really helps me. Having my thoughts sorted, written out, and put out there is a relief from a perceived overdue task, it provides me dearly needed clarity, and it is going to help my future me as well when looking back on what happened and what I did over the years.

Truth be told, listing all the above feels quite good, despite the effort going into making each and every point happen. But how has it been for me in the past months? I've taken some notes for myself during this time. I wish I would have taken more, yet it is what it is, and that's what I got. I still want to persist them and show the other side of it. So here are my rather raw notes, jotted down over time, to keep as a reminder to myself.

May

I came to the realization that accountability works well for me, especially when I don't want to let others down. Yet I always prefer those tasks where I feel I gave my commitment to someone else over my own endeavors, so I'll always feel guilty. And always behind. Did I set myself up for failure? Or for learning to let go and do less?

June

I got so busy that I neglected where I get my energy from: celebrating, taking breaks, games, people conversations and feedback. I dearly needed that reminder.

Now I focused deliberately on de-stressing - and it worked! I'm already feeling a lot more relaxed.

I also re-aligned with people - I really needed this and the energy gained from it. Especially rediscovering the joy. For osco it was really liberating to make that financing decision finally and get over the hump, this allowed me to also start advertising the event again more freely. It's really hard to promote something if you don't know if it's going to take place for real.

Following my energies always served me well - just do the next thing I think of and can do right now. Taking small steps. Feeling good.

My new laptop also encouraged me doing something for the current projects, making it very easy and quickly accessible. It's a great side effect to have the nice combination to have various platforms available now for testing out my projects on different setups. Also, I'm building on the energy of "this is new, I instantly want to do something with it" that I usually get from shiny new things.

Also: I'm finally writing again, journaling these notes. Well, I knew I was better at reflecting and thinking in writing! And I'm so used to write on a laptop that's similar to my working setup - very interesting insight.

Oh, and movement and games of course! I finally did something just for myself again apart from these challenges. It's been way too long.

More sources of energy to take note of: sleep, breaks, tidying up, games, movement, emotions, focus, more intentional social media time.

Due dates help unless they get overwhelming.

 

July

Ben and I set ourselves a due date: until the meetup we're going full in, setting things up - but minimal in every regard! Cutting corners and taking shortcuts, like a real team will have to do if they need to present the proof of concept. We even set ourselves a code freeze a week before (editor's note: we ignored it and did changes until the day before the meetup, obviously).

I'm so glad we did this! This really pushed me to contribute and get into coding again! All my previous jest and unit test and Angular RxJS observable knowledge came to play! Plus my new bff knowledge, all combined - very, very useful, already proofing the concept.

Today I committed lots of changes - and it only took me a couple of hours overall to figure things out I haven't done before yet, very proud of myself. The last bit to add a bff endpoint was only half an hour in the end, including everything! Probably even less.

August

Still feeling overwhelmed with all challenges although most things are more under control now - mainly the time factor is pressing on me. How to juggle all those balls I've sent into the air? I know the answer - I need to drop some and pick them up again at a later point in time. And while it doesn't feel right right now, that's okay and in hindsight it'll also feel better.

I also know I need to force myself to sit down and do things one by one. I know afterwards I will feel better. But sometimes I have to do everything else before I can actually make it happen and sit down and do the thing I'm dreading. Once I've started, it's way easier for me to keep going until things are in shape again. It's about that initial sitting down when I lack energy. Habits could help me, yet I don't have as clear ones for these in place yet. Today I had to force myself to sit down. And again, and again, as this post didn't write itself in one long session. It was still important to do.

I need to wait sometimes to have energy again. Do other things. Just watch a TV show. Dive into the Olympics. Rest as my body told me to. All while feeling that time is running, while knowing I won't get far without sufficient energy. Today I finally had enough energy to get a few things done, even though I had to push myself.

What I'm writing in my initial draft is not very coherent, yet I have to get into just writing again - I can clear things up later, even if that takes more time. First, I need to get to writing again.

Switching contexts is - surprise, surprise - draining energy. And too many tasks on different topics all having due dates drain even more. I've experienced the same here.

I originally thought of posting heavily on social media regarding updates on each single endeavor - and didn't have energy or wasn't sure as I'm not alone on any of these, and it was costing too much to align on everything. In the end I just didn't.

This year I've left out my "stop when you notice you neglect self-care" clause - and guess what? I'm not holding myself accountable. I have rarely played any games, not read much of my fiction. For physical health and strength, I often only invested rather the minimum although I wanted to get in better shape again this year. The most I did was watching TV shows as I wasn't able to do anything else anymore. Often falling asleep on the couch or over a book as well. Hard lesson learned: don't skip self-care, however it looks like for you. Ever. Life is short anyway. I need to make time for things I deeply love. Games, books, volleyball.

A Lot to Keep for Next Year

Several of my endeavors won't completely stop with my personal focus on them at the end of October 2024, they will reach into next year. And yes, I already have further ideas for challenges next year (as if I haven't learned enough from overdoing yet - I haven't). Well, I'm taking note of ideas and leave the actual decision to end of the year, as always. Only making a call once I have more information to make it a good call.

For this year, there's still more to do. I'm looking forward to getting over the next big hump as well. I'm sure I will. And I'm already curious what I'll write in my concluding wrap-up for this year's personal challenge of contributing in new ways.