Tuesday, September 3, 2024

SoCraTes 2024 - A Community to Grow With

It's been my third time at SoCraTes this year. I'm very grateful that the organizers invited me as trainer once again, enabling me to come and experience this wonderful community event. It's been a blast. I've met lots of folks old and new, and enjoyed both casual and deep conversations. It was a pleasure exchanging experiences and knowledge. I've had a safe space to practice deliberately and hone my skills together with like-minded folks. Everyone growing, everyone at their own pace, everyone together.


Arrival Day

On the final leg of the trip to Soltau there are usually the first conference folks to meet. Perfect time to ease in and brace mentally for lots of peopling the next days. This time I had a really nice chat with Martin Schmidt and Juke Trabold, catching up on all things.

Once we arrived at the hotel, more reunions were to be made. You could feel that everyone was excited it's finally this time of the year again, full of hope that good things will happen. Also, this conference takes inclusion seriously, and a big part of that are health concerns. They require on-site testing for Covid before even entering the hotel. Once cleared, we settled in and prepared for the first dinner together.

For conferences, I really enjoy meeting fewer folks at a time by arriving earlier than most people. It really helps me manage my load and have more quality time with folks. This night especially so, with Thierry de Pauw, their son, and Jana Fuerchtenicht - loved our conversation! And it was so good to see Micha Kutz again.


Training Day

SoCraTes is an unconference at heart. For three years now, they have offered an additional training day with a more classic structure to provide foundations and to ease new folks' way into joining the open space without knowing the exact program beforehand. I assume this also helps with selling the event to their companies, especially if they never had the opportunity to experience the magic of such an unconference before.

Personally, I'm very grateful that I got invited as trainer for the third year in a row. And this time with another topic that's dear to my heart: security! It was the premiere for my brand-new workshop "Secure Development Lifecycle Applied - How to Make Things a Bit More Secure than Yesterday Every Day".

But first things first. In the morning, I joined Marit van Dijk's "Code Reading" session. Now, this wasn't a new topic to me, as we both are in the same code reading club. That being said, it's always good to practice this skill - we read code way more often than we write it! Thanks to exercises from Felienne Hermans, it's fascinating to learn more about your own understanding and mental model of the code you read, no matter in which programming language, and especially what other people around you perceive and think. At SoCraTes, too, this session was a blast! Loved how people engaged and shared their own interpretations and pieces of knowledge, which really helped figure things out together. There's always something new to learn in these kinds of sessions. If you want to learn more about this whole topic, Marit offers a whole page of resources on reading code that's worth checking out.

Next up, I joined Thierry de Pauw's training on "Trunk-based development for regulated environments". Very relevant to me as I'm working on a regulated product at my current company. I've had the pleasure of reading lots of Thierry's excellent articles on the topic, like "The Practices That Make Continuous Integration" or the "On the Evilness of Feature Branching" series. The very beginning of their training already resonated a lot with me. Thierry shared how often organizations conflate their approach to regulations with "regulation" - which is not the same thing at all! They pointed out that what folks mostly want to see is "do you do what you say you do", and the more rigorous ones add to that "get two people to look at it" and "have an audit of what happened". Thierry showed throughout their training how regulation and continuous integration principles aim for the same thing: risk reduction. They also emphasized that the deployment pipeline has three purposes: every part of the process is visible, it improves feedback, and it empowers teams. We also had the opportunity to craft our own pipelines using Emily Bache's pipeline game and a scenario as constraint. Lots of great conversations emerged from that!

Finally, it was time for my own training. Lots of people joined, more than I had hoped for. It's always exciting to give a workshop for the first time at a conference; you never know if things will work out regarding the general concept - while the audience will always differ. I'm thankful to my dear InfoSec colleagues Tarik Kobalas and Honey Susan Kurian for their input, which helped me improve the workshop before this first edition. Based on the feedback received from participants, I can say it went well! People enjoyed their time learning about threat modeling, secure coding principles, security testing approaches, and how we can detect malicious activity on our production systems. I'm already looking forward to the next opportunity to give this workshop.

After the trainings ended, it was dinner time. Loved the conversation with Michelle Avomo and her partner. It was a pleasure to reconnect with Claudius Link and Janina Nemec, two of my fellow organizers for the upcoming Open Security Conference, an idea that started at last year's SoCraTes. Playing the game SET together, of course! Just before that, we had a nice world café session as the official opening to the main conference. Three rounds with different groups of people, exchanging what brought us to SoCraTes, what this conference means for us, how we widen its impact. I met lots of first timers this way and we had a good time together.


Open Space Day 1

After a wonderful introduction to the open space and its principles by the amazing Juke Trabold, the first marketplace started and people began to queue up to share their session ideas and build the program together. Once again, it quickly became clear: there will be tons of interesting sessions, and I will only get to see a fraction of them. That's the beauty and the pain of any multi-track conference, yet for big open spaces like SoCraTes, it shows even more. On the bright side of things, there will be sessions for everyone, no matter which topic, format, or experience level. We can all grow and learn from each other.

Here are the sessions I joined. If you're interested in what other sessions were offered this year, check out the schedule.

  • "Priorities, Priorities, Priorities" by Yorgos Saslis. So many things compete for our attention and claim to take priority - so how to decide what to do next? This challenge resonates a lot with me as it fits the experience of nearly all the teams I've been on, and never so much as in my current team. In this session, people came together and shared their approaches to gauging what to tackle first and what's the most valuable thing right after - and to communicating accordingly and managing expectations. Wardley maps were brought up to help decide what to build ourselves and what not. An approach that stood out to me were business decision records - basically architecture decision records (ADRs) for business, to document the reasoning behind decision making at that time. If circumstances have changed since then, we know more clearly whether we can change the decision as well. The cost of delay was mentioned to help with prioritization; I like to think of opportunity cost, yet costs like this should be considered as well. People reminded each other that value is not always money; enabling or unblocking another team provides value as well.
  • "Making better decisions as a group" by Tobias Mende. After thinking about prioritization, this seemed a fitting session to continue with. Tobias gave a dry run of his upcoming new talk around collaborative decision making. I really relate to him sharing that poor decision making is costing companies a lot - seen that too many times when we sunk too much time and effort into a feature that didn't return the value we hoped for before pivoting (sunk cost fallacy, anyone?). But how can we make better decisions, together? From the options presented, two stuck out for me: consent with integrative objection handling, which focuses on said objections, and systemic consensing, which brings forward the resistances of various levels that exist within the group. Tobias encouraged us to make decisions smaller, safer and more often - I can't agree more.
  • "Security card deck game" by Philipp Zug, Martin Schmidt and me. It was time to present our security card deck game project to a wider group, for the first time! Where better to share this than at SoCraTes, the very place the idea originated? We were stunned by how many people showed up to see what we had created so far. Philipp presented the background of the project. Martin demoed a first round - and we already received so much valuable input and lots of ideas on how to evolve the game further. The crowd seemed to like the idea a lot; it was really encouraging to see such interest. We are also happy to have gained a new contributor in Julian Michelmann and are curious where the game will end up by SoCraTes 2025. Stay tuned!
  • "Capture the flag together - Security Testing" by me. I had already given this session at SoCraTes 2023, where lots of enthusiastic folks showed up and it led to many fun follow-up sessions throughout the conference. Therefore, I was eager to bring this session to this year's edition as well. I hoped to find like-minded folks again to practice security testing in a collaborative setting. You can imagine how happy I was when lots of people showed up once again, some from last year, lots who hadn't joined before. We had good fun practicing on Hack The Box!
  • "Baba is you" by Marco Emrich and Michel Grootjans. A few days earlier, someone had mentioned a game to demonstrate and teach the mechanics and practices of ensembling, aka working on the same topic, same place, same time, same computer together. That game is Baba Is You, an endearing puzzle game that I can only recommend trying out yourself. It was interesting to watch group dynamics unfold as the ensemble tried to work effectively together and solve the puzzles.

Dinner time! Yet beforehand, it's time for folks to announce what sessions they offer for the evening. Because the conference doesn't end as long as people don't let it! Lots of fun options were presented, from playing board games, doing sports, learning Rust, solving coding katas, to whatever you can imagine. Well, SoCraTes 2023 taught me that I love doing capture the flag exercises in a collaborative setting, and that I find lots of enthusiastic people here to join me. My afternoon session confirmed that once again, so I offered to do even more of this in the evening. I was stunned how many people joined the evening edition, even a lot more than in the afternoon! We had such a good time. Just as last year, it got late! We didn't care, it was a blast.


Open Space Day 2

The second day started, another marketplace took place, offering even more awesome sessions to join. I took it slower in the morning and allowed myself to be kind and not join the first slot, but rather engage in conversations and prepare for my first session as facilitator.

  • "Smart Workshop Setups (Pull)" by me. A pull session in an open space is where you ask folks for their expertise, knowledge, or help on a topic you'd like to learn or a challenge you're facing. In this case, I decided to pull for support on smart setups for technical workshops, especially if it requires a more complex setup while folks might not be able to prepare a lot in advance. How to make these workshops as accessible and welcoming as possible so people can quickly get to a working setup and focus on the actual practice content? This is especially relevant for my next workshop on "First Steps in Mobile Security Testing"; my original setup idea unfortunately does not work out anymore, and while I have ideas how to make it work, I was curious what other folks would suggest. Lots of great ideas were gathered! I'm grateful for people taking time. I'll ponder more over them the coming weeks and might share more after said workshop. For now, let me say that pull sessions are awesome.
  • "Next Level Spring Boot for Hipsters with Kotlin" by Chris Welcz. It's always interesting to see what tools, libraries and approaches other folks use. In this case Chris demonstrated his usage of Kotest providing convenient test structuring and property testing capabilities. He also showed his preferred mocking library Mockk. You can find examples in his hipster-tdd and kotlin-beer repos. Good input to consider for the Snack Shop project I'm collaborating on!
  • "Passion Personality Test" by Gabrijela Hladnik. Models are flawed, and some can be helpful - especially to reflect about oneself. That's how I see personality tests as well - flawed, sometimes helpful. Gabrijela presented the personality test from Clarity on Fire around different passion profiles and how it helped her. This was the starting point for very insightful conversations about personality tests as such. How much do we box ourselves in? Are the labels we put on ourselves helpful? Why shouldn't we use tests to categorize others? How can companies misuse these kinds of tests? Which tests have scientific research as their background, what are the driving motivators behind them, and especially what systems of oppression do they foster? Lots of food for thought.
  • "Securely saving passwords" by Fabian Blechschmidt. In one of my capture the flag sessions we came across the topic of rainbow tables, which inspired Fabian to give a talk on passwords and ways to store them. A great session to recap hashing algorithms, rainbow tables (of course), salting and peppering, and key derivation functions. Always good to brush up on foundations!
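To make the foundations from Fabian's session concrete, here is an added example (my own, not from the post or the session) that contrasts a plain unsalted hash with salted, peppered PBKDF2 from Python's standard library. The user records, the pepper value and the iteration counts are constructed for the demo; the point it shows is that unsalted hashing gives identical digests for identical passwords (which is exactly what a precomputed rainbow table exploits), while a per-user salt plus a slow KDF removes that, and a pepper kept outside the database adds a secret the attacker does not get with a dump.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed sample data: two users who happen to pick the same password.
USERS = {
    "alice": "correct horse battery staple",
    "bob": "correct horse battery staple",
}

# Hypothetical server-side pepper. In a real deployment this is loaded from
# a secret store or environment, never from the same database as the digests.
PEPPER = b"example-pepper-kept-outside-the-database"

# Work factor for the KDF; pick a value that makes each guess measurably slow
# on your hardware and raise it over time. The demo below uses a smaller count.
PBKDF2_ITERATIONS = 600_000


def naive_hash(password: str) -> str:
    """Unsalted hash: identical passwords give identical digests, so one
    precomputed table of digest -> password answers every user at once."""
    return hashlib.sha256(password.encode()).hexdigest()


@dataclass(frozen=True)
class StoredCredential:
    """What actually goes into the database: salt, work factor and digest."""
    salt: bytes
    iterations: int
    digest: bytes


def _derive(password: str, salt: bytes, iterations: int) -> bytes:
    # Pepper: bind the password to a server secret via HMAC, so a leaked table
    # of salts and digests is not enough to start guessing offline.
    peppered = hmac.new(PEPPER, password.encode(), hashlib.sha256).digest()
    # Salt + slow KDF: a fresh salt per user defeats precomputation, the
    # iteration count makes every individual guess expensive.
    return hashlib.pbkdf2_hmac("sha256", peppered, salt, iterations, dklen=32)


def store_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> StoredCredential:
    salt = os.urandom(16)  # random salt, generated per credential
    return StoredCredential(salt, iterations, _derive(password, salt, iterations))


def verify_password(password: str, cred: StoredCredential) -> bool:
    candidate = _derive(password, cred.salt, cred.iterations)
    # Constant-time comparison so the check does not leak digest bytes via timing.
    return hmac.compare_digest(candidate, cred.digest)


def demo() -> dict:
    """Compare both schemes on the constructed users and return the findings."""
    naive = {u: naive_hash(p) for u, p in USERS.items()}
    stored = {u: store_password(p, iterations=10_000) for u, p in USERS.items()}
    return {
        "naive_collide": naive["alice"] == naive["bob"],        # True: same digest
        "salted_collide": stored["alice"].digest == stored["bob"].digest,  # False
        "alice_ok": verify_password(USERS["alice"], stored["alice"]),       # True
        "alice_wrong": verify_password("wrong password", stored["alice"]),  # False
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

PBKDF2 is used here only because it ships with the standard library; the same structure (random salt stored next to the digest, tunable work factor, pepper held elsewhere, constant-time verify) applies unchanged to memory-hard KDFs such as Argon2 or scrypt if you have them available.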

This concluded the open space part of the conference. It's traditionally closed with a retrospective. We had a really great conversation in our group, with lots of highlights and lots of things we'd like to see improved - and how we as participants can help improve them. Especially for an unconference, participants are essential to co-create the conference. This means that participants are also responsible for creating a safe and inclusive space and taking care that everyone gets that safe space to contribute if they want to. We collected various ideas for how we can do so better. These ranged from how to notice that I am taking over a conversation and should shut up to give space, to ways to navigate a dominant conversation among a few people and open it up to the rest of the room, to options to indicate to the whole group that space is lacking and we're currently not hearing everyone who might want to contribute.

Dinner time again, and then - who would have guessed - capturing even more flags together! Yes, as evening session hosted by me. And once again, folks came and tackled a fun challenge together. We built on the knowledge and approaches we learned about the day before, we tried a lot of things, got closer, got stuck, took hints, moved forward - and in the end found the flags. What a learning journey! A late night one as well again, yet so much worth it. Many, many thanks to everyone who participated, it was a real blast. Can't wait for more of these sessions next year!


Workshop Day

The last day arrived way faster than expected - time is flying at conferences like these. Traditionally, the last day is the workshop day, where people offer hands-on sessions of various lengths throughout the day. Already being very tired, I skipped the marketplace - I knew which session I wanted to go to this year anyway: the Code Retreat, hosted by Janina Nemec and Micha Kutz. I ended up arriving late, and already felt bad when entering the room seeing all tables being full and everyone being deep into the first exercise. Huge kudos to Janina and Micha for welcoming me in, recognizing my struggle and going to lengths for making me feel it's okay to stay and still join in. That mattered a lot to me and helped calm my brain down. Micha arranged a new table and offered to pair with me (thanks so much!) - until even more folks joined, and space was made for them as well.

Time to focus on practicing hands-on together in pairs. We tackled the challenge of Conway's Game of Life, which can be solved in countless ways, so you will always learn something new in each round. Programming language, approaches, modeling, communication, and so forth. Always using TDD, and usually having additional constraints to consider each round. Always deleting the code at the end of each round and starting all over again with the next pair. There's a lot to learn about oneself as well in this exercise! In our case, we were given the constraints of strong-style pairing, then we were allowed at most one level of indentation, then we tried it as an ensemble, and finally the rules changed. In my last rounds, I was part of a small ensemble together with Janina Nemec and Hadrien Mens-Pellen. I loved it, as we brought up any misunderstandings as they arose, clarified them instantly, and aligned quickly on the way forward - super effective! We also made use of the Code Retreat card deck designed by Janina, and we pulled the card to use Object Calisthenics as our constraint during these rounds. Overall, I can really recommend joining code retreats; no matter which level of experience you currently have, you can take a lot with you from them.

To add to this: We were all really, really tired. That alone can teach a lot of lessons about ourselves, and how we cope with stressful situations then. Each round was challenging in its own way, one was especially challenging for me emotionally. I for one learned again that kindness, respect and consideration go a long way - for each other, and also for oneself. Very grateful to both Janina and Micha for granting us this space!

After the code retreat ended, many people had to leave the conference while some like me stayed until the next morning. We were all tired, so we decided to break things up a bit and get some fresh air. We went on a short walk in the beautiful moor surrounding the venue, visiting the famous Heidschnucken, moorland sheep from northern Germany. I was glad to get the chance to see them this year as I've missed out on them the last two years.

We had dinner, we had more conversations. People decided they still had the energy to come together for a round of lightning talks - some of them short like lightning, some rather ending up as longer thunderstorm sessions. All of them great! We learned about IntelliJ IDEA's AI assistant from Marit van Dijk, how cognition principles apply to software from Corstian Boerman, how things that start in noise get organized over time from Martin Schmidt, and about the power-law distribution and Adam Tornhill's work detecting it in code from Christoph Kober.

Even more tired, we decided to play What Beats Rock - which stuck with us for the rest of the evening until we finally called it a day.


Departure Day

Last chance for final conversations and final goodbyes. Everyone super tired, everyone very happy. The post-conference blues were held off a bit longer while chatting on the train. More ideas were exchanged, plans for next year made. Until we finally had to part, each of us taking a lot with us from this wonderful community space.

My head is energized by new inspiration and ideas of what to try. My heart is full of connections and the community spirit we experienced. My soul is calm thanks to the validation received through feedback and kudos cards, and smiling thanks to all those folks for whom I wrote kudos cards myself. Physical kudos cards are such an awesome concept! I'm ever grateful to each person who took the time to write a kudos card for me this year; you really make this conference even more special to me, and I can't even tell you how much your card means to me.

Next year, this conference will be a month earlier than usual. I plan to be there. Looking back at what happened between each SoCraTes instance I've been at since 2022, all the good stuff, all the growth, all the strong connections - I'm already curious what will happen until 2025.