Wednesday, October 9, 2024

Open Security Conference 2024 - A Memorable Beginning

We've done it. The very first Open Security Conference, osco24, is over! It was a memorable event that exceeded our expectations. It's highly likely that there will be a 2025 edition.

Launching this brand-new open space conference together with my amazing co-organizers Claudius Link, Dave van Stein, Janina Nemec, and Ulrich Viefhaus was part of my personal challenge for 2024 to contribute to community in new and courageous ways. Our efforts paid off! 

 

The Day Before

Most of our organizer team arrived on Thursday, the day before the conference. I hadn't met everyone in a physical space yet, so it was amazing as usual to see the folks I've worked with throughout the year to make this event happen. We could explore the venue that only one of us had visited before. We had a great dinner together. We organized the last bits, managed last-minute communication with participants, clarified a few things. Not much to do anymore, we had already prepared most things upfront, including what needs to be done when we're on-site. So mostly we could just breathe and enjoy the moment, socialize and relax before everything starts.


And you know what? We weren't alone at the venue! The previous conference just had their last day, and what a pleasant surprise to meet folks we already knew from other spaces. Community for the win!


Kicking It Off

Friday, and hence the start of the conference, finally came. Time for last preparations! Distributing Covid tests and masks in small packages for participants to grab on arrival. Preparing stickers and cutting communication cards we brought. Aligning on last moderation details. Setting up the registration tables. Putting up all sponsor material. Creating a conference feedback wall. Adding our conference values on a flip chart. Preparing the room to ensure the welcome introduction as well as the two planned keynotes could go smoothly. And many more of all the little things.

Then the first participants arrived! Time to test out the registration procedure for the first time. Things worked well with welcoming people and introducing them to osco. They could settle down, get familiar with the venue, get some snacks and hot drinks, start initial conversations with other folks. Our two amazing keynote speakers arrived as well and could test out their setup, everything good. Our Mastodon Glacier social wall was also installed and showing live updates as people posted using the conference hashtags #osco and #osco24.

One thing we noticed at this point was that the venue's WLAN was too restrictive for our use cases. Only specific protocols were allowed so that, for example, you couldn't use ssh to pull from GitHub, or connect to certain VPNs. Well, mobile hotspots for the win - yet the mobile network wasn't well covered by all providers in the area either. Definitely something to look into for next year! After all, it wasn't convenient, yet we made things work for the conference.

Before kicking off the evening, we all first enjoyed dinner together - really nice food and various options. More conversations took place, all good so far.

And then it happened: we opened the very first osco ever. All five of us organizers presented the welcome and introduction together. We explained how this conference idea became reality after the initial conversation about it back at SoCraTes 2023. We shared our core values of cybersecurity for all, inclusion and being community-driven. Values that also represent why we invested in creating this space in the first place. We want to welcome all people who are interested in cybersecurity, eager to exchange knowledge, and keen to learn with each other. We want to get rid of gatekeeping in the industry and instead lower barriers to the cybersecurity field so people can enjoy diving deeper into it from wherever they are. Therefore, we encouraged participants to contribute to a good experience for everyone, including the code of conduct and giving examples of what welcoming and inclusive behavior can look like. I really loved seeing how one participant demonstrated visual applause (over making noise) and everyone jumped on it throughout the conference!

It was time to introduce our keynote speakers and then lean back ourselves to enjoy the presentations. I decided not to create sketchnotes this time, but instead opted for live posting during the talks for our Mastodon and LinkedIn presences. Here's what I took with me during the talks.

  • "OWASP Juice Shop 10th anniversary: Is it still fresh?" by Björn Kimminich. OWASP Juice Shop was my first real touchpoint with security testing back in 2017 so it has a special place in my heart. Can you imagine how happy I was when Björn confirmed he'll come and speak at osco? Especially for the 10-year anniversary? He even brought the Juice Shop LEGO tower. The keynote was awesome, leading us through the history of this intentionally vulnerable web application from back then until today and into the future.
  • "How to hack a company in one day or less" by Yvonne Johnson. I'm really glad that Yvonne agreed to give her keynote at osco. She's an experienced red teamer and gave us a glimpse into her everyday work: what they aim to achieve on an assignment as well as the approaches they take to do so. Yvonne gave a hands-on demo breaking into a system in a short time - well, it would have been even shorter if the live demo curse hadn't hit! What worked before, done exactly the same way, of course did not work instantly when presenting. Yet Yvonne stayed remarkably calm and we could witness how she either found ways around the issues faced, or patiently tried things again until they worked - just like during her regular work. Impressive and very insightful.

The official program being over for the day, we invited everyone to join for conversations and games in the hotel bar. Lots of folks took up the offer, they even brought some games themselves. As organizers, we checked in with each other and aligned on the last bits and pieces before the first full day of conference. The first evening went well - so far, so good.


A Full Day of Open Space 

On Saturday morning the main part of the conference started: the open space. We had asked a dedicated person to set and moderate the space for us, Pierluigi Pugliese, which meant we as organizers could focus on the rest to create a smooth experience, and besides that, be normal participants as well.

Being the very first instance of this conference, we wanted to start small yet feasible. Therefore, we were glad that 25 people had registered for the event. As it usually goes, there were last-minute changes, so overall we were a group of 20 participants in the end. Leading up to the conference, we had worried whether that number would be enough for a good open space with enough sessions proposed and people getting real value out of it. As it turned out, we wouldn't have needed to worry at all! Even though several folks were not familiar with open spaces before, they quickly got the gist of it and enjoyed this more informal, self-designed space that gave them agency. Also, already during the first marketplace, lots of people instantly proposed sessions and the schedule filled up quickly and nicely.

The marketplace is one of several places where we could give kudos and huge shout-outs to our sponsors who trusted that even this very first instance was worth supporting. And it's a great place for it as well! We were inspired by SoCraTes who thanked their sponsors in lots of funny ways as "ad breaks" or "commercials" in between the session announcements. It's such a fun and effective way to raise attention to those who made osco more affordable.

The first sessions started, and the first things we had failed to prepare ahead of time showed - fortunately, everything could be fixed quickly and we could also start enjoying and giving sessions ourselves. Here's what I chose from the schedule.

  • "How to get people interested in just about everything (including cybersecurity)" by Felix Schnellbacher. Due to having some organizational tasks to do at the same time, I could only drop in late and had to drop out early - well, showcasing that you can indeed do so any time at an open space. What I witnessed was interesting storytelling on how to raise people's attention to important topics that are not easily digestible. A really nice match to our conference idea!
  • Hanging at the coffee bar. I had to enable one of the sessions during this slot, and also prepare for my own session. So I decided not to join any announced session and instead take a break and enjoy some tea and snacks. And I found great company there as well!
  • "A Security Champion’s Journey - How to Make Things a Bit More Secure than Yesterday Every Day" by me. This was the third dry run for this brand-new talk overall, the first public one, and the first on-site. It still took longer than the conference slots I have for it in November. But besides that, things went well and I received lots of good feedback. People even stayed around for further exchange even though it meant we all arrived late at lunch. All this helped reduce my worries that I usually have with new talks - iterations for the win! Many thanks to everyone who joined and shared their thoughts with me. And huge shout-out to Janina Nemec for creating a wonderful sketchnote of my talk!
  • "Make your own Juice Shop theme" by Björn Kimminich. This app really evolved over time, it's impressive. Nowadays it has lots of additional features, like being very easily customizable. We could quickly adapt the look and feel to our own needs - an osco-style Juice Shop of course! There are lots of configuration options available to adapt the experience overall as well.
  • "Which security tools should I know for everyday development?" by Chris. An awesome session that initiated an engaged conversation on all kinds of cybersecurity tooling. Those that a security team would use themselves, those that they could offer as a service to development teams, those that could be included in pipelines, those that you could use on demand when implementing a change. Really insightful exchange.
  • For the last session, I had planned to join one of the proposed sessions, and then the other great thing about open spaces happened: a new session emerged right in the moment. Julian Michelmann and I started talking about security culture, strategies to bring teams on board to make things more secure, challenges we face, and everything. Very interesting and appreciated!

Time flew and it was already time for the evening news. Everyone came together again and shared impressions and insights from each of the sessions so that everyone got value out of them even if they weren't there.

Finally, another short marketplace where participants offered evening activities after dinner. Speaking of dinner, I really enjoyed the conversations I had with Yvonne Johnson, her partner, Björn Kimminich, Janina Nemec, and Dave van Stein. Especially on TV shows and computer games! Oh, so much to geek out about.

Originally, I wanted to make time in the evening to finally solve a few OWASP Juice Shop hacking challenges, as Björn had set up a CTF throughout the day using the MultiJuicer. Yet things happened, as they often tend to do! Further conversations were had, further topics had to be organized, and time was running. In the end I still made space to at least try a speed run - that lasted only eight minutes as then the instance had to be shut down already. Well, I focused on solving challenges I still remembered and managed to get four flags in the eight minutes - yet next time I'll do better in preserving the time, exploring new challenges, and also tackling them in a team. I'd really enjoy that.

The evening continued, games were played, snacks and drinks enjoyed, lots of great conversations. Challenges and opportunities, struggles and wins. What a great day.


The Closing Day

Finally, the last day of osco24 had come. I could feel it in my bones, I didn't get enough sleep - and yet it was worth it so far. So I decided to make the best of the remaining time we had together.


Another marketplace (of course), offering two more slots for sessions in the morning. Here's what I chose.

  • "osco25" by us organizers. We wanted to gather people's ideas for a potential (and very likely) next edition of the Open Security Conference. This initiated a good exchange on what people valued and what they'd like to see differently. We were super happy to find out that we also gained further supporters for next year, be it in the core organizing team or in other ways! While we secretly hoped for it, we really didn't expect that people would proactively reach out and offer their support. We're really grateful.
  • "Mob-hacking some Juice Shop challenges you might not have solved yet" by Björn Kimminich. As I couldn't invest much time in this the previous day, I jumped at the chance that Björn offered another session. It was really insightful to go through a few of the harder challenges, figure out the path to the solution, and see the vulnerability being exploited. What an awesome way to close off.

Afterwards, we came together for a final round of sharing our insights from the sessions. We also had a chance to find folks we hadn't been in contact with too much during the conference and share with them what we aim to do until a potential osco25. We had the space to find people and thank them directly for whatever impact they might have had on us. This was a nice addition to the physical kudos cards that we had provided throughout the conference, and that people had made good use of. I had received a few myself, and I could give out more to other participants. Physical kudos cards are such a valuable form of feedback that you can literally take with you. Another lesson I had learned from SoCraTes.

And that was it. The open space was closed. Everyone helped clean up the rooms, which turned out to be straightforward and quick. We sat down for a final meal together before one after another started their journey home.

Really tired and really happy, with a heart full of gratefulness, I said my last goodbyes as well and started my own way home. Reflecting on everything that happened, I felt content. Most things went very smoothly, there were only a few minor hiccups that could be corrected quickly, people gave constructive feedback, overwhelmingly positive support, and in general validation for the space we set out to create. Huge shout-out to my amazing organizer team, our wonderful sponsors, and especially the participants who put trust in this idea - you are awesome. This was great. Way better already than expected. I have lots of hopes for osco25.