Sunday, August 3, 2025

SoCraTes 2025 - Coming Home

For the fourth time I've come home to SoCraTes, the International Conference for Software Craft and Testing. It already felt like coming home last year and I knew I wouldn't miss this edition. And it even felt more like home this year. I love this colorful crowd who are so eager to learn with and from each other. It's been a wonderful place for me to test out security-focused sessions that I could bring to conferences and find like-minded folks for lots of community initiatives I'm contributing to. Here's my report for 2025, to help my future me remember and maybe inspire more folks to give this awesome conference a try.

 

Arrival on the Day Before

I've had the pleasure to share my train ride with Martin Schmidt, a dear friend I met a few years back at SoCraTes, and hence slowly getting into the vibe of exchanging knowledge and experiences that would await us at the conference. Not only on all things tech and software, yet anything that moved us at that moment, ranging from personal lives, career situations, societal and socio-technical systems we're part of, hobbies, passionate projects, health, personal realizations, and more. Literally anything, as full humans. Which is what I love about this conference. We can't fully separate our work selves anyways - here we really don't have to.

SoCraTes cares for people. This shows from the start when we still tested ourselves for Covid before mingling with others - which was a great catch, unfortunately there were cases who then couldn't enjoy the conference. This evening, I've seen the first folks again I've already met the last years as well as new acquaintances. Like meeting Ruth Malan for the first time in person, after following her for a while on socials! Dinner time is perfect for this, checking in with each other, exchanging hopes for the next days. This is also why I love to come early when not as many people are there yet, it really eases me into the conferencing joy awaiting me without the mass of people instantly overwhelming me. 

 

Training Day

This year, I did not give an official training myself, so I was completely free for a change which was also really nice. The training sessions I've joined were the following.

  • "Know your tools: git" by Martin Schmidt. Yes, I do know git and used it for a long time. And at the same time, I'm well aware of all the things git also offers that I don't know about. Lastly, I usually always learn something new when joining trainings by other folks as they will structure content differently, explain things in different ways, and so on. Hence, I was curious about what I'll learn from Martin! I really appreciated that he had various modules prepared so the audience could choose what they were most interested in learning about. Same applied to exercises versus theory, kudos to him for listening to people's needs here! Martin had prepared a whole website for the git training with instructions and all kinds of useful commands - such a good resource to take with us. Conclusion: I indeed knew quite a bit about git before and yet I learned about features new to me that come in handy.
  • "Digital Dominoes: Understanding Modern Security - From Supply Chain Attacks to the life cycle of a vulnerability" by Avraham Poupko. Avraham reminded us that while most of software security is a discussion that assumes malice, that there's an evil person on the other side who wants to take away what we consider to be ours, there's also the side where it's about negligence, like losing stuff. He walked us through the lifecycle of a vulnerability and emphasized that confidence in a company can be really shattered through CVEs - no matter if they are fixed or not. Avraham elaborated on supply chain attacks and what common attack patterns are, how trusted and yet verified sources are crucial. He left us with a few practical action items: security by design, not by accident; patch fast, patch smart; and monitor everything, question anomalies.
  • "The Evolution of Team Co-intelligence: from Knowledge Work to Learning Work" by Diana Larsen. I've been following Diana for a long time on social media. This was my first opportunity to meet her in person and join one of her workshops! It was such a great session. We both learned theory and could instantly apply it in the group exercises, observing the group evolve and grow together. Diana provided lots of tangible advice, and language to talk about and take action on observations we make at our work places. For example, she shared how teams need purpose, autonomy and also co-intelligence to be effective motivated teams. She defined co-intelligence as collective intelligence + collaborative intelligence + trust + learning-centered - sharing ten qualities. We walked through all the steps we have to achieve to really reach high performing, or even resilient learning teams - and as with so many things, it has to start with building trust. Diana made us think of what we bring to our teams, what we can do to build co-intelligence, and what makes learning leaders. All of this has resonated a lot with me and my experience within teams so far.

After training day, the main conference started with the official opening and the world café. This is a great opportunity to get to know more people early on. This year, we had a different question per room to think about as a group, and these questions went rather deep. Like "If you could send one piece of advice back to yourself from 10+ years ago, what would it be?", "What's a skill you wish you'd developed earlier in your career, but you're glad you're learning now?" and "What's the most valuable mistake you've made in the last year, and what did it teach you about your craft?". Pretty daunting to break the ice and get to know each other! Yet it was great to see people share and open up, trusting this process and the space. I admit, these questions made me realize a few things about myself as well.

 

Open Space Day 1

The main conference consists of two open space days. With this conference, this is truly special, as for an open space I've never seen a bigger crowd so far. At SoCraTes Germany, it's usually around 200 people, all co-creating the program of each day in the morning. You never know what exactly will happen, and yet there will be so many amazing sessions to choose from that fear of missing out is high. I learned over the years to just let it happen, go with the flow, and also listen better to my needs to take breaks or tackle a different task that's on my mind. And yet, of course, I also had to propose sessions myself. An open space is just too good an opportunity not to! Especially as this is a chance to test-drive talks and workshops, to pull information from all those knowledgeable participants, to try something out together, to discuss societal topics, and so much more. Here's how my first open space day went.

  • Hallway track: I remember I was tired that morning and I couldn't decide which session I wanted to go to, there were many interesting ones. As it happens, I didn't have to in the end - as I met awesome folks in the hallway and just went with having a nice conversation there. Both insightful and helping my brain relax and ease into the day.
  • "Building Secure Enough Products" by me. I was really curious about what people experienced to be bumps when trying to build secure software, and what they perceived as boosters. Now that I'm in the position of security engineer, this was even more interesting to me to see what we can do at my company to foster a culture where security measures help people accelerate delivery of sound software and prevent the things that get in their way. Loved the engaged conversation and collection of topics! 
  • "Sticky-Business" by Corstian Boerman. Corstian shared a fascinating story with me last year which led to many and more conversations. Because one day, he had found an envelope with a USB stick in his mailbox. This year, I nudged him to host a session to share this story of reverse engineering a USB thumb drive and what he learned from it with more people and was hyped that he agreed to do so! Make sure to check out his slides.
  • "Capture the Flag Together (For Beginners)" by me. I admit, SoCraTes was THE conference where I started these sessions and learned to love them. Like, for real. I've started them as very collaborative, whole group ensemble sessions to find the secret flags and solve these security puzzles together, using Hack the Box labs as our safe practice space. We've already found quite a lot of flags in the last years, and this year I decided to host a beginner session first before continuing the fun discoveries during the evening times. Seems it was a popular idea! Lots of people joined and we enjoyed cracking a few of the starting boxes together in just an hour. Some of these folks then also joined the evening sessions; it seems they got hooked just as I did back in the days! I just love seeing folks having fun learning more about security and ways to get into a system - it teaches us a lot about what we need to do (or should not do) to prevent this and defend the system.
  • "What does non-patriarchal, anti-capitalist* software delivery look like?" by Andrew Harmel-Law (*Intersectional (anti-colonial, anti-racist, anti-classist, anti-sexist, anti-ableist, etc.) & inclusive. We don't just build and run software; we live in our codebases). What a very interesting conversation on all kinds of company systems and choices to deliver software. Lots of people engaged and shared their experiences and open questions, the challenges and opportunities they see. Quite a heavy topic at this point in the day, and still such a very much needed space to have these kinds of conversations. We will need to continue them and run experiments to find out what we can do to do better.

Dinner time! Lovely conversations. And it wouldn't be an open space and definitely not SoCraTes, if there weren't evening sessions suggested as well. Well, I was eager to host "Capture the Flag Together (For Adventurers)" sessions, of course! This evening, we spent four hours trying to solve a seasonal machine. We had found the user flag, yet the root flag still eluded us. Getting really tired, we concluded the session by midnight and called it a day, with the intention of trying it again the next night.

Oh, and it wouldn't be SoCraTes if we wouldn't play games either! Like the already traditional rounds of SET together with my dear friend Janina Nemec and anyone else who wanted to join.

Yeah, late nights and lack of sleep also come along with SoCraTes for me. Yes, it would be a lot wiser to join those who go to sleep early. No, I still cannot do this. Yes, I'm still (sort of) regretting this every single day after. And yet. It's just so good and such a unique chance during the year.

 

Open Space Day 2

In the beginning, it always feels like we're going to have so many days together, so much time to check in with everyone and learn and enjoy ourselves practicing whatever we're up for. And then the second open space day usually comes a lot sooner than expected! Well, here it was, with further sessions.

  • Hallway track: Yep, yet again I started the day opting out from a formal session and instead having a great conversation in the hallway. Maybe I should make this a habit, it really helped my slow morning brain going. This time, we talked about our varied experiences with AI tools. We also wondered about the utter lack of beginner positions these days. I mean, where should all those senior folks that companies are looking for come from in the end?
  • "Navigating Spaces". What a beautiful session, thanks so much to the host for creating the space for it. Lots of people opened up and shared parts of their identity and their struggles to navigate the spaces we're finding ourselves in, even within very open ones. We shared what helped us so far, what tips we tried and more. These ranged from embracing discomfort, doing things anyways, that companionship helps just as well as avoiding assumptions. Looking for the little indicators and signs of shared connection. Really thought-provoking and just wholesome.
  • "Hack the Parrot - Prompt Injection" by Jan Gregor Emge-Triebel. I had it on my list for a long time to practice prompt injection using Gandalf. Finally, this was my chance to do it for real! Loved that Jan hosted this session. We all learned a lot trying to trick an ever-evolving Gandalf into revealing the secret password to us. Such good fun and oh so relevant in our daily lives, as it's getting harder and harder by the day to get around LLMs and other AI tooling.
  • "Micro-retros, macro-retros, ad-hoc retros, continuous improvement" by Diana Larsen. Diana introduced us to lots of advice and tips on how to really achieve continuous improvement. Instead of waiting two weeks, we can include very brief retros in our everyday work. Sometimes, we need more folks to come together and reflect, not just our teams. Sometimes, we need additional retros on demand. Yet what matters is that we really activate our own learning by finding the right cadence, learning at the right scale, learning as frequently as possible, and continually improving.
  • "Getting into Security - Career Options" by me. I didn't plan to give this session, yet I was kindly asked to do so by another participant. How could I say no? I wondered if it would be interesting for more people, and then quickly realized - yes indeed, it was! Didn't expect so many folks to join and listen to me sharing my own journey into cybersecurity. For me it was also great practice in impromptu improvised storytelling - such a good skill to hone. It was great to realize that there's real interest, I might end up making a full session out of it. People appreciated me sharing my non-traditional way into tech and security, daring more as I went. They asked lots of questions, like what my everyday job looks like, about penetration testing, about certificates, and much more. And I was totally blown away when one person shared that I'm THE security person for them, given my history of bringing security sessions to SoCraTes. Just wow! That's also the beauty of an open space: be prepared to be surprised.

As the main part of the conference ended, dates for the upcoming sibling SoCraTes conferences were shared. The organizers were so kind to allow Janina Nemec and me to also plug our own open space conference, the Open Security Conference - which originated at SoCraTes 2023 thanks to Claudius Link. In case you're curious, registration is still open - maybe see you in October!

After a lovely dinner with my dear friend Thierry de Pauw and their daughter, it was time for evening sessions again. And, how else could it be, a bunch of courageous adventurers dared to look for the secret root flag in another round of "Capture the Flag Together (For Adventurers)"! We can proudly report, we did get it together within around 90min. And then we talked for another 90min. And then we got curious about further Hack the Box challenges, like for mobile. As the first one was really straightforward, we dared more. And ended up sitting long past midnight to de-obfuscate a piece of decompiled software to finally also get that flag! Many, many thanks to every single one for joining me on these fantastic journeys. I really cherish going on them together with you all.

 

Workshop Day

The final day of SoCraTes is dedicated to workshops everyone can propose and host. I've often joined the code retreat this day, yet this year, Martin Schmidt, Philipp Zug and I wanted to host a session on our own security card game, one of those other endeavors originating at SoCraTes. Last year, we hosted a session to introduce the game to people and received lots of great input. This year, we wanted to show our progress and test out the new additions like reputation and game scenarios we've added. We had a small but lovely group who were super hyped about this game as it initiated such good conversations on all things security, and stories to share. Two of our participants even shared that the current state would already be good enough to use in workshops! Such lovely and really encouraging feedback. Once again, more ideas were gathered, and we'll continue working on this leisure-time, low pressure and fun side project.

In the afternoon, I had planned to join another workshop, yet things turned out differently. You know, as they tend to do at SoCraTes! Instead of another workshop, I had wonderful conversations with various folks keeping me company. Talks about organizing conferences, company cultures, career choices, computer games, creating IDEs, and so much more.

The day flew by, and more and more people left the event, going back home. As usual, I chose to leave the next day only, as this way I could ease out of this awesome conference space and still enjoy the company of the last people standing. The last years, we've found various fun activities to end this last day. This year, things happened differently. After having dinner, my table round got small, down to two people. And then it grew again organically with more and more folks joining in over the course of many hours. We had a wonderful round of around eleven people, mainly having a group conversation about anything. People showed their pieces of art and craft. People shared fun stories. We talked about the past and the future. Or sat silently with each other at times, just enjoying our company and being there together. And as the night grew longer, the group grew smaller again, until we finally also went to bed.

A very wholesome ending to a wholesome conference.

 

All in All 

My huge thanks go out to so many people I've met again this year, and many people I met for the first time. You all know who you are. You are all awesome at co-creating this place together. My special observation this year was that this time, I didn't have to spend energy on calling out unfortunate behavior, calming down dominant voices taking up all space, and instead holding space for everyone to share. Or non-inclusive language and the like. This year, folks were really considerate, at least in the bubbles I've been part of. It just felt good and allowed us to spend our energy on things we wanted to spend it on. This was a real glimpse of how it could be.

Did I mention this conference offers and encourages physical kudos cards? Years back, I was hesitant about this. Nowadays, I absolutely love them. It's such a fascinating thing to give someone a kudos card, thanking them for what they did or who they are, and seeing their eyes light up. It's incredibly touching to receive those cards as well. I hold mine dear over years to come.

Another thing I've noticed is that more and more folks seem to bring security-related sessions, and I love seeing it. We have even created a new channel for us security enthusiasts on the SoCraTes Discord, and sharing doesn't stop just because the conference ended for this year. I think we have something going on here. This crowd really likes to learn more and do better. And as always, they continue realizing they do know a lot that helps on this journey. Personally, the collaborative capture the flag sessions are really the banger. They bring all kinds of people together, create a great atmosphere, and facilitate us learning so much from each other. Going through frustrations together and also celebrating our wins. Just awesome and wholesome. 

I'm still processing all the insights and inspiration and energy I once again gained from SoCraTes. This conference has a fixed slot in my calendar also for next year. Therefore, my final shout-out goes to the organizers: Huge thanks for creating this wonderful space for all of us every year again and again! It's been awesome and getting better every year.
