Monday, October 13, 2025

Open Security Conference 2025 - Marvelous Momentum

It's now exactly one week after the Open Security Conference 2025 ended. And I'm still amazed about what happened there. Co-organizing a conference means a lot of things. You put in effort to make this a great experience for everyone. You prepare for anything you can imagine that could happen so you're prepared in the moment (yes, we do have a threat model for the conference). And then the conference runs and you experience something you didn't expect yet for this second edition: that participants give testimonials and help spread the word for you. I'm so very, very grateful.

 

What's an #osco again?

The Open Security Conference, short "osco", is an open space conference. In a nutshell, it means that the people who come co-create the program and the space we're in. With some liberating constraints, beautiful things can happen in such a format, things you didn't expect - so be prepared to be surprised.

We organizers found that in our cybersecurity bubbles, the open space format isn't well spread or even known at all. Hence, we decided to fill this gap. Yet osco is more than just an open space conference for cybersecurity enthusiasts. It's also intended as a place where everyone is welcome who's interested in security and learning from each other. No matter their current roles, areas or levels of expertise. We wanted to focus on inclusion and break any gatekeeping in the industry. You can learn more about the osco values on our conference website. 

Oh and by the way, our little monkey mascot is also named "osco" - you can find their bio as well on our organizer team page. 

 

How I Experienced #osco25

Well, on the one hand, there's the organizer view. A lot of work is going into creating a fresh new conference and helping it grow and evolve to become not only valuable for folks but also sustainable in the long run. A lot of hours, a lot of energy, a lot of care. We deliberately and intentionally committed to ethical choices and not taking the easy routes as much as we can. It's not all perfect, we're also human and messing up at times, yet we committed to continue learning and doing better. And that's what we hope to spread as well among the crowd.

Last year, we had our very first edition, basically our proof of concept - and people told us "yes, we love having this space". This year, for our second edition, we were delighted to have doubled the number of participants. Having around 40 folks turned out to be the perfect size for lots of engaging sessions and interactions, for getting to know people better. We had such a lovely crowd indeed. And we got real lucky: no cancellations, no no-shows this time!

We also gained further sponsors this year to make this event more affordable. We're a non-profit event and splitting costs among everyone (besides keynote speakers who at least get their ticket covered; hopefully more in the future), so any support is helping us make this event more feasible. There are lots of ideas to make it more accessible for the future on top of that, yet we have to start from where we are and sometimes take smaller steps than we'd love to.

Some might have noticed that currently, it's mostly me posting on our official social media accounts (feel free to follow osco on Mastodon, LinkedIn, or Bluesky). Last year, taking care of social media was pretty stressful to do during the conference while everything else was going on. Pretty overwhelming especially given it was our very first edition. This year, we included Bluesky as a third platform to reach more folks - which would have made it even more overwhelming to cross-post manually across three platforms. Hence, we chose to use a cross-platform posting solution which also allowed me to draft and schedule a lot of posts in advance, which I then could just adapt or post on the fly during the event. A massive helper that reduced my personal stress a lot, and it was an invaluable tool for live posting during the keynotes.

Well, there's a lot more that could be shared from an organizer point of view. But it's not the only perspective here.

There's also my view as a participant. Because yes, all organizers are usual participants as well, while they do have their organizing hats on top. This was especially tricky at last year's first edition where there were so many unknowns (back then I didn't even know the venue myself yet). This year, things were so much smoother, and I truly enjoyed this ride. I had a lot of fun joining the sessions, learning and contributing, and also giving sessions myself.

My very personal highlight: several people I knew from various areas of my life decided to join osco - so osco was the place to get them together in one place for the first time. I was very excited about this and confident they would get along with each other very well. New connections had been made for sure! Special kudos also to my dear colleagues Rudolf Kärtner (whom I met at #osco24), and Lucas - it was a real pleasure having you both there.

Here's the overall schedule we co-created. We'll post it on our website as well for reference, just bear with us while we're resting for a while after the conference.

Now, here's what my own conference days looked like overall.

Thursday

  • Registration. Throughout the afternoon and early evening, people arrived and first conversations were had over delicious snacks and hot beverages. The registration itself is something I really enjoyed last year already. It's our first chance to make folks feel welcome and get them introduced to what we have. A few things always stand out, like people's pleasant surprise that photo consent is explicit opt-in (instead of the usual opt-out if it's an option at all), and that we support initiatives like the sunflower as a symbol for hidden disabilities and Daniela Schreiter alias Fuchskind's amazing communication cards as special helper for neurodivergent folks.
  • Dinner. Snacks aren't enough for sure! Before everything started for real, dinner was served and people could get a bit more familiar with the venue. 
  • Official conference opening. The original idea initiator Claudius Link and I had the honor to welcome everyone and introduce them to our conference. We shared the origins and main idea, the values we share, our goal. Getting to know our participants a bit. Having each organizer introduce themselves; it was real sad that two of us weren't able to join on-site this year, yet they were with us in the form of a lovely video greeting for everyone. Setting the space and getting everyone familiar with a few helper tools to make this space as inclusive as we can.
  • Opening keynote: "Building an AppSec Program from Scratch" by Mireia Cano. I witnessed a former version of Mireia's talk last year right after I got to know her - and I felt it would be the perfect opener for osco. I'm ever so grateful that Mireia agreed to take a leap of faith and do this! Her AppSec stories of what worked and what didn't were just fabulous and already initiated lots of conversations on the first evening, as well as ongoing throughout the conference. Check Mireia's point of view further down below to see that convincing her to come to osco wasn't only good for us. ;-) Also, check out all the live posts made during Mireia's keynote to get an impression of her keynote.
  • Socializing at the bar. Some people went to their rooms to rest, some people opted for getting to know each other a bit before the first full day came. This was already a real good and promising start.

Friday

  • Open Space Marketplace. Claudius and I also had the honor to introduce everyone to the open space, explaining how we do things, the principles and the one law, and basically how to get the best out of it. This first marketplace of ideas already showed: we won't run out of awesomeness. Lots of people came up and offered a whole variety of sessions. Sessions can be talks or workshops, yet they can also be "pull sessions" aka asking people to share their knowledge, maybe ask for help to solve an issue they face, or invite people together to try something out for the first time, or practice hands-on, or just have a conversational knowledge exchange - you name it. Any format you can imagine. Topics can also range from anything cybersecurity (which is the main theme bringing us together), to socio-technical and social topics, to hobbies and other activities we'd like to share. Anything goes that's not against the code of conduct.
  • Hallway track. During the first slot, I'm usually tired and undecided. Additionally, as an organizer, I also feel the need to make sure everything's working out, so I decided not to join an official session right away. Instead, I ended up having a lovely hallway conversation with Sofia Borga on security champions (yep, one of my favorite topics indeed).
  • "Session on InfoSec awareness for fresh folx at a Fachhochschule, studying public infrastructure IT" by Janis. What a really insightful conversation. Raising awareness on security (and also privacy) topics is such a crucial core challenge many of us face. We gathered lots of ideas from what content to focus on to how people could experience the importance without causing real harm.
  • "Fediverse #Q&A #experienceSharing" by Konstantin Weddige. Yet another wonderful conversation sharing insights on all things Fediverse with its plentiful social platforms like Mastodon, PeerTube, Pixelfed and many others. Pretty sure this made more people join and try it out for themselves.
  • Lunch. Some sessions were held over lunch, and unfortunately I didn't make it there before they filled up. Nonetheless, I enjoyed the conversations I had a lot. 
  • "Help! I'm a security champion - exchange on how to champion security" by Sofia Borga. This was such an amazing session. Sofia shared her own journey as a security champion as a consultant for a customer project. All the bumps and lessons learned, what helped and what not. This resulted in a great exchange on what kinds of experiences people made so far with either running a security champion program or being a champion on it. 
  • "Capture the Flag Together (Beginners Edition)" by me. What can I say, I just love introducing people to the practice labs out there to learn more about penetration testing in a safe and ethical environment. It's like little puzzles which are intrinsically intriguing, while you have to use lots of the tech knowledge and things in your toolbox to solve them. Especially when doing this in a collaborative, non-competitive mode, it's an amazing tool. It helps showcase what folks already know that's useful in this situation, how a diverse crowd can help fill our own gaps, learn more as we go together, experience how to breach a system and also gain insights on what we need to do to prevent this from happening. Once again, I had a really nice crowd joining me. Lots of fun included!
  • Keynote: "History repeating itself" by Bianca Kastl. Just like with Mireia, I was so happy to see Bianca accepting our invite to give a keynote at osco this year. I've seen her and Martin Tschirsich's talk about the German electronic health record at CCC last year which left me very impressed, and I was following her since. Her keynote at osco was such a great reminder on what we already learned in the past, and an analysis on why we keep repeating similar mistakes. Make sure to check out the live posts for Bianca's keynote to learn more!
  • Evening news. This is where everyone comes together again to reflect upon what happened during the day, sharing thoughts and feedback, giving kudos. It's also the place to create our evening (and early morning) program. Lots of sessions came together, just loved seeing people use this space as well.
  • Dinner. For me, conversations over food are just awesome. Especially at conferences. Thoroughly enjoyed having proper time to talk before the evening program started.
  • "Capture the Flag Together (Adventurers Edition)" by me. Yes, I just can't get enough of these sessions. This time, no guidance was available - it was up to us to explore, get into the system and find the secret flags. And we did! What an awesome group to learn with. 
  • Lockpicking at the bar. The evening (or shall I say night) wasn't over yet. People tend to gather at the bar as the last stop to socialize just a bit more before bedtime. Some people played games, some just talked. I joined a group who tried their skills at lockpicking. I always wanted to try this out, yet missed my opportunities at past conferences so far. Now I finally had my hands on a first practice lock to learn how simple locks work and how you can exploit tolerances to make them open. Well, we didn't have much time that evening, yet it was enough to get intrigued and get myself an entry-level practice set for myself at home.

Saturday

  • Open Space Marketplace. From now on, my fellow co-organizers Janina Nemec and Christian Ciochina took over the moderation, and they did wonderfully. Once again, so many people queued up and presented their session ideas. Once again, we quickly had a program for the day where it was hard to choose which sessions to go to and hence which sessions to miss out on.
  • "Osco 2026" by Claudius, Janina and me. Just like last year, we organizers offered a dedicated slot to talk about next year's edition. Ideas, improvements, wishes, good things to keep. Also, answering any questions regarding organizing, and seeing if there's anyone willing to support our endeavors. We received so much invaluable feedback! Much appreciated, many thanks to everyone who came.
  • "Dark OSINT 4 Good" by Kristof Van Kriekingen. What an awesome talk, what a frightening scary world, and what an amazing initiative to use OSINT skills for good causes. I really don't want to spoil this one at all. If you ever have the chance to see this one, go for it. 
  • "Trust me, I'm lying" by Kush Mehra. Really interesting talk around all things deception tactics, honeypots, and other approaches to defend against adversaries. I hope this one becomes a full conference talk, more people should learn from it.
  • Lunch. Obviously! Great food, great conversations. Time to digest what we learned so far.
  • Organizer session. This was a closed, non-public side-track. Nothing I can reveal here as of now!
  • "Hacking Toys" by Sebastian Strobl. Really interesting session on all kinds of little offensive security tools, educational and fun. You might have heard of the Flipper Zero, yet there are more tools like the Wi-Fi Shadowapple, the PwnagotchiBjorn, or the PiSquirrel.
  • "SecCardGame needs content, ideas and other things" by Martin Schmidt and me. You might remember, I'm part of a little group developing a security card game as a no-pressure, leisure-time project. Where to present it better than at osco and ask people to playtest! (Such a pity Philipp Zug couldn't be there as well, we missed you.) Martin did an awesome job taking the lead for the session, explaining the background of the game, where we are now, how things are currently working. We played two different scenarios together with the group and found lots of improvement ideas! People also really liked it, which is in combination super encouraging for us to keep going evolving this little game of ours.
  • Evening news. The last full open space day came to an end. Once again, people shared which sessions impressed them or left them with insights, how they experienced this open space, gave credit where credit was due. We also invited them to a little continuous retro board until we all had to leave. And of course evening and morning sessions were announced as well. The highlight of this last evening's news: we had gathered tip money for the hotel during the conference, and now was the time to hand it over to the staff members. Super grateful for such awesome folks supporting us throughout, they fully deserved the applause!
  • Dinner. I found yet another little awesome dinner group - to all of you: thank you for letting me vent and rant with you in a safe space about the systems I grew up in! Really appreciated it.
  • "Capture the Flag Together (Adventurers Edition)" by me. Well, what can I say. Once I found like-minded people... it's really hard not to do yet another hacking session together! Once again, we found the flags. We had fun. We learned. Just having a great time.
  • Hanging out at the bar, playing SET. Of course it's ending at the bar, as every night. My fellow co-organizer Janina and I, we have the tradition to always play a game of SET every day we see each other. This osco, we didn't get around to doing so yet. At least on the final evening, we had to correct this and it was just awesome. You know, when you're super tired, and you're playing a game really requiring your brain capacity - what could be more fun? Of course we're playing anyways!

Sunday

  • "Secure Development Lifecycle Applied - How to Make Things a Bit More Secure than Yesterday Every Day" by me. I've given this workshop for the first time at SoCraTes 2024 and it seemed to land very well with that crowd. Hence, I decided to submit it to further conferences this year. It was indeed accepted for three events in the coming weeks. Therefore, I wanted to give it once upfront in a rather informal setting to get a feeling again for this workshop - what better place than osco? I decided to give it in a very relaxed way, adapted to our setting. And it seems people did enjoy it indeed! They learned, they contributed, they had fun, it initiated lots of conversations. What more is there to want. :)
  • Lunch. Most people already had to leave at some time during the morning, so lots of goodbyes were already had. We had cleaned up most rooms already last night as we closed them, and the last bits were quick and easy to do just before lunch, especially with folks helping together. During lunch, only a small little group was still there. It was one more lovely conversation.
  • Train ride home. I was fortunate not leaving home alone. We were still three people, sharing the same train. So conversations continued until the very end, keeping the osco atmosphere alive. Very, very grateful for you two, you know who you are.

Arriving home, osco was officially over for me as well! As a participant that is, there's of course lots of follow-ups as an organizer. ;) Yet looking back as a participant, there are a few more notes to make.

    As those who didn't know me yet might have noticed, I'm not a morning person at all (yet have to get up even earlier for organizing) - and as the day gets longer, my day gets better. I'm an absolute night owl so while other organizers were among the first ones up (some even went running in the morning), I was with the last ones standing every night. I don't regret one bit.

    The hotel staff are super kind, attentive, and accommodating. The food at this venue is plenty and real delicious. The place and its surrounding landscape is beautiful. Everything is close together and perfect for an open space conference. Add to that the awesome folks we had - it's just perfect.

    Lastly: we did spread physical kudos cards and encouraged people to use them. This year, it worked super well. I've seen many cards with little notes of appreciation being exchanged. I handed out many myself, I got many back. I can't tell you how good both giving and receiving such little cards feels. Maybe try it out for yourself if you haven't so far and see what happens.


    What Others Said about #osco25

    Let's have people speak for themselves! Here are my favorite posts people made during or after the conference. I'm still stunned what they had to say. 

    These were my personal highlights, yet there's more! Just look for the hashtags #osco and #osco25 on Mastodon, LinkedIn, and Bluesky.

    We also received lots of feedback on what we should keep and what we can improve or try out for next year's edition. Lots of awesome ideas, I'm already curious which of them we can implement next year and what the next edition will look like.


    See you at #osco26!

    While we organizers still need to update our website (and absolutely take a break to recharge), I can already share one thing: there will be an Open Security Conference 2026 on November 5 - 8. Save the dates and see you there!


    Tuesday, August 19, 2025

    The Calmness Tide - It Comes and Goes in Waves

    Remember I'm doing a personal challenge this year? It's all around my inner critic and finding calmness again while being content with steady progress, even tiny steps. To be frank, the first half of the year was rather packed and exciting. Not the easiest moment to find calm in everything, so what better time to do this challenge than this year?

     

    What happened? 

    Career-wise, I started a new job and also switched roles by doing so. As a security engineer, I'm now fully focusing on product security and all that comes with it. You could say I'm still a specialized generalist also in this field, yet that's food for thought for a dedicated post. 

    Starting out at my current company was challenging in different ways than I expected. Over six months in, I can now share I definitely made the right choice when picking this role, company and team. I really enjoy my time there and the impact we can have together. At this place, I can go at a sustainable pace (and am even encouraged to do so). I can contribute using the knowledge, skills, and network I've built over many years. At the same time, I can learn so much more in an area that intrigues me every day. 

    I love my new position as a security engineer. I found that it's both very similar to my past roles (e.g. with regards to building value in from the start, affecting change, fostering a collaborative learning culture, the holistic technical system knowledge, a whole variety of things to learn and do) - and it's also very different (now I'm focusing on security as one main quality aspect, and I'm in a central enabler team which brings different opportunities and challenges to face).

    My team is just awesome. In the past, I've never joined a team where I encountered such maturity, accountability, and reliability in my team mates right from the start. We've grown into a real team in no time, and continue to find better ways to work together with each other and the engineering teams we support. Things like prioritization of the highest value initiatives, balancing reactive and proactive work, increasing resilience through sharing work, providing sounding boards and pairing. We even had first ensemble sessions. The usual, and yet from a different perspective. 

    The company keeps surprising me in very positive ways, especially when it comes to upper leadership and acknowledging both achievements and shortcomings, plus their own accountability in this. Taking concrete actions to find better ways. Mind you, this is not taken for granted at all. Also, I do appreciate the culture that's currently in place and keeps evolving. Yes, there's room for improvement (wouldn't it be boring if not?), and yet: when it comes to working with the other engineering teams I've encountered folks being genuinely open to exchange insights and learn from each other. This makes it so much easier for everyone to make informed decisions together on what is feasible and worth doing to increase our product's security posture.

    Personally, I love that I worked on a variety of topics already. They went from improving the ease of vulnerability scanning, to security reviews and threat models, to assessing third party tools to integrate into our product. From investigating infrastructure alerts, to alerting teams ourselves of new vulnerabilities discovered, to joining incident investigations. Discussing risk, thinking ahead on scaling and enabling teams. And many more. Well, there are lots of topics worth sharing and I'm going to see what I'll mold into future content.

     

    That wasn't it, though.

    Not by far. There are also the community things I'm pursuing next to work. Here's what I focused on during the first half of the year.

    • I'm co-organizing the Open Security Conference for the second year in a row. We've had to find ourselves in our new organizer team, and had quite some prep work to do. We're currently in the hot phase - registration is open, and the last operational bits need to get done to set things up for success. It's looking good though, and I'm really getting excited! By the way, we're looking for further sponsors to get the price down for everyone. In case you're interested or know companies who would, please reach out. We'd be truly grateful for your support!
    • The leadership workshop series that I co-facilitated with Shiva Krishnan for a first community cohort is now finally finished. Phew, that was some kind of a ride! It took us over a year, yet it's done and we've learned a ton. We were glad to hear from our cohort that this series was really valuable for them. It'll need further reflection how to move on in the future. For the current cohort format, we had heavily underestimated the difference between doing such things with colleagues at work or with community folks next to work, where personal schedules play an even bigger role. But we made it! At least for this year, this topic is actually concluded.
    • As a leisure side project, I'm still working on the security card game with my fellow co-conspirators. Slowly but steadily for real. The last SoCraTes really encouraged us to keep going. Good thing here is, while it still needs time investment, it's constrained and highly flexible, without imposed pressure. 
    • I've started my first capture the flag (CTF) team for real. We participated in our first CTF this year and it was a blast. We keep meeting regularly for practice, and looking out for further intriguing CTFs we can tackle together. I've learned a lot already through this fun deliberate practice setup, including that I still have a long way to go. These challenges can be super frustrating. "Easy" labels got a whole new meaning here - it really depends on what you're already familiar with and what not, and how much is in your "go to" list of things to try based on experience. And yet, they're so worth it. I love that this team is very collaborative, really tackling challenges together which makes it special to me.
    • That not being enough, I've joined my second CTF group after SoCraTes. It's not really a team to take on CTFs together, yet people are regularly coming together online to try their hands on practice machines and help each other as they go. This is another interesting opportunity for me. I've already seen it help me hold myself more accountable to practice during the agreed time even if no one else is online.
    • Of course there's not only the "calm" part of my personal challenge this year, there's also the "steady" part. Meaning, I'm working actively on learning topics. I've started with a variety of things and realized that while variety is nice when you just want to follow your energy, I need more focus to perceive progress as it's very small each day. Right now, I've reduced my options to mostly the CTF hands-on practice opportunities I described above and reading books. I'm moving very slowly yet steadily, while trying to keep my inner critic at bay. No matter how fast others consume such books (like, over a weekend, while it takes me months). On some days that's easier than on others! 
    • As I've done over many years, I'm still having both regular and on demand calls with community folks to exchange knowledge, ideas, and inspiration. Granted, they do cost time and yet they are a valuable investment into fostering my network and learning through serendipity. The good thing, more often than not, I'm regaining energy from such check-ins. They make me realize time and time again why I'm doing what I'm doing.
    • Conference season is starting in fall this year for me. I've paused things for the first half due to changing jobs. Every time I do so, I first have to figure out what's okay when it comes to speaking engagements and the off time that comes with it. I'm ever so grateful for my truly supportive and encouraging manager here! Again, not taken for granted. It makes it so much easier, though. So yeah, conference season starts in fall which also means preparation takes place before. Even though I'm giving sessions that I already gave last year, I still need to invest effort to arrange things. I have four conference speaking engagements lined up for the rest of the year (plus my own conference of course). At Agile Testing Days, I'm also co-chairing the brand-new security testing deep dive track. Enough to keep me busy for the rest of the year! 
    • Last, definitely not least: Physical health is keeping me pretty busy as well next to my mental challenge. Fortunately, nothing too bad so far, yet stuff that has built up over many years is now cashing in. It's more than enough that I needed to prioritize this and deliberately work on a few areas in a more focused way. The bad news is that this is also consuming lots of time and energy, while at the same time I clearly need more rest and sleep. The good news is that this effort is perceivably paying off (slowly, very slowly - I'm needing lots of patience).

     

    The Challenge of No, Not Now, Not Anymore, Just No 

    I realized a few things that would help me on my journey of struggling less. And most of these came rather quick and easy, like "I'm okay with only making little progress with my challenge topics". I was surprised how easy. Or being okay with balancing out my working hours every week. Others were fine too, like documenting influences on my health and indicators of calm. I was okay to document all the activities I'm doing, how much time I spend on them, and what I want to do differently in the future. I even managed to actually make some of these changes (at least temporarily). Yet then I struggled massively. I knew I couldn't go on doing everything, I had to cut things. Yet which? I had already cut them to only things I really want to do.

    That made me realize, even though I'm saying "no" to lots of things already, I've accumulated way too many things that I've said "yes" to in the past and then just never let go. And I still say "yes" to new things as well. That simply doesn't add up, given I still have the same amount of hours every day that I can use to a highly variable degree that's different every day. So I tried coming up with a rather short list of things that are truly important to me as of now, and focus on those. Worked for a short while. This way, I even came up with yet a shorter list of things I claimed to be the main recipe to joy and calmness while learning! And then a very stressful period of six weeks followed, and I threw everything overboard. Maybe it truly is the recipe for me - and still I might not listen to it. So I created yet another new list of the things I'd like to transition my focus to. Plus a new version of my recipe, as you do.

    And yet, nearly every week feels like a puzzle to solve, another round of Tetris (for the record, I hate Tetris), a house of cards that might collapse any moment an interruption occurs. It doesn't feel sustainable. At least not yet. Too often, it feels more like pressing on to make everything happen without stopping to think. Which also means, it's harder to celebrate achievements and enjoy the little moments for longer. It's harder to keep up my energy - even though I know I can do a lot if I have the energy.

    One thing that did help me so far was pressing the pause button on blogging. It truly hurt and at the same time was a relief. Something simply had to go. Even though I wanted to take time to reflect on things publicly, I reduced it to my private space only. I still kept journaling throughout the year, and it paid off heavily so far. Not only to get some thoughts out of my head and documented for my future self, but also to see in hindsight how things actually progressed. All that, while only spending a few minutes per day on it, which is a huge difference compared to doing this more publicly on a blog or just social media, even when keeping things informal. What helped with this temporary decision was that I noticed I had stopped one thing for a whole while now, mostly related to my former work situation: posting public notes on social media on what happened day by day, what I learned, the experiments tried and insights gained. I simply didn't have the capacity and energy for it. My conscious decision to pause blogging for now was indeed a good one for the last months. Only these days are now starting to be way less hectic with more time to sit down and write about what's moving me. Let's see what happens.

    There's more to cut, and cut for real. Probably a lot. Ruthlessly. To regain focus, headspace, and slack. Very tricky challenge for me. So this is by far not solved. Instead, I only became even more acutely aware of the issue. I do indeed spread myself too thin. I rush from one thing to the other, one due date to the next. It's a hamster wheel that keeps me from thinking. Yet calm thoughtful focus is what would help me most. Let alone that I also want to start (or re-start) other endeavors which do need time investment. More to think about.

    So, probably the hardest thing that I'm still working on is shifting my priorities in how I (want to) spend my time. Haven't figured that one out yet. And as of today, that's strangely okay and not okay at the same time, and I still don't know what to do with it. 

     

    The Importance of Being Joyful 

    Speaking of slack. I really want to cut myself more slack. And I really keep struggling doing so. Slack for pure joy topics, like playing computer games. It's one of these things I truly do just for myself, no one else. In the last half year, whenever I had lots of tasks to do in front of me (like, every day), and yet I said "I don't care, I'll play a game first", that day was a good day. Preponing play before work seemed to somehow really wake me up, calibrate my brain and enable me to think. Any work I've done afterwards was way more effective than on other days. And these days felt good. I've found myself a new mantra this way: "Play first, work later". On bad days, it's still hard to unlearn the former "business before pleasure" indoctrination I grew up with. It just meant for me that play never comes as work never ends. I'm still optimistic that finally I can rewire my brain and replace this with the new narrative that works a lot better for me at this moment in time.

    Another realization I've had was that I reserved "joy" for only those "pure personal joy without any other purpose" things. Like playing computer games as mentioned. Or... well, what else? Lots of other things also bring me joy, yet "they don't count" for my brain. Like enjoying a really nice cup of tea. Several times a day! So many different flavors! I could go on endlessly on how much joy this brings me as I absolutely adore tea, and it's my perfect example of finding lots of joy in the little things. Or how about reading fiction when already in bed? Yes, brings joy, yet nah doesn't count, that's just a normal thing I'm doing anyways. Nothing special. But that applies to lots of examples. Like watching an episode of a TV show during dinner. Or just taking a few conscious breaths of outside air. Or loving the rewarding payout of exercise (heck, even the time while I'm exercising). Or meeting friends I truly enjoy spending time with. Or when I realize I learned something new, that moment it clicked when another piece of the puzzle found its place. Why do I never count any of these as joy while they clearly are very joyful?

     

    Paying Off Plenty 

    Overall, the last months were a lot. Surprisingly or not, my calm and steady journey pays off. Not because I was always as calm as I wanted to be, or as content with very small progress as I'd love to be. But because I listened a lot closer to my own needs, to my own wishes, to my brain and my body. I keep observing more what's going on with me in each moment and what makes me respond in which way. I become aware of further things that impact me in certain ways. Through journaling, I realized that my inner critic got rarely loud and noisy this year which is great news, as this would render it useless. Only sometimes it did alert me to something that was actually a valid concern. Like at times when I realized I indeed don't know enough on a certain subject, or when I haven't invested enough time into honing a skill while others clearly had. The rest of the time, my inner critic was actually quite calm. It's almost as if trusting my inner critic to have something valuable to say, actually calmed it down.

    Calmness comes, calmness goes, and then it comes again. I can trust that the phases when I'm not calm (like, literally last week when my mind once again ran wild fearing nothing's going to work out) are indeed just that, phases. Usually, it's because I lack clarity or structure, or feel overwhelmed when too many things need my attention at once. When that happens, my ability to think degrades and I spend more and more time on just managing that. Once I get through this period, e.g. by getting all my thoughts written down before me where I can see them clearly, then bringing structure to them so I can tackle one by one and hence get things done (even if slowly) - then I'm riding the calmness wave again. And things feel good. What helps here immensely, is that my work environment really calmed down thanks to having switched jobs. Now for the rest, it's mostly my own brain and body. I can work with that.

    My plans for the rest of the year? Continue this challenge. Create content. And contribute to conferences. Lots of C's, as it happens. But not without the main ingredient for everything: calm.

    Sunday, August 3, 2025

    SoCraTes 2025 - Coming Home

    For the fourth time I've come home to SoCraTes, the International Conference for Software Craft and Testing. It already felt like coming home last year and I knew I wouldn't miss this edition. And it even felt more like home this year. I love this colorful crowd who are so eager to learn with and from each other. It's been a wonderful place for me to test out security-focused sessions that I could bring to conferences and find like-minded folks for lots of community initiatives I'm contributing to. Here's my report for 2025, to help my future me remember and maybe inspire more folks to give this awesome conference a try.

     

    Arrival on the Day Before

    I've had the pleasure to share my train ride with Martin Schmidt, a dear friend I met a few years back at SoCraTes, and hence slowly getting into the vibe of exchanging knowledge and experiences that would await us at the conference. Not only on all things tech and software, yet anything that moved us at that moment, ranging from personal lives, career situations, societal and socio-technical systems we're part of, hobbies, passionate projects, health, personal realizations, and more. Literally anything, as full humans. Which is what I love about this conference. We can't fully separate our work selves anyways - here we really don't have to.

    SoCraTes cares for people. This shows from the start when we still tested ourselves for Covid before mingling with others - which was a great catch, unfortunately there were cases who then couldn't enjoy the conference. This evening, I've seen the first folks again I've already met the last years as well as new acquaintances. Like meeting Ruth Malan for the first time in person, after following her for a while on socials! Dinner time is perfect for this, checking in with each other, exchanging hopes for the next days. This is also why I love to come early when not as many people are there yet, it really eases me into the conferencing joy awaiting me without the mass of people instantly overwhelming me. 

     

    Training Day

    This year, I did not give an official training myself, so I was completely free for a change which was also really nice. The training sessions I've joined were the following.

    • "Know your tools: git" by Martin Schmidt. Yes, I do know git and used it for a long time. And at the same time, I'm well aware of all the things git also offers that I don't know about. Lastly, I usually always learn something new when joining trainings by other folks as they will structure content differently, explain things in different ways, and so on. Hence, I was curious about what I'll learn from Martin! I really appreciated that he had various modules prepared so the audience could choose what they were most interested in learning about. Same applied to exercises versus theory, kudos to him for listening to people's needs here! Martin had prepared a whole website for the git training with instructions and all kinds of useful commands - such a good resource to take with us. Conclusion: I indeed knew quite a bit about git before and yet I learned about features new to me that come in handy.
    • "Digital Dominoes: Understanding Modern Security - From Supply Chain Attacks to the life cycle of a vulnerability" by Avraham Poupko. Avraham reminded us that while most of software security is a discussion that assumes malice, that there's an evil person on the other side who wants to take away what we consider to be ours, that there's also the side where it's about negligence, like losing stuff. He walked us through the lifecycle of a vulnerability and emphasized that confidence in a company can be really shattered through CVEs - no matter if they are fixed or not. Avraham elaborated on supply chain attacks and what common attack patterns are, how trusted and yet verified sources are crucial. He left us with a few practical action items: security by design, not by accident; patch fast, patch smart; and monitor everything, question anomalies.
    • "The Evolution of Team Co-intelligence: from Knowledge Work to Learning Work" by Diana Larsen. I've been following Diana for a long time on social media. This was my first opportunity to meet her in person and join one of her workshops! It was such a great session. We both learned theory and could instantly apply it in the group exercises, observing the group evolve and grow together. Diana provided lots of tangible advice, and language to talk about and take action on observations we make at our work places. For example, she shared how teams need purpose, autonomy and also co-intelligence to be effective motivated teams. She defined co-intelligence as collective intelligence + collaborative intelligence + trust + learning-centered - sharing ten qualities. We walked through all the steps we have to achieve to really reach high performing, or even resilient learning teams - and as with so many things, it has to start with building trust. Diana made us think of what we bring to our teams, what we can do to build co-intelligence, and what makes learning leaders. All of this has resonated a lot with me and my experience within teams so far.

    After training day, the main conference started with the official opening and the world café. This is a great opportunity to get to know more people early on. This year, we had a different question per room to think about as a group, and these questions went rather deep. Like "If you could send one piece of advice back to yourself from 10+ years ago, what would it be?", "What's a skill you wish you'd developed earlier in your career, but you're glad you're learning now?" and "What's the most valuable mistake you've made in the last year, and what did it teach you about your craft?". Pretty daunting to break the ice and get to know each other! Yet it was great to see people share and open up, trusting this process and the space. I admit, these questions made me realize a few things about myself as well.

     

    Open Space Day 1

    The main conference consists of two open space days. With this conference, this is truly special, as for an open space I've never seen a bigger crowd so far. At SoCraTes Germany, it's usually around 200 people, all co-creating the program of each day in the morning. You never know what exactly will happen, and yet there will be so many amazing sessions to choose from that fear of missing out is high. I learned over the years to just let it happen, go with the flow, and also listen better to my needs to take breaks or tackle a different task that's on my mind. And yet, of course, I also had to propose sessions myself. An open space is just too good an opportunity not to! Especially as this is a chance to test-drive talks and workshops, to pull information from all those knowledgeable participants, to try something out together, to discuss societal topics, and so much more. Here's how my first open space day went.

    • Hallway track: I remember I was tired that morning and I couldn't decide which session I wanted to go to, there were many interesting ones. As it happens, I didn't have to in the end - as I met awesome folks in the hallway and just went with having a nice conversation there. Both insightful and helping my brain relax and ease into the day.
    • "Building Secure Enough Products" by me. I was really curious about what people experienced to be bumps when trying to build secure software, and what they perceived as boosters. Now that I'm in the position of security engineer, this was even more interesting to me to see what we can do at my company to foster a culture where security measures help people accelerate delivery of sound software and prevent the things that get in their way. Loved the engaged conversation and collection of topics! 
    • "Sticky-Business" by Corstian Boerman. Corstian shared a fascinating story with me last year which led to many and more conversations. Because one day, he had found an envelope with a USB stick in his mailbox. This year, I nudged him to host a session to share this story of reverse engineering a USB thumb drive and what he learned from it with more people and was hyped that he agreed to do so! Make sure to check out his slides.
    • "Capture the Flag Together (For Beginners)" by me. I admit, SoCraTes was THE conference where I started these sessions and learned to love them. Like, for real. I've started them as very collaborative, whole group ensemble sessions to find the secret flags and solve these security puzzles together, using Hack the Box labs as our safe practice space. We've already found quite a lot of flags in the last years, and this year I decided to host a beginner session first before continuing the fun discoveries during the evening times. Seems it was a popular idea! Lots of people joined and we enjoyed cracking a few of the starting boxes together in just an hour. Some of these folks then also joined the evening sessions; it seems they got hooked just as I did back in the days! I just love seeing folks having fun learning more about security and ways to get into a system - it teaches us a lot about what we need to do (or should not do) to prevent this and defend the system.
    • "What does non-patriarchal, anti-capitalist* software delivery look like?" by Andrew Harmel-Law (* Intersectional (anti-colonial, anti-racist, anti-classist, anti-sexist, anti-ableist, etc.) & inclusive. We don't just build and run software; we live in our codebases.) What a very interesting conversation on all kinds of company systems and choices to deliver software. Lots of people engaged and shared their experiences and open questions, the challenges and opportunities they see. Quite a heavy topic at this point in the day, and still such a very much needed space to have these kinds of conversations. We will need to continue them and run experiments to find out what we can do to do better.

    Dinner time! Lovely conversations. And it wouldn't be an open space and definitely not SoCraTes, if there weren't evening sessions suggested as well. Well, I was eager to host "Capture the Flag Together (For Adventurers)" sessions, of course! This evening, we spent four hours trying to solve a seasonal machine. We had found the user flag, yet the root flag still eluded us. Getting really tired, we concluded the session by midnight and called it a day, with the intention of trying it again the next night.

    Oh, and it wouldn't be SoCraTes if we wouldn't play games either! Like the already traditional rounds of SET together with my dear friend Janina Nemec and anyone else who wanted to join.

    Yeah, late nights and lack of sleep also come along with SoCraTes for me. Yes, it would be a lot wiser to join those who go to sleep early. No, I still cannot do this. Yes, I'm still (sort of) regretting this every single day after. And yet. It's just so good and such a unique chance during the year.

     

    Open Space Day 2

    In the beginning, it always feels like we're going to have so many days together, so much time to check in with everyone and learn and enjoy ourselves practicing whatever we're up for. And then the second open space day usually comes a lot sooner than expected! Well, here it was, with further sessions.

    • Hallway track: Yep, yet again I started the day opting out from a formal session and instead having a great conversation in the hallway. Maybe I should make this a habit, it really helped my slow morning brain going. This time, we talked about our varied experiences with AI tools. We also wondered about the utter lack of beginner positions these days. I mean, where should all those senior folks that companies are looking for come from in the end?
    • "Navigating Spaces". What a beautiful session, thanks so much to the host for creating the space for it. Lots of people opened up and shared parts of their identity and their struggles to navigate the spaces we're finding ourselves in, even within very open ones. We shared what helped us so far, what tips we tried and more. These ranged from embracing discomfort, doing things anyways, that companionship helps just as well as avoiding assumptions. Looking for the little indicators and signs of shared connection. Really thought-provoking and just wholesome.
    • "Hack the Parrot - Prompt Injection" by Jan Gregor Emge-Triebel. I had it on my list for a long time to practice prompt injection using Gandalf. Finally, this was my chance to do it for real! Loved that Jan hosted this session. We all learned a lot trying to trick an ever-evolving Gandalf into revealing the secret password to us. Such good fun and oh so relevant in our daily lives, as it's getting harder and harder by the day to get around LLMs and other AI tooling.
    • "Micro-retros, macro-retros, ad-hoc retros, continuous improvement" by Diana Larsen. Diana introduced us to lots of advice and tips on how to really achieve continuous improvement. Instead of waiting two weeks, we can include very brief retros in our everyday work. Sometimes, we need more folks to come together and reflect, not just our teams. Sometimes, we need additional retros on demand. Yet what matters is that we really activate our own learning by finding the right cadence, learning at the right scale, learning as frequently as possible, and continually improving.
    • "Getting into Security - Career Options" by me. I didn't plan to give this session, yet I was kindly asked to do so by another participant. How could I say no? I wondered if it would be interesting for more people, and then quickly realized - yes indeed, it was! Didn't expect so many folks to join and listen to me sharing my own journey into cybersecurity. For me it was also great practice in impromptu improvised storytelling - such a good skill to hone. It was great to realize that there's real interest, I might end up making a full session out of it. People appreciated me sharing my non-traditional way into tech and security, daring more as I went. They asked lots of questions, like what my everyday job looks like, about penetration testing, about certificates, and much more. And I was totally blown away when one person shared that I'm THE security person for them, given my history of bringing security sessions to SoCraTes. Just wow! That's also the beauty of an open space: be prepared to be surprised. 

    As the main part of the conference ended, dates for the upcoming sibling SoCraTes conferences were shared. The organizers were so kind to allow Janina Nemec and me to also plug our own open space conference, the Open Security Conference - which originated at SoCraTes 2023 thanks to Claudius Link. In case you're curious, registration is still open - maybe see you in October!

    After a lovely dinner with my dear friend Thierry de Pauw and their daughter, it was time for evening sessions again. And, how else could it be, a bunch of courageous adventurers dared to look for the secret root flag in another round of "Capture the Flag Together (For Adventurers)"! We can proudly report, we did get it together within around 90min. And then we talked for another 90min. And then we got curious about further Hack the Box challenges, like for mobile. As the first one was really straightforward, we dared more. And ended up sitting long past midnight to de-obfuscate a piece of decompiled software to finally also get that flag! Many, many thanks to every single one for joining me on these fantastic journeys. I really cherish going on them together with you all.

     

    Workshop Day

    The final day of SoCraTes is dedicated to workshops everyone can propose and host. I've often joined the code retreat this day, yet this year, Martin Schmidt, Philipp Zug and I wanted to host a session on our own security card game, one of those other endeavors originating at SoCraTes. Last year, we hosted a session to introduce the game to people and received lots of great input. This year, we wanted to show our progress and test out the new additions like reputation and game scenarios we've added. We had a small but lovely group who were super hyped about this game as it initiated such good conversations on all things security, and stories to share. Two of our participants even shared that the current state would already be good enough to use in workshops! Such lovely and really encouraging feedback. Once again, more ideas were gathered, and we'll continue working on this leisure-time, low pressure and fun side project.

    In the afternoon, I had planned to join another workshop, yet things turned out differently. You know, as they tend to do at SoCraTes! Instead of another workshop, I had wonderful conversations with various folks keeping me company. Talks about organizing conferences, company cultures, career choices, computer games, creating IDEs, and so much more.

    The day flew by, and more and more people left the event, going back home. As usual, I chose to leave the next day only, as this way I could ease out of this awesome conference space and still enjoy the company of the last people standing. The last years, we've found various fun activities to end this last day. This year, things happened differently. After having dinner, my table round got small, down to two people. And then it grew again organically with more and more folks joining in over the course of many hours. We had a wonderful round of around eleven people, mainly having a group conversation about anything. People showed their pieces of art and craft. People shared fun stories. We talked about the past and the future. Or sat silently with each other at times, just enjoying our company and being there together. And as the night grew longer, the group grew smaller again, until we finally also went to bed.

    A very wholesome ending to a wholesome conference.

     

    All in All 

    My huge thanks go out to so many people I've met again this year, and many people I met for the first time. You all know who you are. You are all awesome at co-creating this place together. My special observation this year was that this time, I didn't have to spend energy on calling out unfortunate behavior, calming down dominant voices taking up all space, and instead holding space for everyone to share. Or non-inclusive language and the like. This year, folks were really considerate, at least in the bubbles I've been part of. It just felt good and allowed us to spend our energy on things we wanted to spend it on. This was a real glimpse of how it could be.

    Did I mention this conference offers and encourages physical kudos cards? Years back, I was hesitant about this. Nowadays, I absolutely love them. It's such a fascinating thing to give someone a kudos card, thanking them for what they did or who they are, and seeing their eyes light up. It's incredibly touching to receive those cards as well. I hold mine dear over years to come.

    Another thing I've noticed is that more and more folks seem to bring security-related sessions, and I love seeing it. We have even created a new channel for us security enthusiasts on the SoCraTes Discord, and sharing doesn't stop just because the conference ended for this year. I think we have something going on here. This crowd really likes to learn more and do better. And as always, they continue realizing they do know a lot that helps on this journey. Personally, the collaborative capture the flag sessions are really the banger. They bring all kinds of people together, create a great atmosphere, and facilitate us learning so much from each other. Going through frustrations together and also celebrating our wins. Just awesome and wholesome. 

    I'm still processing all the insights and inspiration and energy I once again gained from SoCraTes. This conference has a fixed slot in my calendar also for next year. Therefore, my final shout-out goes to the organizers: Huge thanks for creating this wonderful space for all of us every year again and again! It's been awesome and getting better every year.