It's been my third time at SoCraTes this year. I'm very grateful that the organizers invited me as trainer once again, enabling me to come and experience this wonderful community event. It's been a blast. I've met lots of folks old and new, and enjoyed both casual and deep conversations. It was a pleasure exchanging experiences and knowledge. I've had a safe space to practice deliberately and hone my skills together with like-minded folks. Everyone growing, everyone at their own pace, everyone together.
Arrival Day
On the final leg of the trip to Soltau there are usually the first conference folks to meet. Perfect time to ease in and brace mentally for lots of peopling the next days. This time I had a really nice chat with Martin Schmidt and Juke Trabold, catching up on all things.
Once arriving at the hotel, more reunions were to be made. You could feel that everyone was excited it's finally this time of the year again, full of hope that good things will happen. Also, this conference takes inclusion seriously, and a big part of that are health concerns. They require on-site testing for Covid before even entering the hotel. Once cleared, we settled in and prepared for the first dinner together.
For conferences, I really enjoy meeting fewer folks at a time by arriving earlier than most people. It really helps me manage my load and have more quality time with folks. This night especially with Thierry de Pauw, their son, and Jana Fuerchtenicht - loved our conversation! And it was so good to see Micha Kutz again.
Training Day
SoCraTes is an unconference at heart. For three years now, they have offered an additional training day with a more classic structure to provide foundations and to ease new folks' way to join the open space without knowing the exact program before. I assume this also helps with selling the event to their companies, especially if they never had the opportunity to experience the magic of such an unconference before.
Personally, I'm very grateful that I got invited as trainer for the third year in a row. And this time with another topic that's dear to my heart: security! It was the premiere for my brand-new workshop "Secure Development Lifecycle Applied - How to Make Things a Bit More Secure than Yesterday Every Day".
But first things first. In the morning, I joined Marit van Dijk's "Code Reading" session. Now, this wasn't a new topic to me, as we both are in the same code reading club. That being said, it's always good to practice this skill - we read code way more often than we write it! Thanks to exercises from Felienne Hermans it's fascinating to learn more about your own understanding and mental model of code you read, no matter in which programming language, and especially what other people around you perceive and think. Also at SoCraTes, this session was a blast! Loved how people engaged and shared their own interpretations and pieces of knowledge which really helped figure things out together. There's always something new to learn in these kinds of sessions. If you want to learn more about this whole topic, Marit offers a whole page of resources on reading code that's worth checking out.
Next up, I joined Thierry de Pauw's training on "Trunk-based development for regulated environments". Very relevant to me as I'm working on a regulated product at my current company. I've had the pleasure of reading lots of Thierry's excellent articles on the topic, like "The Practices That Make Continuous Integration" or the "On the Evilness of Feature Branching" series. Already the beginning of their training resonated a lot with me. Thierry shared how often organizations conflate their approach to regulations with "regulation" - which is not the same thing at all! They pointed out that what folks mostly want to see is "do you do what you say you do", and the more rigorous ones add to that "get two people to look at it" and "have an audit of what happened". Thierry showed throughout their training how regulation and continuous integration principles aim for the same thing: risk reduction. They also emphasized that the deployment pipeline has three purposes: every part of the process is visible, it improves feedback, and it empowers teams. We also had the opportunity to craft our own pipelines using Emily Bache's pipeline game and a scenario as constraint. Lots of great conversations emerged from that!
Finally, it was time for my own training. Lots of people joined, more than I hoped for. It's always exciting to give a workshop for the first time at a conference, you never know if things will work out regarding the general concept - while the audience will always differ. I'm thankful to my dear InfoSec colleagues Tarik Kobalas and Honey Susan Kurian for their input which helped me improve the workshop before this first edition. Based on the feedback received from participants, I can say it went well! People enjoyed their time learning about threat modeling, secure coding principles, security testing approaches, and how we can detect malicious activity on our production systems. I'm already looking forward to the next opportunity to give this workshop.
After the trainings ended, it was dinner time. Loved the conversation with Michelle Avomo and her partner. It was a pleasure to reconnect with Claudius Link and Janina Nemec, two of my fellow organizers for the upcoming Open Security Conference, an idea that started at last year's SoCraTes. Playing the game SET together, of course! Just before that, we had a nice world café session as the official opening to the main conference. Three rounds with different groups of people, exchanging what brought us to SoCraTes, what this conference means for us, how we widen its impact. I met lots of first timers this way and we had a good time together.
Open Space Day 1
After a wonderful introduction to the open space and its principles by the amazing Juke Trabold, the first marketplace started and people began to queue up to share their session ideas and build the program together. Once again, it quickly became clear: there will be tons of interesting sessions, and I will only get to see a fraction of them. That's the beauty and the pain of any multi-track conference, yet for big open spaces like SoCraTes, it's showing even more. On the bright side of things, there will be sessions for everyone, no matter which topic, format, or experience level. We can all grow and learn from each other.
Here are the sessions I've joined. If you're interested in what other sessions were offered this year, check out the schedule.
- "Priorities, Priorities, Priorities" by Yorgos Saslis. So many things compete for our attention and claim to take priority - so how to decide what to do next? This challenge resonates a lot with me as it fits to the experience of nearly all the teams I've been at, and never so much as in my current team. In this session, people came together and shared their approaches of gauging what to tackle first, what's the most valuable thing right after - and to communicate accordingly and manage expectations. Wardley maps were brought up to help decide what to build ourselves and what not. An approach that stood out to me were business decision records - basically architecture decision records (ADRs) for business to document the reasoning of decision making at that time. If circumstances changed since then, we know more clearly if we can change the decision as well. The cost of delay was mentioned to help prioritization; I like to think of opportunity cost yet costs like this should be considered as well. People reminded each other that value is not always money, enabling or unblocking another team provides value as well.
- "Making better decisions as a group" by Tobias Mende. After thinking about prioritization, this seemed a fitting session to continue with. Tobias gave a dry run of his upcoming new talk around collaborative decision making. I really relate to him sharing that poor decision making is costing companies a lot - seen that too many times when we sunk too much time and effort into a feature that didn't return the value we hoped for before pivoting (sunk cost fallacy, anyone?). But how can we make better decisions, together? From the options presented, two stuck out for me: consent with integrative objecting handling which focuses on said objections, and systemic consensing which brings forward the resistances of various levels that exist within the group. Tobias encouraged us to make decisions smaller, safer and more often - I can't agree more.
- "Security card deck game" by Philipp Zug, Martin Schmidt and me. It was time to present our security card deck game project to a wider group, for the first time! Where better to share this than at SoCraTes, the very place the idea originated at? We were stunned how people showed up to see what we created so far. Philipp presented the background of the project. Martin demoed a first round - and we already received so much valuable input and lots of ideas how to evolve the game further. The crowd seemed to like the idea a lot, it was really encouraging to see such interest. We are also happy to have gained a new contributor in Julian Michelmann and are curious where the game will end up until SoCraTes 2025. Stay tuned!
- "Capture the flag together - Security Testing" by me. I had already given this session at SoCraTes 2023 which made lots of enthusiastic folks show up and ended up in many fun follow-up sessions throughout the conference. Therefore, I was eager to bring this session to this year's edition just as well. I hoped to find again like-minded folks to practice security testing in a collaborative setting. You can imagine how happy I was when lots of people showed up once again, some from last year, lots who had not joined yet before. We had good fun practicing on Hack The Box!
- "Baba is you" by Marco Emrich and Michel Grootjans. A few days ago, someone had mentioned a game to demonstrate and teach the mechanics and practices of ensembling, aka working on the same topic, same place, same time, same computer together. That game is Baba Is You, an endearing puzzle game that I can only recommend trying out yourself. It's been interesting to watch group dynamics unfold as the ensemble tried to work effectively together and solve the puzzles.
Dinner time! Yet beforehand, it's time for folks to announce what sessions they offer for the evening. Because the conference doesn't end as long as people don't let it! Lots of fun options were presented from playing boardgames, doing sports, learning Rust, solving coding katas, to whatever you can imagine. Well, SoCraTes 2023 taught me that I love doing capture the flag exercises in a collaborative setting, and that I find lots of enthusiastic people here to join me. My afternoon session confirmed that once again, so I offered to do even more of this in the evening. I was stunned how many people joined the evening edition, even a lot more than in the afternoon! We had such a good time. Just as last year, it got late! We didn't care, it was a blast.
Open Space Day 2
The second day started, another marketplace took place, offering even more awesome sessions to join. I took it slower in the morning and allowed myself to be kind and not join the first slot, yet rather engage in conversations, and prepare for my first session as facilitator.
- "Smart Workshop Setups (Pull)" by me. A pull session in an open space is where you ask folks for their expertise, knowledge, or help on a topic you'd like to learn or a challenge you're facing. In this case, I decided to pull for support on smart setups for technical workshops, especially if it requires a more complex setup while folks might not be able to prepare a lot in advance. How to make these workshops as accessible and welcoming as possible so people can quickly get to a working setup and focus on the actual practice content? This is especially relevant for my next workshop on "First Steps in Mobile Security Testing"; my original setup idea unfortunately does not work out anymore, and while I have ideas how to make it work, I was curious what other folks would suggest. Lots of great ideas were gathered! I'm grateful for people taking time. I'll ponder more over them the coming weeks and might share more after said workshop. For now, let me say that pull sessions are awesome.
- "Next Level Spring Boot for Hipsters with Kotlin" by Chris Welcz. It's always interesting to see what tools, libraries and approaches other folks use. In this case Chris demonstrated his usage of Kotest providing convenient test structuring and property testing capabilities. He also showed his preferred mocking library Mockk. You can find examples in his hipster-tdd and kotlin-beer repos. Good input to consider for the Snack Shop project I'm collaborating on!
- "Passion Personality Test" by Gabrijela Hladnik. Models are flawed, and some can be helpful - especially to reflect about oneself. That's how I see personality tests as well - flawed, sometimes helpful. Gabrijela presented the personality test from Clarity on Fire around different passion profiles and how it helped her. This was the starting point for a very insightful conversation about personality tests as such. How much do we box ourselves in? Are labels we put on ourselves helpful? Why shouldn't we use tests to categorize others? How can companies misuse these kinds of tests? Which tests have scientific research as background, what are the driving motivators behind them, and especially what systems of oppression do they foster? Lots of food for thought.
- "Securely saving passwords" by Fabian Blechschmidt. In one of my capture the flag sessions we came across the topic of rainbow tables, which inspired Fabian to give a talk on passwords and ways to store them. A great session to recap hashing algorithms, rainbow tables (of course), salting and peppering, and key derivation functions. Always good to brush up on foundations!
This concluded the open space part of the conference. It's traditionally
closed with a retrospective. We had a really great conversation in our group,
with lots of highlights and lots of things we'd like to see improve - and how
we as participants can help improve them. Especially for an unconference,
participants are essential to co-create the conference. This means that
participants are also responsible for creating a safe and inclusive space and
taking care that everyone gets that safe space to contribute if they want to.
We collected various ideas for how we can do so better. These ranged from how
to notice that I am overtaking a conversation and should shut up to give
space, to ways to navigate a dominant conversation among few people and open
it up to the rest of the room, to options to indicate to the whole group that
space is lacking and we're currently not hearing everyone who might want to
contribute.
Dinner time again, and then - who would have guessed - capturing even more
flags together! Yes, as evening session hosted by me. And once again, folks
came and tackled a fun challenge together. We built on the knowledge and
approaches we learned about the day before, we tried a lot of things, got
closer, got stuck, took hints, moved forward - and in the end found the flags.
What a learning journey! A late night one as well again, yet so much worth it.
Many, many thanks to everyone who participated, it was a real blast. Can't
wait for more of these sessions next year!
Workshop Day
The last day arrived way faster than expected - time is flying at conferences like these. Traditionally, the last day is the workshop day, where people offer hands-on sessions of various lengths throughout the day. Already being very tired, I skipped the marketplace - I knew which session I wanted to go to this year anyway: the Code Retreat, hosted by Janina Nemec and Micha Kutz. I ended up arriving late, and already felt bad when entering the room seeing all tables being full and everyone being deep into the first exercise. Huge kudos to Janina and Micha for welcoming me in, recognizing my struggle and going to lengths for making me feel it's okay to stay and still join in. That mattered a lot to me and helped calm my brain down. Micha arranged a new table and offered to pair with me (thanks so much!) - until even more folks joined, and space was made for them as well.
Time to focus on practicing hands-on together in pairs. We tackle the challenge of Conway's Game of Life, which can be solved in countless ways so you will always learn something new in each round. Programming language, approaches, modeling, communication, and so forth. Always using TDD, and usually having additional constraints to consider each round. Always deleting the code at the end of each round and starting all over again with the next pair. There's a lot to learn about oneself as well in this exercise! In our case, we were given the constraints of strong-style pairing, then we were allowed at maximum one level of indentation, then we tried it as ensemble, and finally the rules changed. In my last rounds, I was part of a small ensemble together with Janina Nemec and Hadrien Mens-Pellen. I loved it as we brought up any misunderstandings as they arose, clarified them instantly, and aligned quickly on the way forward - super effective! We also made use of the Code Retreat card deck designed by Janina, and we pulled the card to use Object Calisthenics as our constraint during these rounds. Overall, I can really recommend joining code retreats; no matter which level of experience you currently have, you can take a lot with you from them.
To add to this: We were all really, really tired. That alone can teach a lot
of lessons about ourselves, and how we cope with stressful situations then.
Each round was challenging in its own way, one was especially challenging for
me emotionally. I for one learned again that kindness, respect and
consideration go a long way - for each other, and also for oneself. Very
grateful to both Janina and Micha for granting us this space!
After the code retreat ended, many people had to leave the conference while some like me stayed until the next morning. We were all tired, so we decided to break things up a bit and get some fresh air. We went on a short walk in the beautiful moor surrounding the venue, visiting the famous Heidschnucken, moorland sheep from northern Germany. I was glad to get the chance to see them this year as I've missed out on them the last two years.
We had dinner, we had more conversations. People decided they still had the energy to come together for a round of lightning talks - some of them short like lightning, some rather ending up as longer thunderstorm sessions. All of them great! We learned about IntelliJ IDEA's AI assistant from Marit van Dijk, how cognition principles apply to software from Corstian Boerman, how things that start in noise get organized over time from Martin Schmidt, and about the power-law distribution and Adam Tornhill's work detecting it in code from Christoph Kober.
Even more tired, we decided to play What Beats Rock - which stuck with us for the rest of the evening until we finally called it a day.
Departure Day
Last chance for final conversations and final goodbyes. Everyone super tired,
everyone very happy. The post-conference blues was being held off a bit longer
while chatting on the train. More ideas were exchanged, plans for next year
made. Until we finally had to part, taking a lot with each of us from this
wonderful community space.
My head is energized due to new inspiration and ideas what to try. My heart is
full of connections and the community spirit we experienced. My soul is calm
thanks to the validation received through feedback and kudos cards, and
smiling thanks to all those folks for whom I wrote kudos cards myself.
Physical kudos cards are such an awesome concept! I'm ever grateful for each
person who took the time to write a kudos card for me this year, you really
make this conference even more special to me, and I can't even tell you how
much your card means to me.
Next year, this conference will be a month earlier than usual. I plan to be
there. Looking back at what happened between each SoCraTes instance I've been
at since 2022, all the good stuff, all the growth, all the strong connections
- I'm already curious what will happen until 2025.