Tuesday, December 16, 2025

2025 - The Year in Review

What a year! Just like many others do, I use the end of the year to look back at what happened and acknowledge both achievements and struggles. I've written lots of those reviews over the years and this practice helps both present and future me see how things evolved over a longer timespan. So, without further ado, let's get to it.


Professional

  • The biggest change of 2025 for me was that I started at a new company in a new role. It's now nearly a year that I've been working at DocuWare as a security engineer in a central enabler team focusing on product and cloud security. This kind of role change was and is huge for me, especially as I realized that I didn't only dare to try something different: I could indeed contribute a lot of the experience, knowledge and skills I've built up over my career in this new, more focused area. At the same time, there's a lot more to learn and grow into, and I love that I continue to be very intrigued to do so.
  • For the first time, I've done third-party product security assessments myself instead of asking our security team. Well, now we are the security team! It's been a really nice topic to get hands-on with very early on in the new role.
  • I've done threat models and security reviews before for my own teams. This year, however, I've done them for and with a bunch of our engineering teams - which required building up a lot of context in very little time, again and again. I love that my teammate and I continuously experimented with even better ways to do threat modeling and make it a beneficial experience for everyone.
  • In a cross-team collaboration, we've provided a convenient pipeline template to scan for vulnerabilities that teams could plug in easily and quickly to get going. It's been picked up widely and the feedback received was pretty good throughout the year.
  • I've conceptualized our very first security champion program, we refined it in our team, and we managed to get buy-in from stakeholders very quickly. Another personal achievement here was that I've repeated the same presentation for all our team leads of all domains - 7 times in 2 days in 2 languages. Personal high score! The potential champions are currently learning about the pilot we want to run so they can make an informed decision whether they'd like to opt in from the start. Next year will be super interesting in this regard.
  • We've grown a lot in the team, individually and as a team - even a lot quicker than I've observed this with other teams before. And it shows: we're having very different conversations now than we had at the beginning of the year. Everyone is sharing transparently, acting as sounding boards, truly collaborating - I just love seeing this. We've become more resilient, faster in our feedback, a lot more intentional and strategic in what we spend our time on and how we approach situations. I'm very grateful for my team, including our manager, and that we can continue to improve together!


Community

  • I paused speaking at conferences during the first half of the year to start at my new company without overloading myself or overburdening my new team. Therefore, I've only spoken at 3 conferences during the last months of this year, including once more at a new conference in a country I hadn't spoken in before. Until now, I've had 110 speaking engagements overall, 51 of them conference sessions, given at 28 conferences, in 13 countries. Truth be told, I'm still amazed at such numbers, and I need to see them in front of me every end of the year to realize this actually happened.
  • Sadly, I had to cancel my very first speaking engagement this year due to a sickness that I just couldn't risk spreading at a conference. Hence, I didn't make it to my first Øredev - yet. On the other hand, I've been super fortunate that this was indeed the very first time I had to cancel an engagement since I started public speaking in 2017!
  • I co-curated my first dedicated conference track - the security testing deep dive track at Agile Testing Days, together with Kristof Van Kriekingen and Santhosh Tuppad. I loved that we could give the stage to lots of awesome folks and offer the audience a whole variety of insights this way!
  • So far, I've given lots of workshops at conferences - yet this year I managed to give my first one at a security conference at BSides Munich!
  • I acted as session chair for the first time at BSides Munich - trying to do sketchnotes at the same time. Phew, that combination was tough, yet I made it. Definitely a first timer for me.
  • Including this one, I've written 11 blog posts this year - more than I expected. It didn't feel like I was writing much during the year, probably because I originally planned to write a lot more. Well, reality kicked in and I chose to prioritize other topics, so there was no energy and capacity left for writing much. Yet 11 posts aren't too bad after all.
  • We had the second edition of the Open Security Conference and it was both a big struggle to make it happen and a huge success! I just loved seeing folks enjoy themselves thoroughly in the space we co-created and share their own experiences out loud on social media. Very much looking forward to the third edition next year! Fingers crossed we learned enough as an organizer team to make the third one go smoother.
  • I've started my very first CTF team together with Mireia Cano and Martin Schmidt, joining our first official CTF competition. We continued practicing throughout the year, even saw each other in real life at a conference for the first time. Just love that we have this small, safe group to learn together by solving security challenges!
  • The security card game that Martin Schmidt, Philipp Zug and I are building is still alive, and while we're deliberately keeping the pace slow, the game grew both in concept and in content. We had a chance to showcase it at two conferences this year and gain further feedback and ideas - it's just a celebration in itself that we continue to work on this for so long now despite it being a pure leisure time, slow project. It's one of those rare sustainable ones!
  • Last year, Shiva Krishnan and I started a series of leadership workshops with our very first community cohort. We really struggled to get this going last year, and the beginning of this year was no different. We nearly reached the point of giving up and pivoting. Yet then our small cohort fully engaged and we actually made this happen! Super proud we pulled through in the end and had the impact we hoped for, even though it wasn't easy most of the time.


Personal

  • In my volleyball team, we managed to move up a league in spring and started in the higher league in fall! Super proud, and we're already learning a lot given our new challenges.
  • Another volleyball highlight, and an extremely rare one: together with our seniors' team, I had the honor of joining the German senior championships! Yes, it's as wild as it sounds. Well, we got very lucky as there weren't many teams in our region for our age group, and yet: this was a true once-in-a-lifetime event. Playing against former premier league players, or even the dream team of former national team members, is truly a unique experience you could only dream of. Refereeing such games is just as special! This was a true rollercoaster of emotions and I wouldn't have missed it.
  • Over the last years, I sustained several small but persistent and annoying injuries restricting my range of movement and affecting my quality of life. I picked up custom training to help me get back into better shape, and it paid off massively. For example, I can finally kneel again, which wasn't possible for nearly the whole year. In a bunch of other areas as well, I'm super happy that I managed to take care of my health a lot better this year.
  • I finally started to relax a bit again. It didn't work all the time, there were plenty of stressful and packed phases, and yet. The constant tension and anxiousness faded. Lots of people from all parts of life noticed that something changed compared to last year for the better, and it's been very clearly attributable to my change of workplace. I found my optimism again and rediscovered the joy in doing what I'm doing.
  • Lastly, I managed to complete another personal challenge. This year's Calm and Steady endeavor was truly very personal. While I still have lots of stuff to work on, I did take things easier and celebrated when I noticed that I've been kinder to myself. I took more time for myself. Sometimes just to do... not much of anything. Or just things that I like doing for no other reason than that I like doing them. The best part here was being on this journey of reclaiming time and catering to our needs together with my best friend aka sister, holding ourselves accountable with each other. If you happen to read this: Thank you so much for all the wisdom shared in tough moments, all the reminders of taking things slower (yes, even slower than that), all the encouragement and reassurance that this is a basic need and not selfishness. I've already shared this with you, yet let me repeat it once more: without you I wouldn't have taken as many interpersonal risks this year and I'm both proud of you and very grateful to have you in my life!


Enjoying the Last Weeks of the Year

This year was a really good one for me, and I'm truly grateful. No one can choose what might happen during a year and I've been blessed. Special thanks and kudos go out to all the amazing people who shared my journey this year in little and big ways - you all made it so much better.

Now that it's the end of the year, some chores are coming up that I usually do over the holiday season. There are new conference proposals to draft so I can submit them at the beginning of the year - I've already preselected conferences I'd like to try my luck with in 2026. Finally, there's my next personal challenge to commit to and pour into written form so I can share it, make it real, and make it happen.

But whatever task awaits, I'm doing my best to enjoy this time of reflection and thinking ahead. And that includes that at times I'm just doing nothing, resting, playing games, exercising, whatever. I'm ready for what's to come in 2026!

Saturday, November 29, 2025

Agile Testing Days 2025 - Taking Things Easier

The last conference for the year is done! I just love having Agile Testing Days as the one to close the yearly conference speaking season. I'm clearly biased with this event as it's been my first conference ever back in 2015 and it has a special place in my heart. Usually, I try to catch everything and everyone at this conference which can go close to 24/7. This year, I managed to be kinder to myself, stay calm instead of feeling I'm missing out, and take things a lot easier. Surprise, it really helped and I feel way better afterwards.

Another specialty of this year was that together with Santhosh Tuppad and Kristof Van Kriekingen we curated the brand-new Security Testing deep dive track for the conference. We intentionally included a whole variety of sessions from diverse speakers of different backgrounds to showcase how broad security can be and where people can find themselves to learn more, and also to get them into contact with actual practitioners. I made it a point to attend the complete track myself - there's a reason we selected those topics after all. Especially on the first, busier days the room was full and people engaged with lots of questions; I just loved seeing it. Looking back, I'm pretty pleased with how the track turned out.


Arriving Early

For a change, I decided to come a day earlier this year, already on Saturday, and it turned out to be the right decision after some pretty hectic, wild and especially packed weeks. Having that one day to just do whatever I wanted was awesome. I decided not to mingle yet but have a calm dinner on my own, then retreat and follow up on a few things I hadn't managed in the last weeks, then get as much sleep as possible before the busyness of Agile Testing Days.

Sunday started just as awesome with a nice walk to Potsdam and grabbing hot drinks and cake at a lovely café with my dear friends João Proença and Rita Avota. We decided to keep things relaxed and went to dinner together - right after which we encountered a whole group of Agile Testing Days people on their walk back to the hotel. Every year I love seeing how folks cheer when they see each other again; there have been some real friendships made over the years and it fills my soul.

The evening continued with more people and more conversations at the hotel bar, catching up or freshly getting to know each other. Just a perfect prelude to what's coming.


Tutorial Day

Every year, I pick a tutorial, always on a different topic that will either help me broaden my horizon or allow me to practice among peers. This year, the tutorial I originally chose couldn't take place, yet I did get a place in my second pick: "The art of crafting your custom tools" by Bart Knaack, Huib Schoots, and James Lyndsay. It was a good choice indeed! The tutorial offered both inspiration and concrete examples of what useful tools to build and how. I appreciate that we got a whole section on building our own tool and help from each other on how to approach it. Admittedly, I wasn't at my best that day - yet this tutorial also helped me reflect on why that might be and what I would need to get back to a better spot. What I appreciated the most from the facilitators' side is that all of them faced hiccups during the day when presenting, and they were open and vulnerable about it. They shared their feelings when they were frustrated or nervous and helped each other out to get back on track - leading by example.

After the tutorial, the conference was officially opened. Santhosh Tuppad gave the first keynote on "Simplify to Amplify: How Slow Living Enriched My Soul". He reminded us of how much anxiety we can build up when we keep running - yet for what? Slowing down can help us actually live our lives and focus on what's important to us.

After the keynote, it was time for a photo session with all speakers on stage, and right afterwards we went for the speakers dinner. This year, we had a lovely new restaurant to spoil us with lots of awesome treats. I absolutely enjoyed my time with my fellow speakers, and also connecting with folks I hadn't met before. I'm really grateful for such a generous start into the conference. Afterwards, I managed to go straight up to my room instead of continuing to socialize - a great idea to preserve my energy better than in previous years.


Conference Day 1

The first conference day usually starts earlier for me as this is my chance to catch a lean coffee session - the following days I would already be too tired for it. So here's how it went.

  • Lean coffee with Ashley Hunsberger and Lisa Crispin. I just love lean coffee as a format to gather and discuss topics that are most important to the people who are present at that moment in time. This time as well, we had lots of interesting topics to talk about, like how to convince folks to give open space conferences a try, how to implement consumer-driven contract tests, what to do after being laid off. My own topic was voted on as well: what’s one security issue you see over and over again? Lots of familiar issues were gathered, from plain text passwords being transmitted over the wire or committed to version control, to default passwords and configurations opening doors to attackers, to lack of authentication and authorization in way too many places.
  • Keynote "AI-Driven Quality Engineering" by Jonathon Wright. While I usually take sketchnotes for talks I attend live at on-site conferences, for this one I took it easy and preserved my energy.
  • "How Accessibility is Security" by Ina Tsvetkova and Jaunita Flessas. I love how both speakers demonstrated how to make talks more accessible by activating live captions. Very on point for the talk! I really appreciate that these two were the first ones to not only talk about usable security, but to really combine accessibility and security issues, which ultimately raised the need for security by inclusion. This talk triggered lots of thoughts for me, and also things I can take right back to work with me to check for and raise awareness of.
  • "Dark OSINT: I know where you live" by Kristof Van Kriekingen. This talk was just a perfect case of leaving people appropriately and properly scared. And at the same time massively inspired in what good we can do in the world with our current skill set. Amazing delivery as well! Absolutely loved it. I had a sneak peek of this session already at this year's Open Security Conference, yet being a co-organizer I couldn't fully focus on it - no problem this time!
  • Keynote "Testing Transparently" by Elizabeth Zagroba and James Lyndsay. A very special keynote which didn't waste any time getting to the gist of it: live testing on stage. I loved the energy of both of them together, demonstrating what things can look like as a tangible example we're too often missing out on. Very happy about this being a keynote - as more people need to get inspired by how pairing can uncover a lot of useful feedback in a short timeframe.
  • Workshop "Start Hacking Today (For Beginners)" by Anass Ahmed Ali. Anass had a really nice pace for people who are just starting out in tech and specifically security. I really like that he didn't assume technical literacy or a specific level of knowledge. He introduced us to breaking into systems using the very accessible analogy of a house, and demonstrated approaches to learn more and find ways into this system. The workshop paved the way for people to practice on their own afterwards, and also to get an impression of what malicious actors might do so we can detect their activities.
  • Keynote "The Agentic AI World is Already Here... Are You Ready?" by Martin Hynie. Martin shared a true story from his journey with AI systems and LLMs in particular, what to look out for and what to focus on. It's always good to learn about real-life examples like this.

During the evening of the first conference day, it's usually dinner and party time. This time, I took it easier as well, and opted for an alternative program: a calm dinner at a restaurant outside the venue with a small group. Absolutely lovely and recharging my batteries. Once we returned, the party was still on, and I enjoyed lots of smaller conversations with various folks in the calmer hallway. A very special bonus for these evenings are the ATD Late Night Munchies - a Snack Exchange initiated and facilitated by Sophie Küster. She encouraged participants to contribute by bringing sweets and savory treats from whatever region they came from and enjoy each other's delicacies together. Just brilliantly wonderful.


Conference Day 2

The second day was on. Being pretty tired already, and remembering my goal to take things easier this year, I decided to skip the morning keynote and rather catch more sleep. The good thing is that certain talks, like all keynotes, were recorded, and with the online pass we can still watch them within the next six months.

  • "VNCPhish: How Hackers Pwn Users Despite MFA" by Yvonne Johnson. I just love that Yvonne agreed to give this talk here as a subset of her keynote from Open Security Conference 2024. I knew it would be awesome, and I wasn't disappointed. She explained a rather complex topic in simple terms and made it both comprehensible and tangible for us. I loved that she also demonstrated live how easy it can be to gain access to another person's system through MFA phishing - I've heard people around me share how they now have to check their own systems at home for proper access policies to prevent this from happening. Very cool session!
  • "Reimagining DAST: Integrating ZAProxy into Web Testing" by Sara Martínez. Sara introduced us to dynamic application security testing and demonstrated where it is left weaker than it could be, and how combining it with usual web testing scenarios can uncover its actual power. I love that she demonstrated her framework for this and made it open source so we all can take this inspiration with us! Very cool talk and so applicable.
  • Keynote "Practical Application of the Modern Testing Principles 2.0" by Melissa Eaden. I really appreciated Mel showcasing actual applications of the modern testing principles and hence bringing them closer to our realities. I loved her stories demonstrating what we can do for real to get us closer to a good state. Very practical for any kind of change you're trying to effect. Super well delivered as always!
  • Workshop "Secure Development Lifecycle Applied - How to Make Things a Bit More Secure than Yesterday Every Day" by me, co-facilitated by Santhosh Tuppad. I loved having a variety of folks attending the workshop, from people having their first touch points with security to those who already brought some experience. It seems they enjoyed practicing what they can do from idea to production to bake security into the product instead of sprinkling it on top of the cake at best.
  • Keynote "Air Fryers, Automation, and AI" by Angie Jones. Angie is one of the best keynoters I've witnessed so far. She didn't disappoint this time either! I really like how she provided a point of view that was both opinionated and nuanced on what's currently happening, plus her personal advice on how to do good work with new tooling at hand. This keynote reminded me of her keynote a few years back when she told stories of how musicians had to adapt to new technology; this one used chefs as an example. The key message basically stayed the same - yet it seems people still need to hear it. I also loved how she responded to a critical (and very valid) question from the audience with such integrity and in such a constructive manner. We all can learn from Angie.

After the formal program there was time for a short dinner, and then the evening sessions already started. I chose to go to the Open Space hosted by Alex Schladebeck and João Proença. I love open spaces and really appreciate that this was an option to integrate into a very busy conference program. At first, I thought I wouldn't have the energy to propose a session myself. Yet after attending Anass' hacking workshop the day before, I decided to give it a go and suggest my "Capture the Flag Together" session for beginners, to offer people a practice option to take their first steps in security / penetration testing: getting into a system and finding secrets (aka "flags") that we're not supposed to see. All that in a collaborative manner as an ensemble, bringing in all our knowledge and trying out our ideas together. People came indeed and we spent the open space seeing how far we could get. Unfortunately, the time slot at hand was rather short, so I couldn't see any other sessions.

Nonetheless, I spent the rest of the evening with lots of conversations with lots of amazing folks - as usual, gaining new inspiration from experience exchange on basically everything. Definitely one of the best parts and main arguments to go to an on-site conference that intentionally gives space for this to happen.


Conference Day 3

The final conference day arrived. Being really tired by now, I decided to repeat what helped me the day before and skip the morning keynote.

  • Workshop "API Hacking using GPTs" by Santhosh Tuppad. He introduced the audience to API security testing in general and the impact security flaws can have. Afterwards, Santhosh demonstrated how AI tooling can help with API testing and security in particular.
  • Keynote "Orchestrating Chaos Into a Symphony" by Rachel Kibler. I loved Rachel's stage presence and way of delivery! True keynote speaker. She dropped lots of insights and wisdom, combined with real stories. I really liked how the transformation at her company revealed tangible advice for everyone who wants to effect change.
  • Workshop "Threat Modelling Workshop for QA Heroes" by Giancarlo Cordero Ortiz. It was interesting to learn how threat modeling is done at SAP. Giancarlo pointed out lots of aspects of what helps and what hinders based on his experience, and how testing and quality folks are well-equipped for this and also needed at the table.
  • Keynote "Unlearning A.I." by Pradeep Soundararajan. Pradeep explained how he feels like an old man when hearing the same stories and seeing the same things happening over and over again in the industry. He shared observations on what people do and don't do and why it can be problematic. He applied the same for AI tooling and encouraged people to unlearn how to approach such new things to give ourselves a fresh perspective on them.
  • "ATD’s NEXT Keynote Casting". This bonus session allowed folks who applied for a keynote at Agile Testing Days 2026 to pitch their idea. We heard from ten awesome people what they had in mind and then the audience got to vote for their favorite. We had a clear winner: huge congratulations to Clare Norman for an outstanding pitch of rethinking user situations and system errors - I can't wait to see this on the keynote stage next year!

While the conference was officially over, of course people kept going during the evening. For one more time, a group of folks decided to go outside and enjoy a dinner at a nice restaurant together. More stories shared, a lot more laughter, so much community spirit. Once back at the hotel, we enjoyed those last moments of togetherness until the very end.


Time to Go Home

The time came to say goodbye and depart. Lucky me that I met Gabrijela Hladnik and Anna Bommas in the hotel lobby and we spontaneously decided to share our trip to Berlin. More time for further exchange! Just love it when this happens. There's usually never enough time to speak with everyone you want to speak with during Agile Testing Days, no matter how long the conference is. So these little coincidences and opportunities are just perfect to seize. Just like the lunch table you join and encounter a conversation on neurodiversity you absolutely appreciate listening to and sharing experiences on. Like the late-night evening talk about nerdy hobbies and side projects. Like meeting new souls for the first time and discovering you share so much with them, and that they can understand you pretty quickly this way. Like having a very dear friend who knows precisely what you'll have for dinner at a specific restaurant, because of course you do.

I did take things easier this year. Nonetheless, I came home with a bunch of things to try and think about, renewed and new connections, and a lot of love for this very unique conference in my heart. Huge thanks to everyone for making this special place so special - with the amazing organizers leading the way. See you all next year!

Saturday, November 22, 2025

BSides Munich 2025 - On First Times

I've been to BSides Munich for the last three years, and it's been a pleasure each time. So while it wasn't my first time to attend the conference, there were other first times to be celebrated. It's been my first time giving a workshop at a security conference. It's been my first time as a session chair for speakers. It's been my first time that I've been together with the other half of my team at a conference. And for one of them it's even been their very first conference! That alone is already making my year. Especially as that specific teammate dove into the full experience, connecting with folks, joining a dinner group in the evening, exchanging experience. Just love it when good things happen.


Workshop Day

My day started out with meeting some known and new people on my way to the venue (we all ended up at a slightly wrong address at first, which was rather a connecting experience). On entering the (actual) building, there were more folks to greet. Some from other conferences, some from BSides Munich the last years. Grabbing a quick breakfast, it was time to start learning together.

In the morning, I joined the half-day workshop "Cloud-Native Chaos: Hacking CI/CD and Cloud Environments" by Samuel Hopstock and Daniel Schwendner. This was a really cool session and an actual workshop, fully hands-on and even exploratory! I know it's literally in the name of a "workshop", yet at times they end up as lectures instead of actual interactive hands-on learning sessions. So this was a really nice experience. We formed a group of three to tackle our task: given a practice app, gain full access to the Kubernetes cluster it's running on. The challenge was on! I loved that we had decent time to really try ourselves, not too many spoilers but help when needed. Perfect combination. I'm not going to spoil this workshop and the attack path we discovered, yet we could really make use of leftovers, misconfigurations, and oversights all the way. It was very interesting to see for myself how easy it can be to escape a Docker container to the host. It's one thing to know about it theoretically and another to actually see it, and especially to do it yourself. Another aha moment for me was learning how to upgrade a non-interactive reverse shell to an interactive one - super useful for my next CTF sessions.

After great conversations over lunch, it was time for the afternoon workshops. First, I joined "Developing Universal AI Agents for Static Code Analysis via MCP" by Sunil Kumar. My own workshop had been moved to a later slot and this one was the only session fitting in before. Good thing it was also on a topic I know I need to learn more about. Admittedly, I couldn't fully focus with my own workshop coming up right afterwards, yet it did showcase how MCP servers are built and configured, and demonstrated how they could be used afterwards. More to dive into for sure.

Then it was time for my own workshop "Secure Development Lifecycle Applied - How to Make Things a Bit More Secure than Yesterday Every Day". It was not set up for a good start - there was no break scheduled between the two workshops, and people joining both definitely needed some time to breathe. To add to this, I learned about yet another scenario of how things can go wrong when presenting. This time, the projector and my laptop both decided to connect briefly at first, but when I attempted to mirror the screen instead of extending it, they said enough is enough - we're not working together any longer. Luckily, it's not my first rodeo so it didn't bother me (what a nice surprise to be calm for a change), plus showing my screen was anyway only a nice bonus for my workshop. We found a quick solution, and once people were back from their break we could finally start. But well, that definitely cut around 15 minutes from the already short time. People told me afterwards they definitely wanted more time, it was flying by for them! They had fun trying their hands at the exercises and there was more to explore. While some things are not in my hands, I'm taking this as a very positive signal.

The workshops were done and yet not everyone was ready to call it a day. My dear CTF team Mireia Cano and Martin Schmidt, one of my colleagues and I all headed for dinner to extend the conversations and have a nice conclusion for the day.


Conference Day

Already at the beginning of the day, I've met many familiar faces and we all prepared together for a busy day ahead full of talks, conversations and insights. Here are the sessions I attended.

  • Keynote: "The art of saying NEIN (in security)" by Martin Brunner. Cybersecurity is a lot about trust, and we need to learn how to say "no" more often, especially from a defender's standpoint. Also, this talk made a new connection across domains: What we have in security with attackers, defenders and victims resembles the drama triangle with persecutor, rescuer and victim a lot. So also here, you can only stop playing the game. In general, Martin encouraged us to be very intentional about what we say yes to, what we say no to, and why.
  • "Fantastic clear-text passwords and where to collect them" by Stephan Berger. This talk showed a lot of interesting ways to get your hands on passwords on Windows systems. Easily. Honestly, too easily. Stephan reminded us that you often don't need fancy new tools, you just need to take the time instead and get your hands dirty.
  • "Structuring (cyber) incident root-cause investigations: a practical walk-through" by João Collier de Mendonca. This was a nice demonstration of how incidents look in a very real scenario and what constraints come with it. Like in the medical and healthcare domain. Also, I'm curious to check out the mentioned DFIQ framework of forensic questions and approaches.
  • "Trust Issues: How Gen Z Attackers Hack Without Exploits" by Tom Barnea. Tom explained how Gen Z aims for the weakest link: the human. They are hacking trust as this is way easier than hacking systems. Going for everyday unsuspicious tooling and activities which evade traditional defenses is not only smart but also efficient. We need to rethink and change our approaches accordingly.
  • "Translating mobile app security lessons to the Flutter stack" by Samuel Hopstock. Having worked with ReactNative apps, I was curious how Flutter differs when it comes to security. It wasn't very surprising yet still pretty interesting to hear the answer: Flutter apps are just mobile apps and show the same issues as any other mobile app, so we can use the same approaches to find weaknesses.
  • "In Scope, Out of Sight: Why NIS-2 Isn’t Landing in German SMEs" by Younes Ahmadzei. A lot of companies are in scope of the new regulation. Nearly none of them are aware of this fact. And even if they are, they still lack understanding of what it actually means to them and what they have to do - such uncertainty can be paralyzing.
  • "Why I Go to the Dark Web Every Day" by Alex Holden. Alex shared super interesting stories on what he learned when trying to gain the trust of cybercriminals, where they work, what they think. He emphasized that if you don’t know what’s going on on the dark web you have to assume the worst in case of breaches (e.g. you won’t notice that an attack is going on and how it ended, if the attacker aborted or pulled through). Also, corporate data is extremely valuable, and it’s everywhere in the supply chain - we tend to forget about this aspect. We'd better know our enemies and threats to stay ahead.
  • "The Perks and Perils of Persistence: AWS Attacker Techniques" by Oisín B. This talk shared lots of tangible actions that attackers will try, how discoverable such attacks are, how we can spot them and what we can do to prevent these paths. It was targeted at AWS, yet the core ideas are transferable to other cloud providers.
  • "Turning Off the Internet: Technical Tactics of State-Scale Censorship and Shutdowns" by Reza Sharifi. A lot of people witness shutdowns way more than others - they are reality nonetheless. Censorship thrives where the network is centralized, as central points create control points. The tactics and techniques applied differ, however, based on which layer of the stack they target. This talk could easily have gone on for a lot longer, there's a lot to talk about on this topic.
  • "NTLM reflection is dead, long live NTLM reflection: Story of an accidental Windows RCE" by Guillaume André and Wilfried Bécard. Here's a story of how the researchers found a trivial logic vulnerability allowing authenticated RCE - by accident. They couldn't believe it at first, yet in the end had to emphasize in this talk: high-impact, simple and stable logical vulnerabilities still exist.
  • "Cloud IR: A Rapid Guide for AWS, Azure & GCP" by Erblind Morina. It doesn't come as any surprise, yet sometimes we need to hear messages on repeat: lack of logging means limited evidence. Visibility and logging coverage are key for incident response. Erblind encouraged us to start using the incident response cheat sheet of our cloud provider and to check out the Incident Response Hierarchy of Needs.
  • Keynote: "Oops, I pwned it again!" by David Elze. I love it when people share failure stories and what they learned from them. We all have failure stories - and some are more epic than others. David shared five situations where things went awry and the lessons they gained from them. Including the last: sometimes we do have to take certain risks that come with the nature of our job.

For two of these talks, I've also had the honor to support as session host. I tried to find the speakers beforehand, yet I didn't spot them in the crowd. This meant we could only check in shortly before their talk on what they needed regarding setup, timekeeping, introduction and so on. And then it was already on! Welcoming the audience to the room, having them seated, getting their attention, and having them cheer. Welcoming the speakers to the stage, getting them briefly introduced and then getting out of their way. During the talk, keeping track of time and signaling notes according to speaker needs. Afterwards, coordinating questions from the crowd, ensuring the program schedule could be maintained. Thanking the speakers, making sure they got what they needed. And a few more things - huge kudos to the BSides Munich organizers for preparing a comprehensive cheat sheet upfront for session chairs! They also went the extra mile and prepared both bio notes for the speaker introduction as well as potential fallback questions for each talk in case the audience wasn't ready to engage. All this went pretty well. Once again I found myself in a situation where I was glad to have been doing public speaking engagements for so many years by now, and where the respective skills gained really pay off.

The additional challenge I had: how to do sketchnotes while also being a session chair? Well, I dared to go full in, and it did turn out to be pretty stressful. I also missed parts of the talks and my sketchnotes don't do them justice. But well, I learned that's part of doing sketchnotes anyways. There are constraints and you have to live with them. Whatever you have on paper in the end you have, whatever you didn't note you didn't. It's a perception and interpretation of the talk anyways and you just do what you can do in the specific moment. I also learned over the years that I'm doing this, that no matter whether I like how a specific sketchnote turned out or not, it might still help others and it's usually appreciated by speakers. So I'm sharing them anyways.

The conference day was over super fast, with the packed schedule and lots of conversations and also duties to fulfill. Also on this day, not everyone was ready to leave just yet and instead hung around and stayed for a while, still enjoying each other's company.

Then it was time to join the organizers and my fellow speakers to go to the speakers' dinner. We concluded the day with a really delicious meal among great people. We made new connections, we exchanged our favorite licorice products, conference venue struggles, insights on local security communities, and much more. As you do.

Thank you everyone for making this yet another great conference! Won't be my last BSides Munich for sure.