Profile
From student tinkering to secure software development
I have had a keen interest in IT since my school days in the mid-1980s. Together with a schoolmate, I developed my first software for commercial use.
Do you think we knew about requirements engineering back then?
No.
We had three requirements: to print on A5, preconfigure pizzas, and be able to add and remove ingredients.
Did we know about iterative improvement and test management?
I suspect not.
Our software duly impressed in production. And was replaced a year later by a more expensive but professional solution.
We learned a lot, and so did the customer—the hard way. Yet it still remained “one of the better-known pizza delivery services in the city”.
Whilst studying physics, I started programming “professionally” on the side.
Even then, it wasn’t a matter of methodological professionalism.
But there were no complaints, and my code was fast and reliable—at least as far as the “happy path” goes. I had absolutely no idea about “edge cases” or “fuzzing”.
I first learned real software engineering as a working student. I did so alongside veteran developers as mentors, but still without any formal training.
But this is probably the best way to learn how to design and implement lean and solid software yourself. Using as little code as possible was almost a sport.
The small team worked in the spirit of the Agile Manifesto long before this was a published concept.
Building on this, I then worked as a freelance system and web programmer on a series of small start-up projects from 2002 to 2016.
It was back in the early 2000s that I first came into contact with the topic of information security as a [member of the management team](https://web.archive.org/web/20021010062411/http://www.owasp.org/aboutus/) of the newly inaugurated Open Web Application Security Project (OWASP®).
However, security took a back seat, because the projects usually had such tight budgets that they had to focus almost entirely on developing the initial product features.
Could I live with that?
Of course not. I have since come full circle: since April 2022 I have been working to improve information security, and I am convinced that reliable software with integrated security (security by design) is an absolute necessity.
My focus is on a secure software development life cycle (SDLC) embedded in a certified information security management system (ISMS) in accordance with the international standard ISO 27001.
Useless knowledge
Do you still have a Tru64 machine in the basement running the central business process?
I hope not.
If you used to have one, you will appreciate all the more what came afterwards.
And I too have amassed a wealth of knowledge over the years, which has since become as good as obsolete, thankfully.
But it still helps me to assess vulnerabilities.
Certain patterns recur. Your mistakes have been made by others before you. My own mistakes were rarely new either.
You can avoid many such mistakes by building on proven international standards, which will save you time and money.
These standards require continuous improvement, and IT is developing at breakneck speed.
Which is why I never stand still; I update my knowledge and keep learning every day.
Standards – boring, but helpful
You know the feeling: colleagues outside your field misunderstand what you are saying, or you feel like you always have to start from scratch.
This is where standardised terminology and concepts can help. You can find this information for your ISMS in the [ISO 27000:2018 standard](https://www.iso.org/standard/73906.html) (available free of charge).
I was in charge of implementing large parts of the operational processes and documentation of an ISMS in accordance with the [ISO 27001:2013 standard](https://www.iso.org/contents/data/standard/05/45/54534.html).
The recommendations from ISO 27002:2013 served as a good guideline when drawing up the measures, and I was rewarded with initial certification with no major or minor non-conformities.
To meet the requirements for the use of cryptography, I planned and implemented procedures based on the recommendations of BSI TR-02102.
ISO 27001:2022 and ISO 27002:2022 now apply for ISMS initial certification and re-certification. They have been modernised and largely restructured to make them clearer and easier to follow.
A key aspect of the ISO management system standards is defining and complying with documented operating procedures. I recommend modelling and documenting your processes using the semi-formal description language BPMN 2.0.
My dissertation examined the [BSI IT-Grundschutz Compendium](https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Standards-und-Zertifizierung/IT-Grundschutz/IT-Grundschutz-Kompendium/it-grundschutz-kompendium_node.html) and BSI Standard 200-2 as applied to container platforms. In this context, if you are a user or provider of cloud services, the Cloud Computing Compliance Criteria Catalogue BSI C5:2020 is relevant to you. It is used to implement the requirements of the EU Cybersecurity Act (EUCA).
[CC version 3.1 and 2022](https://www.commoncriteriaportal.org/cc/) have served me and my customers well as a guideline for selecting secure IT products.
The OWASP Top 10 (last revised in 2021) have become the unofficial industry standard for the secure implementation of web applications. They are supplemented by the OWASP ASVS (now in version 4.0.3), which provide a multi-stage model for the systematic testing of web applications. You can use both together as the cornerstone for securing your web applications, and systematically record and improve the maturity level of your software development life cycle (SDLC) with the OWASP SAMM (now in version 2.0.3).
Pedestrian technology
I could probably fill several books with my endless anecdotes about the use of technology, but they tend to be repetitive and really only worth sharing on a one-to-one basis.
Instead, I will share here a list of the products I have used throughout my professional career.
Security
HashiCorp Vault, OSSEC HIDS, f5 BIG-IP Advanced WAF, OPSWAT MetaDefender ICAP Server, LogRhythm Security Information and Event Management (SIEM), OpenVAS, Kali Linux
Networks
PowerDNS, f5 BIG-IP LTM, FortiOS
Automation, CI/CD
Concourse CI, Jenkins, GitLab CI, octodns, Terraform
Productivity, documentation
kolab, Outlook/O365
Word, Excel, PowerPoint
draw.io, Inkscape, GIMP, gnuplot, Dia
Markup, DTP
Programming
C, C++, Java, Fortran, Pascal/Delphi, x86 Assembler
Lua, Python, PHP, Perl, Ruby, Bash
JSP, JavaScript/ECMAScript, ActionScript/Flex, Tcl/Tk
Operating systems
Linux (Kali, Debian, CentOS, Ubuntu, Alpine, SUSE, Linux From Scratch, Raspbian, Zenwalk)
Windows 3.1 to Windows 10
MSDOS up to 6.2
Databases, indexes
PostgreSQL, MySQL/MariaDB, MongoDB, Consul, Oracle
Protocols, interfaces
Web servers
Virtualisation, containers
libvirt/KVM, Xen, Qubes OS, Solaris Zones, VMware
Kubernetes, Buildah, Podman, runc, Kata Containers
Logging, monitoring
Languages – do I speak yours?
Of course, I am most comfortable in my mother tongue, German.
In addition, I have a certified C1 level of English according to the Common European Framework of Reference for Languages (CEFR), and have a basic knowledge of French.
C’est tout.