Ingo Struck
Profile

Three characteristic hashtags

#goodquestions

Good questions inspire me, and I like to ask questions. I am not afraid to ask you awkward questions.

#curiosity

Stagnation is regression. I like discovering new things and enjoy learning. Routine is better left in other hands.

#dependableIT

Information technology shapes our everyday lives and has become as indispensable as power from the socket. I am interested in the question of how it can be made resilient and dependable despite global networking and increasing consolidation.

From student trickery to secure software development

I have been intensively involved with information technology since my school days, that is, since the mid-1980s. Together with a school friend, I developed my first commercially used software.

Do you think we knew the term “requirements engineering”?

No.

There were three requirements: “We want to print on DIN A5, pre-configure pizzas and be able to add and remove ingredients.”

Did we have any idea about iterative improvement and test management?

Probably not.

Our software had a correspondingly impressive track record in production, and it was certainly replaced a year later by a more expensive but professional solution.

We learned a lot in the process, and the customer paid for his lesson too. But even long after that, it was still “one of the better-known pizza delivery services in the city.”

During my studies in physics, I started programming “professionally” on the side.

Even then, there was still no question of methodological professionalism.

But there were no complaints and my code ran quickly and reliably.

At least for the “Happy Path.” I was completely unfamiliar with terms such as “edge cases” or methods such as “fuzzing”.

I first learned real software engineering as a working student, with veteran developers as mentors but still without formal training.

They were probably the best teachers for designing and implementing lean and solid software yourself. Minimal code was almost a sport.

The small team worked in the spirit of the “agile manifesto” long before it was formulated and published.

Building on this, I worked as a freelance system and web programmer on a whole series of smaller start-up projects from 2002 to 2016.

At the beginning of this time, I first came into contact with the topic of IT security as a member of the management team of the then freshly founded Open Web Application Security Project (OWASP®).

However, this moved into the background because the projects usually had such tight budgets that they had to focus almost entirely on the development of initial product features.

Could I live with that?

Of course not. Since April 2022, I have come full circle and have been working to improve information security. I have come to the conclusion that reliable software with integrated security (security by design) has become an absolute necessity.

My focus is on secure software development (a secure SDLC), embedded in certified information security management systems (ISMS) in accordance with the international standard ISO 27001.

Useless Knowledge

Is a Tru64 machine with the central business process still running in your basement?

Hopefully not.

If you used to have one, you will appreciate all the more what came afterwards.

And so I, too, have developed a range of knowledge over the course of time which is fortunately hardly relevant today.

However, it still helps me to analyse your weak points.

Certain patterns are recurring. Your mistakes have been made by others before you. My own were rarely new either.

You can avoid much of this by building on proven international standards. This will save you time and money.

These standards require continual improvement from you and me. In addition, information technology is developing rapidly.

That’s why I don’t stand still but expand and update my knowledge every day.

Standards – often boring, but helpful

Do you know the feeling? You are talking to colleagues from outside your field and being misunderstood, and you feel like you always have to start from scratch?

It helps to work with well-defined terminology and common concepts. For your ISMS, you can find this foundation in the ISO 27000:2018 standard (available free of charge).

I was in charge of implementing large parts of the operational processes and documentation of an ISMS in accordance with the ISO 27001:2013 standard.

The recommendations from the ISO 27002:2013 standard served as a good guideline for the specification of the measures. The reward for this work was successful initial certification with no major or minor nonconformities.

To meet the requirements for the use of cryptography, I planned and implemented procedures based on the recommendations of BSI TR-02102.

ISO 27001:2022 and ISO 27002:2022 now apply to your initial ISMS certification and re-certifications. Compared to the previous versions, they are modernized and massively restructured: the 114 controls in 14 clauses of ISO 27002:2013 have been consolidated into 93 controls grouped into four themes (organizational, people, physical and technological). This makes them more comprehensible and easier to follow.

A key aspect of the ISO management system standards is the definition of and compliance with documented operating procedures. I recommend modelling and documenting your processes using the semi-formal description language BPMN 2.0.

I graduated with a bachelor’s thesis on the BSI IT-Grundschutz Compendium and the BSI standard 200-2 applied to container platforms. In this context, for you as a user or provider of “cloud” services, the Cloud Computing Compliance Criteria Catalogue BSI C5:2020 is relevant, which implements the requirements of the EU Cybersecurity Act (EUCA).

The Common Criteria (CC) version 3.1 and CC:2022 have served me and my customers well as a guideline for selecting secure IT products.

The OWASP Top 10 (last revised in 2021) are established as the unofficial industry standard for the secure implementation of web applications. They are supplemented by the OWASP ASVS (now in version 4.0.3), which defines three verification levels for the systematic testing of web applications. You can use both together as the cornerstone for securing your web applications. You can systematically record and improve the maturity level of your software development lifecycle (SDLC) with the OWASP SAMM (current version 2.0.3).

Built for the Road that’s Flat

The anecdotes I could tell about using these technologies would probably fill volumes. But they are repetitive and tend to be more interesting in personal conversations.

This is why I am only showing you a list of the products I have used throughout my professional career.

Security

HashiCorp Vault, OSSEC HIDS, F5 BIG-IP Advanced WAF, OPSWAT MetaDefender ICAP Server, LogRhythm Security Information and Event Management (SIEM), OpenVAS, Kali Linux

Network

PowerDNS, F5 BIG-IP LTM, FortiOS

IPFire

Automation, CI/CD

Ansible, FAI

Concourse CI, Jenkins, GitLab CI, octodns, Terraform

Productivity, Documentation

Jira

kolab, Outlook/O365

GitLab, GitHub

Confluence, miro, OmegaT

Word, Excel, PowerPoint

draw.io, Inkscape, GIMP, gnuplot, Dia

Markup, DTP

HTML, XHTML, CSS, hugo

TeX, Scribus

Programming

C, C++, Java, Fortran, Pascal/Delphi, x86 Assembler

Lua, Python, PHP, Perl, ruby, Bash

JSP, Javascript/ECMA, Actionscript/Flex, tcl/tk

Operating system

Linux (Kali, Debian, CentOS, Ubuntu, Alpine, SUSE, Linux From Scratch, Raspbian, Zenwalk)

Solaris, Tru64 Unix

Windows 3.1 to Windows 10

MS-DOS up to 6.2

Database, Index

PostgreSQL, MySQL/MariaDB, MongoDB, Consul, Oracle

Berkeley DB, TDB, CDS/ISIS

Xapian

Protocol, Interface

TCP/IP, HTTP, FTP, SMTP

SOAP, XML-RPC, REST, BiPRO

Web Server

nginx, Apache, Lighttpd

fnord, coronita, gatling

Virtualization, Containers

libvirt/KVM, Xen, Qubes OS, Solaris Zones, VMware

Kubernetes, buildah, podman, runc, Kata Containers

Logging, Monitoring

ELK, syslog-ng

icinga2, site24x7, dnscheck.co

Languages – Is yours included?

Of course, I am most fluent in my mother tongue, German.

I also speak English at the certified level C1 of the Common European Framework of Reference for Languages (CEFR) and have a basic knowledge of French.

C’est tout – la fin.