Ingo Struck
Profile

    Three characteristic hashtags

    #goodquestions

    Good questions inspire me, and I like to ask questions. I am not afraid to ask you awkward questions.

    #curiosity

    Stagnation is regression. Routine bores me. I like discovering new things and enjoy learning.

    #dependableIT

    Information technology shapes our everyday lives and has become as indispensable as power from the socket. I am interested in the question of how it can be made resilient and dependable despite global networking and increasing consolidation.

    From pupil nerd to expert in secure software development

    I have been intensively involved with information technology since my school days, that is, from the mid-1980s. In collaboration with a school friend, I developed a first piece of commercially used software shortly before I started studying physics.

    During my studies I started programming professionally part-time.

    From 2002 to 2016, I worked as a freelance system and web programmer on a number of small start-up projects.

    At the beginning of this time, I first came into contact with the topic of IT security as a member of the management team of the then freshly founded Open Web Application Security Project (OWASP).

    However, this moved to the background because the projects usually had such tight budgets that they had to focus almost entirely on the development of initial product features.

    Could I live with that?

    Of course not. Since April 2022, I have come full circle and work as a Security Engineer. I have come to believe that dependable software with built-in security (security by design) has become an absolute necessity more than ever.

    My focus is on a secure software development life-cycle (SDLC) within the framework of a certified Information Security Management System (ISMS) according to the international standard ISO 27001.

    Some of my knowledge will not be directly useful to you

    In the course of time, I have gained a number of pieces of knowledge that are unlikely to be of any relevance today.

    However, they will still help you analyze your vulnerabilities and weaknesses.

    Certain patterns are recurring. Your mistakes have also been made by others before you. Just like my own.

    You can avoid much of this by building on proven international standards. This will save you time and money.

    These standards require continuous improvement from you and me. In addition, information technology is developing rapidly.

    That’s why I don’t stand still, and I expand and update my knowledge every day.

    Standards

    It helps to work with well-defined terminology and common concepts. For your ISMS, you can find this foundation in the ISO 27000:2018 standard (available free of charge).

    I was in charge of implementing large parts of the operational processes and documentation of an ISMS in accordance with the ISO 27001:2013 standard.

    The recommendations from the ISO 27002:2013 standard served as a good guideline for the specification of the measures. This work was rewarded with a successful initial certification with no major or minor non-conformities.

    To meet the requirements for the use of cryptography, I planned and implemented procedures based on the recommendations of BSI TR-02102.

    The ISO 27001:2022 and ISO 27002:2022 standards now apply to your initial ISMS certification and re-certifications. Compared to the previous versions, they are modernized and massively restructured. This makes them more comprehensible and easier to follow.

    A key aspect of the ISO management system standards is the definition of and adherence to documented operating procedures. I recommend modeling and documenting your processes with the semi-formal description language BPMN 2.0.

    I graduated with a bachelor’s thesis on the BSI IT-Grundschutz Compendium and the BSI Standard 200-2 for container platforms. In this context, for you as a user or provider of “cloud” services, the Cloud Computing Compliance Criteria Catalogue BSI C5:2020 is relevant, which implements the requirements of the EU Cybersecurity Act (EUCA).

    As a guideline for selecting secure IT products, CC version 3.1 and 2022 have already served me and my customers well.

    OWASP Top 10 2021, OWASP ASVS 4.0.3

    Technology

    Security

    HashiCorp Vault, OSSEC HIDS, f5 BIG-IP Advanced WAF, OPSWAT MetaDefender ICAP Server, LogRhythm Security Information and Event Management (SIEM), OpenVAS, kali Linux

    Network

    PowerDNS, f5 BIG-IP LTM, FortiOS

    IPFire

    Automation, CI/CD

    ansible, FAI

    Concourse CI, Jenkins, GitLab CI, octodns, Terraform

    Productivity, Documentation

    Jira

    kolab, Outlook/O365

    GitLab, GitHub

    Confluence, miro, OmegaT

    Word, Excel, Powerpoint

    draw.io, Inkscape, GIMP, gnuplot, Dia

    Markup / DTP

    HTML, XHTML, CSS, hugo

    TeX, Scribus

    Programming

    C, C++, Java, Fortran, Pascal/Delphi, x86 Assembler

    Lua, Python, PHP, Perl, ruby, Bash

    JSP, Javascript/ECMA, Actionscript/Flex, tcl/tk

    Operating system

    Linux (kali, debian, CentOS, Ubuntu, alpine, Suse, LinuxFromScratch, raspbian, Zenwalk)

    Solaris, Tru64 Unix

    Windows 3.1 to Windows 10

    MS-DOS up to 6.2

    Database, Index

    PostgreSQL, MySQL/MariaDB, MongoDB, Consul, Oracle

    Berkeley DB, TDB, CDS/ISIS

    Xapian

    Protocol, Interface

    TCP/IP, HTTP, FTP, SMTP

    SOAP, XML-RPC, REST, BiPRO

    Web Server

    nginx, Apache, Lighttpd

    fnord, coronita, gatling

    Virtualization, Containers

    libvirt/KVM, Xen, Qubes OS, Solaris Zones, VMware

    kubernetes, buildah, podman, runc, katacontainers

    Logging, Monitoring

    ELK, syslog-ng

    icinga2, site24x7, dnscheck.co

    Languages

    I am proficient in English at a certified C1 level according to the Common European Framework of Reference for Languages (CEFR) and have a basic knowledge of French.

    C’est tout - la fin.