Let security fully blend into development and team culture.
Seek simple solutions for complex problems, for their power lies in easy application.
Empower customers, teams, and the community by sharing knowledge and tools.
I have pursued a successful career as a freelance software developer since 1997 and expanded it in 2005 to include a focus on IT-Security. My major areas of work are penetration testing, security architecture consulting, and agile threat modeling.
As a trainer, I regularly conduct in-house and online workshops and enjoy coaching agile projects to include security as part of their process by applying DevSecOps concepts.
Eager to present security topics, I regularly speak and give open trainings at major national and international conferences.
I created and actively maintain the open-source project Threagile and its growing community, and I offer various services around Threagile such as individual trainings and custom risk-rule development.
Threagile enables teams to execute Agile Threat Modeling as seamlessly as possible, even highly integrated into DevSecOps environments.
Threagile is an open-source toolkit that lets teams model an architecture with its assets in an agile, declarative fashion as a YAML file, directly inside the IDE or any YAML editor. When the Threagile toolkit is run, a set of risk rules executes security checks against the architecture model and creates a report with potential risks and mitigation advice. Nice-looking data-flow diagrams are generated automatically, as are other output formats (Excel and JSON).
Risk tracking can also happen inside the Threagile YAML model file, so that the current state of risk mitigation is reported as well. Threagile can either be run via the command line (a Docker container is also available) or started as a REST server.
Threagile was released as the open-source toolkit for agile threat modeling at Black Hat Arsenal 2020 and DEF CON 2020 AppSec Village conferences.
For more details about Threagile see threagile.io, the GitHub repo, and the DockerHub repo.
Video and slides of my talk at DEF CON 2020 AppSec Village about Threagile, as well as an introduction video with demos:
As a speaker with international conference experience (Black Hat Arsenal USA, DEF CON AppSec Village USA, RSA Conference USA, Oracle JavaOne, Black Hat Arsenal Europe, Black Hat Arsenal Asia, DeepSec, BruCON, OWASP AppSecEU, OWASP AppSec Days, DevOpsCon Berlin/Munich/London/Singapore, JAX, Heise DevSec, Heise Sec-IT, Heise Herbstcampus, RuhrSec, JCon, JavaLand, Internet Security Days, IT-Tage Frankfurt, OOP, and others), I definitely enjoy speaking and training about IT-Security topics.
From time to time I write articles in IT-Security journals about topics like DevSecOps automation and vulnerability research. The most recent ones include:
As part of my security research I have found and reported security vulnerabilities, leading to over 30 CVEs (the highest rated one with a CVSS score of 10.0) and a bug bounty payout from Google for identifying a vulnerability inside the Google Chrome browser.
Low-volume newsletter to announce new trainings, services, and conference talks (about six mails per year).