About me

Hi 🙋🏻‍♂️

My name is Christian and I am from Germany. I am a software engineer in the DevOps space with a keen interest in security, from websec and reverse engineering through pentesting to malware. Over the last decade I worked with security companies and recently with partners in the automotive industry. I was able to gain good knowledge in automation, continuous integration and continuous delivery, cloud technologies, virtualization and containerization.

I like the part between application development and low-level electronics engineering. Just application development is too boring for me, especially when it is just Java. IMHO, there is so much more than just developing an app. I like the interaction between lower levels and application layer and the automation of things. If you do things twice, you should automate it, right?

My language experience ranges from Assembler and C/C++ through Python and JavaScript to Go, Rust and WebAssembly, with Python being the one I am fluent in. My favourite operating systems are macOS and GNU/Linux.

... and I like the terminal 👨🏻‍💻

Automotive and Embedded

The automotive industry presents a more conservative picture of the IT world. Adopting new technologies as well as introducing new methodologies like DevOps is more challenging than in other industries. This is also caused by the tools landscape and the high security and safety standards involved. But DevOps especially can help to open the view to new concepts and leave old structures behind, because the rule to never touch a running system is considered old-school today, and a company that clings to obsolete strategies risks quickly becoming out of date.

Virtualization and Cloud Technology

Managing infrastructure depends on virtualization more than ever before. Containerized applications, bare-metal or software hypervisors, virtual machines and the ever-growing managed cloud services are key aspects of a stable and future-proof environment for development, testing and production. Abstracting infrastructure components from the physical layer enables rapid adaptation to new or changed requirements and avoids potential problems with static systems.

Application Containers and Deployment

Containers have gained a lot of traction in recent years, though the concept is not new. FreeBSD Jails and Solaris Zones are complete implementations of a similar concept but lack popularity. Especially in testing and DevOps, containers proved easy to use. The product or service is packed in containers and deployed without having to deal with dependencies. Container orchestration tools like Kubernetes are the industry standard for scheduling containers across physical borders at scale, or even across datacenters, at a production-grade level, and they enable horizontal scaling.

Infrastructure As Code and Configuration Management

Infrastructure is important in every IT project, but Infrastructure as Code makes it possible to set up entities at the push of a button. The Terraform tool, for example, can be used to drive an on-premise bare-metal hypervisor like VMware or a cloud provider like Amazon AWS. Configuration of such entities becomes auditable and therefore reviewable because it manifests in code. This is an important step forward: it helps to create infrastructure in a fraction of the time and avoids configuration drift. Infrastructure as Code (IaC) together with immutable infrastructure is the next step in a modern cloud-native IT environment.

Continuous Integration and Continuous Delivery

To create a better product, the team needs to collaborate and share thoughts and results about builds and tests of the features currently being developed. The continuous integration and continuous deployment paradigm helps to shorten the development cycles and integrate all parties in a responsive loop. The SDLC becomes more transparent and the team can focus on the real things to create a better product. Having good and robust pipelines is important to the whole SDLC but is also a challenging task, especially in more hardware-related projects like embedded AUTOSAR.

Information Security

Awareness of emerging security risks like zero-day exploits or ransomware has been growing in recent years. Ransomware especially poses a great risk to smaller companies, and supply-chain attacks against CI/CD pipelines with cloud services and open-source software bring new challenges. Not just technologies but also the attack vectors have become more sophisticated. Exploits like Shellshock showed that vulnerabilities could remain hidden for years. Fixing vulnerabilities for web apps could lead to a big effort which would be easily mitigated with a web application firewall that helps to block such attacks. Working at the WAF brought in-depth awareness of IT security, and ongoing training and self-study from pen testing to reverse engineering help to keep this growing field in mind.

Experience

Robbers and Cops

An iOS and Android-based mobile game. Flutter-based frontend and backend in server-side JavaScript with Node.js. Client and server communication over a custom gRPC protocol. On-premise Kubernetes backend infrastructure with nginx SSL ingress load balancer. Apple and Google authentication providers and JWT token-based authorization mechanism.

Crypto Lending Platform

A Python-based agent network automating customer tasks for different crypto exchanges. Hybrid Kubernetes-based setup with on-premise self-managed cluster nodes and public cloud ingress nodes communicating over a VPN connection to the on-prem network perimeter. The UI is served from the edge, and login nodes are mapped to user-specific CNAMEs for private login domains.

Side Quests