Daily DevOps & .NET - Where Code Meets Culture

Your [Authorize] Attribute Is Compliance Theater

Published on 1/27/26 5:00 pm by Martin Stühmer

Your [Authorize] attributes give you a false sense of security. ISO 27001 auditors see right through it.

I’ve reviewed dozens of ASP.NET Core apps that authenticate flawlessly — then scatter role strings across business logic, skip audit logs, and wonder why they fail compliance. Here’s the pattern that kills audits, and how to actually fix it.

Why ISO Standards Actually Matter for .NET Developers

Published on 1/22/26 5:00 pm by Martin Stühmer

Cloud-native .NET development has transformed ISO/IEC 27001, 27017, and 27701 from abstract compliance requirements into concrete daily coding decisions. This guide shows .NET developers how security standards directly map to Azure Key Vault integration, Azure AD authentication, and proper logging—with real code examples demonstrating compliant vs. non-compliant implementations.

Pod Identity & Access Control in AKS: What Actually Breaks

Published on 1/21/26 5:00 pm by Jendrik Brack

Traditional AKS authentication relied on service principals and mounted secrets. Workload Identity Federation eliminates credential lifecycle problems, but introduces new failure modes. This article covers the operational realities: where credentials still leak, how RBAC layers compound across Kubernetes and Azure, and validation patterns that prevent identity failures in production.

Real Professional Software Engineering in the AI Era

Published on 1/20/26 5:00 pm by Martin Stühmer

Throughout this series, we’ve established that AI-generated code without understanding creates productivity illusions that collapse in production (Part 1), and that the feedback loop between code and reality—compilation, testing, profiling, production—sharpens thinking in ways AI can’t replicate (Part 2). Now we confront the practical question: What defines professional software engineering when code generation becomes trivial? This final part examines the irreplaceable skillset: understanding execution characteristics (recognizing allocation patterns that cause GC pressure before deployment), asking questions AI can’t formulate (What’s the failure mode when this service is unavailable?), recognizing when plausible AI solutions diverge from correct ones, debugging production failures AI has no execution model to reason about, and evaluating maintainability for code that becomes tomorrow’s burden. We explore why prompt engineering optimizes for speed while architecture optimizes for survival, why “AI productivity” often means faster technical debt accumulation, and why the economic reality favors organizations that measure system reliability over lines of code generated. The feedback loop can’t be automated because closing it requires learning from production failures and applying that knowledge to prevent future ones—the irreplaceable discipline that defines real professionals in 2026 and beyond.

Stoßlüften: The Architecture of Intentional Resets

Published on 1/16/26 11:30 am by Martin Stühmer

A Swabian habit teaches a DevOps lesson: open windows fully and often, or invisible decay accumulates. Stoßlüften isn’t about comfort—it’s about forcing systems to prove they’re healthy. Regular restarts, infrastructure-as-code, and reproducibility checks catch the problems that green metrics miss.