Martin Stühmer

Who I Am

I’m Martin, CTO at Integrated Worlds GmbH in the Stuttgart region. I’ve been building .NET systems for nearly 20 years—since Framework 2.0 when SOAP was cutting-edge and ORMs were controversial.

Today I lead technology strategy for cloud-native solutions on Azure. Before this, I was Director Consulting Services at CGI, working with enterprise teams on architecture and transformation. I’m a Microsoft Certified Trainer and IHK-certified instructor, and I maintain several open-source NuGet packages.

What I Do

As CTO, I don’t just make decisions from a distance. I write code, review PRs, debug production issues, and mentor teams. Technology leadership means staying hands-on and feeling the consequences of your choices.

As a trainer and mentor, I focus on fundamentals that outlast framework hype. Static analyzers, testing strategies, performance patterns, maintainable architecture—the stuff that actually prevents production fires.

As an open-source maintainer, I publish packages that solve problems I’ve hit repeatedly in real systems. When strangers depend on your code, you write better tests and clearer docs.

What I’ve Learned

Almost two decades means I’ve made every mistake: over-engineered systems, bet on Silverlight and WCF (oops), built “flexible” architectures that were just complicated, shipped code I’m not proud of.

Here’s what stuck:

Quality isn’t optional – Analyzers catch bugs in milliseconds, tests prevent regressions, and both are faster than firefighting
Fundamentals outlast frameworks – Patterns and principles survive; specific tools don’t always
Context beats dogma – “Best practices” depend on your team, domain, and constraints
Evidence beats opinion – Measure, benchmark, validate before deciding
Pragmatism wins – Good-enough architecture that ships beats perfect architecture that doesn’t

What I Write About

I share perspectives from production systems and real teams. I’m skeptical of buzzword-driven development and allergic to cargo-cult practices. If a trend lacks substance or a pattern doesn’t hold up under pressure, I’ll say so.

This blog is for developers, solution architects and operators who maintain production systems and care about quality, not just shipping fast.

Published blogs

Your Logout Button Is Lying: ASP.NET Session Security Done Right

That StackOverflow answer suggesting Session.Timeout = Int32.MaxValue for “better UX”? It’s how security becomes checkbox theater. Sessions that never expire, logout buttons that don’t invalidate tokens, cookies transmitted over HTTP—auditors catch these patterns immediately. Here’s how to configure ASP.NET Core authentication that actually works.

Your TLS Config is Probably Wrong: Five Audit Failures I Keep Finding

Production systems with HTTP endpoints wide open and TLS 1.0 enabled for backward compatibility that died in 2020 are still everywhere. If auditors haven’t flagged your encryption config yet, they will. This guide shows the fatal configurations that fail security audits and the Azure Front Door patterns that actually pass.

Trust Is Not a Control: ISO 27001 Compliance via GitHub

Process documents don’t impress auditors. “We trust our developers” isn’t a control mechanism. ISO 27001 demands technical enforcement, not organizational promises. This guide shows how GitHub branch protection, CODEOWNERS, and environment protection transform compliance from checkbox theater into system enforced reality with a six week implementation path.

Cookie Banners Won't Save You From ISO 27701

That boolean column you call “consent”? Regulators will laugh at it.

ISO 27701 demands granular, auditable, expiring consent, not cookie theater. Here’s the complete .NET implementation with Entity Framework Core, middleware validation, and Azure Functions that survives an audit.

NuGet Packages: The Suppliers You Forgot to Audit

Every NuGet package is a supplier relationship under ISO 27001. Learn how to implement Central Package Management, automated vulnerability scanning, and package signature verification to transform your .NET dependency management from security liability into auditable compliance control.