I’m Martin, CTO at Integrated Worlds GmbH in the Stuttgart region. I’ve been writing production .NET code since Framework 2.0 — back when SOAP was still considered modern and ORMs were a heated debate. A lot has changed since then. My opinions have changed too, usually because I was wrong about something.
Before Integrated Worlds, I was Director of Consulting Services at CGI, leading teams through architecture decisions and digital transformation projects across multiple industries. These days I set technology strategy and stay close enough to the code to feel the consequences of those decisions firsthand.
I’m a Microsoft Certified Trainer and IHK-certified instructor, maintain several open-source NuGet packages, and write about what I’ve actually learned rather than what sounds good in theory.
Nearly two decades of production work leaves marks. Here’s where I’ve built up depth and, frankly, strong opinions:
.NET and C# — I’ve tracked this ecosystem from the framework era to .NET 10. Source generators, Roslyn analyzers, performance engineering, testing strategies, static analysis. I know what actually improved over the years and what just changed names.
Cloud-native architecture on Azure — AKS at scale, multi-cluster networking, zero-downtime upgrade strategies, cost governance, observability. I’ve spent enough time in Azure to know the gap between what it can do and what you should actually use.
DevOps and supply-chain security — GitHub Actions, dependency management, container security, Bicep-based infrastructure compliance. The organisational side matters as much as the tooling.
Application security and privacy — Azure Key Vault, managed identities, GDPR-relevant .NET patterns, data minimisation, AI coding tool content exclusions. Security that works in practice, not just in architecture diagrams.
Engineering culture — What AI coding assistants actually change about software quality (less than the hype, more than the skeptics admit), how to introduce static analysis without poisoning team morale, and when “best practices” are earned principles versus cargo-cult repetition.
As CTO I stay close to the code. I write, review PRs, debug production issues, and mentor — because technology leadership that operates purely from a distance eventually loses touch with the real cost of decisions.
As a trainer I focus on fundamentals that outlast the current framework cycle. Static analysis, testing discipline, performance patterns, maintainable architecture. The things that prevent fires, not just the things that look good in a job posting.
As an open-source maintainer I publish packages that solve problems I’ve hit repeatedly. Knowing that strangers depend on your code is one of the better ways to raise your standards.
I’ve over-engineered systems that should have been simple. I bet on Silverlight and WCF. I built “flexible” architectures that were really just complicated ones. I’ve shipped code I’m not proud of.
Here’s what held up after all that:
Quality isn’t optional — analyzers find bugs in milliseconds, tests prevent regressions, and neither is slower than a production incident
Fundamentals outlast frameworks — the patterns and principles stick around long after the tools are deprecated
Context beats dogma — “best practices” always depend on your team, domain, and actual constraints
Evidence beats intuition — measure, benchmark, validate; don’t just decide
Pragmatism wins — architecture that ships beats architecture that’s perfect on paper
Everything here comes from production systems and real teams, not documentation rewrites. I’m skeptical of buzzword-driven development and allergic to advice that’s never been tested under load or deadline. If something doesn’t hold up, I’ll say so.
The topics I keep returning to: .NET and C# performance and evolution, Azure and AKS architecture decisions, DevOps and supply-chain risk, application security and GDPR implementation, what AI coding tools actually change (and what they don’t), and the economics of technical debt and code quality.
I write for developers, architects, and operators who maintain production systems and care about getting it right — not just getting it shipped.
The code you create is a valuable legacy, so it’s important to build it carefully.
Your application just crashed in production. Azure App Service kept routing traffic to the failing instance for ninety seconds. Users saw timeouts. Your monitoring dashboard stayed green because the web server responded with HTTP 200 while the database connection pool was exhausted.
I’ve watched this exact scenario play out at three different organizations in the past year. Each time, the post-mortem revealed the same root cause: health checks that verified the process was breathing without checking whether it could actually do its job. ISO/IEC 27001 Control A.17.2.1 exists precisely for this reason—availability is a security control, not an operational afterthought.
“We have backups” is the IT equivalent of “thoughts and prayers.” Comforting words that mean nothing when disaster strikes. I’ve watched teams discover their Azure SQL Database backups expired just before an audit, or worse, during an actual outage. The default seven-day retention feels generous until you need data from day eight.
Compliance standards demand information backup in cloud environments, but no standard can enforce what most teams ignore: actually testing those backups. The gap between “we configured backups” and “we can restore our data” has ended careers and companies. This isn’t about checking compliance boxes. It’s about whether your business survives the next outage.
Your exception handler returns detailed stack traces to be “helpful.” Congratulations, you’ve just handed attackers your internal file paths, database technology, and architecture details. This guide shows how to implement error handling that satisfies security audits: comprehensive internal logging paired with generic client responses, correlation IDs for support, and environment-aware middleware.
“Storage is cheap” — until your data retention strategy becomes evidence in a GDPR lawsuit.
After 15+ years in enterprise software, I’ve seen this pattern in project after project: elaborate wiki documentation, a cleanup script nobody runs, and production databases growing exponentially with personal data that should have been deleted years ago. The compliance checkbox is marked, but the actual deletion never happens.
When regulators investigate, they don’t want your policy documents. They want execution logs proving deletion actually happened. Azure Storage lifecycle policies, Cosmos DB TTL, and scheduled Functions give you exactly that — automated retention that runs without human intervention, with full audit trails.
That StackOverflow answer suggesting Session.Timeout = Int32.MaxValue for “better UX”? It’s how security becomes checkbox theater.
Sessions that never expire, logout buttons that don’t invalidate tokens, cookies transmitted over HTTP—auditors catch these patterns immediately. Here’s how to configure ASP.NET Core authentication that actually works.
