Martin Stühmer

Who I Am

I’m Martin, CTO at Integrated Worlds GmbH in the Stuttgart region. I’ve been building .NET systems for nearly 20 years—since Framework 2.0 when SOAP was cutting-edge and ORMs were controversial.

Today I lead technology strategy for cloud-native solutions on Azure. Before this, I was Director Consulting Services at CGI, working with enterprise teams on architecture and transformation. I’m a Microsoft Certified Trainer and IHK-certified instructor, and I maintain several open-source NuGet packages.

What I Do

As CTO, I don’t just make decisions from a distance. I write code, review PRs, debug production issues, and mentor teams. Technology leadership means staying hands-on and feeling the consequences of your choices.

As a trainer and mentor, I focus on fundamentals that outlast framework hype. Static analyzers, testing strategies, performance patterns, maintainable architecture—the stuff that actually prevents production fires.

As an open-source maintainer, I publish packages that solve problems I’ve hit repeatedly in real systems. When strangers depend on your code, you write better tests and clearer docs.

What I’ve Learned

Almost two decades means I’ve made every mistake: over-engineered systems, bet on Silverlight and WCF (oops), built “flexible” architectures that were just complicated, shipped code I’m not proud of.

Here’s what stuck:

Quality isn’t optional – Analyzers catch bugs in milliseconds, tests prevent regressions, and both are faster than firefighting
Fundamentals outlast frameworks – Patterns and principles survive; specific tools don’t always
Context beats dogma – “Best practices” depend on your team, domain, and constraints
Evidence beats opinion – Measure, benchmark, validate before deciding
Pragmatism wins – Good-enough architecture that ships beats perfect architecture that doesn’t

What I Write About

I share perspectives from production systems and real teams. I’m skeptical of buzzword-driven development and allergic to cargo-cult practices. If a trend lacks substance or a pattern doesn’t hold up under pressure, I’ll say so.

This blog is for developers, solution architects and operators who maintain production systems and care about quality, not just shipping fast.

Published blogs

Your Encryption Is Broken — .NET Data Protection Done Right

Every developer who has tried simple encryption with XOR and hardcoded keys eventually faces the audit that exposes their house of cards. I’ve watched production systems fail compliance assessments because someone believed base64 encoding was good enough or that compilation obscures secrets. The .NET Data Protection API exists precisely because Microsoft’s cryptography team spent years solving problems most developers don’t know they have. This isn’t about learning yet another library—it’s about understanding why professional implementations outperform clever hacks, and how Azure Key Vault integration transforms theoretical security into auditable compliance.

Your appsettings.json Is a Compliance Violation

Hardcoded secrets aren’t just bad practice—they’re ISO 27017 violations with real consequences: failed audits, denied insurance claims, contractual penalties. That connection string in your appsettings.Production.json? It represents a compliance gap your organization probably doesn’t even know exists. Azure Key Vault with Managed Identity isn’t an optional security enhancement—it’s the minimum viable implementation of standards you already claim to follow.

Audit Logging That Survives Your Next Security Incident

Your audit logs probably won’t survive a real security incident. Most implementations log too much, protect too little, and provide zero value when something breaks at 2 AM. Here’s how to fix that with structured logging that actually works.

Your [Authorize] Attribute Is Compliance Theater

Your [Authorize] attributes give you a false sense of security. ISO 27001 auditors see right through it.

I’ve reviewed dozens of ASP.NET Core apps that authenticate flawlessly — then scatter role strings across business logic, skip audit logs, and wonder why they fail compliance. Here’s the pattern that kills audits, and how to actually fix it.

Why ISO Standards Actually Matter for .NET Developers

Cloud-native .NET development has transformed ISO/IEC 27001, 27017, and 27701 from abstract compliance requirements into concrete daily coding decisions. This guide shows .NET developers how security standards directly map to Azure Key Vault integration, Azure AD authentication, and proper logging—with real code examples demonstrating compliant vs. non-compliant implementations.