Martin Stühmer — CTO, Enterprise Architect & DevOps Engineer

Who I Am

I’m Martin, CTO at Integrated Worlds GmbH in the Stuttgart region. I’ve been writing production .NET code since Framework 2.0 — back when SOAP was still considered modern and ORMs were a heated debate. A lot has changed since then. My opinions have changed too, usually because I was wrong about something.

Before Integrated Worlds, I was Director of Consulting Services at CGI, leading teams through architecture decisions and digital transformation projects across multiple industries. These days I set technology strategy and stay close enough to the code to feel the consequences of those decisions firsthand.

I’m a Microsoft Certified Trainer and IHK-certified instructor, maintain several open-source NuGet packages, and write about what I’ve actually learned rather than what sounds good in theory.

LinkedIn · GitHub · Bluesky

What I Know Well

Nearly two decades of production work leaves marks. Here’s where I’ve built up depth and, frankly, strong opinions:

.NET and C# — I’ve tracked this ecosystem from the framework era to .NET 10. Source generators, Roslyn analyzers, performance engineering, testing strategies, static analysis. I know what actually improved over the years and what just changed names.

Cloud-native architecture on Azure — AKS at scale, multi-cluster networking, zero-downtime upgrade strategies, cost governance, observability. I’ve spent enough time in Azure to know the gap between what it can do and what you should actually use.

DevOps and supply-chain security — GitHub Actions, dependency management, container security, Bicep-based infrastructure compliance. The organisational side matters as much as the tooling.

Application security and privacy — Azure Key Vault, managed identities, GDPR-relevant .NET patterns, data minimisation, AI coding tool content exclusions. Security that works in practice, not just in architecture diagrams.

Engineering culture — What AI coding assistants actually change about software quality (less than the hype, more than the skeptics admit), how to introduce static analysis without poisoning team morale, and when “best practices” are earned principles versus cargo-cult repetition.

How I Work

As CTO I stay close to the code. I write, review PRs, debug production issues, and mentor — because technology leadership that operates purely from a distance eventually loses touch with the real cost of decisions.

As a trainer I focus on fundamentals that outlast the current framework cycle. Static analysis, testing discipline, performance patterns, maintainable architecture. The things that prevent fires, not just the things that look good in a job posting.

As an open-source maintainer I publish packages that solve problems I’ve hit repeatedly. Knowing that strangers depend on your code is one of the better ways to raise your standards.

What I’ve Learned the Hard Way

I’ve over-engineered systems that should have been simple. I bet on Silverlight and WCF. I built “flexible” architectures that were really just complicated ones. I’ve shipped code I’m not proud of.

Here’s what held up after all that:

  • Quality isn’t optional — analyzers find bugs in milliseconds, tests prevent regressions, and neither is slower than a production incident
  • Fundamentals outlast frameworks — the patterns and principles stick around long after the tools are deprecated
  • Context beats dogma — “best practices” always depend on your team, domain, and actual constraints
  • Evidence beats intuition — measure, benchmark, validate; don’t just decide
  • Pragmatism wins — architecture that ships beats architecture that’s perfect on paper

What I Write About

Everything here comes from production systems and real teams, not documentation rewrites. I’m skeptical of buzzword-driven development and allergic to advice that’s never been tested under load or deadline. If something doesn’t hold up, I’ll say so.

The topics I keep returning to: .NET and C# performance and evolution, Azure and AKS architecture decisions, DevOps and supply-chain risk, application security and GDPR implementation, what AI coding tools actually change (and what they don’t), and the economics of technical debt and code quality.

I write for developers, architects, and operators who maintain production systems and care about getting it right — not just getting it shipped.

The code you create is a valuable legacy, so it’s important to build it carefully.

Published blogs

Your Incident Response Plan Is a Lie. Here's How to Fix It.

Your Incident Response Plan Is a Lie. Here's How to Fix It.

That incident response plan in your Confluence? Nobody reads it. The on-call engineer can’t find it. And when your production API is bleeding at 3 AM, you’ll improvise—badly. ISO 27001 A.16 doesn’t care about your documentation theater. It demands procedures that work. GitHub Actions turns incident response from compliance fiction into executable reality.
Stop Hoarding Personal Data in Entity Framework

Stop Hoarding Personal Data in Entity Framework

The classic monolithic User entity—stuffed with birth dates, phone numbers, employment history, and marital status “just in case”—turns into a compliance nightmare the moment someone requests data deletion. You can’t delete without breaking referential integrity. You can’t keep the data without violating GDPR. You can’t anonymize without retaining fields that should never have existed. The solution isn’t complex: separate operational data from personal data, make consent-based fields nullable and purpose-documented, implement soft deletes with query filters, and validate your API boundaries with integration tests that fail when unnecessary fields leak through. Data minimization isn’t regulatory overhead—it’s architectural hygiene that makes your deletion logic straightforward and your audit responses honest.
Your Encryption Is Broken — .NET Data Protection Done Right

Your Encryption Is Broken — .NET Data Protection Done Right

Every developer who has tried simple encryption with XOR and hardcoded keys eventually faces the audit that exposes their house of cards. I’ve watched production systems fail compliance assessments because someone believed base64 encoding was good enough or that compilation obscures secrets. The .NET Data Protection API exists precisely because Microsoft’s cryptography team spent years solving problems most developers don’t know they have. This isn’t about learning yet another library—it’s about understanding why professional implementations outperform clever hacks, and how Azure Key Vault integration transforms theoretical security into auditable compliance.
Your appsettings.json Is a Compliance Violation

Your appsettings.json Is a Compliance Violation

Hardcoded secrets aren’t just bad practice—they’re ISO 27017 violations with real consequences: failed audits, denied insurance claims, contractual penalties. That connection string in your appsettings.Production.json? It represents a compliance gap your organization probably doesn’t even know exists. Azure Key Vault with Managed Identity isn’t an optional security enhancement—it’s the minimum viable implementation of standards you already claim to follow.
Audit Logging That Survives Your Next Security Incident

Audit Logging That Survives Your Next Security Incident

Your audit logs probably won’t survive a real security incident. Most implementations log too much, protect too little, and provide zero value when something breaks at 2 AM. Here’s how to fix that with structured logging that actually works.