Together with a large team of highly technical engineers and talented colleagues in product and design, I’m building CodeQL, the analysis engine that powers GitHub code scanning. As part of GitHub Advanced Security, code scanning helps thousands of open-source developers, contributors, and enterprises catch security vulnerabilities before they reach production deployments. I joined GitHub in 2021 from SolarWinds, where I previously navigated tech strategy, technical business development and ultimately the hardening of our release security strategy after The Breach as Technical Program Manager. I also have experience in engineering management, startup founding (and consulting for founders), and public engagements around IT security (speaking, TV, Radio, policy consulting). I am based in Berlin.

Follow me on LinkedIn for more updates.

GitHub (2021 - current)

If you want to know more about code scanning, please let Past Me explain. Here I demonstrate CodeQL usage via our then-beta (now GA!) support for Ruby:

Since then our team has delivered massive improvements to CodeQL, including near-complete coverage of all common security issues categorized by SANS, OWASP, and others, beta support for Kotlin, performance improvements and much more. Code scanning is free for open-source and security researchers, so go set it up on your repos and receive actionable security alerts right on your pull requests!

You can find me on GitHub at github.com/turbo.

SolarWinds / Protected Networks (2017 - 2021)

In 2017, I joined Protected Networks, a rising star in the Berlin startup scene. PN’s success story was built on their main product 8MAN, an access rights management solution for Active Directory networks. At PN, I led the newly founded engineering team for cloud-connected functionality (mostly Azure Active Directory). During my time, I also helped document and shape the future tech strategy for PN’s product portfolio, especially during EU research grant negotiations and the M&A process that was ramping up at the time. Shortly after, SolarWinds (NYSE:SWI) acquired PN and it’s Berlin employees, integrating 8MAN into their 70+ product portfolio as Access Rights Manager. I moved to SWI’s Tech Strategy team and spent the next few years iterating on internal and external special projects, including everything from employee engagement platforms to Kubernetes security management.

Later, I moved to the release management team as Technical Program Manager. Here I helped establish better systems for tracking and securing the supply chain of releases for the majority of our products, mostly in response to the SWI security breach. As you can imagine, this posed interesting challenges and eventually motivated a massive industry movement to reinforce the importance of supply chain security. Fun trivia: part of the adversaries encountered in this incident were already being tracked as high-profile APTs by the industry protection arm of the German state and federal agencies in charge of responding to cyber (shudders) threats. The cover image of this page is me presenting to (among others) a representative of this office, outlining risks of insure network connected systems. Small world.

Prior Work (2014-2017)

Prior to PN, I worked as a founder and consultant in the the German IT security startup scene, which included public speaking at industry and government events, writing and interviews in various media from Radio to TV.

  • SPIEGEL: Collaboration with the German newspaper on uncovering nearly 200,000 unsecured file servers and analyzing the potential impact of the leaks, affecting large companies such as BMW. I later repeated this experiment and published the results as openftp4
  • MDR: The German public broadcaster did a profiled me here
  • ENIGMA / MDR: An industry-meets-the-hackers conference organized in collaboration with an event management company. I demo’d a rootkit for Windows 10 that allowed me to extract a user’s password at boot time and send it to the TV presenter’s phone.
  • Other events / interviews include: guest writing for IDG’s ComputerWeek, presenting at IDG’s Channel Partner Chances conference, performing live hacks for the state of Saxony-Anhalt at IT conference CeBit, analyzing the IT threat landscape at Saxony-Anhalt’s Foreign Trade conference, and others…
  • Also seen in or highlighted by: SPIEGEL ONLINE, PCGH, PC Magazin, WinFuture, DerStandard, future zone, Almakos, MDR, CSO Online, Security Intelligence, ChannelPartner, Volksstimme, Cost Logis, BR Netzwelt, TopTarif, Avira, Softpedia, DeFrag This, Bleeping Computer, SecurityLab.ru