IT Consultant, Architect, Full Stack, DevOps

Brief description: Subproject management for modernizing the identity and access management of an online banking application. The focus was on migrating a tenant from an existing SAML-based integration (Shibboleth) to an SSO approach based on the existing Keycloak IAM architecture, preserving existing tenant extensions (central user management, TAN flow generators), and limiting additional complexity in the core domain.

Responsibilities and activities:

Analyzing the existing SAML integration of the Spring Boot application via Shibboleth, including authentication and session flows and interfaces to the online banking solution.

Reviewing the existing Keycloak IAM architecture, including customer-specific extensions (central user management, cross-tenant TAN flow generators, session management).

Designing a new Keycloak extension as a custom authenticator (proxy pattern) that forwards authentication requests to the existing online banking solution in a controlled way, aiming to reduce coupling, limit extra complexity, and keep the core domain encapsulation intact.

Technical and functional management of the development team (prioritization, architectural decisions, quality assurance, dependencies/impediments).

Regular reporting to the steering committee, including status, risks, decision requirements, and migration progress.

Achievements:

Defined a migration-ready target architecture for SSO that protects the existing online banking core domain (proxy authenticator instead of deep application logic changes).

Supported consolidation and reuse in the IAM landscape by considering and compatibly extending existing Keycloak extensions and tenant mechanisms.

Improved program control and decision-making through structured stakeholder and steering committee reporting.

Technologies used:

Java.

Spring Boot.

Spring Security.

React.

Keycloak (incl. extensions, session management).

Shibboleth.

SAML (legacy integration / migration).

Infrastructure and concepts used:

Tomcat.

Nginx.

Methods used:

Scrum.

Identity & Access Management (IAM).

DevOps.

Standards & patterns: OAuth 2.0 / OpenID Connect (typical for SSO with Keycloak), token and session hardening, back-channel logout.

Security engineering: threat modeling, security by design, audit logging/tracing for auth flows, OWASP ASVS-relevant controls.

Brief description: Architecture and performance consulting for internal Group IT customers in the context of provided private cloud services based on OpenStack. Focus areas were building an IaaS service offering for running a customer-facing software in the cloud, diagnosing and resolving storage/disk I/O performance issues in virtualized OpenStack environments, and enabling operational capability of proprietary legacy appliances in OpenStack through targeted hypervisor/image configuration.

Responsibilities and activities:

Advising a business unit on building an IaaS service offering based on OpenStack to enable customers to run the Medistar software in the cloud (service/architecture design, operational and platform requirements, technical guardrails).

Identifying disk I/O jitter in virtualized guest operating systems of an OpenStack cluster; creating structured analysis and benchmark reports based on fio, diskspd, and Phoronix.

Working closely with the infrastructure/platform team on root cause analysis and remediation (hypothesis formation, measurement concept, re-tests, result validation).

Investigating the impact of I/O jitter on database workloads (e.g., Oracle, PostgreSQL), including analysis of Oracle-specific I/O mechanisms and calibration procedures.

Supporting the deployment of proprietary Linux-based legacy firewalls in OpenStack by adjusting the VM boot environment and the libvirt/SCSI layer using image properties/metadata (KVM/libvirt configuration parameters).

Using IaC approaches for repeatable provisioning/parameterization (Terraform) in the context of private cloud services.

Achievements:

Provided performance transparency and decision-making basis by reproducibly detecting, quantifying, and documenting I/O jitter in actionable benchmark reports.

Improved operational capability of mission-critical workloads in the private cloud (database workloads and legacy appliances) by analyzing technical causes and implementing targeted configuration measures.

Enabled a business unit to build a market-ready IaaS service offering on OpenStack through hands-on architecture and platform consulting.

Technologies used:

Terraform.

Ansible.

fio, diskspd, Phoronix, iostat, vmstat, sar (benchmarking/performance analysis).

PowerShell.

Infrastructure and concepts used:

OpenStack: Nova, Cinder, Neutron, Glance, Heat.

KVM hypervisor.

libvirt (SCSI/storage stack).

Cloudbase-Init (Windows Cloud-Init).

Operating systems: Linux, Windows.

Databases: Oracle, PostgreSQL.

Storage: Pure Storage.

Methods used:

Cloud shared responsibility model.

Performance/benchmark-driven troubleshooting (measurement concept, reproducibility, validation).

Storage/VM tuning: Virtio-SCSI, I/O threading, queue depth tuning, NUMA/CPU pinning.

Brief Description: Led full-stack development and software architecture for EjectX, an AI-powered inspection system for detecting safety-relevant product deviations in the pharmaceutical domain. Focused on modernizing and stabilizing the tech stack, interfaces to data science pipelines, introducing an API gateway and standardizing security/IAM, as well as automating AWS deployments and setting up observability in Kubernetes.

Tasks and Responsibilities:

Technical and functional leadership of a development team (4 FTE) including architecture decisions, prioritization, and quality assurance.

Analysis of existing inspection systems, considering interfaces and integration constraints (system/interface assessment).

Reducing technical debt and migrating outdated framework versions to improve maintainability, security, and delivery capability.

Developing and stabilizing interfaces to data science pipelines (integrating ML/AI components into the product platform).

Backend and frontend development based on defined user stories using Definition of Ready/Definition of Done criteria.

Introducing and enforcing coding guidelines with a focus on clean code (consistency, testability, review standards).

Implementing an API gateway based on OpenResty/OpenNginx, including integration with Keycloak via OpenID Connect for centralized authentication/authorization.

Replacing manual infrastructure provisioning in AWS with automated application deployment using GitHub Actions, Terraform, and Ansible (infrastructure/deployment automation).

Setting up a monitoring/observability stack with Prometheus/Grafana, deployed in a Kubernetes cluster, including an operational baseline for operations and troubleshooting.

Achievements:

Increased delivery and operational readiness of the system by reducing technical debt and performing framework migrations (reduced maintenance risk, modernized foundation).

Unified security and access concepts by introducing a central API gateway with OIDC integration to Keycloak (consistent AuthN/AuthZ layer).

Established repeatable deployments and improved scalability through IaC and CI/CD automation (Terraform/Ansible + GitHub Actions) and a Kubernetes-based operating platform.

Improved operational transparency by adopting Prometheus/Grafana as the monitoring standard in the cluster.

Technologies Used:

JavaScript, TypeScript.

Node.js, AdonisJS.

Vue.js.

Cypress (E2E/frontend testing).

Python, TensorFlow (data science/ML integration).

Nginx, OpenResty (API gateway).

Terraform.

Infrastructure & Concepts:

AWS.

Docker.

Kubernetes.

Ansible.

GitHub Actions (CI/CD).

IAM / Identity: Keycloak, OpenID Connect (OpenIDC).

Observability: Prometheus, Grafana.

Methods:

Scrum.

Clean Code (coding guidelines, reviews, quality standards).

Architecture and engineering practices: domain-driven interface separation (e.g., bounded contexts), API design (REST/async), ADRs (architecture decision records).

Kubernetes ops: Helm/Kustomize, ingress standards, resource limits/requests, horizontal pod autoscaling.

Brief Description: Leadership role in engineering and consulting with power of attorney, responsible for building, scaling, and managing a software delivery organization. Main focus was building seven full-stack teams (about 60 developers and business analysts), executing several parallel client initiatives (public sector, healthcare, automotive), establishing DevOps/IaC, taking on security responsibility, and launching a tech-business incubator with spin-offs.

Tasks and Responsibilities:

Built and scaled seven full-stack delivery teams (about 60 staff) including recruiting, team composition, delivery structures, coaching/mentoring, and architecture and technology governance.

Acted as lead software/devops architect and developer in critical projects; enabled teams through standards, reviews, best practices, and technical coaching.

Served as security officer: built a full-stack team for a federal authority (14 staff-years) under security clearance rules (SÜG §10) and relevant regulations (BVerfSchG §3 para. 2).

Established a machine-learning team for healthcare clients (10 staff-years) focusing on object detection, pose estimation, and natural language processing; managed functionally and organizationally.

Set up a tech business incubator unit including concept, team building, delivery, and successful spin-off/capitalization of two startups in healthcare (AI-driven real-time analysis of surgical procedures, ubiquitous patient monitoring).

Built a DevOps team (10 staff-years) and evangelized/introduced Infrastructure as Code (standardization, automation, faster delivery).

Created an infrastructure team (2 staff-years) for on-prem/hybrid platform topics (VMware ESX, Proxmox, Unifi, Active Directory, Keycloak) including operations and integration aspects.

Led end-to-end implementation of an ERP system (Odoo) at an automotive client (10 staff-years) including organizational and process consulting, integration, and delivery management.

Migrated a legacy insurance policy management software (30 staff-years) including program control, modernization focus, and transition/parallel operation aspects.

Achievements:

Built a scalable delivery organization (7 teams, ~60 FTE) enabling parallel, multi-domain client programs.

Established DevOps and IaC capabilities in delivery (higher repeatability, lower operational/deployment risks).

Operationalized innovation/business building: created an incubator unit and supported two spin-offs through to capitalization.

Strengthened public sector capability by building a team under high security requirements including formal security clearances.

Technologies Used:

Java, Spring Boot.

Python.

Node.js.

ECMAScript/TypeScript, HTML5, CSS, Sass/Less.

Angular.

TensorFlow, YOLO (ML/CV).

Maven, Gradle.

Terraform, Vagrant.

OpenID (including OIDC context), OpenAPI.

Infrastructure & Concepts:

Jira, Confluence.

GitLab, Bitbucket.

CI/CD & Platform: Jenkins, OpenShift, Kubernetes, Docker, Rancher.

Cloud/Compute: AWS EC2.

IAM: Keycloak, Active Directory.

Data/Storage: InfluxDB, MongoDB, PostgreSQL.

Computer Vision: OpenCV.

Interfaces: REST.

Methods:

Scrum.

Engineering leadership: OKR/goal systems, capability/skill matrix, communities of practice, architecture governance through architecture review boards.

Delivery excellence: SDLC standards, Definition of Ready/Done, quality gates, testing strategies (E2E/contract/performance).

Security & compliance: secure SDLC, threat modeling, IAM hardening, audit/logging standards (especially public sector).

DevOps practices: GitOps, IaC module standards, platform self-service, observability standards (metrics/logs/traces).

Brief Description: VP Operations at a startup developing a digital interface for a tactical COFDM modem with a very small ROM footprint (max. 50 KB). Responsible for business and financing activities (business plan, investor acquisition, funding rounds) as well as prototypical hardware and signal path design (ADC cascade, dynamic range/noise optimization), field test tooling (GPS-based measurement), and full-stack development of a web interface including bare-metal embedded backend (minimal IP/TCP stack and web server without RTOS on SmartFusion2/ARM Cortex).

Tasks and Responsibilities:

Created the business plan including defining product/market assumptions, cost/financial planning, and investor pitch.

Secured investor capital and coordinated funding rounds (pipeline, documentation, stakeholder management).

Prototyped the receiver unit and ADC cascade including optimizing dynamic range and noise thresholds (signal quality, robustness in field conditions).

Developed a GPS-based measurement tool for capturing transmit/receive values in pilot frequencies; conducted and supported field tests with pilot customers and processed measurement results.

Full-stack development of a web interface under strict resource constraints (ROM footprint) with frontend (jQuery/HTML/CSS/SASS; occasional Vue.js/Angular) and backend as a minimal TCP/IP stack plus web server.

Implemented key embedded components bare metal without RTOS on SmartFusion2 (ARM Cortex IP core) to maximize control over resource usage and deterministic runtime behavior.

Technically coordinated measurement and test setups (e.g., spectrum/network analyzer) to validate RF and reception characteristics.

Achievements:

Realized a prototype end-to-end solution (embedded backend + web UI + field test tools) enabling development, demonstration, and pilot testing with customers.

Enabled operation under extreme resource constraints (ROM footprint optimization) through minimalistic protocol/web server implementation and a strictly lean UI architecture.

Improved measurement and field test capability with a GPS-based measurement tool and structured data collection in pilot frequencies.

Professionalized funding preparation and investor interactions with a business plan and coordinated funding rounds.

Technologies Used:

C (embedded, bare metal).

JavaScript.

HTML5, CSS3, SASS.

jQuery.

Vue.js, AngularJS/Angular (2).

Infrastructure & Concepts:

SmartFusion2 (SoC/FPGA environment), ARM Cortex (IP core).

Jira.

Leaflet (maps/GPS visualization in measurement tool).

RF/test equipment: R&S spectrum analyzer, network analyzer.

Receiver circuit design & noise optimization (hardware/RF design activities).

ADC dynamic range optimization (signal path optimization).

Methods:

Scrum.

Embedded engineering practices: linker script/memory layout optimization, static analysis, unit tests on target, deterministic timing analysis.

Networking/protocols: lwIP-like minimal stacks, HTTP/1.1 minimal profiles, secure update mechanisms (bootloader/OTA).

RF/field testing: standardized measurement protocols, automated report generation, heatmaps/geo-fencing for coverage analysis.

Short Description: Founded and built Panaccess as a conditional access platform for digital video services. Scope included strategic business development and global partnerships, building sales channels in LATAM and EMEA, seed financing (EUR 2 million), and project management in developing safety-critical hardware and embedded components (FPGA/embedded) for PCMCIA-based conditional access modules (CAM) in integrated receiver decoder (IRD) and multiplex/modulator infrastructure (QAM/QPSK) environments.

Tasks and Activities:

Strategic business development with building global partnerships with established industry providers (partner strategy, go-to-market, contract and cooperation initiation).

Building and scaling sales channels in LATAM and EMEA (channel strategy, pipeline development, partner enablement).

Raising investor capital and conducting EUR 2 million seed financing (investor relations, fundraising process, capitalization coordination).

Project management in the development of security hardware based on FPGA and embedded systems for PCMCIA-based conditional access modules (CAM).

Managing development and integration in the context of IRDs (integrated receiver decoders) and multiplex/modulator systems for QAM and QPSK (interfaces, system testing, integration in headend environments).

Implementing/coordinating technical components around DVB-specific signal and metadata processing (e.g., multiplexing/remultiplexing) and scrambling and decryption chains.

Achievements:

Secured EUR 2 million in seed financing, enabling startup growth and product development.

Supported international market entry by building sales channels in LATAM and EMEA and forging strategic industry partnerships.

Established technical product readiness in safety-critical broadcast environments through developing and integrating FPGA/embedded security hardware for CAM, IRD, and headend ecosystems.

Technologies used:

C / C++ (embedded/systems).

Perl (scripting/tooling).

HTML5, CSS3.

JavaScript, jQuery.

PHP5.

DVB multiplex, NIT remultiplex.

Common Scrambling Algorithm (CSA2, CSA3).

FPGA.

Infrastructure and concepts used:

Jenkins (build/automation).

PostgreSQL.

Methods used:

Scrum.

Secure engineering: key management and KMS concepts, secure boot and hardware root of trust, penetration testing in embedded contexts.

Broadcast/headend: DVB-C, S, and S2 environments, CAS/DRM processes, monitoring entitlement, ECM, and EMM flows.

Product and go-to-market: channel partner programs, pricing and packaging for B2B platforms, partner certification and enablement.