Lead Expert for Quantum Technologies
At TÜVIT, you are driving forward the topic of IT security in the quantum age. How can we imagine this in concrete terms? What exactly are you working on?
I'm working on the transition from traditional security methods to those that are suitable for the post-quantum era. My role involves evaluating and researching solutions that will provide security in the long term. This includes new algorithms running on classical computers as well as entirely new methods based on quantum technologies. I am involved in establishing new standards, developing new test procedures and acting as a central point of contact for these topics.
How did your interest in this area develop? What do you think makes the topic of quantum technologies so exciting?
I was already intensively involved with post-quantum cryptography during my studies. My interest in technology and security has been a constant companion throughout my academic career. Now I find it extremely exciting to be able to play an active role in shaping the future of IT security. I am particularly fascinated by quantum-based technologies and their far-reaching impact, not only on IT security.
Lead Expert for Artificial Intelligence
You say about yourself that you are the “spoilsport in the whole AI issue”. Can you explain that? What exactly are you working on?
Basically, we're not so much interested in how well artificial intelligence works, but rather how poorly or where the weak points of AI systems lie. In other words, we ultimately try to identify precisely these weak points in our daily work. The aim is to “stress” the AI systems to such an extent that they perform incorrect classifications.
So I am a “spoilsport” in the sense that I look at AI systems as a strict tester and am therefore primarily concerned with what can actually go wrong and with what probability. In the best case scenario, weak points are uncovered during development so that they can be eliminated at an early stage.
What potential does artificial intelligence have in your view?
AI ultimately has an impact on many different areas, in other words on every aspect of modern life. One of the reasons for this is that it is developing rapidly. This means that the development steps are becoming ever shorter and the effects ever bigger.
A few years ago, many people would probably not have imagined that academic professions in particular would be the first to be affected by AI. However, the technology is already having an impact on medicine and software development, for example. And these are just two cases of areas where everyone thought for a long time that humans were irreplaceable.
The other side of the coin, however, is that the risks also rise with the increasing spread and automation. The two are therefore directly linked.
Lead Expert for Management Systems
You are driving the topic of management systems at TÜVIT. What does that mean? What does your work look like in concrete terms?
First of all, the term management system refers to a strategic instrument for corporate management and the achievement of corporate goals. It involves systematically mapping and organizing complex structures and processes in order to ensure that processes run as smoothly as possible, meet existing requirements and initiate continuous improvement. A management system is therefore a kind of toolbox that provides employees with tools and methods to achieve goals and use resources more effectively.
In my role as a technical expert for management systems, particularly for information security and data protection, I take on various tasks. On the one hand, I represent TÜVIT in its public image. This means, for example, that I travel to trade fairs or give presentations on the latest developments in my field.
Within the company, I am also the first point of contact for all questions relating to management systems. In this context, I also run internal training courses on changes and challenges, for example, or support colleagues with regard to product development. My activities also include publishing specialist articles and creating links to other subject areas.
What did your path to becoming a technical expert look like?
In my early days at TÜVIT, I was initially involved in a large number of national and international projects as a technical data protection auditor and assessor. Due to the increasingly close links in the projects on the subject of management systems and the daily work in our interdisciplinary projects, the opportunity arose to further advance this area as a lead expert.
Lead Expert for Source Code Analysis
You are a lead expert for source code analysis. What exactly does that mean?
For us in the Software Evaluation (SWE) product group, source code is the start and end point of all security analyses. It is the blueprint from which - at least in theory - all the properties of the product can be read. However, this is also what makes source code analysis so challenging: it is just as difficult to design a secure product as it is to examine the blueprint of the product, i.e. the source code, for security vulnerabilities. This can be seen from the fact that, even years later, new security vulnerabilities are still being found in old open source packages, known as CVEs, which are published in security advisories.
My role as a lead expert is twofold: On the one hand, I support employees in being able to find security vulnerabilities specifically in the source code, e.g. through training in source code review, or through tools that can reliably replace manual work. On the other hand, I help to document the source code in the first place so that our customers and employees can understand the processes in the product.
The buzzword is security-by-design. Are the processes in the product designed in such a way that problems cannot arise in the first place, i.e. is it a product that already has security built in? Or does the user have to be extremely careful not to make any mistakes during operation so as not to be robbed or spied on? You can actually read this from the source code, even if it is difficult.
How did your interest in source code analysis develop? What excites you about it?
I was actually already an expert in source code review as a teenager, even though I didn't know the word back then. I studied documentation and the source code of my home computers and wondered what could go wrong.
Later, I worked as a “full-stack developer” alongside my studies and immediately afterwards, without ever losing the fun of analysis. As an evaluator at TÜVIT, I analyzed a lot of source code right from the start and now continue to do so seamlessly as a lead expert.