Independent software consultant and contractor.

I have given presentations and led workshops at several conferences, including OWASP, XPDays Benelux and BCS Software Practice Advancement conference (SPA) on software architecture, security and performance engineering.

Here are some of my papers and presentations which may be of interest.

Agile development and security

Everyone claims to be agile these days, but how is that reconciled with meeting Non-Functional Requirements (NFRs)? Security is the non-functional requirement I am most interested in, which led me to present a position paper on Agile Security Requirements Engineering to the Symposium on Requirements Engineering for Information Security at the IEEE International Requirements Engineering Conference in 2005, in which I coin the term abuser stories, an interpolation between agile's user stories and McDermott & Fox's abuse cases. Running a workshop on this topic at SPA in 2006, I met Paul Dyson; our discussion on NFRs led to follow-up workshops at XP Days Benelux in 2006 and SPA in 2007. We also wrote a column on Cost-Effective Security for the May/June issue of IEEE Security & Privacy magazine. You may also be interested in Quality in Agile Software Development, a handout for a workshop I led with Nelis Boucké and Alexander Helleboogh at XP Days Benelux 2011 comparing techniques for tracking and planning NFRs.

Access control for REST services

Making sense of the standards and products used for protecting REST services is challenging. A video of me explaining current practices and pitfalls at SecAppDev 2017 is available on YouTube. There is plenty of discussion with the off-camera audience, particularly Jim Manico. I learned from this lecture that this topic needs to be discussed interactively and demoed, so at SPA 2017 I led a workshop on the same topic together with Michael Boeynaems.

TLS may not be perfect, but it is a very convenient way of protecting communication and should be used more widely. I have helped clients in consultancy engagements to do so and have advocated its correct use in a number of public fora, including OWASP conferences, SecAppDev courses and, most recently, SPA 2017 together with Nelis Boucké.