About Thomas (classic)

CV – Thomas Springer
Penetration Tester / Analyst / Consultancy
Owner & Managing Partner at Restle & Springer GmbH

Birthday: 04/23/1969
Nationality: German
Address: Jahnstr. 3, 87757 Kirchheim i.Schw., Bavaria, Germany
Mail: thomas.springer@restle-und-springer.de
Phone: +49 151 5262 5518

Professional Experience
Since 2021:
Security Analyst at an international stock exchange, including
o Management of regulatory and CERT-driven penetration tests
o Creation and implementation of pentest procedures, including processes, policies and procedures, tool-based management and audit-safe documentation

2016 – 2020: Security Analyst for an international high street bank, including
o Management of regulatory and CERT-driven penetration tests
o Management of remediation of long-term open findings & root cause analysis
o Consultancy & workshops for developers, architects and management
o Diverse internal projects, e.g. security testing of mobile apps, inventory and remediation of widespread vulnerabilities, central findings management & remediation driver using Splunk, Tanium and own scripts

2014-2016: System Engineer WiFi, Security, Testing & 3rd-Level, Kraftcom GmbH
WiFi solutions for the hospitality industry
Consulting / architecture for rewriting the central gateway software
Management of complex WiFi systems in more than 200 locations with >10,000 active WiFi access points
Third-level support, on-site & off-site
Security testing of company-built systems, software and devices (WiFi, Smart-TV, firewalls, DSL, PowerLine)
Set up test environment and test plan for company-built software
Set up ISO 9000 QM system from scratch up to the certification audit

2013-2014: Senior Engineer SmartHome, SmartMetering & Industrial IT-Security, TÜV SÜD
Driving business development & technical sales worldwide
ISO VDE 4105, ISO 62433 & ISO 61850 accreditation & testing
Pentesting of industrial hardware (gateways, controllers, smart meters) and systems
Pentesting of several home automation systems (RF, WiFi, LAN – controllers and gateways)

2007-2012: Senior Specialist and technical coordinator IT-Security, TÜV SÜD MS
Managing >500 penetration tests per year (team lead, QA)
Sales & technical sales
Expert witness & auditor (on-site/off-site) for the data protection authority (Bavaria) and nuclear authorities (Baden-Württemberg)
Pentesting of active medical devices, mapping “conventional” requirements to connected devices

2001-2007: Specialist data protection and IT-Security, TÜV SÜD ICS
Supporting the build-up of the company's worldwide IT security organization (>80 countries, >2000 locations)
Penetration testing (internal/external customers)
Supported the TÜV SÜD certification program “Safer-Shopping” by creating requirements for network and application security as well as requirements for the security organization for on-site audits
Technical audit support for ISO 27k auditing
Authored and implemented an intelligent pentest management framework for internal use, handling more than 500 penetration tests per year
Sales & technical sales
Expert witness & auditor (on-site/off-site) for the data protection authority (Bavaria) and nuclear authorities
Company-internal security & forensics consulting (3rd level)

1997-2001: Online editor, producer and webmaster, PC-WELT and others
Set up websites (Apache/PHP/MySQL) “from scratch”
Programming and operating complex state-of-the-art web applications (“GameStar Clan League”)
Linux & Solaris administration
Database architect for web applications
Performance tuning for high-profile websites
Developed and set up a content management system for websites (Java, PHP, VB & VBA)

1995-1997: Editor, PC-WELT Germany
“Praxis” section, security/virus section, low-level Windows coding & research

1993/94: Freelance author, “64er Magazin”, first book publications
1992-1995: Markt und Technik, support and customer service for software and books
Second-level support for C64, Amiga, Atari ST and some Microsoft DOS products (Word etc.) that were distributed by Markt & Technik at that time

1989-1992: Apprenticeship: Chemical Worker, City of Munich, Public Services Power Plants

1989: Fachabitur, Landwirtschaftliche Lehranstalten Schönbrunn (Landshut)

IT-Knowledge – Thomas Springer

Administration and Programming
Unix, Windows, databases
In-depth knowledge of common network technology (TCP/IP, firewalls, servers, web servers)
Broad knowledge of best practices in most IT areas, with more than 10 years of experience as auditor and expert witness
Broad and practical on-site knowledge of power-industry topics, ranging from electrics to power generation (nuclear/conventional/renewables)
Working knowledge of embedded systems and IoT (RF protocols, hardware, Unix-based)

Operating Systems
More than 10 years of experience as (lead) penetration tester, consultant and expert witness, with projects ranging from a few days to years.

Certifications/Education
Data Protection Officer (2001)
CISSP-Exam (2004)
ISO 27k Lead Auditor (2009)

Work Experience
Professional team lead (2 fellow employees, up to 8 external headcount), coordination and quality assurance of more than 300 penetration tests per year (Germany / EU)
Development and maintenance of a project-management and reporting framework for penetration tests
Technical sales for own projects, both single-handedly and teamed with sales personnel
Project handling and lead of smaller projects (<€100,000), secondary lead and handling of long-term contracts (volumes <€1,000,000)
Consulting, certification and expert witness for a broad range of companies and government authorities in the fields of IT security and data protection for websites, SCADA systems, medical systems and the power industry (Germany, Italy)
Pentesting, test handling & compliance in a large-scale banking environment (Germany)

Languages
German: Mother tongue
English: Proficient and business fluent
Basic knowledge in French, Spanish and Italian

Windows
Professional experience with all versions; clients since Windows 2.1, Windows Server since Windows NT 3.1

Linux
Professional experience with SuSE and Debian Linux in the server field
Working knowledge of common embedded systems (QNX, Android, Linux)

Networks
In-depth knowledge of TCP/IP (IPv4, IPv6)
Broad experience in Unix and Windows networking
Working knowledge of other technologies such as WLAN, Token Ring etc.

Programming
Working knowledge of Perl, PHP, Python and Visual Basic
Basic knowledge and understanding of JavaScript, shell scripting, PowerShell, Java, Pascal, C and Assembler
Proficiency in HTML, XML, CSS etc.

Hardware
Working knowledge of common 386-based hardware
Working knowledge of embedded-systems hardware and software (home automation, industrial automation, smart metering, medical devices, automotive)
Basic experience with PKI and chip cards
Basics of common communication protocols (CAN, FieldBus, ZigBee, Bluetooth, NFC etc.)

Internet
Design, operation and auditing of firewalls (iptables, Check Point, SonicWall, genua)
Working knowledge of the most common internet protocols
Experience in design, operation and auditing of complex and high-volume websites covering the most common server technologies and frameworks

Databases
Working knowledge of common systems (MySQL, MS-SQL-Server, PostgreSQL etc.)

IT-Security and Data-Protection
Knowledge of common security tools; >15 years of hands-on experience in penetration testing in projects ranging from days to years
Familiar with Kali Linux, Burp Suite (licensed user), Nessus, Nmap, Metasploit, Maltego, Nikto, Wireshark and other security tools
Knowledge of and experience with the most relevant standards (BSI Grundschutz, ISO 2700x, PCI-DSS, OWASP Top 10, OSSTMM etc.)
More than 10 years of experience as expert witness in the field of IT systems as well as control and communication systems in nuclear power plants
Experience in black-box pentesting of embedded hardware

Standards
Familiar with BSI Baseline Protection, the Smart Meter Protection Profile and its underlying Technical Guidelines, the BDEW Whitepaper, common ISO standards (2700x, 61850, 62443 etc.) as well as UL 2900 & IEC/TR 80001

Editorial knowledge, Marketing and Social Media
Many years of training and experience as an editor (print and online) for magazines and books
Thorough understanding of print and online media and common social networks