Blog posts en open-source projecten



  • Security software engineer

In 2021 maakte Arjen de overstap naar Tweede golf. Als expert op het gebied van security met een achtergrond in pentesting gaat hij zich met name focussen op IRMA en andere security gerelateerde projecten. Daarnaast wil Arjen zijn kennis verder verbreden door ervaring op te doen met o.a. Rust backends en JavaScript frontend frameworks.

Arjen is een echte problem solver. Hij loste de laatste jaren talloze ‘Hack The Box’ challenges op en de Dr. Denker kerstpuzzel van het Dagblad van het Noorden blijft nooit lang liggen.

Als hij niet achter zijn computer zit is Arjen graag aan het sporten (zwemmen, hardlopen, fietsen) of thuis aan het klussen.

Information Security MScPentestingSwimming

Blog posts

Toon alle
When conducting a penetration test (also known as a hack test) on a website, one of the first things that will catch my eye is the configured (or better, not-configured) security headers on the targeted website. Security headers are a defense-in-depth measure, in the form of response headers, that let the browser know what is allowed and what is not. Browsers will respect the rules defined by these headers and thereby protect visitors from client-side attacks and potentially leaking sensitive information.

When you enabled Google Analytics (GA) on your website maybe you thought "I don't really have another viable option". Or maybe you thought "the negative effect on my visitors isn't that bad, is it?" Both are relatable, but recently Data Protection Authorities have put GA under a microscope and concluded it actually is pretty bad. Some things in GA violate the GDPR. Apart from the question of whether it is legal or not, the fact that your visitors are tracked across the internet - we feel - is just awful. And, as it turns out, you do have options.

Sending documents over the internet can be a pain. Email providers generally support attachments with a maximum size between 10 and 50 MB, for larger files one would need to find another way. Most people would probably use one of the many public cloud or file sender solutions. But what if the files to be sent contain personal information, medical information or are private family photos? And how do you know that only the recipient can access and download these files?

Open-source projecten

Toon alle


TGuard is a web-based sending and decrypting service for irmaseal-encrypted messages that is currently in development at Tweede Golf.

TGuard utilizes IRMA to allow a user to encrypt messages client-side. These messages can be decrypted client-side once the receiver proves to be the owner of attributes the message was encrypted for, like an e-mail address, name, or an identifying number.


For ID Contact we researched the possibilities of digital identification: how can residents organize their personal government affairs in a simpler and more reliable way? By telephone, via chat or via a video call.

The ID Contact innovation pilot is a collaboration between the municipalities of Arnhem, Nijmegen and the Drechtsteden and knowledge partners such as the Tax Authorities and iHub (Radboud University).

Within the ID Contact team we developed the software that makes secure digital identification possible.