iamyi.net
iamyi.net is my personal profile site and a collection of my writings about security.
The content here is primarily focused on application security, cloud security, GenAI and ML security, security architecture, and related research notes.
Latest writing
Updated at June 1, 2026, 4:46 PM
| Writing | Keywords | Summary |
|---|---|---|
| Review OAuth 2.0 Implementation | security code review, oauth 2.0, authorization code, pkce, redirect uri, state parameter | How to review OAuth 2.0 client and server code for authorization code with PKCE, redirect URI binding, state, client authentication, and token storage. |
| Review OpenID Connect Implementation | security code review, openid connect, oidc, id token, nonce, userinfo | How to review OpenID Connect code for id_token validation, nonce, issuer, audience, and userinfo endpoint usage. |
| Review JWT Implementation | security code review, jwt implementation, rs256, jwks, refresh token rotation | How to review secure JWT issuance and validation—RS256 signing, JWKS publication, key rotation, and refresh token rotation beyond basic parse flaws. |
| Review SAML Federation | security code review, saml, assertion signature, acs url, replay attack, metadata trust | How to review SAML federation code for assertion signature validation, ACS URL binding, replay prevention, and metadata trust. |
| Review TLS and SSL Protocol Configuration | security code review, TLS, TLS 1.2, TLS 1.3, cipher suites, certificate verification, hostname validation | How to review TLS client and server configuration—protocol versions, cipher suites, certificate chain validation, and hostname checks without legacy SSL. |
| Review mTLS and Service Identity | security code review, mutual TLS, mTLS, client certificates, service mesh, workload identity | How to review mutual TLS and service identity—client certificate validation, SPIFFE-style workload IDs, and mesh-sidecar trust boundaries. |
| Review API Keys and Request Signing | security code review, API keys, HMAC, request signing, key rotation, API authorization | How to review API key and HMAC request-signing implementations—scope, storage, rotation, replay resistance, and constant-time verification. |
| Review Snowflake Security Configuration | security code review, Snowflake, network policy, RBAC, row access policy, data sharing | How to review Snowflake account configuration—network policies, RBAC grants, row access policies, secrets, MFA, and data sharing—for least privilege and auditability. |
| Review Databricks Clean Room Configuration | security code review, Databricks, clean room, data collaboration, output restrictions, participant isolation | How to review Databricks clean room rules, output restrictions, audit settings, and participant isolation so collaborative analytics does not leak raw data. |
| Review AWS IAM and Secrets Configuration | security code review, AWS IAM, Secrets Manager, least privilege, long-lived credentials | How to review AWS IAM policies, Secrets Manager usage, and application credential patterns for least privilege and no long-lived keys in code. |
Browse by section
| Section | What you will find |
|---|---|
| Whoami | Short profile and how to interpret this site. |
| Topics → GenAI & ML security | Longer, theme-led notes (starting with framing secure GenAI/ML). |
| Security musings | Essays and notes on security engineering practice and role. |
| Incidents & trends | Timely analysis of reports, breaches, and technical shifts. |
License
Unless otherwise noted, the original writing in this repository is licensed under the Creative Commons Attribution 4.0 International License (CC BY 4.0).
See https://creativecommons.org/licenses/by/4.0/ for the license terms.