iamyi.net
iamyi.net is my personal profile site and a collection of my personal writings about security.
The content here is primarily focused on application security, cloud security, GenAI and ML security, security architecture, and related research notes.
Latest writing
Updated at May 3, 2026, 2:03 AM
| Writing | Keywords | Summary |
|---|---|---|
| Build security code review confidence: from uncertain to certain | code review, threat modeling, STRIDE, MITRE ATT&CK, risk, security domains | Security code review as a structured path from ambiguity to defensible confidence—intent, decomposition, threat modeling, validation, critical controls, dependencies, and logging tradeoffs. |
| From mental model to security model | mental model, architecture review, threat modeling, STRIDE, security engineering | How a security engineer’s work rests on two layers: an architecture model (how the system works) and a security model (how it can fail)—and how to move from understanding to adversarial analysis. |
| How-to: End-to-end ML model and GenAI application security | ML security, GenAI, MLSecOps, lifecycle, checklist, threat modeling | How ML/AI AppSec overlaps with traditional AppSec, what is different, lifecycle security anchors, and a phase-by-phase developer checklist from intent through maintenance. |
| Research: China PIPL and U.S. PADFAA / DOJ DSP compliance | PIPL, China, PADFAA, DOJ DSP, data privacy, compliance, vendor due diligence, PIPIA | Working notes comparing China’s PIPL with the U.S. Protecting Americans’ Data from Foreign Adversaries Act (PADFAA) and DOJ Data Security Program (DSP)—obligations, vendor checklist, and Legal / Security / Engineering roles. |
| Security as coding intelligence | AI development, security engineering, organization design, code generation | How AI shifts development toward system design, and why security must become embedded rules, parallel intelligence, and intentional friction—not downstream review. |
| Study note — Prompt engineering (PE4LLM) | prompt engineering, LLM, study notes, context engineering | Personal notes from Prompt Engineering for LLMs—what PE is, layers of sophistication, and why LLMs complete text rather than reason like humans. |
| Template — Security architecture review document | security architecture review, template, checklist, threat modeling, CIA, application security, risk analysis | Reusable outline for application context, risk, architecture, controls, and references in a security architecture review. |
| Threat Modeling Case Study: Car Firmware Update via USB Stick | threat modeling, automotive, firmware, USB | Interview-style case study on car firmware updates over USB—structured threats and mitigations beyond "sign and encrypt." |
| Understanding threats, vulnerabilities, and risk | threat modeling, vulnerability, risk, definitions, security fundamentals | How threat, vulnerability, and risk differ in practice—industry language vs a consistent mental model, with examples and a compact comparison table. |
| 10. Appendix — additional resources | GenAI, MLSecOps, OWASP, reading list | Curated links and references consulted while building this minibook—threat modeling, OWASP cheat sheets, MLSecOps, tools, and further reading. |
Browse by section
| Section | What you will find |
|---|---|
| Whoami | Short profile and how to interpret this site. |
| Topics → GenAI & ML security | Longer, theme-led notes (starting with framing secure GenAI/ML). |
| Security musings | Essays and notes on security engineering practice and role. |
| Incidents & trends | Timely analysis of reports, breaches, and technical shifts. |
License
Unless otherwise noted, the original writing in this repository is licensed under the Creative Commons Attribution 4.0 International License (CC BY 4.0).
See https://creativecommons.org/licenses/by/4.0/ for the license terms.