https://muhammadamal.my.id/tags/security/ Recent content in Security on Hi, I'm Muhammad Amal Hugo en-us Wed, 24 Sep 2025 09:00:00 +0700 https://muhammadamal.my.id/blog/supply-chain-security-ai-models-signing-and-sbom/ Wed, 24 Sep 2025 09:00:00 +0700 https://muhammadamal.my.id/blog/supply-chain-security-ai-models-signing-and-sbom/ How to sign models, produce SBOMs that mean something for ML, and verify everything at runtime without slowing your team down. https://muhammadamal.my.id/blog/content-moderation-for-llms-llama-guard-3-2/ Mon, 22 Sep 2025 09:00:00 +0700 https://muhammadamal.my.id/blog/content-moderation-for-llms-llama-guard-3-2/ How to deploy Llama Guard 3.2 for input and output moderation without crippling latency, with custom rules and real benchmarks. https://muhammadamal.my.id/blog/policy-as-code-opa-1-0-production-walkthrough/ Wed, 17 Sep 2025 09:00:00 +0700 https://muhammadamal.my.id/blog/policy-as-code-opa-1-0-production-walkthrough/ How to run OPA 1.0 in production without footguns, with real policies, bundle infrastructure, and the operational habits that keep it healthy. https://muhammadamal.my.id/blog/spiffe-spire-service-identity-hands-on-tutorial/ Mon, 15 Sep 2025 09:00:00 +0700 https://muhammadamal.my.id/blog/spiffe-spire-service-identity-hands-on-tutorial/ Install SPIRE 1.10, register workloads, and use SVIDs from real applications without faking your way through the docs. https://muhammadamal.my.id/blog/securing-rag-against-data-exfiltration-2025/ Wed, 10 Sep 2025 09:00:00 +0700 https://muhammadamal.my.id/blog/securing-rag-against-data-exfiltration-2025/ Practical controls that stop the most common RAG exfiltration vectors without breaking retrieval quality. https://muhammadamal.my.id/blog/devsecops-ai-ml-pipelines-comprehensive-tutorial/ Mon, 08 Sep 2025 09:00:00 +0700 https://muhammadamal.my.id/blog/devsecops-ai-ml-pipelines-comprehensive-tutorial/ How to wire real security gates into ML pipelines without grinding training to a halt, with code and policies that actually work. https://muhammadamal.my.id/blog/zero-trust-architectures-ai-services-step-by-step-setup/ Wed, 03 Sep 2025 09:00:00 +0700 https://muhammadamal.my.id/blog/zero-trust-architectures-ai-services-step-by-step-setup/ How to build a real Zero Trust setup around your model-serving stack without drowning in vendor jargon. https://muhammadamal.my.id/blog/advanced-prompt-injection-defenses-2025-practical-guide/ Mon, 01 Sep 2025 09:00:00 +0700 https://muhammadamal.my.id/blog/advanced-prompt-injection-defenses-2025-practical-guide/ Layered prompt injection defenses that actually hold up in production, with code, diagrams, and the failure modes nobody talks about. https://muhammadamal.my.id/blog/managing-secrets-and-credentials-in-n8n-for-enterprise/ Fri, 15 Aug 2025 09:00:00 +0700 https://muhammadamal.my.id/blog/managing-secrets-and-credentials-in-n8n-for-enterprise/ Move n8n credentials out of the database and into Vault or Infisical, wire up Keycloak or Auth0 SSO, and build a rotation story that doesn’t break workflows. https://muhammadamal.my.id/blog/securing-internal-microservices-jwt-spiffe-2025/ Mon, 14 Jul 2025 09:00:00 +0700 https://muhammadamal.my.id/blog/securing-internal-microservices-jwt-spiffe-2025/ SPIFFE gives you trustworthy workload identity. JWT gives you portable claims. Together, they replace static service tokens. https://muhammadamal.my.id/blog/llm-red-teaming-practical-techniques-2024/ Wed, 30 Oct 2024 09:00:00 +0700 https://muhammadamal.my.id/blog/llm-red-teaming-practical-techniques-2024/ How to run an LLM red team that produces actionable findings instead of party tricks, with attack inventory and triage flow. https://muhammadamal.my.id/blog/container-image-signing-cosign-sigstore-2024/ Mon, 28 Oct 2024 09:00:00 +0700 https://muhammadamal.my.id/blog/container-image-signing-cosign-sigstore-2024/ A working guide to signing container images with cosign and Sigstore, including keyless signing and Kubernetes admission enforcement. https://muhammadamal.my.id/blog/securing-rag-systems-against-data-exfiltration/ Wed, 23 Oct 2024 09:00:00 +0700 https://muhammadamal.my.id/blog/securing-rag-systems-against-data-exfiltration/ How to design RAG systems so that prompt injection and over-eager retrieval don’t become an exfiltration channel. https://muhammadamal.my.id/blog/sast-semgrep-ai-triage-real-codebases/ Mon, 21 Oct 2024 09:00:00 +0700 https://muhammadamal.my.id/blog/sast-semgrep-ai-triage-real-codebases/ Combining Semgrep with LLM triage to make SAST output actionable on production-sized codebases. https://muhammadamal.my.id/blog/secrets-scanning-trufflehog-gitleaks-ci-2024/ Wed, 16 Oct 2024 09:00:00 +0700 https://muhammadamal.my.id/blog/secrets-scanning-trufflehog-gitleaks-ci-2024/ A working setup for secrets scanning across TruffleHog and Gitleaks, with pre-receive enforcement and verifier-based prioritization. https://muhammadamal.my.id/blog/auto-remediation-cloud-security-findings/ Mon, 14 Oct 2024 09:00:00 +0700 https://muhammadamal.my.id/blog/auto-remediation-cloud-security-findings/ A pragmatic blueprint for safe auto remediation of cloud security findings across AWS Security Hub and GCP SCC. https://muhammadamal.my.id/blog/ai-assisted-detection-rules-sigma-yara-2024/ Wed, 09 Oct 2024 09:00:00 +0700 https://muhammadamal.my.id/blog/ai-assisted-detection-rules-sigma-yara-2024/ A pragmatic look at LLM-assisted authoring of Sigma and YARA detections, including evaluation harnesses and review gates. https://muhammadamal.my.id/blog/prompt-injection-defenses-llm-apps-2024/ Mon, 07 Oct 2024 09:00:00 +0700 https://muhammadamal.my.id/blog/prompt-injection-defenses-llm-apps-2024/ Hardening patterns for prompt injection across system prompts, tools, and retrieval, with code and policy guidance. https://muhammadamal.my.id/blog/securing-ot-it-boundary/ Wed, 21 Aug 2024 09:00:00 +0700 https://muhammadamal.my.id/blog/securing-ot-it-boundary/ Practical OT/IT boundary security in 2024, with segmentation, auth and monitoring. https://muhammadamal.my.id/blog/mtls-service-mesh-or-application-layer/ Wed, 24 Jul 2024 09:00:00 +0700 https://muhammadamal.my.id/blog/mtls-service-mesh-or-application-layer/ Choosing between mesh-terminated and application-terminated mTLS in 2024, with Envoy 1.30 and Go 1.22 implementations and the failure modes that decide it. https://muhammadamal.my.id/blog/securing-go-microservices-jwt/ Wed, 10 Jul 2024 09:00:00 +0700 https://muhammadamal.my.id/blog/securing-go-microservices-jwt/ Production JWT patterns for Go microservices in 2024 using golang-jwt v5, covering signing, validation, and context plumbing. https://muhammadamal.my.id/blog/rag-security-access-control-multi-tenant/ Mon, 19 Feb 2024 09:00:00 +0700 https://muhammadamal.my.id/blog/rag-security-access-control-multi-tenant/ Multi-tenant RAG without leaks. Metadata filtering at retrieval, ACL design, audit trails, and prompt-side defenses for what filters miss. https://muhammadamal.my.id/blog/securing-internal-llm-chatbot-data/ Tue, 14 Nov 2023 09:00:00 +0700 https://muhammadamal.my.id/blog/securing-internal-llm-chatbot-data/ A practical guide to securing internal LLM chatbots — prompt injection, leakage, access control, and the gaps people miss. https://muhammadamal.my.id/blog/pod-security-standards-migration/ Thu, 28 Sep 2023 09:00:00 +0700 https://muhammadamal.my.id/blog/pod-security-standards-migration/ Migrating from PodSecurityPolicy to Pod Security Standards on Kubernetes 1.28 — namespace labels, audit-mode rollout, and the workloads guaranteed to break. https://muhammadamal.my.id/blog/slsa-provenance-build-attestations/ Mon, 25 Sep 2023 09:00:00 +0700 https://muhammadamal.my.id/blog/slsa-provenance-build-attestations/ Pragmatic SLSA v1.0 provenance with GitHub Actions and Cosign — what Level 2 actually delivers, and the operational lift to reach Level 3. https://muhammadamal.my.id/blog/opa-gatekeeper-admission-policy/ Thu, 21 Sep 2023 09:00:00 +0700 https://muhammadamal.my.id/blog/opa-gatekeeper-admission-policy/ Practical Gatekeeper 3.13 admission policy patterns — constraint templates, audit mode, mutation, and Rego that is actually maintainable. https://muhammadamal.my.id/blog/falco-runtime-security-kubernetes/ Mon, 18 Sep 2023 09:00:00 +0700 https://muhammadamal.my.id/blog/falco-runtime-security-kubernetes/ Running Falco 0.35 in production Kubernetes with the modern eBPF driver — rule tuning, output routing to Slack and SIEM, and the defaults to switch off. https://muhammadamal.my.id/blog/vault-dynamic-secrets-kubernetes/ Thu, 14 Sep 2023 09:00:00 +0700 https://muhammadamal.my.id/blog/vault-dynamic-secrets-kubernetes/ Running Vault 1.14 dynamic database secrets in Kubernetes 1.28 — injector vs CSI, lease renewal, and the failure modes that bite under load. https://muhammadamal.my.id/blog/sbom-syft-cyclonedx-pipeline/ Mon, 11 Sep 2023 09:00:00 +0700 https://muhammadamal.my.id/blog/sbom-syft-cyclonedx-pipeline/ Producing accurate SBOMs with Syft and CycloneDX 1.5, the gaps you will not see, and how to attach them as signed attestations. https://muhammadamal.my.id/blog/sigstore-cosign-keyless-signing/ Thu, 07 Sep 2023 09:00:00 +0700 https://muhammadamal.my.id/blog/sigstore-cosign-keyless-signing/ Production-grade keyless container signing with Cosign 2.2 and Sigstore — the OIDC trust chain, Rekor verification, and air-gap caveats. https://muhammadamal.my.id/blog/trivy-container-scanning-pipeline/ Mon, 04 Sep 2023 09:00:00 +0700 https://muhammadamal.my.id/blog/trivy-container-scanning-pipeline/ Trivy 0.45 in CI: severity gating, ignore policies, DB caching, and the gotchas that bite teams shipping containers daily. https://muhammadamal.my.id/blog/rustls-vs-openssl-backend-tls/ Fri, 28 Jul 2023 09:00:00 +0700 https://muhammadamal.my.id/blog/rustls-vs-openssl-backend-tls/ When to pick rustls and when to stay with OpenSSL for Rust backend TLS — performance, deployment, and compliance trade-offs from production experience. https://muhammadamal.my.id/blog/building-secure-clis-clap-4/ Tue, 18 Jul 2023 09:00:00 +0700 https://muhammadamal.my.id/blog/building-secure-clis-clap-4/ Design patterns for secure CLI tools in Rust using clap 4: secret handling, input validation, static binaries, and predictable exit codes. https://muhammadamal.my.id/blog/memory-safety-without-gc/ Tue, 11 Jul 2023 09:00:00 +0700 https://muhammadamal.my.id/blog/memory-safety-without-gc/ The real scope of Rust’s memory safety guarantees, the classes of bugs they eliminate, and the ones they don’t. https://muhammadamal.my.id/blog/kubernetes-1-27-multi-tenancy-patterns/ Fri, 09 Jun 2023 09:00:00 +0700 https://muhammadamal.my.id/blog/kubernetes-1-27-multi-tenancy-patterns/ Namespace-as-tenant works for most internal platforms. Here are the controls that make it safe on Kubernetes 1.27 and the failure modes that still demand cluster separation. https://muhammadamal.my.id/blog/november-retro-api-security/ Wed, 30 Nov 2022 09:00:00 +0700 https://muhammadamal.my.id/blog/november-retro-api-security/ November retro: API security audits. What changed, what’s still open, reader notes. https://muhammadamal.my.id/blog/backend-audit-logging/ Mon, 28 Nov 2022 09:00:00 +0700 https://muhammadamal.my.id/blog/backend-audit-logging/ Backend audit logging: what to log, what not, immutable storage, retention. https://muhammadamal.my.id/blog/input-validation-owasp-top-10/ Fri, 25 Nov 2022 09:00:00 +0700 https://muhammadamal.my.id/blog/input-validation-owasp-top-10/ Input validation + OWASP Top 10: SQLi, XSS, SSRF, command injection. The discipline. https://muhammadamal.my.id/blog/csrf-defense-patterns/ Wed, 23 Nov 2022 09:00:00 +0700 https://muhammadamal.my.id/blog/csrf-defense-patterns/ CSRF defense: synchronizer tokens, double-submit, SameSite, custom headers. Layered approach. https://muhammadamal.my.id/blog/cors-security/ Mon, 21 Nov 2022 09:00:00 +0700 https://muhammadamal.my.id/blog/cors-security/ CORS demystified: same-origin policy, what it protects, preflight, safe configurations. https://muhammadamal.my.id/blog/api-keys-vs-oauth/ Fri, 18 Nov 2022 09:00:00 +0700 https://muhammadamal.my.id/blog/api-keys-vs-oauth/ API keys vs OAuth for third-party access: use cases, security, scopes, rotation. https://muhammadamal.my.id/blog/redis-rate-limiting-distributed/ Wed, 16 Nov 2022 09:00:00 +0700 https://muhammadamal.my.id/blog/redis-rate-limiting-distributed/ Distributed rate limiting in Redis: token bucket via Lua, sliding window via sorted sets. https://muhammadamal.my.id/blog/rate-limiting-algorithms/ Mon, 14 Nov 2022 09:00:00 +0700 https://muhammadamal.my.id/blog/rate-limiting-algorithms/ Rate limit algos: token bucket, leaky bucket, fixed + sliding window. When each wins. https://muhammadamal.my.id/blog/oauth-21-vs-20/ Fri, 11 Nov 2022 09:00:00 +0700 https://muhammadamal.my.id/blog/oauth-21-vs-20/ OAuth 2.1: PKCE always, no implicit, no password grant. Aligning your implementation. https://muhammadamal.my.id/blog/refresh-tokens-revocation/ Wed, 09 Nov 2022 09:00:00 +0700 https://muhammadamal.my.id/blog/refresh-tokens-revocation/ Refresh tokens correctly: short access + long refresh, rotation, revocation lists, defeat theft. https://muhammadamal.my.id/blog/jwt-for-sessions-usually-wrong/ Mon, 07 Nov 2022 09:00:00 +0700 https://muhammadamal.my.id/blog/jwt-for-sessions-usually-wrong/ JWT vs server sessions. When JWT pays off, when it costs. Migration paths. https://muhammadamal.my.id/blog/jwt-done-right/ Fri, 04 Nov 2022 09:00:00 +0700 https://muhammadamal.my.id/blog/jwt-done-right/ JWT done right: RS256/ES256, expiry, audience, JWKS rotation. Patterns that prevent disaster. https://muhammadamal.my.id/blog/backend-api-security-2022/ Wed, 02 Nov 2022 09:00:00 +0700 https://muhammadamal.my.id/blog/backend-api-security-2022/ Backend API security threat model 2022: real threats, working mitigations, priority order. https://muhammadamal.my.id/blog/mqtt-security-acls-certificates/ Fri, 26 Aug 2022 09:00:00 +0700 https://muhammadamal.my.id/blog/mqtt-security-acls-certificates/ MQTT security: TLS, per-device creds, ACLs, cert rotation. Real threats + mitigations. https://muhammadamal.my.id/blog/self-host-mosquitto-tls-auth/ Mon, 08 Aug 2022 09:00:00 +0700 https://muhammadamal.my.id/blog/self-host-mosquitto-tls-auth/ Mosquitto 2.0 production setup. TLS, auth, ACLs, persistence, Compose stack. https://muhammadamal.my.id/blog/n8n-security-credentials-oauth/ Wed, 25 May 2022 09:00:00 +0700 https://muhammadamal.my.id/blog/n8n-security-credentials-oauth/ Secure n8n: credentials manager, OAuth, encryption key mgmt, network exposure, audit checklist. https://muhammadamal.my.id/blog/webhooks-101-engineering-workflows/ Wed, 18 May 2022 09:00:00 +0700 https://muhammadamal.my.id/blog/webhooks-101-engineering-workflows/ Webhooks for engineering automation. How they work, signatures, retries, idempotency, replay protection.