
Showing posts with the label Security

2025 OWASP Top 10 for LLM Applications - Creating a common understanding of security risks

LLM-supported AI is being stuffed into every computer-based and computer-assisted process. A lot is being said about the benefits of LLMs, with some secondary discussion of security and behavioral risks. Many of the risk discussions have been unstructured bullet points or anecdotal stories of hacked systems. The OWASP Top 10 for LLM Applications 2025 provides a framework for understanding the top risks of an LLM-integrated system. It deserves the same attention the OWASP Top 10 for Web Applications has held for over a decade. The Developer's Playbook for Large Language Model Security by Steve Wilson provides a solid foundation for understanding the risks in an LLM ecosystem. It also led me to the OWASP Top 10 for LLM Applications 2025. This is a great resource for anyone looking to integrate LLMs into business processes or existing systems. I got this book as part of a set of O'Reilly books in a Humble Bundle. OWASP Top 10 fo...

Creating Service Accounts for programmatic access to Google Drive APIs

Google Drive is one of those cloud technologies that democratized cloud access to data storage. It lets you securely push all kinds of data into and out of the cloud via Google-provided APIs. APIs and documents are bound to permissions, roles, and identities. Programs accessing Google Docs require credentials, preferably least-privilege credentials that exist only for a single program's needs. Google IAM supports Service Accounts that are not tied to any human. They can be enabled and disabled without impacting individual users. Accessing Google Docs via API means you have to enable the Google Drive API in a project, create an identity and credentials for the program, and then give that identity access to the docs or the API. There are plenty of good tutorials that walk you through setting up an account. They are often light on the overall process and how the steps tie together. It can be confusing the first time or 10 you go through it. Google services are...

Data Exfiltration Risks - E-mailing Reports

Users potentially leak data every time they send information as part of an email or some other message transport. Data access controls are rendered useless by data sent as email or other attachments. Potentially sensitive data is impossible to control or remediate once it is outside the reporting system. Reports with incorrect data live on forever as attachments or saved to local file systems. The data can never be fixed globally because no one knows where all the copies are. This creates data consistency issues and potential regulatory issues. We heard this: "The new system makes it hard to mail data to my external partners." And our answer was: "Yes, it is, and you should never have been doing that." Recommendations: Admit you have a data problem. Create a policy and train people to stop sending sensitive data as attachments. Recognize that transmitti...

Casually measuring disk throughput with antimalware enabled and disabled

I wanted to test the relative performance of two drives on a Windows 10 machine and get a feel for how much overhead my anti-virus products cost me. To that end, I created a program to copy files in different combinations between the two drives. I ran that test with different anti-malware versions and configurations. From the README.md on GitHub, the program: 1. Takes the names of two directories. 2. Creates the number of files you specify, of a size you specify, in both of the directories passed in (you want big numbers for both; the default is 10,000 files of 200,000 B each). 3. Copies that large number of files in the 4 possible source/destination pair combinations. 4. Writes the timings to the console and deletes the test files. In my case I ran a couple of different variations to see what was happening: 1. Drive A anti-malware enabled, Drive B anti-malware enabled. 2. Drive A anti-malware enabled, Drive B anti-malware disab...

Make Azure learning credits visible in the coffee shop domain

The Microsoft Accounts mess can make it hard to use the Azure credits that come bundled with MSDN/VSOL. You can end up with two accounts with the same name: one work/school account in your corporate domain and one personal Microsoft ID outside the corporate domain. Enterprise users run into this when they want to learn in Azure using their corporate MSDN Azure credits. Both accounts have the same email domain, which means they both get corporate accessibility zone restrictions even though the two accounts are not connected in any way and have no way of seeing each other's resources. We can share this subscription with your personal, non-corporate-domain account, or create an ID that exists only in the directory tied to the subscription. This lets you learn Azure while sitting at home or in the coffee shop. This blog assumes you are allowed to use your Azure credits for your education from personal gear. If not, then stop here. Video Discussion Initia...

Identity Management - Internal, Customers and Partners

Companies often manage multiple identity pools: internal users, B2C customers, B2B customers, partner interactive, and partner M2M. Internal, customer, and partner identities often use completely different systems for identity management, authentication (AuthN), and authorization (AuthZ). Their automation and identity controls differ even when their security risk profile is the same. The different user types have similar requirements, but we often implement them separately. User types are often implemented and managed differently even though they should have the same top-level compliance and security requirements. Identity systems all need to provide some basic functions: identity persistence; identity creation and deletion; identity validation; API and integration points for systems and applications; group and role manipulation; group and role exposure; self-management via API or console ...

Selecting a SaaS platform is about more than business requirements

Software as a Service can be an equalizer, giving organizations access to best-of-breed capabilities with lower entry costs than custom-built or self-managed services. Product evaluation involves business requirements plus non-technical and technical Non-Functional Requirements (NFRs). The following are part of my list of mandatory NFRs for a modern internet-connected SaaS product. All of these are discussed in more detail in the video. Video. Control and Data Plane: Platform Control Plane. Software management functionality used by the SaaS vendor must be isolated from the tenant control and data planes. It must not overlap functionality that is delegated to the tenant. This plane should not have access to business APIs or data. It should be easy to block access to it from the public internet. Tenant C...

Capturing SDLC Swim Lane Identities and Roles

Identity and permission inventories are the first step towards understanding your identity and permission exposure. We want to create a common understanding of the identities and roles used by our systems. Actors that reach out to other capabilities operate with an identity. Capabilities that are asked to do something on behalf of actors are configured to allow or disallow work requests based on the role that the actor's identity has in the receiving system. Individual components may operate as both actors and capabilities at different points in their processing. The principle of least privilege says that tasks execute with the minimum permission needed to do the work requested. The simplest way to do this is to isolate each actor by giving it its own identity. Each system contacted by the actors maintains an identity/role map that describes the identity's permissions in the receiving system. The table at the right shows the iden...

Managed Identities and Shared Access Tokens for EventHubs in Azure

Azure EventHubs can be secured via IAM role permissions and resource access policies. Each has its own advantages and disadvantages, as discussed in a previous blog posting. We can see how the various authorization techniques come together in the Azure Portal. GitHub Repository: The Azure portal images in this blog were generated using the 8/2021 version of this GitHub repository: Azure EventHubs Example. Example Security Posture: Our sample uses different authorization bindings to suit different client types. It applies those bindings at different places in the resource hierarchy. Individual EventHubs and Namespaces use Identity Access Management with a Managed Identity and standard Azure roles for some use cases. They use Shared Access Policies and signed requests for other use cases. Permissions are applied at the Namespace and individua...