I. The Trust Gap

     GenAI tools, such as ChatGPT, Claude, and Google Gemini have an immense potential to improve our quality of life and help out with a lot of global issues. Yet, there is a fairly strong and widely discussed consensus that GenAI can be inaccurate.

     A recent KPMG survey^[1] with over 48,000 people globally shows that even though 66% of them use GenAI regularly, only 46% felt willing to trust AI systems. It’s because many people are relying on GenAI output without evaluating its accuracy, which led to mistakes in their work.

     In my opinion, the problem is often not the technology itself, but the way it’s being used. GenAI, without a doubt, is incredibly powerful, but the quality of its output depends heavily on the quality of the prompt users provide. Learning how to create a clear, specific, and well-structured command or request when working with GenAI is the key to unlock these tools real potential.

II. What is prompt Engineering?

     Prompt Engineering is the essential skill of designing and refining prompts to improve the output of GenAI systems. Because GenAI models respond based on the specific input they receive, a well-structured prompt allows you to:

• Produce more detailed and relevant responses.
• Significantly improve output accuracy.
• Control the format and style of the final result.

III. Prompt Engineering Techniques.

     Now that we understand what Prompt Engineering is, let’s break down some of the widely used techniques to craft prompts^[2].

1. Zero-Shot Prompting:

          This is a technique where you present a task to the AI model without providing any examples or task-specific demonstrations. Its accuracy relies heavily on the strength of the underlying foundation model. The more advanced and capable the foundation model, the more likely the AI is to produce accurate results.

          Zero-shot prompting is often more suitable for straightforward tasks or when a quick response is needed, even though it can still handle more complex tasks with varying reliability.

2. Few-Shot Prompting:

          This technique involves providing a few examples within the prompt to guide the AI’s output. Instead of training the model, you guide it during inference by providing specific contextual examples (input-output pairs).

          If you provide the AI with only one example, then this technique is also called “Single -shot” or “One-Shot Prompting”.

3. Chain-of-Thought (CoT) Prompting:

          This is a technique where you break a task into a sequence of intermediate reasoning steps. This helps the AI model process logic more effectively, leading to more structured and accurate results. You can trigger this by providing examples of step-by-step reasoning or by simply adding instructions like “Break this into steps”.

          However, CoT prompting should be used selectively, mainly for tasks that require multi-step reasoning, where accuracy matters more than speed. In simpler cases, forcing step-by-step reasoning may slow the AI down or introduce unnecessary verbosity.

IV. Conclusion

     GenAI effectiveness depends largely on how it is used. Rather than viewing them as unreliable, It’s more productive to see AI as a tool that requires skill and thoughtful interaction.

     Mastering AI communication is becoming an essential skill in today’s digital world. By crafting clear and structured prompts, users can unlock the full potential of GenAI and use it more confidently and responsibly in their work and daily lives.

     If you're eager to take your Prompt Engineering skill to the next level and apply them to impactful, real-world projects, ISB VIETNAM offers an environment where Passions, Teamwork, Innovations, and continuous learning are part of our everyday work. Visit the official website now to learn more about our company services, and how you can become part of a team that values thoughtful, high-quality software engineering.

References:

[1] KPMG survey: https://kpmg.com/xx/en/our-insights/ai-and-technology/trust-attitudes-and-use-of-ai.html

[2] Inspired by: https://www.udemy.com/course/aws-ai-practitioner-certified/

Identity is one of the most important security layers of modern systems. Modern apps must connect to numerous services, making a centralized and stable login system essential.

In this context, Microsoft 365 login is a logical choice for enterprise systems. Azure provides a standardized identity platform, eliminating the need to build authentication mechanisms from scratch.

Overall

At the high level, ExpressJS only acts as the client. Azure AD is the main entity, acting as the identity provider. The browser only handles redirects, while all sensitive processing, such as exchanging code for tokens, takes place in the backend.

The basic flow would be:

User → ExpressJS → Microsoft login → ExpressJS callback → session creation

Most importantly, the token never appears on the frontend. This is extremely important from a security perspective.

Setting up Azure AD

First, create a new application in Azure Active Directory via the Azure Portal.

Then create a Client Secret. Simply put, this is the "password" for the backend.

Finally, we will have three values; these three are the backbone of the entire login process:

• Client ID – app identifier
• Tenant ID – organization identifier
• Client Secret – backend authentication

MSAL node configuration

Microsoft provides @azure/msal-node so developers don't have to manually code OAuth2. MSAL handles the headaches of code generation, token changes, token caching, and token refresh.

Installation:

npm install express @azure/msal-node express-session dotenv

Basic configuration:

// msalConfig.js

require("dotenv").config();

module.exports = {

    auth: {

        clientId: process.env.CLIENT_ID,

        authority: "https://login.microsoftonline.com/" + process.env.TENANT_ID,

        clientSecret: process.env.CLIENT_SECRET

}};

The Authority URL simply tells MSAL which tenant we are authenticating with.

After defining the config, we will create the other file to initialize the instance to use in the project

// msalClient.js

const { ConfidentialClientApplication } = require("@azure/msal-node");
const msalConfig = require("../config/msalConfig");

const cca = new ConfidentialClientApplication(msalConfig);

module.exports = cca;

Scope: Request only what we need

Scope refers to access permissions. It determines what the app can do on behalf of the user.

Here are some common scopes:

• user.read – read basic profiles
• mail.read – read email
• files.read – read OneDrive files

The first time a user logs in, they will see a consent screen. This is very good, as it helps them know what permissions the app is requesting.

Actual login flow

Here, we use the OAuth2 authorization code flow – almost the default standard for backends.

The token is not exposed to the frontend. There is a refresh token widely accepted by enterprises

Route /login

const cca = require("./services/msalClient"); 

app.get("/login", async (req, res) => {

   const url = await cca.getAuthCodeUrl({

     scopes: ["user.read"],

     redirectUri: "http://localhost:3000/redirect"

    });

   res.redirect(url);

 });

This route only serves to redirect the user to the Microsoft login page.

Note: The redirectUri in the code must match the Redirect URI declared in Azure AD.
If they don't match, the login will fail.

Route /redirect

const cca = require("./services/msalClient"); 

app.get("/redirect", async (req, res) => {

   const tokenResponse = await cca.acquireTokenByCode({

     code: req.query.code,

     scopes: ["user.read"],

     redirectUri: "http://localhost:3000/redirect"

   });

   req.session.user = tokenResponse.account;

   req.session.accessToken = tokenResponse.accessToken;

   res.redirect("/dashboard");

 });

This is the main processing point: the backend exchanges the code for a token and then saves the session.

Sessions and Middleware

After establishing the session, protecting the route with middleware is all we need to do.

 function requireAuth(req, res, next) {

   if (!req.session.user) {

     return res.redirect("/login");

   }

   next();

 }

Conclusion

Microsoft 365 login is becoming the standard for modern enterprise systems. Instead of managing users, passwords, and complex security rules ourselves, we can directly use Azure Active Directory as a trusted identity provider.

In practice, this offers better security, less maintenance, and a login system that can scale across the organization without significant changes.

Whether you need scalable software solutions, expert IT outsourcing, or a long-term development partner, ISB Vietnam is here to deliver. Let’s build something great together—reach out to us today. Or click here to explore more ISB Vietnam's case studies.

[References]

1. https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app
2. https://learn.microsoft.com/en-us/entra/identity-platform/tutorial-v2-nodejs-webapp-msal
3. https://www.freepik.com/free-photo/email-messages-network-circuit-board-link-connection-technology_1198384.htm (Image source)

In the world of software testing, if automation tools ensure that a system works, then Burp Suite ensures that the system cannot be broken. As we move further into the era of complex architectures like UI-BFF-API, simply checking features is no longer enough. To truly level up your career, you must master the gold standard of security testing: Burp Suite.

But what makes this tool so indispensable? Let’s dive into its most effective applications.

1. The Core Power: Intercepting Proxy

The most effective and fundamental application of Burp Suite is its Intercepting Proxy.

How it works: Burp Suite sits between your browser and the server. When you click Submit, Burp catches the request. This allows you to pause, inspect, and modify the data before it ever reaches the server. Why is this a "Game Changer" for Testers?

• Bypassing Front-end Validation: You can bypass UI restrictions (like disabled buttons or character limits) to see if the Server-side is truly secure.
• Parameter Tampering: Have you ever wondered what happens if you change a product price from $1,000 to $1 during checkout? With the Proxy, you can test this in seconds.  
• Broken Access Control: In a multi-site system (Candidate, Parent, Admin), you can swap authorization tokens to see if a Parent can sneak into the Admin panel.

2. Top 3 Features to Supercharge Your Testing

Beyond intercepting traffic, Burp Suite offers specialized modules that act like superpowers for a QC:

• Repeater: Unlimited Experimentation

Instead of re-loading the web page and re-filling forms, Repeater allows you to send the same request over and over with different modifications. It’s the fastest way to pinpoint logic flaws and edge cases.

• Intruder: Automated Attacks

Need to test 1,000 different password combinations? Or check for IDOR (Insecure Direct Object Reference) by cycling through 500 different User IDs? Intruder automates these repetitive tasks, saving you hours of manual work.

• Scanner (Pro Version): Automated Vulnerability Detection

For busy QCs, the Scanner automatically crawls the application to find common vulnerabilities like SQL Injection, XSS, and Security Misconfigurations while you focus on more complex testing scenarios.

3. Applying Burp Suite to the UI-BFF-API Model

In your daily work with the UI-BFF-API architecture, Burp Suite becomes a surgical tool:

• Testing the BFF Layer: Ensure that the Backend-for-Frontend is properly filtering sensitive data before sending it to the UI.
• Role-Based Testing: With four distinct sites (Candidate, Parent, University Admin, System Admin), Burp makes it easy to manage multiple sessions and ensure that users stay within their permitted boundaries.

4. Tips for Junior QCs Starting with Burp Suite

Don’t let the complex interface intimidate you. Here is how to start:

• Learn Proxy Configuration first: This is your gateway to understanding how the web talks.
• Monitor the HTTP History: Simply observing the flow of requests and responses will teach you more about web architecture than any textbook.
• Ethics First: Always use Burp Suite in a staging/UAT environment. Never use it on a production system without explicit permission.

Would you like me to create a Quick Start Guide for configuring Burp Suite with your UI-BFF-API application?

To test an architecture consisting of an Exam Candidate, Parent, and Admin sites, you need to see exactly how the UI talks to the BFF (Backend-for-Frontend).

Step 1: The Basic Connection (The Proxy)

1. Launch Burp Suite: Open the application and select Temporary Project.
2. Use the Built-in Browser: Go to the Proxy tab > Interceptor sub-tab > Click Open Browser. 
   • Why? This is much easier than configuring Firefox or Chrome manually, as Burp handles the SSL certificates for you automatically.
3. Turn Intercept off: For now, keep it off so you can browse the sites freely while Burp records the history in the background. 

Step 2: Organize Your Scope (Crucial for 4 Sites)

Since you are working with four different sites, your history will get messy quickly.

1. Go to the Target tab > Scope sub-tab.
2. Add the URLs of all four sites (e.g., https://candidate.example.com, https://admin.example.com).
3. Go to the Proxy tab > HTTP History.
4. Click the Filter bar at the top and check Show only in-scope items.
   • Result: You will now only see traffic related to your project, hiding background noise like Windows updates or Google analytics.

Step 3: Mapping the UI-BFF-API Flow

1. Open your Candidate Site in the Burp Browser and perform a Login.
2. Look at the HTTP History. You will see a request going from the UI to the BFF.
3. The Secret Sauce: Right-click that Login request and select Send to Repeater.
4. In Repeater, you can now manually change the username or password and hit Send to see how the BFF responds without re-typing anything in the browser.

Step 4: Testing Roles (The Parent vs. Admin Test)

This is the most effective test for your specific architecture:

1. Log in as a Parent in the browser.
2. Find a request in the history that fetches Parent Data from the BFF. Look for the Authorization: Bearer <TOKEN>
3. Now, try to access an Admin API URL by pasting it into the Repeater.
4. If the BFF returns 200 OK instead of 403 Forbidden, you've found a Critical Security Bug!

Finally, if AI is the assistant that helps you write test cases faster, Burp Suite is the microscope that helps you find the invisible bugs that could destroy a company’s reputation. By mastering Burp Suite, you transition from a standard Tester to a Security-Aware Quality Engineer.

Whether you need scalable software solutions, expert IT outsourcing, or a long-term development partner, ISB Vietnam is here to deliver. Let’s build something great together—reach out to us today. Or click here to explore more ISB Vietnam's case studies.