OWASP Top 10 for LLM Applications Newsletter - September '24 Edition

Call For Action !!

Greetings Gen AI Security Enthusiasts and OWASP Community Members!

Generative Insights : Reflections from the Editorial Desk

  • This month’s newsletter is concise - we’re highlighting a set of insightful work coming out of the various OWASP Top 10 LLM Apps groups. Nothing more, nothing less.

  • Things are heating up ! There’s been a sudden surge in activities, with some very useful deliverables taking shape (see Scott’s Projects & Initiatives roadmap below) — all with the clock ticking toward a tight deadline!

  • Call for Action : Your feedback and guidance are invaluable! Choose the projects that excite you, click on the links provided in the following sections, dive into the documents, and share your insightful comments.

🔟 OWASP Top 10 LLM 2.0 ! 2️⃣

The top priority right now is driving the v2 progression forward. We’ve hit a small bump, slipping by ~four weeks, but we’ve solidified into 13 strong entries (and consolidating two) - which you can see in Steve’s T10v2 Entry Status worksheet below. Soon, we’ll be voting to narrow these down to the top 10, so stay tuned!

I’ve got a little shameless plug for y’all—check out Row #13 Model Augmentation Vulns (worksheet below), now renamed RetrievalAugmentedGeneration.

In the future, it will grow to be Model_Adaptation_Vulnerabilities, as and when the other mechanisms become more mainstream. For now, we will focus on Retrieval Augmented Generation. Please check out the RetrievalAugmentedGeneration writeup [Here].

The deadline is Oct 4th - I encourage everyone to dive in sooner and add your feedback to help strengthen the entry, and …

… when the voting time comes, cast your vote for RetrievalAugmentedGeneration as well, to make sure it gets the recognition it deserves !

Not that I love the other candidates any less, but I definitely love the RAG_Vulnerabilities more ! 

Steve’s T10v2 Entry Status worksheet

All the candidate write-ups are [Here]. Worth your time to go through and refer to, especially when the voting starts. The folder is being populated.

The SupplyChainVulnerabilities[Here] has gone through revisions - John & Aruneesh would be thrilled to have your feedback.

👩‍🚒 AI Red Teaming 👨🏻‍🚒

The GAI Red Teaming Methodologies, Guidelines & Best Practices initiative is officially underway, and you won’t want to miss it ! Be sure to check out Sandy’s compelling blog [Here], then dive into the slides from our first meeting [Here].

Lastly, please review the outline [Here]—and don’t forget to share your insights and get involved. Your participation can make all the difference! We have a very short timeline …

🕵️‍♂️💻 Deepfake Guidance 🚨🔥🚒

Very interesting, very detailed and timely work by Rachel, Brian, Sandy and team.

Hot off the press - published today !! Guide for Preparing and Responding to Deepfake Events [Here]

🏜️ Solutions Landscape ⛰️

Next one is the solutions doc, formally known as LLMSecOps Cybersecurity Solution Landscape. Announcement of the final version coming up in the next edition.

The work came together pretty fast, thanks to Scott Clinton. I really like the Solutions Landscape diagram - succinct yet has broad coverage. There are tons of these landscape diagrams …

👍🏽 Security Center of Excellence (CoE) 👍🏽

Scott Clinton has another very useful doc (I don’t think he ever sleeps!), the LLM and Gen AI Security Center of Excellence (CoE) Guide. Announcement of the final version coming up in the next edition.

It has all kinds of details that will help us towards an effective CoE practice viz. objectives and KPIs, roles and responsibilities, implementation phases et al. Definitely worth a read …

💭 Closing Thoughts 💭

That’s it ! As I mentioned, very short and straightforward … I hope y’all did click on your favorite links and have added feedback !!

And, when the time comes, vote early and vote often … no hanging chads, please !!

We look forward to seeing you in our Slack channels and at our upcoming meetings!

🔗 OWASP LLM Documents & Links 🔗

  • Previous newsletters (to catch up after marveling at our eloquence 🙃) [Here]

  • OWASP Top 10 LLM main site [Here]

  • OWASP Top 10 for LLM Applications v1.1 [Here]

  • LLM AI Security & Governance Checklist v1.1 [Here]

📱Stay Connected📱

Aubrey King has expanded our social media reach across various platforms including LinkedIn, YouTube, Twitter (Agree with Will, not going to say X), and soon even more! Follow and don’t be shy to re-share any content we post! BTW, if you're presenting anything related to our project externally, do let us know at [email protected] so we can review and blast out to our social media followers!

Till next time … Stay Secure & Stay Sharp

Krishna Sankar
LinkedIn | Medium | Github