The OWASP Top 10 for Large Language Model Applications are mitigated in the development of large language model applications.
Broken Access Control: Implement strict access control policies in the LLM application to ensure users and APIs can only access permitted data and functionality. Enforce role-based access, prevent privilege escalation, and ensure sensitive data is not inadvertently exposed. This prevents unauthorized access, modification, or deletion of data.
Access control mechanisms must be enforced server-side or via trusted server-less APIs, avoiding client-side reliance. Follow a default denial policy, granting access only to explicitly defined resources after proper authentication and authorization. Centralize and reuse access controls across the application to ensure consistency and reduce errors. Validate record ownership using domain models, restricting users to authorized resources. Define and enforce application-specific business rules, such as operational limits. Disable directory listing and block access to sensitive file metadata like .git or backup files. Log access control failures, set alerts for suspicious attempts, and apply API rate limiting to prevent automated attacks. Session identifiers should be invalidated upon logout, and JWT tokens must be short-lived or follow OAuth-compliant revocation for extended use. Minimize CORS usage, limiting it to trusted origins. These measures ensure robust security, mitigate privilege escalation risks, and protect sensitive data effectively.
| ID | Operation | Description | Phase | Agent |
|---|---|---|---|---|
| SSS-02-05-01-01-01 | Design and implement robust access control policies | Establish "deny by default" access control mechanisms that enforce permissions based on user roles and record ownership, integrated into the domain models. | Preparation | Security team, Development leads |
| SSS-02-05-01-01-02 | Integrate and reuse access control mechanisms across applications | Ensure access control mechanisms are implemented consistently across server-side and serverless APIs, minimizing CORS usage and applying shared access logic. | Development | Development teams, IT operations |
| SSS-02-05-01-01-03 | Monitor and enforce access control with logs and alerts | Log all access control failures and configure alerts for repeated unauthorized access attempts. Implement rate limiting to mitigate automated attacks on APIs or controllers. | Deployment | Security team, Monitoring team |
| SSS-02-05-01-01-04 | Audit and review application access control regularly | Periodically audit the access control implementation, ensuring compliance with OWASP Top 10 principles and verifying no sensitive metadata or files are exposed in web roots. | Post-deployment | Security team, Risk management team |
| Industry framework | Academic work | Real-world case |
|---|---|---|
|
Information Security Manual (ISM-1923) The Open Worldwide Application Security Project Top 10 (A01:2021) The Open Worldwide Application Security Project Top 10 (A01:2021) |
Cryptographic Failures: Use strong cryptographic protocols to protect sensitive data used by the LLM, both in transit and at rest. Encrypt data such as user inputs, model outputs, and training data if they contain sensitive information. Ensure that cryptographic methods comply with standards like GDPR for data privacy and PCI DSS for financial data.
All sensitive data must be encrypted at rest using robust, up-to-date algorithms and strong key management practices. In transit, data should be secured using TLS with forward secrecy, cipher prioritization, and secure parameters, enforcing encryption directives like HTTP Strict Transport Security (HSTS). Ensure encryption methods prevent legacy vulnerabilities by avoiding deprecated algorithms such as MD5 and SHA1 and replacing them with AES-GCM or similar authenticated encryption standards. Dispose of unnecessary sensitive data securely using tokenization or truncation methods. Passwords must be stored using adaptive, salted hashing functions like Argon2 or bcrypt, ensuring strong security even under brute force attempts. Initialization vectors should be random and non-reused, adhering to cryptographic best practices, and keys must be generated using cryptographically secure pseudo-random number generators (CSPRNGs). Legacy protocols like FTP and SMTP must not be used to transport sensitive data. All cryptographic configurations must be independently tested for compliance and effectiveness. By implementing these practices, the application ensures compliance with privacy regulations, safeguards user data, and maintains resilience against cryptographic failures.
| ID | Operation | Description | Phase | Agent |
|---|---|---|---|---|
| SSS-02-05-02-01-01 | Classify and minimize sensitive data usage | Identify sensitive data processed, stored, or transmitted by the application, and eliminate unnecessary storage by truncating, tokenizing, or discarding sensitive data where possible. | Preparation | Data governance team, Security team |
| SSS-02-05-02-01-02 | Implement robust encryption for data at rest and in transit | Encrypt all sensitive data using up-to-date algorithms and strong key management practices. Enforce secure communication protocols (e.g., TLS) for data in transit and disable caching for sensitive responses. | Development | Security team, DevOps team |
| SSS-02-05-02-01-03 | Enforce cryptographic standards and verify configurations | Ensure cryptographic randomness, avoid deprecated functions (e.g., MD5, SHA1), and apply authenticated encryption for data handling. Independently verify cryptographic configurations and settings. | Deployment | Security team, Compliance team |
| Industry framework | Academic work | Real-world case |
|---|---|---|
|
Information Security Manual (ISM-1923) The Open Worldwide Application Security Project Top 10 (A02:2021) The Open Worldwide Application Security Project Top 10 (A02:2021) |
Injection: Validate and sanitize all inputs to the LLM to prevent injection attacks. Ensure user-supplied data does not contain harmful code, such as malicious SQL or shell commands, that could manipulate the underlying system or model. Use parameterized queries and context-aware escaping to safeguard against injection in LLM inputs.
All user-supplied input must be handled securely by separating data from commands. Utilize safe APIs that avoid direct interaction with interpreters by employing parameterized interfaces or Object Relational Mapping Tools (ORMs). Be cautious of stored procedures that concatenate queries and data, as they can still be vulnerable when using commands like EXECUTE IMMEDIATE or exec(). Enforce strict server-side input validation to filter out harmful characters, recognizing that this defense may not suffice in all cases, such as APIs requiring special characters. For dynamic queries, apply context-specific escape mechanisms tailored to the interpreter in use. Structure names such as table and column names, often unescapable, must never rely on user-supplied input to avoid structural query manipulation. Implement SQL constraints, such as LIMIT, to restrict query scope and mitigate the risk of mass data exposure during an injection attack. These practices ensure robust defenses against injection vulnerabilities while preserving functionality for legitimate use cases.
| ID | Operation | Description | Phase | Agent |
|---|---|---|---|---|
| SSS-02-05-03-01-01 | Validate and sanitize user inputs | Implement robust server-side input validation to filter and sanitize user-supplied data, ensuring no hostile or malformed input is processed by the application. | Development | Development teams, Security team |
| SSS-02-05-03-01-02 | Use parameterized queries and safe APIs | Replace dynamic queries with parameterized queries or ORM tools that safely handle user inputs, avoiding direct concatenation in SQL or other interpreters. | Development | Security team, Database administrators |
| SSS-02-05-03-01-03 | Implement residual query escaping and SQL controls | For cases requiring dynamic queries, escape special characters using interpreter-specific syntax and use SQL controls (e.g., LIMIT) to restrict mass record access. | Development | Development teams, Security team |
| SSS-02-05-03-01-04 | Monitor and test for injection vulnerabilities | Perform static and dynamic application testing to identify and remediate injection vulnerabilities. Use automated tools and penetration testing to ensure no untrusted input reaches queries. | Post-deployment | QA team, Security team |
| Industry framework | Academic work | Real-world case |
|---|---|---|
|
Information Security Manual (ISM-1923) The Open Worldwide Application Security Project Top 10 (A03:2021) The Open Worldwide Application Security Project Top 10 (A03:2021) |
Insecure Design: Design the LLM application with security controls in place from the start. Conduct thorough threat modeling to identify security requirements and avoid design flaws that could leave the application vulnerable. Differentiate between design and implementation flaws, ensuring that both secure-by-design and secure-by-default principles are followed.
Adopt a secure development lifecycle, engaging AppSec professionals to guide the integration of security and privacy controls. Establish a library of secure design patterns and pre-vetted components to streamline consistent security implementations. Leverage threat modeling to address vulnerabilities in authentication, access control, business logic, and other critical workflows. Incorporate security measures directly into user stories and implement plausibility checks across all tiers of the application, from frontend to backend. Develop unit and integration tests aligned with the threat model to validate the resilience of key application flows. Document comprehensive use-cases and misuse-cases for every layer of the architecture. Design robust segregation for system and network tiers based on exposure and protection requirements. Implement strong tenant isolation throughout all application tiers and enforce resource consumption limits per user or service to prevent abuse. These measures ensure a foundation of security in the application's design phase, reducing risk and enhancing overall resilience.
| ID | Operation | Description | Phase | Agent |
|---|---|---|---|---|
| SSS-02-05-04-01-01 | Integrate secure development lifecycle practices | Embed security professionals into the development lifecycle to evaluate and design security and privacy controls for large language model applications. | Preparation | Security team, Development teams, AppSec experts |
| SSS-02-05-04-01-02 | Use threat modeling and secure design patterns | Perform threat modeling for critical workflows (e.g., authentication, access control) and adopt pre-validated secure design patterns and reusable components. | Preparation | Security team, Architects, Development teams |
| SSS-02-05-04-01-03 | Validate critical flows and implement plausibility checks | Write unit and integration tests for key workflows to validate resistance to identified threats and ensure plausibility checks are integrated across all tiers of the application. | Development | QA team, Security team, Development teams |
| SSS-02-05-04-01-04 | Segregate and limit resources robustly | Design robust segregation for tenants across system tiers and enforce resource limits for users and services to prevent abuse or unintended resource exhaustion. | Deployment | IT operations, Security team, DevOps team |
| Industry framework | Academic work | Real-world case |
|---|---|---|
|
Information Security Manual (ISM-1923) The Open Worldwide Application Security Project Top 10 (A04:2021) The Open Worldwide Application Security Project Top 10 (A04:2021) |
Security Misconfigurationicon: Regularly review and configure all components of the LLM environment securely, including servers, libraries, and frameworks. Disable unnecessary features, ensure secure error handling, and configure the application stack with strict security settings. This reduces the risk of misconfigurations that could expose the system to attacks.
Adopt a standardized hardening process to securely deploy environments efficiently. Development, QA, and production environments should share consistent configurations, with unique credentials applied to each. Automate this process to reduce manual effort and ensure consistent security. Create minimal platforms by removing unnecessary features, components, and sample configurations. Regularly review and update settings in line with security patches, vulnerability reports, and best practices. For cloud environments, verify permissions, such as S3 bucket configurations, to minimize exposure risks. Utilize a segmented architecture to enforce isolation between tenants or components, employing tools like containerization or access control lists (ACLs). Enhance client security through directives like HTTP security headers, and implement automated validation mechanisms to verify configuration integrity across all environments. These measures safeguard the system against misconfiguration vulnerabilities.
| ID | Operation | Description | Phase | Agent |
|---|---|---|---|---|
| SSS-02-05-05-01-01 | Establish and automate secure configuration baselines | Implement a repeatable hardening process to configure development, QA, and production environments consistently, removing unnecessary features and ensuring minimal platforms. | Preparation | IT operations, DevOps team, Security team |
| SSS-02-05-05-01-02 | Review and update security settings regularly | Regularly review application and infrastructure configurations to apply security updates, patches, and best practices, including secure permissions for cloud services. | Deployment | Security team, Cloud administrators |
| SSS-02-05-05-01-03 | Implement security headers and directives | Enforce security settings on clients by sending HTTP security headers (e.g., HSTS, X-Content-Type-Options) and other directives to prevent misconfigurations at the client side. | Development | Development teams, Security team |
| SSS-02-05-05-01-04 | Continuously monitor and audit configurations | Use automated tools to verify the effectiveness of configurations and identify vulnerabilities or misconfigurations across all environments. | Post-deployment | Security team, Risk management team |
| Industry framework | Academic work | Real-world case |
|---|---|---|
|
Information Security Manual (ISM-1923) The Open Worldwide Application Security Project Top 10 (A05:2021) The Open Worldwide Application Security Project Top 10 (A05:2021) |
Maintain an up-to-date inventory of all LLM-related components, including libraries, frameworks, and dependencies. Regularly scan for vulnerabilities, subscribe to security alerts, and apply patches promptly. Ensure that any third-party components used in the LLM are compatible with secure versions and tested for security compliance.
Develop and maintain a robust patch management process to address vulnerabilities and ensure component security. Remove unused dependencies, components, and documentation to minimize attack surfaces. Use tools like OWASP Dependency Check or software composition analysis tools to inventory and monitor both client-side and server-side components for vulnerabilities. Leverage sources like the Common Vulnerabilities and Exposures (CVE) database and the National Vulnerability Database (NVD) for updates. Only procure components from verified, secure sources, preferring signed packages to mitigate risks of tampered or malicious files. Actively monitor for unmaintained or unsupported libraries, prioritizing the replacement of outdated dependencies. If patching is not feasible, employ virtual patching mechanisms to detect, monitor, and protect against known issues. Regularly update this inventory and associated processes to maintain system integrity and security.
| ID | Operation | Description | Phase | Agent |
|---|---|---|---|---|
| SSS-02-05-06-01-01 | Inventory and monitor component versions | Continuously inventory all client-side and server-side components, including their dependencies, and monitor for vulnerabilities using tools like OWASP Dependency Check. | Development | Security team, Development teams |
| SSS-02-05-06-01-02 | Establish a risk-based patch management process | Implement a patching process that prioritizes updates based on risk severity, ensuring timely application of patches or deployment of virtual patches for unmaintained components. | Deployment | DevOps team, Security team |
| SSS-02-05-06-01-03 | Remove and replace unused or unmaintained components | Regularly identify and remove unused dependencies, features, or components. Replace outdated or unsupported libraries with actively maintained alternatives. | Development | Development teams, QA team |
| SSS-02-05-06-01-04 | Automate vulnerability scanning and subscription alerts | Use tools like Dependabot for automated alerts on vulnerable dependencies and integrate updates into CI/CD pipelines. | Post-deployment | Security team, Risk management team |
| Industry framework | Academic work | Real-world case |
|---|---|---|
|
Information Security Manual (ISM-1923) The Open Worldwide Application Security Project Top 10 (A06:2021) The Open Worldwide Application Security Project Top 10 (A06:2021) |
Identification and Authentication Failures: Implement robust authentication mechanisms to verify user identities and manage sessions securely. Use multi-factor authentication (MFA) where appropriate and secure API keys for accessing LLM functionalities, ensuring only authorized users can interact with the LLM.
Integrate multi-factor authentication (MFA) to mitigate risks such as credential stuffing, brute force attacks, and credential reuse. Ensure no default credentials are deployed, especially for administrative accounts. Strengthen password security by verifying new or changed passwords against widely known weak password lists, and align password policies with NIST 800-63b guidelines for memorized secrets. Harden user registration, credential recovery, and API interactions to prevent account enumeration by using uniform response messages for all outcomes. Implement rate limiting or incremental delays for failed login attempts to counteract brute force attacks while avoiding denial-of-service risks. Log authentication failures and notify administrators of suspicious activity. Deploy a secure server-side session manager that generates high-entropy, random session IDs on login. Ensure session identifiers are stored securely, are not included in URLs, and are invalidated upon logout, timeout, or absolute expiration. These measures establish a secure foundation for user authentication and session integrity.
| ID | Operation | Description | Phase | Agent |
|---|---|---|---|---|
| SSS-02-05-07-01-01 | Implement multi-factor authentication (MFA) | Require MFA for all user accounts, particularly admin accounts, to mitigate automated attacks such as credential stuffing and brute force. | Development | Security team, Development teams |
| SSS-02-05-07-01-02 | Enforce modern password policies | Align password complexity, length, and rotation requirements with evidence-based guidelines like NIST 800-63b, and check passwords against a known weak password list. | Development | Security team, Development teams |
| SSS-02-05-07-01-03 | Harden authentication and recovery workflows | Prevent account enumeration attacks by standardizing error messages across registration, login, and recovery workflows, and limit failed login attempts to mitigate abuse. | Development | QA team, Security team |
| SSS-02-05-07-01-04 | Use secure session management practices | Use server-side session management to securely handle session identifiers, invalidate them upon logout or timeout, and generate new random session IDs after login. | Deployment | DevOps team, IT operations, Security team |
| Industry framework | Academic work | Real-world case |
|---|---|---|
|
Information Security Manual (ISM-1923) The Open Worldwide Application Security Project Top 10 (A07:2021) The Open Worldwide Application Security Project Top 10 (A07:2021) |
Software and Data Integrity Failures: Ensure the integrity of code, models, and data within the LLM application. Use trusted sources for dependencies, verify the integrity of updates, and secure the CI/CD pipeline to prevent tampering. Implement integrity checks for all updates and inputs to safeguard against data manipulation and unauthorized changes.
Verify software and data authenticity using digital signatures or similar mechanisms to ensure they originate from expected sources and remain unaltered. Source dependencies, such as libraries and frameworks, from trusted repositories like npm or Maven. For higher-risk scenarios, consider hosting an internal, vetted repository of known-good components. Employ software supply chain security tools, such as OWASP Dependency Check or CycloneDX, to detect vulnerabilities within dependencies. Institute a robust review process for code and configuration changes to prevent the introduction of malicious elements into the pipeline. Maintain strict segregation, configuration, and access controls within the CI/CD pipeline to safeguard the integrity of code during builds and deployments. Prohibit sending unsigned or unencrypted serialized data to untrusted clients, mandating integrity checks or digital signatures to detect tampering or replay attacks. These measures ensure resilience against software and data integrity failures throughout the development lifecycle.
| ID | Operation | Description | Phase | Agent |
|---|---|---|---|---|
| SSS-02-05-08-01-01 | Verify software supply chain integrity | Use digital signatures or similar mechanisms to verify the source and integrity of software, libraries, and dependencies. Only use trusted repositories or host an internal vetted repository. | Development | Security team, DevOps team |
| SSS-02-05-08-01-02 | Implement secure CI/CD pipeline controls | Enforce segregation, secure configurations, and strict access controls in CI/CD pipelines to protect code integrity throughout the build and deployment processes. | Deployment | DevOps team, Security team |
| SSS-02-05-08-01-03 | Review code and configuration changes | Establish a review process for all code and configuration changes to minimize the risk of introducing malicious components or vulnerabilities into the software pipeline. | Development | Development teams, QA team |
| SSS-02-05-08-01-04 | Protect serialized data with integrity checks | Use encryption, digital signatures, or other mechanisms to secure serialized data shared with clients, ensuring tampering or replay attacks are detectable. | Deployment | Development teams, Security team |
| Industry framework | Academic work | Real-world case |
|---|---|---|
|
Information Security Manual (ISM-1923) The Open Worldwide Application Security Project Top 10 (A08:2021) The Open Worldwide Application Security Project Top 10 (A08:2021) |
Security Logging and Monitoring Failures: Set up comprehensive logging and monitoring for the LLM application to detect, escalate, and respond to security incidents promptly. Log access attempts, data modifications, and unusual behaviors, and implement real-time monitoring to identify potential breaches. Regularly review logs and monitor for indicators of compromise.
Ensure all login attempts, access control events, and server-side validation failures are logged with sufficient user context to identify malicious accounts or behaviors. Logs should be retained for an adequate period to allow delayed forensic analysis. Format log data to be compatible with log management tools and encode it to prevent injection attacks targeting monitoring systems. High-value transactions must include tamper-proof audit trails, such as append-only databases, to prevent unauthorized changes or deletions. DevSecOps teams should deploy monitoring and alerting systems capable of identifying and escalating suspicious activities in real time. Adopt an incident response and recovery framework, such as NIST 800-61r2, to handle detected threats effectively. Utilize tools like the OWASP ModSecurity Core Rule Set and log correlation frameworks, including the ELK stack, to enable custom dashboards and alert configurations. These measures ensure swift detection and response to potential compromises.
| ID | Operation | Description | Phase | Agent |
|---|---|---|---|---|
| SSS-02-05-09-01-01 | Implement comprehensive logging for key events | Log failed login attempts with user identifiers and IP addresses for forensic analysis, using structured JSON logs. | Development | Development teams, Security team |
| SSS-02-05-09-01-02 | Integrate log management and monitoring tools | Configure Kibana dashboards to visualize login failures, access violations, and suspicious activity in real-time. | Deployment | DevOps team, Security team |
| SSS-02-05-09-01-03 | Establish alerts and incident response plans | Set up alerts for multiple failed login attempts within a short period and create a playbook for responding to brute-force attacks. | Deployment | Security team, Incident response team |
| SSS-02-05-09-01-04 | Ensure audit trails and log integrity | Use blockchain-based logs or write-once-read-many (WORM) storage for transaction logs to prevent tampering. | Post-deployment | Security team, Risk management team |
| Industry framework | Academic work | Real-world case |
|---|---|---|
|
Information Security Manual (ISM-1923) The Open Worldwide Application Security Project Top 10 (A09:2021) The Open Worldwide Application Security Project Top 10 (A09:2021) |
Server-Side Request Forgery (SSRF): Validate all URLs and external resource requests made by the LLM application to prevent SSRF attacks. Ensure that the LLM does not fetch unauthorized resources or communicate with untrusted endpoints. Use allow-lists for URL validation and implement network controls to prevent unauthorized data access.
To prevent SSRF, segment remote resource access functionality into isolated networks, minimizing potential exposure. Apply “deny by default” firewall or network access control rules to restrict traffic to only essential intranet resources. Maintain and review firewall rules regularly, logging all allowed and blocked network flows for accountability and monitoring purposes. At the application level, sanitize and validate all client-supplied URLs. Enforce strict URL schemas, ports, and destination policies using a positive allow-list approach. Avoid relying on deny-lists or regular expressions, as these are easily bypassed by sophisticated payloads. Do not send raw responses to clients, and disable HTTP redirections to reduce potential abuse. Be vigilant about consistency checks to prevent DNS rebinding or TOCTOU (time of check, time of use) race conditions. Avoid deploying additional critical security services like OpenID on systems exposed to SSRF risks, and ensure local traffic is strictly monitored. For systems with highly sensitive use cases, consider network encryption mechanisms such as VPNs for added security. These measures collectively establish robust defenses against SSRF exploitation.
| ID | Operation | Description | Phase | Agent |
|---|---|---|---|---|
| SSS-02-05-10-01-01 | Implement network layer protections | Enforce "deny by default" firewall rules and segment remote resource access functionality to separate networks, minimizing the impact of SSRF vulnerabilities. | Deployment | Network administrators, Security team |
| SSS-02-05-10-01-02 | Sanitize and validate input urls | Validate and sanitize user-supplied URLs, enforcing a positive allow list for URL schema, port, and destination. Reject requests with disallowed URLs. | Development | Development teams, QA team |
| SSS-02-05-10-01-03 | Harden application response handling | Strip metadata from fetched resources before sending responses and disable automatic HTTP redirections in the application. | Development | Development teams, Security team |
| Industry framework | Academic work | Real-world case |
|---|---|---|
|
Information Security Manual (ISM-1923) The Open Worldwide Application Security Project (A10:2021) The Open Worldwide Application Security Project (A10:2021) |