[ISM] LLM risk mitigation (OWASP top 10):

The risks listed in the OWASP Top 10 for Large Language Model Applications are mitigated during the development of large language model applications.

[OWASP] Strictly enforce LLM access control policies (SSS-02-05-01)

Broken Access Control: Implement strict access control policies in the LLM application to ensure users and APIs can only access permitted data and functionality. Enforce role-based access, prevent privilege escalation, and ensure sensitive data is not inadvertently exposed. This prevents unauthorized access, modification, or deletion of data.

[OWASP] Enforce robust access control mechanisms (SSS-02-05-01-01)

Access control mechanisms must be enforced server-side or via trusted serverless APIs, never relying on client-side checks. Follow a deny-by-default policy, granting access only to explicitly defined resources after proper authentication and authorization. Centralize and reuse access controls across the application to ensure consistency and reduce errors. Validate record ownership using domain models, restricting users to the resources they are authorized to use. Define and enforce application-specific business rules, such as operational limits. Disable directory listing and block access to sensitive file metadata such as .git directories or backup files. Log access control failures, set alerts for suspicious attempts, and apply API rate limiting to prevent automated attacks. Session identifiers must be invalidated upon logout, and JWTs must be short-lived or follow OAuth-compliant revocation for extended use. Minimize CORS usage, limiting it to trusted origins. Together these measures mitigate privilege escalation risks and protect sensitive data.

Operations

| ID | Operation | Description | Phase | Agent |
|---|---|---|---|---|
| SSS-02-05-01-01-01 | Design and implement robust access control policies | Establish "deny by default" access control mechanisms that enforce permissions based on user roles and record ownership, integrated into the domain models. | Preparation | Security team, Development leads |
| SSS-02-05-01-01-02 | Integrate and reuse access control mechanisms across applications | Ensure access control mechanisms are implemented consistently across server-side and serverless APIs, minimizing CORS usage and applying shared access logic. | Development | Development teams, IT operations |
| SSS-02-05-01-01-03 | Monitor and enforce access control with logs and alerts | Log all access control failures and configure alerts for repeated unauthorized access attempts. Implement rate limiting to mitigate automated attacks on APIs or controllers. | Deployment | Security team, Monitoring team |
| SSS-02-05-01-01-04 | Audit and review application access control regularly | Periodically audit the access control implementation, ensuring compliance with OWASP Top 10 principles and verifying no sensitive metadata or files are exposed in web roots. | Post-deployment | Security team, Risk management team |
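As an added illustration of the control text and the operations above (example code, not part of the standard or any project's implementation), the following Python module is a hypothetical central authorization gate for an LLM application: permissions are denied unless explicitly listed for the role, record ownership is validated on the domain model, model queries are rate limited per user as an operational limit, and every denial is logged. All names (ROLE_PERMISSIONS, User, Conversation, RateLimiter, authorize) and the limit values are assumptions.

```python
import logging
from collections import defaultdict, deque
from dataclasses import dataclass

log = logging.getLogger("llm_access_control")
# Hypothetical role -> permitted (action, resource type) pairs; anything not listed is denied.
ROLE_PERMISSIONS = {
    "user": {("read", "conversation"), ("write", "conversation"), ("query", "llm")},
    "admin": {("read", "conversation"), ("write", "conversation"),
              ("delete", "conversation"), ("query", "llm")},
}

@dataclass
class User:
    id: str
    role: str

@dataclass
class Conversation:  # domain model; ownership is a field of the record itself
    id: str
    owner_id: str

class RateLimiter:
    """Sliding window: at most `limit` calls per user within `window` seconds."""
    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.calls = defaultdict(deque)
    def allow(self, user_id, now):  # `now` is a monotonic timestamp in seconds
        q = self.calls[user_id]
        while q and now - q[0] > self.window:  # drop calls that fell out of the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

LLM_QUERY_LIMIT = RateLimiter(limit=5, window=60)  # assumed operational limit on model queries

def authorize(user, action, resource, now=0.0):
    """Deny by default, then role, ownership (admins excepted), query limit; log every denial."""
    rtype = "llm" if resource == "llm" else type(resource).__name__.lower()
    if (action, rtype) not in ROLE_PERMISSIONS.get(user.role, set()):
        log.warning("denied role: user=%s action=%s type=%s", user.id, action, rtype)
        return False
    if rtype == "conversation" and user.role != "admin" and resource.owner_id != user.id:
        log.warning("denied ownership: user=%s conversation=%s", user.id, resource.id)
        return False
    if rtype == "llm" and not LLM_QUERY_LIMIT.allow(user.id, now):
        log.warning("denied rate limit: user=%s", user.id)
        return False
    return True
```

Every request handler and every tool or retrieval call made on the model's behalf should pass through `authorize` before touching data, so the checks stay centralized rather than duplicated per endpoint.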

References

| Industry framework | Academic work | Real-world case |
|---|---|---|
| Information Security Manual (ISM-1923) | | |
| The Open Worldwide Application Security Project Top 10 (A01:2021) | | |