[ISM] LLM risk mitigation (OWASP top 10):

The OWASP Top 10 for Large Language Model Applications are mitigated in the development of large language model applications.

[OWASP] Secure LLM data with cryptography (SSS-02-05-02)

Cryptographic Failures: Use strong cryptographic protocols to protect sensitive data used by the LLM, both in transit and at rest. Encrypt data such as user inputs, model outputs, and training data if they contain sensitive information. Ensure that cryptographic methods comply with standards like GDPR for data privacy and PCI DSS for financial data.

[OWASP] Enforce secure cryptographic practices for data protection (SSS-02-05-02-01)

All sensitive data must be encrypted at rest using robust, up-to-date algorithms and strong key management practices. In transit, data should be secured using TLS with forward secrecy, cipher prioritization, and secure parameters, enforcing encryption directives like HTTP Strict Transport Security (HSTS). Prevent legacy vulnerabilities by avoiding deprecated algorithms such as MD5 and SHA1, and use AES-GCM or a similar authenticated encryption standard wherever data is encrypted. Dispose of unnecessary sensitive data securely using tokenization or truncation methods. Passwords must be stored using adaptive, salted hashing functions like Argon2 or bcrypt, ensuring strong security even under brute force attempts. Initialization vectors should be random and never reused, adhering to cryptographic best practices, and keys must be generated using cryptographically secure pseudo-random number generators (CSPRNGs). Legacy protocols like FTP and SMTP must not be used to transport sensitive data. All cryptographic configurations must be independently tested for compliance and effectiveness. By implementing these practices, the application ensures compliance with privacy regulations, safeguards user data, and maintains resilience against cryptographic failures.

Operations

| ID | Operation | Description | Phase | Agent |
|---|---|---|---|---|
| SSS-02-05-02-01-01 | Classify and minimize sensitive data usage | Identify sensitive data processed, stored, or transmitted by the application, and eliminate unnecessary storage by truncating, tokenizing, or discarding sensitive data where possible. | Preparation | Data governance team, Security team |
| SSS-02-05-02-01-02 | Implement robust encryption for data at rest and in transit | Encrypt all sensitive data using up-to-date algorithms and strong key management practices. Enforce secure communication protocols (e.g., TLS) for data in transit and disable caching for sensitive responses. | Development | Security team, DevOps team |
| SSS-02-05-02-01-03 | Enforce cryptographic standards and verify configurations | Ensure cryptographic randomness, avoid deprecated functions (e.g., MD5, SHA1), and apply authenticated encryption for data handling. Independently verify cryptographic configurations and settings. | Deployment | Security team, Compliance team |
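
One way to automate part of the verification in SSS-02-05-02-01-03 for a Python LLM application is a static check that flags MD5/SHA1 calls and use of the non-CSPRNG `random` module. This is an added example, not part of the standard; `audit_source`, `_qualified_name` and `SAMPLE` are hypothetical names, and the sample source is constructed.

```python
import ast

DEPRECATED_HASHES = {"md5", "sha1"}  # the algorithms this page names as deprecated

# Constructed sample of application code to audit (parsed only, never executed).
SAMPLE = '''\
import hashlib as h
import secrets
from random import randbytes

digest = h.md5(prompt).hexdigest()
legacy = h.new("SHA-1", prompt)
iv = randbytes(12)
key = secrets.token_bytes(32)
ok = h.sha256(prompt).hexdigest()
'''

def _qualified_name(func, aliases):
    """Resolve a call target to 'module.attr', following import aliases."""
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return f"{aliases.get(func.value.id, func.value.id)}.{func.attr}"
    if isinstance(func, ast.Name):
        return aliases.get(func.id, func.id)
    return ""

def audit_source(source):
    """Return sorted (line, finding) pairs for weak hashes and non-CSPRNG calls."""
    tree = ast.parse(source)
    aliases = {}  # local name -> real module or module.attr
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                aliases[a.asname or a.name] = a.name
        elif isinstance(node, ast.ImportFrom) and node.module:
            for a in node.names:
                aliases[a.asname or a.name] = f"{node.module}.{a.name}"
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        module, _, attr = _qualified_name(node.func, aliases).rpartition(".")
        if module == "hashlib":
            algo = attr  # hashlib.md5(...) style; hashlib.new("md5") handled next
            if attr == "new" and node.args and isinstance(node.args[0], ast.Constant):
                algo = str(node.args[0].value)
            if algo.lower().replace("-", "") in DEPRECATED_HASHES:
                findings.append((node.lineno, f"deprecated hash: {algo}"))
        elif module == "random" and attr != "SystemRandom":  # SystemRandom is OS-backed
            findings.append((node.lineno, f"non-CSPRNG call: random.{attr}"))
    return sorted(findings)
```

Findings still need triage: the check does not know whether a flagged hash or random value is used for a security purpose.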

References

Industry framework Academic work Real-world case
Information Security Manual (ISM-1923)
The Open Worldwide Application Security Project Top 10 (A02:2021)