The risks listed in the OWASP Top 10 for Large Language Model Applications are mitigated during the development of large language model applications.
Software and Data Integrity Failures: Ensure the integrity of code, models, and data within the LLM application. Use trusted sources for dependencies, verify the integrity of updates, and secure the CI/CD pipeline to prevent tampering. Implement integrity checks for all updates and inputs to safeguard against data manipulation and unauthorized changes.
Verify software and data authenticity using digital signatures or similar mechanisms to ensure they originate from expected sources and remain unaltered. Source dependencies, such as libraries and frameworks, from trusted repositories like npm or Maven. For higher-risk scenarios, consider hosting an internal, vetted repository of known-good components. Employ software supply chain security tools, such as OWASP Dependency Check or CycloneDX, to detect vulnerabilities within dependencies. Institute a robust review process for code and configuration changes to prevent the introduction of malicious elements into the pipeline. Maintain strict segregation, configuration, and access controls within the CI/CD pipeline to safeguard the integrity of code during builds and deployments. Prohibit sending unsigned or unencrypted serialized data to untrusted clients, mandating integrity checks or digital signatures to detect tampering or replay attacks. These measures ensure resilience against software and data integrity failures throughout the development lifecycle.
ID | Operation | Description | Phase | Agent |
---|---|---|---|---|
SSS-02-05-08-01-01 | Verify software supply chain integrity | Use digital signatures or similar mechanisms to verify the source and integrity of software, libraries, and dependencies. Only use trusted repositories or host an internal vetted repository. | Development | Security team, DevOps team |
SSS-02-05-08-01-02 | Implement secure CI/CD pipeline controls | Enforce segregation, secure configurations, and strict access controls in CI/CD pipelines to protect code integrity throughout the build and deployment processes. | Deployment | DevOps team, Security team |
SSS-02-05-08-01-03 | Review code and configuration changes | Establish a review process for all code and configuration changes to minimize the risk of introducing malicious components or vulnerabilities into the software pipeline. | Development | Development teams, QA team |
SSS-02-05-08-01-04 | Protect serialized data with integrity checks | Use encryption, digital signatures, or other mechanisms to secure serialized data shared with clients, ensuring tampering or replay attacks are detectable. | Deployment | Development teams, Security team |
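As an added example (not part of the original page, the ISM, or OWASP material), the following Python code illustrates two of the operations above in working form: verifying a downloaded dependency against a pinned SHA-256 digest (SSS-02-05-08-01-01), and protecting serialized data sent to clients with an HMAC-SHA256 tag plus an embedded timestamp and nonce so that both tampering and replay are detectable (SSS-02-05-08-01-04). HMAC is used here as the "similar mechanism" in place of a public-key digital signature so the example runs on the standard library alone; the key, the artifact bytes, the pinned digest and the payload are constructed sample values, and the in-memory nonce set stands in for a shared store with expiry.

```python
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# ---------------------------------------------------------------
# 1. Supply chain integrity: verify an artifact against a pinned digest.
#    The pinned value would normally come from a lockfile or the
#    publisher's signed release metadata; here it is constructed.
# ---------------------------------------------------------------

def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of an artifact's bytes."""
    return hashlib.sha256(data).hexdigest()


def verify_artifact(data: bytes, pinned_sha256: str) -> bool:
    """True only if the artifact matches the pinned digest.

    compare_digest is used so the comparison does not leak timing.
    """
    return hmac.compare_digest(sha256_hex(data), pinned_sha256.strip().lower())


# ---------------------------------------------------------------
# 2. Serialized data sent to clients: authenticate with HMAC-SHA256 and
#    embed a timestamp and a nonce so tampering and replay are detectable.
#    Wire format: <canonical JSON body>.<hex tag>
# ---------------------------------------------------------------

class IntegrityError(Exception):
    """Raised when a message fails the tag, freshness or replay checks."""


def sign_payload(key: bytes, payload: dict, now: Optional[float] = None) -> bytes:
    """Wrap payload in an envelope with timestamp and nonce and append a tag."""
    envelope = {
        "ts": int(now if now is not None else time.time()),
        "nonce": secrets.token_hex(16),   # 128-bit random nonce per message
        "payload": payload,
    }
    # Canonical serialization so sender and verifier hash identical bytes.
    body = json.dumps(envelope, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body + b"." + tag.encode()


class Verifier:
    """Server-side verifier that also tracks nonces to reject replays."""

    def __init__(self, key: bytes, max_age_seconds: int = 300):
        self.key = key
        self.max_age = max_age_seconds
        self.seen_nonces = set()   # in production: a shared store with expiry

    def verify(self, message: bytes, now: Optional[float] = None) -> dict:
        # The hex tag contains no '.', so rpartition isolates it even if the
        # JSON body itself contains dots.
        body, sep, tag = message.rpartition(b".")
        if not sep:
            raise IntegrityError("malformed message")
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest().encode()
        # Check the tag before parsing: untrusted bytes are never deserialized
        # until their integrity is established.
        if not hmac.compare_digest(expected, tag):
            raise IntegrityError("bad tag: message was altered or key mismatch")
        envelope = json.loads(body)
        now = now if now is not None else time.time()
        if abs(now - envelope["ts"]) > self.max_age:
            raise IntegrityError("stale message: outside freshness window")
        if envelope["nonce"] in self.seen_nonces:
            raise IntegrityError("replay: nonce already seen")
        self.seen_nonces.add(envelope["nonce"])
        return envelope["payload"]


def verify_or_reason(verifier: Verifier, message: bytes,
                     now: Optional[float] = None) -> str:
    """Return 'ok' if the message verifies, otherwise the rejection reason."""
    try:
        verifier.verify(message, now=now)
        return "ok"
    except IntegrityError as exc:
        return str(exc)


if __name__ == "__main__":
    # Constructed sample values, not real artifacts or keys.
    artifact = b"fake-wheel-contents"
    pinned = sha256_hex(artifact)
    print("artifact ok:", verify_artifact(artifact, pinned))
    print("tampered artifact ok:", verify_artifact(artifact + b"\x00", pinned))

    key = secrets.token_bytes(32)
    v = Verifier(key)
    msg = sign_payload(key, {"user": "alice", "scope": "read"})
    print("first delivery:", verify_or_reason(v, msg))
    print("replayed:", verify_or_reason(v, msg))
    print("tampered:", verify_or_reason(v, msg.replace(b'"read"', b'"admin"')))
```

The order of checks matters: the tag is verified on the raw bytes before anything is deserialized, so a client cannot feed crafted JSON into the parser, and the freshness window plus the nonce set together bound how long a captured message stays usable. Swapping HMAC for an Ed25519 signature changes only `sign_payload` and the tag comparison; the envelope and replay logic stay the same.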
Industry framework | Academic work | Real-world case |
---|---|---|
Information Security Manual (ISM-1923); The Open Worldwide Application Security Project Top 10 (A08:2021) | | |