[ISM] Web application risk mitigation (OWASP Top 10):

The OWASP Top 10 are mitigated in the development of web applications.

[OWASP] Integrate secure design in LLM applications (SSS-02-13-04)

Insecure Design: Design the LLM application with security controls in place from the start. Conduct thorough threat modeling to identify security requirements and avoid design flaws that could leave the application vulnerable. Differentiate between design and implementation flaws, ensuring that both secure-by-design and secure-by-default principles are followed.

[OWASP] Integrate security-first principles in application design (SSS-02-13-04-01)

Adopt a secure development lifecycle, engaging AppSec professionals to guide the integration of security and privacy controls. Establish a library of secure design patterns and pre-vetted components to streamline consistent security implementations. Leverage threat modeling to address vulnerabilities in authentication, access control, business logic, and other critical workflows. Incorporate security measures directly into user stories and implement plausibility checks across all tiers of the application, from frontend to backend. Develop unit and integration tests aligned with the threat model to validate the resilience of key application flows. Document comprehensive use-cases and misuse-cases for every layer of the architecture. Design robust segregation for system and network tiers based on exposure and protection requirements. Implement strong tenant isolation throughout all application tiers and enforce resource consumption limits per user or service to prevent abuse. These measures ensure a foundation of security in the application's design phase, reducing risk and enhancing overall resilience.

Operations

| ID | Operation | Description | Phase | Agent |
|---|---|---|---|---|
| SSS-02-13-04-01-01 | Integrate secure development lifecycle practices | Embed security professionals into the development lifecycle to evaluate and design security and privacy controls for large language model applications. | Preparation | Security team, Development teams, AppSec experts |
| SSS-02-13-04-01-02 | Use threat modeling and secure design patterns | Perform threat modeling for critical workflows (e.g., authentication, access control) and adopt pre-validated secure design patterns and reusable components. | Preparation | Security team, Architects, Development teams |
| SSS-02-13-04-01-03 | Validate critical flows and implement plausibility checks | Write unit and integration tests for key workflows to validate resistance to identified threats and ensure plausibility checks are integrated across all tiers of the application. | Development | QA team, Security team, Development teams |
| SSS-02-13-04-01-04 | Segregate and limit resources robustly | Design robust segregation for tenants across system tiers and enforce resource limits for users and services to prevent abuse or unintended resource exhaustion. | Deployment | IT operations, Security team, DevOps team |
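The sketch below is an added example, not part of the framework text: it shows how operations SSS-02-13-04-01-03 and SSS-02-13-04-01-04 might look at the backend tier of an LLM application, with server-side plausibility checks, per-tenant data isolation and a per-tenant token budget. The `Gateway`, `TenantState` and `Rejected` names and all limit values are hypothetical.

```python
import time
from dataclasses import dataclass, field

# Assumed limits for illustration; real values come from the threat model.
MAX_PROMPT_CHARS, MAX_OUTPUT_TOKENS = 8_000, 1_024
TOKENS_PER_WINDOW, WINDOW_SECONDS = 2_000, 60

class Rejected(Exception):
    """Raised with a short reason code when a request fails a design-level check."""

@dataclass
class TenantState:
    window_start: float = 0.0
    tokens_used: int = 0
    documents: dict = field(default_factory=dict)  # doc_id -> text, this tenant only

class Gateway:
    def __init__(self, clock=time.monotonic):
        self._clock = clock      # injectable so tests can control time
        self._tenants = {}       # tenant_id -> TenantState

    def _state(self, tenant_id):
        return self._tenants.setdefault(tenant_id, TenantState(window_start=self._clock()))

    def store(self, tenant_id, doc_id, text):
        self._state(tenant_id).documents[doc_id] = text

    def submit(self, tenant_id, prompt, max_tokens, doc_id=None):
        # Plausibility checks are repeated server-side, whatever the frontend enforced.
        if not isinstance(prompt, str) or not prompt.strip() or len(prompt) > MAX_PROMPT_CHARS:
            raise Rejected("implausible_prompt")
        if type(max_tokens) is not int or not 1 <= max_tokens <= MAX_OUTPUT_TOKENS:
            raise Rejected("implausible_max_tokens")
        state = self._state(tenant_id)
        # Tenant isolation: lookups only ever touch the caller's own document store.
        if doc_id is not None and doc_id not in state.documents:
            raise Rejected("document_not_found")
        context = state.documents[doc_id] if doc_id is not None else None
        # Resource limit: fixed-window token budget tracked per tenant.
        now = self._clock()
        if now - state.window_start >= WINDOW_SECONDS:
            state.window_start, state.tokens_used = now, 0
        if state.tokens_used + max_tokens > TOKENS_PER_WINDOW:
            raise Rejected("budget_exceeded")
        state.tokens_used += max_tokens
        return {"tenant": tenant_id, "prompt": prompt, "context": context, "max_tokens": max_tokens}
```

Each misuse-case from the threat model (cross-tenant document access, implausible parameters, budget exhaustion) maps to one unit test against `submit`.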

References

Industry framework Academic work Real-world case
Information Security Manual (ISM-1850)
The Open Worldwide Application Security Project Top 10 (A04:2021)