Enhance the OWASP LLM Applications Project with a Related Patterns Functionality #230

Open
GangGreenTemperTatum opened this issue Oct 25, 2023 · 2 comments
Labels
enhancement Changes/additions to the Top 10; eg. clarifications, examples, links to external resources, etc extension Something that extends the Top 10; eg. cheat-sheets, guides, intentionally-vulnerable apps, etc

Collaborator

GangGreenTemperTatum commented Oct 25, 2023

IMO, we should look to provide a glossary or CAPEC approach to the OWASP LLM Application vulnerabilities, similar to the way it is done with the OWASP Web Application standards framework; see "OWASP Related Patterns".

A typical CAPEC entry includes a detailed Execution Flow. This consists of 3 sections:

  • Explore – Guidance on what to look for that may indicate that the software may be vulnerable to this attack.
  • Experiment – Guidance on possible ways to test if the software may be vulnerable to this attack.
  • Exploit – Summary of possible ways to exploit the software if your experiments are successful.

In many of the CAPEC entries, there will also be an external mapping to one of three possible other data sources:

  • WASC Threat Classification 2.0 – A comprehensive framework from The Web Application Security Consortium that categorizes and organizes key security threats to web applications to facilitate standardizing threat reporting and response.
  • ATT&CK Related Patterns – A curated set of adversary behavior descriptors collected by MITRE, providing invaluable insights into the techniques used by threat actors to compromise and maneuver within systems.
  • OWASP Related Patterns – A set of techniques that attackers use to exploit the vulnerabilities in applications.

Kudos to SilverStr for the awesome blog post which triggered my inspiration for us to adopt this

GangGreenTemperTatum added the extension and enhancement labels Oct 25, 2023
DanaEpp commented Oct 25, 2023

Appreciate you pointing to my blog post. But I don’t think the LLM Top 10 should be mapping to CAPEC directly. Instead, you should be mapping to the appropriate CWE entries. The CWE will already be properly mapping to appropriate CAPEC entries.

I don’t envy the work needed to map the LLM Top 10 to appropriate CWEs. But by identifying the common weaknesses and mapping them to each of the 10 entries you will automatically then allow both the offense and defense teams to analyze the risks appropriately.

Good luck!!

@GangGreenTemperTatum
Collaborator Author

Thanks for the feedback! I already put this on our triage board 🙂 #224

GangGreenTemperTatum self-assigned this Apr 14, 2024