Back

Home

/

Glossary

/

OWASP Top 10 for LLM Applications (2025)

OWASP Top 10 for LLM Applications (2025)

AI Bias

Systematic and repeatable errors in a computer system that create unfair outcomes, such as privileging one arbitrary group of users over others.

AI Data Governance

AI data governance involves the management of data quality, legality, and ethical standards to ensure responsible AI deployment.

AI Governance

AI Governance involves the systematic framework that oversees the ethical design, development, and implementation of AI technologies to ensure accountability, transparency, and fairness.

AI Impact Assessment

AI Impact Assessment is a critical process that evaluates the potential effects and implications of AI technologies on society, the environment, and the economy.

AI Inventory

Comprehensive cataloging and management of all artificial intelligence systems, models, datasets, and related resources within an organization.

AI Red Teaming

Security practice where experts simulate attacks on AI systems to identify vulnerabilities, assess their robustness, and improve their resilience against real-world threats.

AI Security Posture Management

Continuously monitoring, assessing, and improving the security measures and defenses of AI systems to ensure they are protected against threats and vulnerabilities.

AI Supply Chain Security

Safeguarding the integrity and security of AI systems and their components throughout the supply chain, from development to deployment, to prevent vulnerabilities and ensure trustworthiness.

API Security

Protecting Application Programming Interfaces (APIs) from vulnerabilities, ensuring secure data exchange, and preventing unauthorized access or malicious activities.

Application Security Posture Management (ASPM)

Tools and processes for continuously monitoring, assessing, and improving the security posture of software applications throughout their development lifecycle, with a focus on identifying, assessing, and mitigating vulnerabilities and risks associated with applications to ensure they remain secure against potential cyber threats.

Application Security Testing

Evaluating applications to identify and mitigate security vulnerabilities, ensuring that they are secure against threats and comply with security standards.

Artifact Repository

A storage location for software artifacts, including binaries and dependencies, used in the development and deployment process.

Audit Trail

A chronological record of all activities and changes that have occurred in a system or process, ensuring transparency and accountability.

Automated Security Testing

The use of automated tools and processes to continuously test applications for security vulnerabilities throughout the development lifecycle.

Bug Bounty

A a program that rewards individuals for finding and reporting security vulnerabilities in an organization's software, encouraging proactive identification and resolution of potential security issues.

CISA Known Exploited Vulnerabilities (KEV)

List compiled by the US Cybersecurity and Infrastructure Security Agency which identifies vulnerabilities confirmed as being exploited in the wild.

Code Repository

A storage location for source code, often using version control systems like Git.

Common Vulnerabilities and Exposures (CVE)

A list of publicly know vulnerabilities maintained by NIST.

Common Vulnerability Scoring System (CVSS)

A standardized, repeatable, and vendor agnostics method to compare application vulnerabilities.

Common Weakness Enumeration (CWE)

A community-developed list of common software and hardware weaknesses, which could introduce vulnerabilities.

Compliance

Adhering to industry standards, regulations, and best practices to ensure that applications meet legal and security requirements

Compliance Audit

A comprehensive review of an organization's adherence to regulatory guidelines.

Compliance Risk

The potential for losses or legal penalties due to violations of laws, regulations, or prescribed practices.

Container

A lightweight, standalone executable package of software that includes everything needed to run it, ensuring consistency across environments.

Contextual Risk Engine (CoRE)

AppSOC�s proprietary technology for prioritizing security issues based on severity, exploitability, and business context.

Continuous Integration/Continuous Deployment (CI/CD)

A practice that automates the integration and deployment of code changes, enabling frequent and reliable updates to applications.

Continuous Threat Exposure Management (CTEM)

A proactive and continuous program to monitor, evaluate, and reduce levels of exploitability and validate analysis and remediation processes.

Data Privacy

The aspect of information technology that deals with the ability of an organization or individual to determine what data can be shared with third parties.

Dependency Resolution

The process of determining and fetching the correct versions of dependencies for a software project.

DevOps

A methodology that combines software development (Dev) and IT operations (Ops) to shorten the development lifecycle, deliver high-quality software continuously, and improve collaboration between development and operations teams.

DevSecOps

An approach that integrates security practices into the DevOps process, ensuring that security is incorporated at every stage of the software development lifecycle to enhance the overall security posture of applications.

Dynamic Application Security Testing (DAST)

A testing method that analyzes applications in their running state to identify vulnerabilities by simulating external attacks.

Endpoint Detection and Response (EDR)

A system that monitors and analyzes endpoint activities to detect, investigate, and respond to security incidents in real-time.

Exploit Prediction Scoring System (EPSS)

A process developed by First.org for estimating the likelihood that a software vulnerability will be exploited in the wild.

False Negative

A failure to detect an actual vulnerability or threat, leading to a potential security risk remaining unaddressed.

False Positive

A security alert that incorrectly indicates the presence of a vulnerability or threat when none exists.

General Data Protection Regulation (GDPR)

European Union regulation that mandates strict data privacy and security measures for protecting personal data, giving individuals greater control over their personal information.

Generative Artificial Intelligence (Gen AI)

Artificial intelligence systems that create new content, such as text, images, or music, by learning patterns from existing data, exemplified by models like OpenAI's GPT-4.

Health Insurance Portability and Accountability Act (HIPAA)

U.S. law that sets national standards for the protection of sensitive patient health information, ensuring that such information is kept confidential and secure, particularly in electronic form.

Incident Management

The process used to manage the lifecycle of incidents to ensure that normal service operation is restored as quickly as possible.

Incident Response

The process of identifying, managing, and mitigating security incidents to minimize their impact on the organization.

Infrastructure as Code (IaC)

The ability to provision and support computing infrastructure using code instead of manual processes and settings.

Integrity Check

Verification that software has not been altered or tampered with.

Internal Audit

An independent, objective assurance and consulting activity designed to add value and improve an organization's operations.

Key Risk Indicators (KRIs)

Metrics used to provide an early signal of increasing risk exposures in various areas of an enterprise.

LLMOps

Practices and tools used to deploy, manage, and maintain large language models (LLMs) efficiently and effectively.

Large Language Models (LLM)

Advanced AI systems, such as OpenAI's GPT-4, that generate human-like text by processing and understanding vast datasets, enabling applications from automated customer service to content creation.

License Compliance

Ensuring that software components comply with licensing agreements and open-source licenses.

MITRE ATLAS

A knowledge base that catalogs the tactics, techniques, and case studies of adversarial attacks on machine learning (ML) and artificial intelligence (AI) systems to help organizations understand and mitigate these threats.

MITRE ATT&CK

Knowledge base of adversary tactics and techniques based on real-world observations, used as a foundation for developing threat models and methodologies in the cybersecurity community.

MLOps

The practice of deploying, managing, and monitoring machine learning models in production to ensure they operate efficiently and effectively.

Model Deployment

The process of integrating a machine learning model into a production environment where it can make predictions on new data and deliver business value.

Model Fuzzing

Testing technique used to identify vulnerabilities and weaknesses in machine learning models by inputting random, unexpected, or malformed data to observe how the model responds.

Model Monitoring

Continuously tracking the performance, accuracy, and behavior of deployed machine learning models to ensure they operate correctly and efficiently over time.

Model Scanning

The process of analyzing machine learning models for vulnerabilities, biases, and compliance with security and ethical standards to ensure they are safe and reliable for deployment.

Model Serving

The process of deploying machine learning models into production environments where they can process real-time data and generate predictions or insights.

Model Supply Chain Security

Protecting the integrity and security of machine learning models throughout their development, deployment, and operational lifecycle to prevent tampering, unauthorized access, and vulnerabilities.

National Institute of Standards and Technology (NIST)

An agency of the US Department of Commerce whose mission is to promote American innovation and industrial competitiveness

National Vulnerability Database (NVD)

U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP).

OWASP Top 10

A standards list from the non-profit Open Worldwide Application Security Project representing a broad consensus about the most critical security risks to web applications.

OWASP Top 10 for LLM Applications (2025)

List of the most critical security risks associated with large language models (LLMs), providing guidance for identifying, understanding, and mitigating these vulnerabilities to enhance the security and integrity of AI systems.

Open Source Software (OSS)

Software that is released with a license allowing anyone to view, modify, and distribute the source code.

Package Manager

A tool that automates the process of installing, upgrading, configuring, and removing software packages.

Patch Management

The process of distributing and applying updates to software to fix vulnerabilities and improve functionality.

Penetration Testing

A simulated cyberattack against an application to identify security weaknesses that could be exploited by malicious actors.

Personally Identifiable Information (PII)

Information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context.

Prompt Injection

A type of attack where malicious input is crafted to manipulate or alter the behavior of an AI system, particularly those using natural language processing (NLP) models.

Provenance

The history and origin of software components, tracking their creation, modification, and distribution.

Regulatory Compliance

The act of following relevant laws, regulations, and guidelines set by governing bodies to operate within legal frameworks.

Regulatory Framework

A set of standards and principles that guide the operations and governance of an organization within its industry.

Remediation

The process of correcting or mitigating identified security vulnerabilities to protect applications from potential threats.

Risk Appetite

The amount and type of risk that an organization is willing to take in order to meet their strategic objectives.

Risk Assessment

The systematic process of evaluating potential risks that may be involved in a projected activity or undertaking.

Risk Management

The process of identifying, assessing, and prioritizing risks followed by coordinated efforts to minimize, monitor, and control the impact of unfortunate events.

Risk Mitigation

The steps taken by an organization to reduce the impact and likelihood of a risk occurring.

Risk Scoring

The process of evaluating and assigning a score to vulnerabilities based on their severity, exploitability, and potential impact on the organization.

Risk-Based Vulnerability Management Explained - AppSOC

Navigate risk-based vulnerability management with AppSOC. Our glossary aids in understanding threat intelligence and vulnerability prioritization.

SANS Top 25

Guidance for developers on the most dangerous software errors of the Common Weakness Enumeration (CWE) list that have been found web applications.

Security Architecture Review

A continuous process, often initiated early in SDLC, to review security controls present within the architecture of a system or application.

Security Assessment

A comprehensive evaluation of an application's security posture, including vulnerability scans, penetration tests, and compliance checks.

Security Baseline

A set of minimum security standards and configurations that must be met to ensure an acceptable level of security for applications.

Security Configuration Management

The practice of ensuring that applications and systems are configured securely, following best practices and organizational policies.

Security Information and Event Management (SIEM)

A system that collects, analyzes, and reports on security-related data from various sources to provide a comprehensive view of an organization's security posture.

Security Maturity

The level of development and capability an organization has in implementing, managing, and continuously improving its security practices and controls to protect against threats and vulnerabilities.

Security Orchestration, Automation, and Response (SOAR)

A set of tools and processes designed to automate and streamline security operations, including incident response and threat management.

Security Policy

A set of rules and practices that govern how an organization protects its information and IT assets.

Security Vulnerability

A weakness in a system, application, or network that can be exploited by attackers to gain unauthorized access, cause disruptions, or steal sensitive information.

Shadow AI

Shadow AI refers to the use of artificial intelligence systems and tools within an organization without explicit approval or oversight by its central IT or AI department.

Shift Left

The practice of performing testing earlier in the software development lifecycle to identify and fix issues promptly.

Software Bill of Materials (SBOM)

A comprehensive list of components, libraries, and dependencies used in software development.

Software Composition Analysis (SCA)

A process that identifies and manages open source and third-party components within an application, ensuring they are secure and compliant with licensing requirements.

Software Dependency

External code libraries or modules that a software project relies on to function properly.

Software Supply Chain Security

Process of protecting the entire lifecycle of software, from development through deployment and maintenance, to prevent vulnerabilities and ensure the integrity, authenticity, and security of software components.

Software Supply Chain Vulnerability

Potential security weaknesses within the processes and components involved in developing, managing, and distributing software, which can be exploited by malicious actors.

Static Application Security Testing (SAST)

A testing method that analyzes source code, bytecode, or binary code for security vulnerabilities without executing the program.

Threat Modeling

The process of identifying, categorizing, and evaluating potential threats to an application to develop strategies for mitigating those threats.

Threat and Vulnerability Management

A proactive approach to identifying, assessing, and mitigating security threats and vulnerabilities within an organization's IT environment.

Unified Vulnerability Management

An comprehensive approach to cybersecurity, bringing together all the information about possible security gaps in an organization's network, software and systems.

Vulnerability Assessment

Systematically identifying, evaluating, and prioritizing security weaknesses in an organization's IT infrastructure, including networks, applications, and systems, to mitigate potential risks.

Vulnerability Detection

The process of identifying weaknesses and security flaws in an organization's systems, applications, and networks.

Large Language Models (LLMs) like GPT-4 have revolutionized the way businesses operate, bringing advanced AI capabilities to industries ranging from healthcare to finance. However, the increasing reliance on LLMs has introduced unique security challenges that organizations cannot afford to ignore. Recognizing these emerging risks, the Open Web Application Security Project (OWASP) developed the Top 10 vulnerabilities for LLMs, a guide to help organizations secure these powerful systems.

To address these challenges, AppSOC provides integrated support for OWASP’s framework. By leveraging AppSOC’s tools, organizations can identify, track, and mitigate the vulnerabilities outlined in the OWASP Top 10 for LLM Applications, ensuring safe, compliant, and effective AI deployment.

Following summary of each of these risks and the recommended mitigation steps to ensure the security and integrity of LLMs. These have been updated for the 2025 version released in November, 2024.

LLM01: Prompt Injection

  • Definition: Malicious actors manipulate an LLM’s input to alter its behavior, potentially leading to unauthorized actions or leakage of sensitive information.
  • Explanation: Prompt injection remains a critical issue, now divided into direct and indirect forms. Attackers exploit weaknesses in input validation to bypass security controls, gain unauthorized access, or override system instructions.
  • Recommendations: Use robust prompt filtering, input validation, and context-aware prompt handling to detect and neutralize injection attempts​.

LLM02: Sensitive Information Disclosure

  • Definition: LLMs unintentionally expose sensitive data such as personally identifiable information (PII), financial records, or security credentials.
  • Explanation: Improper handling of training data and response generation can cause LLMs to leak sensitive information. Models trained on improperly sanitized data may inadvertently regurgitate confidential information.
  • Recommendations: Implement strong access controls, encrypt sensitive data, use differential privacy techniques, and deploy robust content filtering​.

LLM03: Supply Chain Vulnerabilities

  • Definition: Third-party components, including pre-trained models and datasets, introduce security risks if compromised or manipulated.
  • Explanation: Dependency on open-source or third-party LLM models increases risks of poisoning attacks, biased outputs, and system failures due to unverified data sources.
  • Recommendations: Vet external components thoroughly, ensure cryptographic integrity of datasets, and establish a robust monitoring pipeline​.

LLM04: Data and Model Poisoning

  • Definition: Attackers introduce malicious data into training sets or fine-tuned models to influence LLM behavior.
  • Explanation: Poisoned datasets can introduce biases, degrade model performance, or create backdoors that can be exploited post-deployment.
  • Recommendations: Use anomaly detection for data integrity, apply secure training pipelines, and monitor for model drifts​.

LLM05: Improper Output Handling

  • Definition: LLM-generated content is not properly validated before being used by downstream applications.
  • Explanation: Failing to sanitize LLM outputs can lead to security exploits like code execution vulnerabilities, misinformation spread, and phishing attacks.
  • Recommendations: Implement strict validation mechanisms, filter generated outputs, and prevent direct execution of LLM-generated code​.

LLM06: Excessive Agency

  • Definition: Granting LLMs too much decision-making power can lead to security risks and unintended actions.
  • Explanation: Overly autonomous LLMs executing actions without human verification may lead to unauthorized transactions, data manipulation, or system compromise.
  • Recommendations: Apply the principle of least privilege, require human-in-the-loop approval, and restrict high-risk functionalities​.

LLM07: System Prompt Leakage

  • Definition: Unauthorized exposure of system-level prompts or instructions that guide LLM behavior.
  • Explanation: Attackers can exploit weaknesses to extract hidden system instructions, revealing operational logic, security controls, or proprietary configurations.
  • Recommendations: Conceal system prompts, limit model verbosity in error messages, and implement strong access control policies​.

LLM08: Vector and Embedding Weaknesses

  • Definition: Security vulnerabilities in vector databases and embedding models can lead to manipulation and unauthorized data access.
  • Explanation: Weaknesses in how vectors and embeddings are stored and retrieved in Retrieval-Augmented Generation (RAG) systems may enable attackers to inject harmful data, retrieve sensitive information, or manipulate model outputs.
  • Recommendations: Implement fine-grained access controls, validate external data sources, and monitor embedding-based queries for anomalies​.

LLM09: Misinformation and Hallucinations

  • Definition: LLMs generate incorrect or misleading information, leading to reputational, legal, and security risks.
  • Explanation: Hallucinations in LLM outputs can spread misinformation, impact decision-making, and introduce vulnerabilities when users rely on incorrect data.
  • Recommendations: Use truthfulness scoring models, reinforce fact-checking mechanisms, and provide disclaimers on generated content​.

LLM10: Unbounded Consumption

  • Definition: Resource-intensive LLM queries lead to service disruptions, excessive costs, or denial-of-service (DoS) attacks.
  • Explanation: Attackers can craft inputs that trigger computationally expensive operations, leading to Denial of Wallet (DoW) attacks where cloud costs spiral out of control.
  • Recommendations: Implement rate limiting, enforce cost-aware execution policies, and utilize adaptive load management techniques​.

Conclusion

Understanding and mitigating these OWASP Top 10 risks for Large Language Models is crucial for maintaining the security, fairness, and reliability of AI systems. By implementing the recommended mitigation steps, organizations can protect their LLMs from a wide range of threats, ensuring they are used safely and ethically.

References:

OWASP: Top 10 for Large Language Model Applications

Watch Blog Video

Follow us on LikedIn

Our Newsletter

Subscribe

Ready to get started?

Our expert team can assess your needs, show you a live demo, and recommend a solution that will save you time and money.

Schedule A Demo