Open GangGreenTemperTatum opened 1 year ago
Appreciate you pointing to my blog post. But I don’t think the LLM Top 10 should be mapping to CAPEC directly. Instead, you should be mapping to the appropriate CWE entries. The CWE will already be properly mapping to appropriate CAPEC entries.
I don’t envy the work needed to map the LLM Top 10 to appropriate CWEs. But by identifying the common weaknesses and mapping them to each of the 10 entries you will automatically then allow both the offense and defense teams to analyze the risks appropriately.
Good luck!!
Thanks for the feedback! I already put this on our triage board 🙂 #224
IMO, we should look to provide a glossary or CAPEC approach to the OWASP LLM Application vulnerabilities - Similar to the way it is done with The OWASP Web Application standards framework, see "OWASP Related Patterns".

A typical CAPEC entry includes a detailed Execution Flow. This consists of 3 sections:

- WASC Threat Classification 2.0 – A comprehensive framework from The Web Application Security Consortium that categorizes and organizes key security threats to web applications to facilitate standardizing threat reporting and response.
- ATT&CK Related Patterns – A curated set of adversary behavior descriptors collected by MITRE, providing invaluable insights into the techniques used by threat actors to compromise and maneuver within systems.
- OWASP Related Patterns – A set of techniques that attackers use to exploit the vulnerabilities in applications.
Kudos to SilverStr for the awesome blog post which triggered my inspiration for us to adopt this