LLM Supply Chain Vulnerabilities
Description
Large Language Models (LLMs) are powerful tools for generating text, code, and other content, but the supply chain behind them is exposed to attack: the integrity of training data, pre-trained ML models, third-party plug-ins, and deployment platforms can all be compromised. Such compromises can lead to biased outcomes, security breaches, or even complete system failures.
Remediation
To prevent supply chain vulnerabilities, it is crucial to:
- Carefully vet data sources and suppliers, including their privacy policies and security practices.
- Use reputable plug-ins and ensure they have been tested for your application requirements.
- Maintain an up-to-date inventory of components using a Software Bill of Materials (SBOM).
- Apply MLOps best practices and use secure model repositories with data, model, and experiment tracking.
- Implement anomaly detection and adversarial robustness tests on supplied models and data.
- Conduct thorough security testing and regularly review and audit supplier security and access.
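The inventory and model-repository points above only help if something actually enforces the pinned inventory at load time. The following is an added example, not code from Escape or from this check: it pins every file of a model artifact to a SHA-256 digest in an SBOM-style manifest and refuses to treat the tree as trustworthy if a file is missing, altered, or unexpectedly present. The manifest format, the `demo()` scenario and its sample files are all constructed for illustration; the verification is meant to run before any deserialization of the weights.

```python
"""Pin model artifacts to a digest manifest and verify them before loading."""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large weight files do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(model_dir: Path, source: str) -> dict:
    """Record every file under model_dir with its digest.

    Run this once, at the moment the artifact is vetted, and commit the result
    next to the deployment configuration so later loads can be checked against it.
    (Constructed manifest layout, not a standard SBOM schema.)
    """
    return {
        "source": source,
        "artifacts": {
            str(path.relative_to(model_dir)): sha256_file(path)
            for path in sorted(model_dir.rglob("*"))
            if path.is_file()
        },
    }


def verify_artifacts(model_dir: Path, manifest: dict) -> list:
    """Compare the on-disk tree with the pinned manifest.

    Returns a list of findings; an empty list means the tree is byte-for-byte
    what was vetted. Files not listed in the manifest are reported too, because
    a model directory that gained an extra file is not the artifact that was reviewed.
    """
    findings = []
    expected = manifest["artifacts"]
    present = {
        str(path.relative_to(model_dir))
        for path in model_dir.rglob("*")
        if path.is_file()
    }
    for rel, pinned_digest in expected.items():
        if rel not in present:
            findings.append(f"missing: {rel}")
        elif sha256_file(model_dir / rel) != pinned_digest:
            findings.append(f"digest mismatch: {rel}")
    for rel in sorted(present - expected.keys()):
        findings.append(f"unlisted file: {rel}")
    return findings


def demo() -> tuple:
    """Constructed scenario: pin a sample model tree, then alter it and re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        model_dir = Path(tmp) / "model"
        model_dir.mkdir()
        # Constructed sample artifact: a tiny config and a placeholder weights file.
        (model_dir / "config.json").write_text('{"hidden_size": 16}')
        (model_dir / "weights.bin").write_bytes(b"\x00" * 64)
        manifest = build_manifest(model_dir, "constructed://example-model")
        clean = verify_artifacts(model_dir, manifest)

        # Simulate a modified weights file and an extra file that was never vetted.
        (model_dir / "weights.bin").write_bytes(b"\x00" * 63 + b"\x01")
        (model_dir / "extra.bin").write_bytes(b"unexpected")
        tampered = verify_artifacts(model_dir, manifest)
    return clean, tampered


if __name__ == "__main__":
    clean_findings, tampered_findings = demo()
    print("clean tree:", clean_findings or "ok")
    print("tampered tree:", tampered_findings)
```

The manifest is generated at vetting time and stored with the deployment, not fetched from the same place as the model; otherwise an attacker who can replace the weights can replace the digests as well. Reporting unlisted files matters because loaders for common model formats will happily pick up and execute code or configuration that was added beside the weights.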
Configuration
Identifier:
injection/llm_supply_chain_vulnerabilities
Examples
Ignore this check
checks:
  injection/llm_supply_chain_vulnerabilities:
    skip: true
Score
- Escape Severity: HIGH
Compliance
- OWASP: API8:2023
- OWASP LLM: LLM05:2023
- pci: 6.5.1
- gdpr: Article-32
- soc2: CC6
- psd2: Article-95
- iso27001: A.12.2
- nist: SP800-53
- fedramp: SI-3
Classification
- CWE: 1195
Score
- CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
- CVSS_SCORE: 5.0