Merge pull request #252 from rossja/main

added LLM Governance Checklist

llm-top-10-governance-doc/LLM_AI_Security_and_Governance_Checklist.tex

@@ -0,0 +1,77 @@
+%%% ================================================
+%%% OWASP Top 10 For LLM Applications Template
+%%% Version: 0.0.1
+%%% Date: 2023-11-28
+%%% Template Authors:
+%%%   - Jason Ross <[email protected]>
+%%% ================================================
+
+%%% ================================================
+%%% How to use this
+%%% ================================================
+%%% Update the variables below
+%%% If you want to change text color on the front
+%%% cover, the areas required are commented below.
+%%% If you want to modify text and border colors
+%%% for your chapter headers go into the file
+%%% `structure.tex` and replace the name of the
+%%% colour (set to ) with a new colour name
+%%% (find and replace ctrl+f will do this for you).
+%%% ================================================
+
+%%% ================================================
+%%%	VARIABLES
+%%% ================================================
+
+%%% Project Name
+\def\projectName{LLM AI Security \& Governance Checklist}
+\def\projectSubName{From the OWASP Top 10 \\ for LLM Applications Team}
+\def\docVersion{0.5}
+
+%%% Project Type
+\def\projectType{OWASP Project Document}
+
+%%% Report Date (defaults to Today's date)
+\def\date{\today}
+
+
+%%% ================================================
+%%%	DOCUMENT CONFIGURATION
+%%% ================================================
+
+\documentclass[
+        11pt,         % Default font size, select one of 10pt, 11pt or 12pt
+        fleqn,        % Left align equations
+        letterpaper,  % Paper size, use either 'a4paper' for A4 size or 'letterpaper' for US letter size
+        % landscape,    % Uncomment for for a landscape layout (useful for wide tables or figures)
+        oneside,      % Uncomment for oneside mode: this doesn't start new chapters and parts on odd pages (adding an empty page if required)
+                      % this mode is more suitable if the book is to be read on a screen instead of printed
+]{owasp-doc}
+
+
+%%% ================================================
+%%% DOCUMENT BEGINS HERE
+%%% ================================================
+% \tracingmacros=1 % turn on tracing
+\begin{document}
+
+\pagestyle{fancy}
+
+%%%	COVER PAGE
+\input{sections/coverpage}
+
+%%%	CHANGELOG & DISCLAIMER
+\input{sections/changelog-disclaimer}
+
+%%%	TABLE OF CONTENTS
+\input{sections/toc}
+
+%%% ALL OTHER CONTENT
+\input{sections/main}
+
+%%% APPENDICES
+\appendix
+\input{apx/team}
+
+\end{document}
+% \tracingmacros=0 % turn off tracing

llm-top-10-governance-doc/Makefile

@@ -0,0 +1,48 @@
+# simple Makefile to compile the latex
+
+PROJ=`cd ../; basename \`pwd\``
+DOC=LLM_AI_Security_and_Governance_Checklist
+FILES=$(DOC).tex
+
+# create a random password
+# requires pwgen
+PW!=pwgen -n1
+
+# create a PDF
+pdf: $(FILES) distclean
+
+# lualtex needs to run iteratively so it can process all references
+	pdflatex  $(DOC).tex
+	pdflatex  $(DOC).tex
+	pdflatex  $(DOC).tex
+
+# now clean up the intermediate steps
+	make clean
+
+# create an encrypted PDF
+# requires pdftk (apt-get install pdftk-java)
+crypt: pdf
+	pdftk $(DOC).pdf output $(DOC).encrypted.pdf user_pw $(PW) allow allfeatures
+	echo "Encryption password" is $(PW)
+
+# create an RTF file for folks that want "Word" versions
+rtf: $(FILES)
+	latex2rtf $(DOC)
+
+# clear out all the intermediate cruft from a build, but leave the PDFs
+clean:
+	rm -f *.tmp *.out *.aux *.idx *.log *.ilg *.xref *.lg \
+	*.toc *.ind *.4og *.4ct *.4tc *.idv *.lot *.lov *.lltr *.lstr \
+	*.ptc *.dvi *.tv *.vrb *.hv *.hst *.ver *.mv *.lv *.odt $(DOC).synctex.gz \
+	*.rtf *.cg *.cp *.cpc *.dd *.sc *.xml *.bcf *.loc *.tdo *.4o* $(DOC).txt tex4ht.env \
+	*.fdb_latexmk *.fls $(DOC).gz > /dev/null 2>&1
+	-find . -name "*.aux" -exec rm {} \;
+
+# clear out all the intermediate cruft and also any PDFs
+distclean:
+	-rm -f $(DOC).pdf $(DOC).encrypted.pdf *.tmp *.out *.aux *.idx *.log *.ilg *.xref *.lg \
+	*.toc *.ind *.4og *.4ct *.4tc *.idv *.lot *.lov *.lltr *.lstr \
+	*.ptc *.dvi *.tv *.vrb *.hv *.hst *.ver *.mv *.lv *.odt $(DOC).synctex.gz \
+	*.rtf *.cg *.cp *.cpc *.dd *.sc *.xml *.bcf *.loc *.tdo *.4o* $(DOC).txt tex4ht.env \
+	*.fdb_latexmk *.fls $(DOC).gz > /dev/null 2>&1
+	-find . -name "*.aux" -exec rm {} \;

llm-top-10-governance-doc/apx/team.tex

@@ -0,0 +1,45 @@
+% !TEX root = report.tex
+
+% ------------------------------------------------
+% TEAM
+% ------------------------------------------------
+
+\headerimage
+\chapter{Team}
+
+Thank you to the OWASP Top 10 for LLM Applications Cybersecurity and Governance
+Checklist Contributors.
+
+%%% TABLE FORMATTING
+\setlength\LTleft{0pt}
+\setlength\LTright{0pt}
+\begin{longtable}[c]{|p{0.33\textwidth}|p{0.33\textwidth}|p{0.33\textwidth}|}
+  %%% Header and footer information
+  \hline
+  \rowcolor{owasplightpurple}
+  \multicolumn{3}{|c|}{
+    \textbf{Checklist Contributors}
+  } \\
+  \hline
+  \endfirsthead
+  \hline
+  \multicolumn{3}{|c|}{
+    \textbf{Checklist Contributors}
+  } \\
+  \hline
+  \endhead
+  \endfoot
+  %%% TABLE DATA GOES HERE
+\hline
+  Sandy Dunn & Heather Linn & John Sotiropoulos   \\
+  \hline
+  Steve Wilson & Fabrizio Cilli & Aubrey King     \\
+  \hline
+  Bob Simonoff & David Rowe & Rob Vanderveer      \\
+  \hline
+  Emmanual Guilherme Junior & Andrea Succi & Jason Ross \\
+  \hline
+  %%% TABLE DATA ENDS HERE
+  \caption{OWASP LLM AI Security \& Governance Checklist v.0.5 Team}
+  \label{tab:team}
+\end{longtable}

llm-top-10-governance-doc/fragments/changelog.tex

@@ -0,0 +1,11 @@
+% !TEX root = owasp-doc.tex
+%%% Changelog
+\begin{figure}[t!]
+\fontsize{14}{14}
+\owaspbf{Revision History}
+\fontsize{11}{11}
+  \begin{versionhistory}
+  \vhEntry{0.1}{2023-11-01}{Sandy Dunn}{initial draft}
+  \vhEntry{0.5}{2023-12-06}{Sandy Dunn, OWASP LLM Apps Team}{public draft}
+\end{versionhistory}
+\end{figure}

llm-top-10-governance-doc/fragments/disclaimer.tex

@@ -0,0 +1,10 @@
+% !TEX root = owasp-doc.tex
+%%% Disclaimer
+\textit{The information provided in this document does not, and is not intended
+to, constitute legal advice. All information is for general informational
+purposes only.\\
+\\
+This document contains links to other third-party websites. Such links are only
+for convenience and OWASP does not recommend or endorse the contents of the
+third-party sites.
+}

llm-top-10-governance-doc/fragments/resources/__tpl_2col.tex

@@ -0,0 +1,29 @@
+% !TEX root = owasp-doc.tex
+\clearpage
+\section{TKTKSectionName}
+%%% TABLE FORMATTING
+\setlength\LTleft{0pt}
+\setlength\LTright{0pt}
+\begin{longtable}[c]{|p{0.45\textwidth}|p{0.55\textwidth}|}
+  %%% Header and footer information
+  \hline
+  \rowcolor{owasplightpurple}
+  \textbf{Name} &
+  \textbf{Description}\\
+  \hline
+  \endfirsthead
+  \hline
+  \rowcolor{owasplightpurple}
+  \textbf{Name} &
+  \textbf{Description} \\
+  \hline
+  \endhead
+  \endfoot
+  %%% TABLE DATA STARTS HERE
+  \href{TKTKlink}{TKTKtext} &
+  TKTKdescription
+  \hline
+  %%% TABLE DATA ENDS HERE
+  \caption{TKTKcaption}
+  \label{tab:TKTKlabel}
+\end{longtable}

llm-top-10-governance-doc/fragments/resources/__tpl_3col.tex

@@ -0,0 +1,32 @@
+% !TEX root = owasp-doc.tex
+\clearpage
+\section{TKTKSectionName}
+%%% TABLE FORMATTING
+\setlength\LTleft{0pt}
+\setlength\LTright{0pt}
+\begin{longtable}[c]{|p{0.25\textwidth}|p{0.25\textwidth}|p{0.35\textwidth}|}
+  %%% Header and footer information
+  \hline
+  \rowcolor{owasplightpurple}
+  \textbf{TKTKName Resource} &
+  \textbf{Description} &
+  \textbf{Why It Is Recommended \& Where To Use It} \\
+  \hline
+  \endfirsthead
+  \hline
+  \rowcolor{owasplightpurple}
+  \textbf{TKTKName Resource} &
+  \textbf{Description} &
+  \textbf{Why It Is Recommended \& Where To Use It} \\
+  \hline
+  \endhead
+  \endfoot
+  %%% TABLE DATA GOES HERE
+  \href{TKTKlink}{TKTKtext} &
+  TKTKDescription &
+  TKTKReason \\
+  \hline
+  %%% TABLE DATA ENDS HERE
+  \caption{TKTKCaption}
+  \label{tab:TKTKlabel}
+\end{longtable}

llm-top-10-governance-doc/fragments/resources/ai-procurement-guidance.tex

@@ -0,0 +1,35 @@
+% !TEX root = owasp-doc.tex
+\clearpage
+\textbf{AI Procurement Guidance}
+%%% TABLE FORMATTING
+\setlength\LTleft{0pt}
+\setlength\LTright{0pt}
+\begin{longtable}[c]{|p{0.45\textwidth}|p{0.55\textwidth}|}
+  %%% Header and footer information
+  \hline
+  \rowcolor{owasplightpurple}
+  \textbf{Name} &
+  \textbf{Description} \\
+  \hline
+  \endfirsthead
+  \hline
+  \rowcolor{owasplightpurple}
+  \textbf{Name} &
+  \textbf{Description} \\
+  \hline
+  \endhead
+  \endfoot
+  %%% TABLE DATA STARTS HERE
+  \href{https://www3.weforum.org/docs/WEF_Adopting_AI_Responsibly_Guidelines_for_Procurement_of_AI_Solutions_by_the_Private_Sector_2023.pdf}{World Economic Forum: Adopting AI Responsibly: Guidelines for Procurement of AI Solutions by the Private Sector: Insight Report June 2023} &
+  The standard benchmarks and assessment criteria for procuring Artificial
+  systems are in early development. The procurement guidelines provide
+  organizations with a baseline of considerations for the end-to-end
+  procurement process.
+
+  Use this guidance to augment an organization's existing Third Party Risk
+  Supplier and Vendor procurement process. \\
+  \hline
+  %%% TABLE DATA ENDS HERE
+  \caption{AI Procurement Guidance}
+  \label{tab:ai-procurement-guidance}
+\end{longtable}