Version 2
lihter committed Jan 21, 2024
1 parent 9813e6e commit 1c8f50c
Showing 10 changed files with 47 additions and 42 deletions.
23 changes: 17 additions & 6 deletions content/ai_exchange/content/_index.md
Expand Up @@ -3,6 +3,8 @@

{{< image-centered src="/images/aixlogosml.jpg" alt="OWASP AI Exchange Logo" >}}

>All security risks for all of AI, by all professionals, for all professionals. Alignment and guidance for all.
{{< spacer height="40" >}}

{{< cards >}}
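Review bot: the new blockquote `>All security risks for all of AI ...` is immediately followed by `{{< spacer height="40" >}}` with no blank line between them; under CommonMark's lazy-continuation rule that second line is treated as a continuation of the quoted paragraph, so the spacer's output ends up inside the `<blockquote>` rather than after it. Insert an empty line between the quote and the shortcode (and a space after `>` for readability).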
Expand All @@ -13,7 +15,15 @@
{{< card link="https://github.com/OWASP/www-project-ai-security-and-privacy-guide/raw/main/assets/images/owaspaioverviewpdfv3.pdf" title="Navigator" icon="document-download">}}
{{< /cards >}}

"All security risks for all of AI, by all professionals, for all professionals. Alignment and guidance for all."
## Our Content

{{< cards >}}
{{< card link="/docs/overview/" title="AI Security Overview">}}
{{< card link="/docs/1_general_controls/" title="1. General controls">}}
{{< card link="/docs/2_threats_through_use/" title="2. Threats through use">}}
{{< card link="/docs/3_development_time_threats/" title="3. Development-time threats">}}
{{< card link="/docs/4_runtime_application_security_threats/" title="4. Runtime application security threats">}}
{{< /cards >}}

## Purpose

Expand All @@ -23,9 +33,10 @@ Our **mission** is to be the authoritative source for consensus, foster alignmen

Maintained here at [owaspai.org](https://owaspai.org) it currently uses both a GitHub repository and a Word Document for contributions. It is is an **open-source living document** for the worldwide exchange of AI security expertise. It serves, for example, as input to security standardization for the EU AI Act. The site is maintained by OWASP as part of the [OWASP AI guide](https://owasp.org/www-project-ai-security-and-privacy-guide/) project. It will periodically publish content with credited contributions into the Guide.

## About Project
## Other OWASP AI Initiatives

The OWASP AI Security & Privacy Guide has two parts:

1. [How to deal with AI security](/docs/security)
2. [How to deal with AI privacy](/docs/privacy)
{{< cards >}}
{{< card link="https://owasp.org/www-project-ai-security-and-privacy-guide/" title="OWASP AI Privacy" icon="lock-closed" >}}
{{< card link="https://llmtop10.com/" title="OWASP LLM Top 10" icon="brain" >}}
{{< card link="https://mltop10.info/" title="OWASP ML Top 10" icon="machinelearning" >}}
{{< /cards >}}
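Review bot: the removed list linked the privacy content directly at `/docs/privacy`, but the replacement card `title="OWASP AI Privacy"` points at the umbrella project page `https://owasp.org/www-project-ai-security-and-privacy-guide/`, which is the same project this site already belongs to, so readers looking for the privacy part lose their direct route to it; either point the card at the privacy section or keep the `/docs/privacy` link. Also check that the theme's icon set actually contains `brain` and `machinelearning`, since the other cards use standard names such as `document-download` and `lock-closed`.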
@@ -1,5 +1,6 @@
---
title: 1. General controls
weight: 2
---

## 1.1 General governance controls
@@ -1,5 +1,6 @@
---
title: 2. Threats through use
weight: 3
---

Threats through use take place through normal interaction with an AI model: providing input and receiving output. Many of these threats require experimentation with the model, which is referred to in itself as an _Oracle attack_.
@@ -1,5 +1,6 @@
---
title: 3. Development-time threats
weight: 4
---

**Background:**
@@ -1,5 +1,6 @@
---
title: 4. Runtime application security threats
weight: 5
---

## 4.1. Non AI-specific application security threats
38 changes: 8 additions & 30 deletions content/ai_exchange/content/docs/_index.md
@@ -1,33 +1,11 @@
---
title: AI Exchange
title: Content
---

<!-- TODO: Fix external and internal URLs -->

## Purpose

The OWASP AI Exchange is as an open source collaborative document to advance the development of global AI security standards and regulations. It provides a comprehensive overview of AI threats, vulnerabilities, and controls to foster alignment among different standardization initiatives. This includes the EU AI Act, ISO/IEC 27090 (AI security), the [OWASP ML top 10](https://mltop10.info/), the [OWASP LLM top 10](https://llmtop10.com/), and [OpenCRE](https://opencre.org) - which we want to use to provide the AI Exchange content through the security chatbot [OpenCRE-Chat](https://opencre.org/chatbot).

Our **mission** is to be the authoritative source for consensus, foster alignment, and drive collaboration among initiatives - NOT to set a standard, but to drive standards. By doing so, it provides a safe, open, and independent place to find and share insights for everyone. See [AI Exchange LinkedIn page](https://www.linkedin.com/company/owasp-ai-exchange/).

Maintained here at [owaspai.org](https://owaspai.org) it currently uses both a GitHub repository and a Word Document for contributions. It is is an **open-source living document** for the worldwide exchange of AI security expertise. It serves, for example, as input to security standardization for the EU AI Act towards mid-December (your help is urgently needed!). The document is maintained by OWASP as part of the [OWASP AI guide](https://owasp.org/www-project-ai-security-and-privacy-guide/) project. It will periodically publish content with credited contributions into the Guide.

OWASP AI Exchange by The AI Security Community is marked with [CC0 1.0](http://creativecommons.org/publicdomain/zero/1.0?ref=chooser-v1) {{< icon "creative-commons" >}} {{< icon "zero" >}} meaning you can use any part freely, without attribution. If possible, it would be nice if the OWASP AI Exchange is credited and/or linked to, for readers to find more information.

## Table of Contents

- [Introduction](/docs/security/#introduction)
- [Privacy](/docs/privacy/)
- [Generative AI](/docs/security/#how-about-generative-ai-eg-llm)
- [Summary](/docs/security/#summary)
- [Mapping guidelines to controls](/docs/security/#mapping-guidelines-to-controls)
- [1. General controls for all threats](/docs/security/1_general_controls/)
- [2. Threats through use](/docs/security/2_threats_through_use/)
- [3. Development-time threats](/docs/security/3_development_time_threats/)
- [4. Runtime Application security threats](/docs/security/4_runtime_application_security_threats/)
- [References](/docs/security/#references)
- [Expanded Table of contents](/docs/security/#expanded-table-of-contents)

The navigator diagram below shows all threats, controls and how they relate, including risks and the types of controls.
Click on the image to get a pdf with clickable links.
[![AI Exchange Navigator](https://github.com/OWASP/www-project-ai-security-and-privacy-guide/raw/main/assets/images/owaspaioverviewv2.png)](https://github.com/OWASP/www-project-ai-security-and-privacy-guide/raw/main/assets/images/owaspaioverviewpdfv3.pdf)
{{< cards >}}
{{< card link="/docs/overview/" title="AI Security Overview">}}
{{< card link="/docs/1_general_controls/" title="1. General controls">}}
{{< card link="/docs/2_threats_through_use/" title="2. Threats through use">}}
{{< card link="/docs/3_development_time_threats/" title="3. Development-time threats">}}
{{< card link="/docs/4_runtime_application_security_threats/" title="4. Runtime application security threats">}}
{{< /cards >}}
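Review bot: the removed block included the licence notice (`OWASP AI Exchange by The AI Security Community is marked with CC0 1.0 ...`) and nothing elsewhere in this diff re-adds it to the home page or the overview, so after this commit the reuse terms are no longer stated anywhere visible; carry that paragraph over to `content/ai_exchange/content/_index.md` or the overview before merging. Separately, the five-card block added here is identical to the one added under `## Our Content` in `content/ai_exchange/content/_index.md`; move it into a partial or a shortcode so the two copies cannot drift. The old table of contents' `/docs/security/...` links, including the `/docs/privacy/` entry, are dropped rather than redirected, so check that no inbound links depend on them.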
@@ -1,10 +1,11 @@
---
title: AI Security
title: Overview
weight: 1
---

## Introduction

### Short summary: how to address AI Security
### Short summary: How to address AI Security?

While AI offers powerful perfomance boosts, it also increases the attack surface available to bad actors. It is therefore imperative to approach AI applications with a clear understanding of potential threats and which of those threats to prioritize for each use case. Standards and governance help guide this process for individual entities leveraging AI capabilities.

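Review bot: `### Short summary: How to address AI Security?` turns a descriptive heading into a question although the paragraph under it answers rather than asks; keep the original `Short summary: how to address AI Security`, which also matches the sentence-case style of the surrounding headings. Drive-by: the context line still spells `perfomance`; worth fixing while the file is open.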
Expand All @@ -31,7 +32,18 @@ It serves as input to ongoing key initiatives such as the EU AI act, ISO/IEC 270
- AI security experts who contributed to this as Open Source.
- The insights of these experts were inspired by research work as mentioned in the references at the bottom of this document(ENISA, NIST, Microsoft, BIML, MITRE, etc.)

### How we organize threats and controls
#### Navigator
The navigator diagram below shows all threats, controls and how they relate, including risks and the types of controls.
{{< callout type="info" >}}
Click on the image to get a PDF with clickable links.
{{< /callout >}}
[![](/images/owaspaioverviewv2.png)](https://github.com/OWASP/www-project-ai-security-and-privacy-guide/raw/main/assets/images/owaspaioverviewpdfv3.pdf)

#### AI Security Matrix
The AI security matrix below shows all threats and risks, ordered by attack surface and lifecycle.
[![](/images/OwaspAIsecuritymatix.png)](https://github.com/OWASP/www-project-ai-security-and-privacy-guide/blob/main/assets/images/OwaspAIsecuritymatix.png)

### How we organize threats and controls?

The threats are organized by attack surface (how and where does the attack take place?), and not by impact. This means that for example model theft is mentioned in three different parts of the overview:

Expand All @@ -51,7 +63,7 @@ This document focuses on machine learning. Nevertheless, here is a quick summary
- Knowledgebase, source code and configuration can be regarded as sensitive data when it is intellectual property, so it needs protection
- Leak sensitive input data, for example when a heuristic system needs to diagnose a patient

## How to select relevant threats and controls - risk analysis
## How to select relevant threats and controls? risk analysis
There are many threats and controls described in this document. Your situation determines which threats are relevant to you, and what controls are your responsibility. This selection process can be performed through risk analysis of the use case and architecture at hand:

1. **Threat identification**: First select the threats that apply to your case by going through the list of threats and use the _Impact_ description to see if it is applicable. For example the impact of identifying individuals in your training data would not apply to your case if your training data has no individuals. The [Navigator](https://github.com/OWASP/www-project-ai-security-and-privacy-guide/raw/main/assets/images/owaspaioverviewpdfv3.pdf) shows impact in purple.
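Review bot: the new `#### Navigator` and `#### AI Security Matrix` headings are placed before `### How we organize threats and controls?`, so in the rendered outline they nest under the preceding section (the contributor credits) instead of under the section that explains how threats and controls are organised; move the `###` heading back above the two `####` subsections, as the removed `### How we organize threats and controls` line had it. The question marks added to `### How we organize threats and controls?` and `## How to select relevant threats and controls? risk analysis` also read oddly, the second leaving `risk analysis` dangling; the original dash form (`... controls - risk analysis`) or a parenthesis is clearer. Minor: the matrix image links to the GitHub `blob` page while the navigator image links to the raw PDF; link the matrix to the raw PNG or a PDF for consistency.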
4 changes: 2 additions & 2 deletions content/ai_exchange/hugo.yaml
Expand Up @@ -29,8 +29,8 @@ params:

menu:
main:
- name: AI Exchange
pageRef: /docs
- name: AI Security
pageRef: /docs/overview
weight: 1
- name: Media
pageRef: /media
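Review bot: with the main menu entry changed from `pageRef: /docs` to `pageRef: /docs/overview`, the docs landing page (retitled `Content` in this commit) is no longer reachable from the top navigation and is only linked from the home-page cards; confirm the sidebar still lists it or add a menu entry. The menu label `AI Security` also no longer matches the page title `Overview` set in the same commit, which may confuse readers following the link.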

0 comments on commit 1c8f50c
