Website content fixes #34

Merged
merged 3 commits into from
Jan 20, 2024
4 changes: 3 additions & 1 deletion .github/workflows/pr_deploy.yml
Expand Up @@ -20,10 +20,12 @@ jobs:
run: |
cd content/ai_exchange
hugo mod get github.com/imfing/hextra
hugo --minify --config hugo.yaml --destination public/ --cleanDestinationDir --contentDir ai_exchange --layoutDir layouts
hugo --gc --minify
- uses: FirebaseExtended/action-hosting-deploy@v0
with:
repoToken: "${{ secrets.GITHUB_TOKEN }}"
firebaseServiceAccount: "${{ secrets.FIREBASE_SERVICE_ACCOUNT }}"
expires: 3d
projectId: project-integration-standards
target: owasp-ai-exchange
entryPoint: content/ai_exchange
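Review bot: `hugo mod get github.com/imfing/hextra` in the new run step fetches whatever version of the theme module is current at build time, so every PR preview is built from an unpinned third-party dependency. Pin it to a tagged release (`hugo mod get github.com/imfing/hextra@<version>`) and commit the resulting go.mod/go.sum so builds are reproducible and a broken or compromised upstream release cannot silently change the preview site.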
21 changes: 10 additions & 11 deletions content/ai_exchange/content/docs/security/1_general_controls.md
Expand Up @@ -19,9 +19,8 @@ title: 1. General controls
Links to standards:

- ISO/IEC 42001 AI management system (under development). Gap: covers this control fully.

42001 is about extending your risk management system - it focuses on governance. 5338 is about extending your software lifecycle practices - it focuses on engineering and everything around it. The 42001 can be seen as a management system for the governance of responsible AI in an organization, similar to how 27001 is a management system for information security. The 42001 doesn’t go deep into the lifecycle processes. It for example does not discuss versioning of AI models, project planning issues, and how and when exactly sensitive data is used.

42001 is about extending your risk management system - it focuses on governance. 5338 is about extending your software lifecycle practices - it focuses on engineering and everything around it. The 42001 can be seen as a management system for the governance of responsible AI in an organization, similar to how 27001 is a management system for information security. The 42001 doesn’t go deep into the lifecycle processes. It for example does not discuss versioning of AI models, project planning issues, and how and when exactly sensitive data is used.

- **#SECPROGRAM** (management). Having a security program. Include the whole AI lifecycle and AI particularities in the organization's security program (also referred to as _information security management system_).

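Review bot: the paragraph under the ISO/IEC 42001 bullet compares 42001 with 5338, but only 42001 is listed as a linked standard here; either add an ISO/IEC 5338 bullet with its own Gap statement, as the list format elsewhere does, or move the comparison to where 5338 is introduced. The two copies of the paragraph in this hunk look identical, so the change appears to be whitespace only; worth confirming nothing else moved.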
Expand Down Expand Up @@ -63,8 +62,8 @@ title: 1. General controls
- This document contains AI security threats and controls to facilitate risk analysis
- See also [MITRE ATLAS framework for AI threats](https://atlas.mitre.org/)
- ISO/IEC 27005 - as mentioned above. Gap: covers this control fully, with said particularity (as 27005 doesn't mention AI-specific threats)
- ISO/IEC 27563 (AI use cases security & privacy) Discusses the impact of security and privacy in AI use cases and may serve as useful input to AI security risk analysis.
- ISO/IEC 23894 (AI Risk management). Gap: covers this control fully - yet it refers to ISO/IEC 24028 (AI trustworthiness) for AI security threats, which is incomplete compared to for example the AI exchange (this document). The scope is broader than security which is not an issue.
- ISO/IEC 27563 (AI use cases security & privacy) Discusses the impact of security and privacy in AI use cases and may serve as useful input to AI security risk analysis.
- ISO/IEC 23894 (AI Risk management). Gap: covers this control fully - yet it refers to ISO/IEC 24028 (AI trustworthiness) for AI security threats, which is incomplete compared to for example the AI exchange (this document). The scope is broader than security which is not an issue.
- ISO/IEC 5338 (AI lifecycle) covers the AI risk management process. Gap: same as 23894 above.
- [ETSI Method and pro forma for Threat, Vulnerability, Risk Analysis](https://www.etsi.org/deliver/etsi_ts/102100_102199/10216501/05.02.03_60/ts_10216501v050203p.pdf)
- [NIST AI Risk Management Framework](https://nvlpubs.nist.gov/nistpubs/ai/NIST.AI.100-1.pdf)
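Review bot: the ISO/IEC 27563 bullet is the only entry in this list without a `Gap:` statement and is missing punctuation between "(AI use cases security & privacy)" and "Discusses"; suggest `- ISO/IEC 27563 (AI use cases security & privacy). Gap: ...` so readers can tell whether it covers the control or is only input to it. The 27563 and 23894 lines are otherwise unchanged, so the diff here is whitespace only.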
Expand All @@ -85,7 +84,7 @@ title: 1. General controls
Links to standards:

- 27002 control 8.25 Secure development lifecycle. Gap: covers this control fully, with said particularity, but lack of detail - the 8.25 Control description in 27002(2022) is one page, whereas secure software development is a large and complex topic - see below for further references
- ISO/IEC 27115 (Cybersecurity evaluation of complex systems)
- ISO/IEC 27115 (Cybersecurity evaluation of complex systems)
- See [OpenCRE on secure software development processes](https://www.opencre.org/cre/616-305) with notable links to NIST SSDF and OWASP SAMM. Gap: covers this control fully, with said particularity

- **#DEVPROGRAM** (management). Having a development program for AI. Apply general (not just security-oriented) software engineering best practices to AI development.
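Review bot: the ISO/IEC 27115 bullet has no Gap statement while the two entries around it do; add one (or state that it is only a reference) so the list stays consistent. Minor grammar on the 27002 line: "but lack of detail" reads better as "but lacks detail".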
Expand Down Expand Up @@ -130,7 +129,7 @@ title: 1. General controls

Links to standards:

- Not covered yet in ISO/IEC standards.
- Not covered yet in ISO/IEC standards.

- **#ALLOWEDDATA** (development-time and runtime). Ensure allowed data, meaning the data used (e.g., training set) is permitted for the intended purpose. This is particularly important if consent was not given and the data contains personal information collected for a different purpose.
Links to standards:
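Review bot: at the end of the hunk, "Links to standards:" directly follows the #ALLOWEDDATA description with no blank line in between, unlike the other controls; in Markdown that joins it to the preceding paragraph, so insert a blank line before it.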
Expand All @@ -143,7 +142,7 @@ title: 1. General controls

Links to standards:

- Not covered yet in ISO/IEC standards.
- Not covered yet in ISO/IEC standards.

- **#OBFUSCATETRAININGDATA** (development-time datascience). Obfuscate training data: attain a degree of obfuscation of sensitive data where possible. When this is done for personal data, it is referred to as _differential privacy_.

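Review bot: the #OBFUSCATETRAININGDATA context line says that obfuscating personal data "is referred to as differential privacy"; differential privacy is a formal guarantee bounding how much any single record can change a mechanism's output (the epsilon budget), not a name for obfuscation in general. Suggest rewording along the lines of "differential privacy is one formal way to bound what the obfuscated data reveals about any individual" so the term is not used loosely.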
Expand All @@ -168,7 +167,7 @@ title: 1. General controls

Masking encompasses the intentional concealment or modification of sensitive information within training datasets to enhance privacy during the development of machine learning models. This is achieved by introducing
a level of obfuscation through techniques like data masking or feature masking, where certain elements are replaced, encrypted, or obscured, preventing unauthorized access to specific details. This approach strikes
a balance between extracting valuable data insights and safeguarding individual privacy, contributing to a more secure and privacy-preserving data science process.
a balance between extracting valuable data insights and safeguarding individual privacy, contributing to a more secure and privacy-preserving data science process.

- Encryption

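Review bot: the masking paragraph lists "encrypted" among masking techniques, but Encryption is its own bullet immediately below; drop "encrypted" here to keep the two approaches distinct. "preventing unauthorized access to specific details" also overstates what masking does: it limits what the data exposes rather than controlling who can access it, so "limiting what sensitive details the data reveals" is more accurate. The two copies of the last line differ only in whitespace.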
Expand Down Expand Up @@ -215,7 +214,7 @@ title: 1. General controls

Links to standards:

- Not covered yet in ISO/IEC standards.
- Not covered yet in ISO/IEC standards.

- **#DISCRETE** (management, development-time and runtime). Minimize access to technical details that could help attackers.

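Review bot: this hunk, like most in this file, changes only trailing whitespace on "- Not covered yet in ISO/IEC standards."; rather than fixing these one PR at a time, add a trailing-whitespace check (for example a pre-commit hook or markdownlint step in the workflow) so content diffs stay reviewable.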
Expand Down Expand Up @@ -273,7 +272,7 @@ Example: LLMs (GenAI), just like most AI models, induce their results based on t
Links to standards:

- ISO/IEC 42001 B.9.3 defines controls for human oversight and decisions regarding autonomy. Gap: covers this control partly (human oversight only, not business logic)
- Not covered further in ISO/IEC standards.
- Not covered further in ISO/IEC standards.

- **#LEASTMODELPRIVILEGE** (runtime infosec). Least model privilege: Minimize privileges; avoid connecting a model to an email facility to prevent it from sending incorrect information to others.

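Review bot: the #LEASTMODELPRIVILEGE context line gives a single example (not connecting a model to email) in place of the rule; suggest stating the general rule first, that the identity the model or its agent runs under, and any tools or plugins it can call, get the minimum permissions the use case needs, with the email case as one illustration.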
Expand All @@ -288,7 +287,7 @@ Example: LLMs (GenAI), just like most AI models, induce their results based on t
Links to standards:

- ISO/IEC 42001 B.7.2 describes data management to support transparency. Gap: covers this control minimally, as it only covers the data mnanagement part.
- Not covered further in ISO/IEC standards.
- Not covered further in ISO/IEC standards.

- **#CONTINUOUSVALIDATION** (datascience). Continuous validation: by frequently testing the behaviour of the model against an appropriate test set, sudden changes caused by a permanent attack (e.g. data poisoning, model poisoning) can be detected.

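Review bot: the context line above the changed one has a typo, "data mnanagement part" should be "data management part"; since this paragraph is being touched anyway, fix it in the same commit.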
28 changes: 12 additions & 16 deletions content/ai_exchange/content/docs/security/2_threats_through_use.md
Expand Up @@ -221,7 +221,7 @@ about their effectiveness.
Links to standards:

- Not covered yet in ISO/IEC standards

References

- Papernot, Nicolas, et al. "Distillation as a defense to adversarial
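Review bot: "References" at the end of this hunk has no colon, whereas the same heading later in this file is written "References:"; likewise "- Not covered yet in ISO/IEC standards" lacks the trailing period used in 1_general_controls.md. Pick one form for each and apply it across both files.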
Expand All @@ -235,7 +235,7 @@ robust to adversarial examples." arXiv preprint arXiv:1607.04311 (2016).

Input is manipulated in a way not based on observations of the model implementation (code, training set, parameters, architecture). The model is a 'closed box'. This often requires experimenting with how the model responds to input.

<p align="center"><a href="https://github.com/OWASP/www-project-ai-security-and-privacy-guide/blob/main/assets/images/inputblack3.png?raw=true" target="_blank" rel="noopener noreferrer"><img src="https://github.com/OWASP/www-project-ai-security-and-privacy-guide/blob/main/assets/images/inputblack3.png?raw=true"/></a></p>
[![Closed Box Evasion](/images/inputblack3.png)](https://github.com/OWASP/www-project-ai-security-and-privacy-guide/blob/main/content/ai_exchange/static/images/inputblack3.png)

Example 1: slightly changing traffic signs so that self-driving cars may be fooled.

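Review bot: the new Markdown image links to the GitHub blob page for the PNG, which opens GitHub's HTML viewer rather than the image; the removed `<p>` version linked to the `?raw=true` URL. Either link to the raw file or drop the link and show the image alone, since `/images/inputblack3.png` already serves it from the site.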
Expand All @@ -245,24 +245,24 @@ Example 3: fooling a large language model (GenAI) by circumventing mechanisms to

Example 4: an open-box box evasion attack (see below) can be done on a copy (a surrogate) of the closed-box model. This way, the attacker can use the normally hidden internals of the model to construct a succesful attack that 'hopefully' transfers to the original model - as the surrogate model is typically internally different from the original model. An open-box evasion attack offers more possibilities. A copy of the model can be achieved through _Model theft through use_ (see elsewhere in this document) [This article](https://arxiv.org/abs/1602.02697) describes that approach. The likelihood of a successful transfer is generally believed to be higher when the surrogate model closely resembles the target model in complexity and structure, but even attacks on simple surrogate models tend to transfer very well. To achieve the greatest similarity, one approach is to reverse-engineer a version of the target model, which is otherwise a closed-box system. This process aims to create a surrogate that mirrors the target as closely as possible, enhancing the effectiveness of the evasion attack

References:
References:

- Papernot, Nicolas, Patrick McDaniel, and Ian Goodfellow.
- Papernot, Nicolas, Patrick McDaniel, and Ian Goodfellow.
"Transferability in machine learning: from phenomena to black-box
attacks using adversarial samples." arXiv preprint arXiv:1605.07277 (2016).

- Demontis, Ambra, et al. "Why do adversarial attacks transfer?
- Demontis, Ambra, et al. "Why do adversarial attacks transfer?
explaining transferability of evasion and poisoning attacks." 28th
USENIX security symposium (USENIX security 19). 2019.

- Andriushchenko, Maksym, et al. "Square attack: a query-efficient
- Andriushchenko, Maksym, et al. "Square attack: a query-efficient
black-box adversarial attack via random search." European conference on
computer vision. Cham: Springer International Publishing, 2020.

- Guo, Chuan, et al. "Simple black-box adversarial attacks."
- Guo, Chuan, et al. "Simple black-box adversarial attacks."
International Conference on Machine Learning. PMLR, 2019.

- Bunzel, Niklas, and Lukas Graner. "A Concise Analysis of Pasting
- Bunzel, Niklas, and Lukas Graner. "A Concise Analysis of Pasting
Attacks and their Impact on Image Classification." 2023 53rd Annual
IEEE/IFIP International Conference on Dependable Systems and Networks
Workshops (DSN-W). IEEE, 2023.
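Review bot: the Example 4 context line has "an open-box box evasion attack" (doubled "box"), "succesful" for "successful", and runs "(see elsewhere in this document) [This article]" together without a period; fix these while the paragraph is being touched. The reference entries themselves change only in whitespace.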
Expand All @@ -277,8 +277,7 @@ Workshops (DSN-W). IEEE, 2023.

When attackers have access to a models' implementation (code, training set, parameters, architecture), they can be enabled to craft input manipulations (often referred to as _adversarial examples_).

<p align="center"><a href="https://github.com/OWASP/www-project-ai-security-and-privacy-guide/blob/main/assets/images/inputwhite3.png?raw=true" target="_blank" rel="noopener noreferrer"><img src="https://github.com/OWASP/www-project-ai-security-and-privacy-guide/blob/main/assets/images/inputwhite3.png?raw=true"/></a></p>
<br/>
[![Open Box Evasion](/images/inputwhite3.png)](https://github.com/OWASP/www-project-ai-security-and-privacy-guide/blob/main/content/ai_exchange/static/images/inputwhite3.png)

**Controls:**

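Review bot: "a models' implementation" in the context line should be "a model's implementation". The replacement image line links to the GitHub blob page rather than the raw PNG, the same as the other diagram replacements in this file; whatever target is chosen for the diagrams should be applied uniformly.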
Expand Down Expand Up @@ -330,13 +329,11 @@ The disclosure is caused by an unintentional fault of including this data, and e

Model inversion (or _data reconstruction_) occurs when an attacker reconstructs a part of the training set by intensive experimentation during which the input is optimized to maximize indications of confidence level in the output of the model.

<p align="center"><a href="https://github.com/OWASP/www-project-ai-security-and-privacy-guide/blob/main/assets/images/inversion3.png?raw=true" target="_blank" rel="noopener noreferrer"><img src="https://github.com/OWASP/www-project-ai-security-and-privacy-guide/blob/main/assets/images/inversion3.png?raw=true"/></a></p>
<br />
[![Model inversion](/images/inversion3.png)](https://github.com/OWASP/www-project-ai-security-and-privacy-guide/blob/main/content/ai_exchange/static/images/inversion3.png)

Membership inference is presenting a model with input data that identifies something or somebody (e.g. a personal identity or a portrait picture), and using any indication of confidence in the output to infer the presence of that something or somebody in the training set.

<p align="center"><a href="https://github.com/OWASP/www-project-ai-security-and-privacy-guide/blob/main/assets/images/membership3.png?raw=true" target="_blank" rel="noopener noreferrer"><img src="https://github.com/OWASP/www-project-ai-security-and-privacy-guide/blob/main/assets/images/membership3.png?raw=true"/></a></p>
<br />
[![Membership inference](/images/membership3.png)](https://github.com/OWASP/www-project-ai-security-and-privacy-guide/blob/main/content/ai_exchange/static/images/membership3.png)

References:

Expand Down Expand Up @@ -368,8 +365,7 @@ Impact: Confidentiality breach of model intellectual property.

This attack is known as model stealing attack or model extraction attack. It occurs when an attacker collects inputs and outputs of an existing model and uses those combinations to train a new model, in order to replicate the original model.

<p align="center"><a href="https://github.com/OWASP/www-project-ai-security-and-privacy-guide/blob/main/assets/images/theft3.png?raw=true" target="_blank" rel="noopener noreferrer"><img src="https://github.com/OWASP/www-project-ai-security-and-privacy-guide/blob/main/assets/images/theft3.png?raw=true"/></a></p>
<br />
[![Theft diagram](/images/theft3.png)](https://github.com/OWASP/www-project-ai-security-and-privacy-guide/blob/main/content/ai_exchange/static/images/theft3.png)

**Controls:**

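Review bot: the alt text "Theft diagram" names the figure rather than the threat; the other new image lines use the threat name ("Model inversion", "Membership inference"), so "Model theft through use" would be consistent and more useful to screen readers. Capitalisation also varies across the new alt texts ("Closed Box Evasion" vs "Model inversion"); pick one style.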
Expand Up @@ -129,7 +129,7 @@ References:
The attacker manipulates (training) data to affect the algorithm's behavior. Also called _causative attacks_.

Example 1: an attacker breaks into a training set database to add images of houses and labels them as 'fighter plane', to mislead the camera system of an autonomous missile. The missile is then manipulated to attack houses. With a good test set this unwanted behaviour may be detected. However, the attacker can make the poisoned data represent input that normally doesn't occur and therefore would not be in a testset. The attacker can then create that abnormal input in practice. In the previous exmaple this could be houses with white crosses on the door. See [MITRE ATLAS - Poison traing data](https://atlas.mitre.org/techniques/AML.T0020)
Example 2: a malicious supplier poisons data that is later obtained by another party to train a model. See [MITRE ATLAS - Publish poisoned datasets](https://atlas.mitre.org/techniques/AML.T0019)
Example 2: a malicious supplier poisons data that is later obtained by another party to train a model. See [MITRE ATLAS - Publish poisoned datasets](https://atlas.mitre.org/techniques/AML.T0019)
Example 3: false information in documents on the internet causes a Large Language Model (GenAI) to output false results. That false information can be planted by an attacker, but of course also by accident. The latter case is a real GenAI risk, but technically comes down to the issue of having false data in a training set which falls outside of the security scope. ([OWASP for LLM 03](https://llmtop10.com/llm03/))

**Controls for data poisoning:**
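Review bot: Example 1, 2 and 3 sit on consecutive lines with no blank line between them, so Markdown renders them as one paragraph; separate them with blank lines as the examples in 2_threats_through_use.md are. The Example 1 context line also has typos "exmaple", "traing data" (in the link text) and "testset", which should read "example", "training data" and "test set".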
Expand All @@ -146,7 +146,7 @@ Example 3: false information in documents on the internet causes a Large Languag

Particularity: standard quality control needs to take into account that data may have maliciously been changed.

A method to detect statistical deviation is to train models on random selections of the training dataset and then feed each training sample to those models and compare results.
A method to detect statistical deviation is to train models on random selections of the training dataset and then feed each training sample to those models and compare results.

Links to standards:

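Review bot: the changed line describes the detection method only as "compare results"; say what is compared and what counts as a deviation, for example that a training sample whose given label is consistently contradicted by models trained on subsets that exclude it is flagged for manual review. It is also worth naming the precondition that poisoned samples must be a small minority of the data, since otherwise the subset models learn the same poison and agree with it.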