johan sydseter for OWASP® Foundation

Originally published at cornucopia.owasp.org

Does the AI do the threat modeling of your software?

Are you letting the AI do the threat modeling for you? There is no need to let the machines take over the world! Threat model using Elevation of MLSec on copi.owasp.org instead. Our survival depends on it! At copi.owasp.org you can now play Elevation of MLSec to threat model your AI models.

How to get started with Elevation of MLSec

Elevation of MLsec is an unofficial Machine Learning Security (MLsec) extension of Microsoft's Elevation of Privilege threat modeling card game. These playing cards portray risks associated with machine learning (ML) that have been identified by research groups. You can play the game with or without the original Elevation of Privilege deck, depending on the nature of what you're threat modeling. The intention of these cards is primarily to improve the security of ML systems themselves, as opposed to using ML for security.

The work is based mainly on the Berryville Institute of Machine Learning (BIML)'s architectural risk analysis for machine learning systems (BIML-78) and their LLM analysis (BIML-LLM24), found on berryvilleiml.com. The game also adds a few supplementary LLM-specific threats from OWASP's Top 10 list for Large Language Model Applications, found on owasp.org.

The game was created by Elias Brattli Sørensen and designed by Jorun Kristin Bremseth while working at Kantega. You can download the design files from their repository if you would like to print a physical version of the game.

A game of Elevation of MLSec

Version 2.3 of OWASP Cornucopia brings with it "Elevation of MLSec" as an option when you select a new game at copi.owasp.org. If you like, it's also possible to install Copi yourself. Read more about that here: https://cornucopia.owasp.org/copi

Personally, I am very happy about their game and have used it myself to threat model our new AI features that we are delivering at Admincontrol, and you should do it too. Don't leave the threat modeling up to the AI or it may take over the world!


Learn how to play OWASP Cornucopia or Elevation of Privilege:

