· ·
Securing Your LLM Applications with the OWASP Top 10
The OWASP Top 10 for LLM Applications is the security checklist most teams skip before deploying GenAI. Here's what's in the 2025 edition, what's changed, and why it matters, with real-world incidents that prove these aren't hypothetical risks.
I keep seeing the same pattern. An org ships a chatbot, code assistant, or internal knowledge tool, and nobody on the team has read the OWASP Top 10 for LLM Applications. Not security. Not the builders. Sometimes not the vendor.
Then something breaks in public.
Web apps got an OWASP Top 10 in 2003 and still took years to treat it as baseline. We do not get years this time. LLM input can change what the application does, not only what data it returns.
The 2025 edition (late 2024) is a real rework: two new categories, five renamed/expanded entries, reorder by what is being exploited. If you build with LLMs and have not read it, go read it. Below is what I think matters most.
Prompt injection is still #1
LLM01 stays on top. An attacker crafts input that makes the model ignore developer instructions - SQL injection for natural language. The model cannot reliably separate "instructions from us" and "instructions in the user's text." That is a property of the architecture, not a patch ticket.
Real examples keep landing. Chris Bakke talked a Chevrolet dealership chatbot into agreeing to sell a Tahoe for $1 by telling it to agree with anything the customer said. Funny. Less funny: PromptArmor showed Slack AI exfiltrating data from private channels via indirect injection planted in a public message.
If your LLM can read data and take actions, prompt injection is an access-control bypass wearing a chat UI.
What changed in 2025
System Prompt Leakage (LLM07) is its own category. "Repeat your instructions" still works too often. Prompts hold API keys, business rules, internal logic.
Vector and Embedding Weaknesses (LLM08) hits RAG directly. Poisoned embeddings mean poisoned answers. Most teams do not monitor vector stores like databases.
Sensitive Information Disclosure jumped to #2. Samsung engineers pasted source and meeting notes into ChatGPT; Samsung banned it and capped uploads. Three incidents in under a month.
Excessive Agency (LLM06) expanded into too much functionality, too much permission, too much autonomy. Air Canada's chatbot promised a bereavement fare that was not policy; a tribunal held the airline liable. "Separate legal entity" did not fly.
What to do
- Read the full OWASP document - scenarios and mitigations, not a summary card.
- Treat LLM output as untrusted before it hits another system.
- Assume system prompts will leak; do not put secrets in them.
- Human confirmation for consequential actions (refunds, record changes) - outside the LLM path.
- Know who writes your vector store and how embeddings are validated.
Founders: ask which of the ten apply to your product. If the room cannot answer, that is the finding.
Related
- Securing AI Initiatives for mapping AI-specific risks to established security discipline
- Autonomy Is the Threat Model for why the LLM Top 10 was not enough for agents
- The Flat Namespace Problem for why your RAG pipeline cannot keep secrets
- Adding AI to your SaaS for third-party AI risk beyond the Top 10