RSAC Fireside Chat: How the open-source community hustled to identify LLM vulnerabilities

By Byron V. Acohido

SAN FRANCISCO — It took some five years to get to 100 million users of the World Wide Web and it took just one year to get to 100 million Facebook users.

Related: LLM risk mitigation strategies

Then along came GenAI and Large Language Models (LLM) and it took just a couple of weeks to get to 100 million ChatGPT users.

LLM is a game changer in the same vein as the Gutenberg Press and the Edison light bulb. It gives any literate human the ability to extract value from data.

Companies in all sectors are in a mad scramble to reap its benefits, even as cyber criminals feast on a new tier of exposures. As RSAC 2024 gets under way next week in San Francisco, the encouraging news is that the cybersecurity industry is racing to protect business networks, as well.

Case in point, the open-source community has coalesced to produce the OWASP Top Ten for Large Language Model Applications. Amazingly, just a little over a year ago this was a mere notion dreamt up by Exabeam CPO Steve Wilson.

“I spent some time on a weekend drawing up a scratch version of a Top Ten list, partly by having a discussion with ChatGPT about it,” Wilson told me. “The first thing I asked was, ‘Do you know what an OWASP Top Ten list is?’ And it said, ‘Yes.’  And I said, ‘Build me one for LLM.’ It did, but it wasn’t very good . . . I then spent a lot of time feeding it data about things and coaching it and cajoling it and having a discussion.”

By the end of an afternoon of prompting, Wilson had a list he thought was “pretty interesting,” which he socialized in his professional communities. That was a little over a year ago. What happened next is unprecedented. For a full drill down, please give the accompanying podcast a listen.

The pace of change is accelerating. I’ll keep watch and keep reporting.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

(LW provides consulting services to the vendors we cover.

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someone