genai-security-crosswalk 2.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/LICENSE.md +28 -0
- package/README.md +618 -0
- package/data/entries/ASI01.json +911 -0
- package/data/entries/ASI02.json +850 -0
- package/data/entries/ASI03.json +854 -0
- package/data/entries/ASI04.json +759 -0
- package/data/entries/ASI05.json +764 -0
- package/data/entries/ASI06.json +817 -0
- package/data/entries/ASI07.json +789 -0
- package/data/entries/ASI08.json +788 -0
- package/data/entries/ASI09.json +754 -0
- package/data/entries/ASI10.json +833 -0
- package/data/entries/DSGAI01.json +779 -0
- package/data/entries/DSGAI02.json +728 -0
- package/data/entries/DSGAI03.json +671 -0
- package/data/entries/DSGAI04.json +752 -0
- package/data/entries/DSGAI05.json +689 -0
- package/data/entries/DSGAI06.json +673 -0
- package/data/entries/DSGAI07.json +680 -0
- package/data/entries/DSGAI08.json +698 -0
- package/data/entries/DSGAI09.json +687 -0
- package/data/entries/DSGAI10.json +627 -0
- package/data/entries/DSGAI11.json +663 -0
- package/data/entries/DSGAI12.json +695 -0
- package/data/entries/DSGAI13.json +688 -0
- package/data/entries/DSGAI14.json +703 -0
- package/data/entries/DSGAI15.json +655 -0
- package/data/entries/DSGAI16.json +716 -0
- package/data/entries/DSGAI17.json +690 -0
- package/data/entries/DSGAI18.json +613 -0
- package/data/entries/DSGAI19.json +638 -0
- package/data/entries/DSGAI20.json +671 -0
- package/data/entries/DSGAI21.json +881 -0
- package/data/entries/LLM01.json +975 -0
- package/data/entries/LLM02.json +868 -0
- package/data/entries/LLM03.json +817 -0
- package/data/entries/LLM04.json +797 -0
- package/data/entries/LLM05.json +761 -0
- package/data/entries/LLM06.json +848 -0
- package/data/entries/LLM07.json +749 -0
- package/data/entries/LLM08.json +750 -0
- package/data/entries/LLM09.json +760 -0
- package/data/entries/LLM10.json +763 -0
- package/data/incidents-schema.json +121 -0
- package/data/incidents.json +1484 -0
- package/data/schema.json +134 -0
- package/dist/index.d.ts +97 -0
- package/dist/index.d.ts.map +1 -0
- package/dist/index.js +124 -0
- package/dist/index.js.map +1 -0
- package/dist/index.test.d.ts +2 -0
- package/dist/index.test.d.ts.map +1 -0
- package/dist/index.test.js +97 -0
- package/dist/index.test.js.map +1 -0
- package/package.json +62 -0
|
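--- /dev/null
+++ b/package/data/entries/LLM08.json
@@ -0,0 +1,750 @@
+{
+  "id": "LLM08",
+  "name": "Vector and Embedding Weaknesses",
+  "source_list": "LLM-Top10-2025",
+  "version": "2026-Q1",
+  "severity": "Medium",
+  "aivss_score": null,
+  "audience": [
+    "red-teamer",
+    "security-engineer",
+    "developer",
+    "ml-engineer",
+    "ot-engineer",
+    "ciso",
+    "compliance",
+    "auditor"
+  ],
+  "mappings": [
+    {
+      "framework": "MITRE ATLAS",
+      "control_id": "AML.T0063",
+      "control_name": "Embedding Manipulation",
+      "tier": "Hardening",
+      "scope": "Build",
+      "url": "https://atlas.mitre.org/techniques/AML.T0063",
+      "notes": "Crafting inputs whose embeddings manipulate similarity search results"
+    },
+    {
+      "framework": "MITRE ATLAS",
+      "control_id": "AML.T0025",
+      "control_name": "Resource Exhaustion via Embedding",
+      "tier": "Hardening",
+      "scope": "Build",
+      "url": "https://atlas.mitre.org/techniques/AML.T0025",
+      "notes": "Flooding vector stores with adversarial embeddings to degrade retrieval quality"
+    },
+    {
+      "framework": "NIST AI RMF 1.0",
+      "control_id": "MS-2.5",
+      "control_name": "Testing — adversarial",
+      "tier": "Hardening",
+      "scope": "Build",
+      "notes": "Vector store and embedding adversarial testing included in evaluation programme"
+    },
+    {
+      "framework": "NIST AI RMF 1.0",
+      "control_id": "MS-3.3",
+      "control_name": "Data quality",
+      "tier": "Hardening",
+      "scope": "Build",
+      "notes": "Data quality controls applied to embedding generation and vector store ingestion"
+    },
+    {
+      "framework": "NIST AI RMF 1.0",
+      "control_id": "MG-2.2",
+      "control_name": "Risk response",
+      "tier": "Hardening",
+      "scope": "Build",
+      "notes": "Response procedures for detected vector store compromise or manipulation"
+    },
+    {
+      "framework": "NIST AI RMF 1.0",
+      "control_id": "MP-2.3",
+      "control_name": "Risk categorisation",
+      "tier": "Hardening",
+      "scope": "Build",
+      "notes": "Embedding and vector store risks mapped in AI system risk register"
+    },
+    {
+      "framework": "EU AI Act",
+      "control_id": "Embedding and retrieval risks identified and mitigated",
+      "control_name": "Art. 9 — Risk management",
+      "tier": "Hardening",
+      "scope": "Both",
+      "notes": "Vector store attack scenarios included in risk management system"
+    },
+    {
+      "framework": "EU AI Act",
+      "control_id": "Data quality controls applied to all data in scope — including RAG corpora",
+      "control_name": "Art. 10 — Data and data governance",
+      "tier": "Hardening",
+      "scope": "Both",
+      "notes": "Quality controls on embedding generation and vector store ingestion required"
+    },
+    {
+      "framework": "EU AI Act",
+      "control_id": "Technical robustness against adversarial manipulation",
+      "control_name": "Art. 15 — Accuracy, robustness, cybersecurity",
+      "tier": "Hardening",
+      "scope": "Both",
+      "notes": "Embedding manipulation resistance is an Art. 15 technical requirement"
+    },
+    {
+      "framework": "ISO/IEC 27001:2022",
+      "control_id": "A.8.3",
+      "control_name": "Information access restriction",
+      "tier": "Hardening",
+      "scope": "Build",
+      "notes": "RBAC on all vector store collections — no unauthenticated access to any collection"
+    },
+    {
+      "framework": "ISO/IEC 27001:2022",
+      "control_id": "A.8.24",
+      "control_name": "Use of cryptography",
+      "tier": "Hardening",
+      "scope": "Build",
+      "notes": "Encryption of all vector store data at rest and in transit"
+    },
+    {
+      "framework": "ISO/IEC 27001:2022",
+      "control_id": "A.8.16",
+      "control_name": "Monitoring activities",
+      "tier": "Hardening",
+      "scope": "Build",
+      "notes": "Anomaly detection on vector store query patterns — bulk extraction and poisoning indicators"
+    },
+    {
+      "framework": "ISO/IEC 27001:2022",
+      "control_id": "A.8.11",
+      "control_name": "Data masking",
+      "tier": "Hardening",
+      "scope": "Build",
+      "notes": "Differential privacy in embedding generation for sensitive corpora"
+    },
+    {
+      "framework": "ISO/IEC 42001:2023",
+      "control_id": "A.7.2",
+      "control_name": "Data quality",
+      "tier": "Hardening",
+      "scope": "Both",
+      "notes": "Vector store content quality requirements — RBAC, encryption, source validation as data quality controls"
+    },
+    {
+      "framework": "ISO/IEC 42001:2023",
+      "control_id": "A.7.3",
+      "control_name": "Data provenance and characteristics",
+      "tier": "Hardening",
+      "scope": "Both",
+      "notes": "Embedding provenance documented — source document, classification, access controls tracked"
+    },
+    {
+      "framework": "ISO/IEC 42001:2023",
+      "control_id": "A.6.2.6",
+      "control_name": "Testing of AI systems",
+      "tier": "Hardening",
+      "scope": "Both",
+      "notes": "Vector store attacks in AIMS testing — RBAC bypass, embedding inversion, bulk extraction tested"
+    },
+    {
+      "framework": "ISO/IEC 42001:2023",
+      "control_id": "A.10.1",
+      "control_name": "Third-party AI system acquisition",
+      "tier": "Hardening",
+      "scope": "Both",
+      "notes": "Vector database providers assessed as third-party AI system components"
+    },
+    {
+      "framework": "CIS Controls v8.1",
+      "control_id": "3.11 Encrypt sensitive data at rest",
+      "control_name": "CIS 3 — Data Protection",
+      "tier": "Hardening",
+      "scope": "Both",
+      "notes": "All vector store content encrypted at rest"
+    },
+    {
+      "framework": "CIS Controls v8.1",
+      "control_id": "7.1 Establish vulnerability management",
+      "control_name": "CIS 7 — Vulnerability Management",
+      "tier": "Hardening",
+      "scope": "Both",
+      "notes": "Vector database CVEs in vulnerability management process — CVE-2024-3584 and equivalents"
+    },
+    {
+      "framework": "CIS Controls v8.1",
+      "control_id": "16.1 Establish secure development standards",
+      "control_name": "CIS 16 — Application Software Security",
+      "tier": "Hardening",
+      "scope": "Both",
+      "notes": "Secure coding requirements for vector store integration — RBAC, encryption, input validation"
+    },
+    {
+      "framework": "OWASP ASVS 4.0.3",
+      "control_id": "V4.1.3",
+      "control_name": "Verify least privilege access control on data",
+      "tier": "Hardening",
+      "scope": "Both",
+      "notes": "RBAC on all vector store collections — no unauthenticated access"
+    },
+    {
+      "framework": "OWASP ASVS 4.0.3",
+      "control_id": "V6.1.1",
+      "control_name": "Verify all sensitive data encrypted at rest",
+      "tier": "Hardening",
+      "scope": "Both",
+      "notes": "All vector store content encrypted at rest"
+    },
+    {
+      "framework": "OWASP ASVS 4.0.3",
+      "control_id": "V12.1.1",
+      "control_name": "Verify file upload malware scanning",
+      "tier": "Hardening",
+      "scope": "Both",
+      "notes": "Content validation on all vector store ingestion — adversarial content detected"
+    },
+    {
+      "framework": "ISA/IEC 62443",
+      "control_id": "SR 3.7",
+      "control_name": "Software and information integrity (monitoring)",
+      "tier": "Hardening",
+      "scope": "Both",
+      "notes": "Vector store content integrity monitored — alert on anomalous retrieval patterns"
+    },
+    {
+      "framework": "ISA/IEC 62443",
+      "control_id": "SR 4.3",
+      "control_name": "Data confidentiality",
+      "tier": "Hardening",
+      "scope": "Both",
+      "notes": "Embeddings of sensitive OT documentation encrypted — inversion attack protection"
+    },
+    {
+      "framework": "ISA/IEC 62443",
+      "control_id": "SR 3.3",
+      "control_name": "Software and information integrity",
+      "tier": "Hardening",
+      "scope": "Both",
+      "notes": "Vector store ingestion validated — only authorised OT documentation enters the corpus"
+    },
+    {
+      "framework": "NIST SP 800-82 Rev 3",
+      "control_id": "Attacks targeting the integrity of OT decision-support data",
+      "control_name": "Section 5.3 — Integrity threats",
+      "tier": "Hardening",
+      "scope": "Both",
+      "notes": "Vector store poisoning as an integrity attack on LLM knowledge sources"
+    },
+    {
+      "framework": "NIST SP 800-82 Rev 3",
+      "control_id": "Assess integrity risks for all OT-connected systems",
+      "control_name": "Section 6.2 — Risk assessment",
+      "tier": "Hardening",
+      "scope": "Both",
+      "notes": "Vector store integrity included in OT LLM risk assessment"
+    },
+    {
+      "framework": "NIST SP 800-82 Rev 3",
+      "control_id": "Title",
+      "control_name": "Control",
+      "tier": "Hardening",
+      "scope": "Both",
+      "notes": "Application"
+    },
+    {
+      "framework": "NIST SP 800-82 Rev 3",
+      "control_id": "Software, Firmware, and Information Integrity",
+      "control_name": "SI-7",
+      "tier": "Hardening",
+      "scope": "Both",
+      "notes": "Vector store integrity monitoring — alert on anomalous content or unexpected modifications"
+    },
+    {
+      "framework": "NIST SP 800-82 Rev 3",
+      "control_id": "Protection of Information at Rest",
+      "control_name": "SC-28",
+      "tier": "Hardening",
+      "scope": "Both",
+      "notes": "OT vector store content encrypted at rest"
+    },
+    {
+      "framework": "NIST SP 800-82 Rev 3",
+      "control_id": "Access Enforcement",
+      "control_name": "AC-3",
+      "tier": "Hardening",
+      "scope": "Both",
+      "notes": "Access controls on OT vector stores — RBAC enforced at collection level"
+    },
+    {
+      "framework": "NIST CSF 2.0",
+      "control_id": "PR.DS-01",
+      "control_name": "Data Security",
+      "tier": "Hardening",
+      "scope": "Both",
+      "notes": "Vector store content encrypted at rest — embeddings treated as sensitive derived data"
+    },
+    {
+      "framework": "NIST CSF 2.0",
+      "control_id": "PR.DS-02",
+      "control_name": "Data Security",
+      "tier": "Hardening",
+      "scope": "Both",
+      "notes": "Data in transit protected — vector store queries and results encrypted"
+    },
+    {
+      "framework": "NIST CSF 2.0",
+      "control_id": "ID.AM-08",
+      "control_name": "Asset Management",
+      "tier": "Hardening",
+      "scope": "Both",
+      "notes": "Vector stores inventoried as AI data assets — RBAC status, encryption status, CVE patching status"
+    },
+    {
+      "framework": "NIST CSF 2.0",
+      "control_id": "DE.CM-09",
+      "control_name": "Continuous Monitoring",
+      "tier": "Hardening",
+      "scope": "Both",
+      "notes": "Monitoring for unauthorised software and anomalous access — vector store query anomalies detected"
+    },
+    {
+      "framework": "SOC 2",
+      "control_id": "Embeddings of confidential information protected — encrypted at rest, access-controlled, inversion-resistant",
+      "control_name": "C2.1 — Confidential information protection",
+      "tier": "Hardening",
+      "scope": "Both"
+    },
+    {
+      "framework": "SOC 2",
+      "control_id": "RBAC on all vector store collections — no unauthenticated access in any environment",
+      "control_name": "CC6.1 — Logical access",
+      "tier": "Hardening",
+      "scope": "Both"
+    },
+    {
+      "framework": "SOC 2",
+      "control_id": "Anomaly detection on vector store query patterns — bulk extraction and unusual retrieval volumes detected",
+      "control_name": "CC7.2 — Anomaly detection",
+      "tier": "Hardening",
+      "scope": "Both"
+    },
+    {
+      "framework": "SOC 2",
+      "control_id": "Embeddings of personal data used only for authorised purposes — privacy commitments apply to derived forms",
+      "control_name": "P5.1 — Personal information use",
+      "tier": "Hardening",
+      "scope": "Both"
+    },
+    {
+      "framework": "PCI DSS v4.0",
+      "control_id": "Req 3.4.1",
+      "control_name": "Protect stored account data",
+      "tier": "Hardening",
+      "scope": "Both",
+      "notes": "Embeddings derived from CHD-containing documents encrypted — PAN cannot be reconstructed from cleartext embeddings"
+    },
+    {
+      "framework": "PCI DSS v4.0",
+      "control_id": "Req 3.5.1",
+      "control_name": "Protect stored account data — SAD",
+      "tier": "Hardening",
+      "scope": "Both",
+      "notes": "Vector stores in CDE scope encrypted with strong cryptography"
+    },
+    {
+      "framework": "PCI DSS v4.0",
+      "control_id": "Req 7.2.1",
+      "control_name": "Restrict access",
+      "tier": "Hardening",
+      "scope": "Both",
+      "notes": "RBAC on all vector stores in CDE scope — no unauthenticated access"
+    },
+    {
+      "framework": "PCI DSS v4.0",
+      "control_id": "Req 11.3.1",
+      "control_name": "Penetration testing",
+      "tier": "Hardening",
+      "scope": "Both",
+      "notes": "Vector store attacks in CDE penetration testing — RBAC bypass, bulk extraction, embedding inversion"
+    },
+    {
+      "framework": "ENISA Multilayer Framework",
+      "control_id": "L2",
+      "control_name": "Data and Model Security (DMS)",
+      "tier": "Hardening",
+      "scope": "Both",
+      "notes": "Vector stores classified as AI data assets — RBAC, encryption, provenance tracking as DMS practices"
+    },
+    {
+      "framework": "ENISA Multilayer Framework",
+      "control_id": "L2",
+      "control_name": "AI System Integrity (ASI)",
+      "tier": "Hardening",
+      "scope": "Both",
+      "notes": "Vector store attacks in ENISA adversarial testing — RBAC bypass, embedding inversion, bulk extraction"
+    },
+    {
+      "framework": "ENISA Multilayer Framework",
+      "control_id": "L2",
+      "control_name": "Monitoring and Detection (MON)",
+      "tier": "Hardening",
+      "scope": "Both",
+      "notes": "Vector store query patterns monitored — bulk extraction and unusual diversity detected"
+    },
+    {
+      "framework": "ENISA Multilayer Framework",
+      "control_id": "SCS",
+      "control_name": "Supply Chain Security",
+      "tier": "Hardening",
+      "scope": "Both",
+      "notes": "Vector database CVEs in vulnerability management — CVE-2024-3584 class urgent"
+    },
+    {
+      "framework": "OWASP SAMM v2.0",
+      "control_id": "D-TA",
+      "control_name": "Threat Assessment",
+      "tier": "Hardening",
+      "scope": "Both",
+      "notes": "Vector store attack surface threat-modelled — RBAC bypass, embedding inversion, bulk extraction documented"
+    },
+    {
+      "framework": "OWASP SAMM v2.0",
+      "control_id": "I-SB",
+      "control_name": "Secure Build",
+      "tier": "Hardening",
+      "scope": "Both",
+      "notes": "RBAC and encryption implemented for all vector stores — security requirements enforced in code"
+    },
+    {
+      "framework": "OWASP SAMM v2.0",
+      "control_id": "V-ST",
+      "control_name": "Security Testing",
+      "tier": "Hardening",
+      "scope": "Both",
+      "notes": "Vector store attacks in penetration testing — RBAC bypass, CVE-2024-3584 class, embedding inversion tested"
+    },
+    {
+      "framework": "STRIDE",
+      "control_id": "T",
+      "control_name": "Embedding Store Tampering",
+      "tier": "Hardening",
+      "scope": "Build"
+    },
+    {
+      "framework": "STRIDE",
+      "control_id": "I",
+      "control_name": "Embedding Inversion Disclosure",
+      "tier": "Hardening",
+      "scope": "Build"
+    },
+    {
+      "framework": "CWE/CVE",
+      "control_id": "CWE-327",
+      "control_name": "CWE-327",
+      "tier": "Hardening",
+      "scope": "Build",
+      "url": "https://cwe.mitre.org/data/definitions/327.html"
+    },
+    {
+      "framework": "CWE/CVE",
+      "control_id": "CWE-330",
+      "control_name": "CWE-330",
+      "tier": "Hardening",
+      "scope": "Build",
+      "url": "https://cwe.mitre.org/data/definitions/330.html"
+    },
+    {
+      "framework": "CWE/CVE",
+      "control_id": "CWE-345",
+      "control_name": "CWE-345",
+      "tier": "Hardening",
+      "scope": "Build",
+      "url": "https://cwe.mitre.org/data/definitions/345.html"
+    },
+    {
+      "framework": "OWASP AI Testing Guide",
+      "control_id": "Embedding inversion and data reconstruction",
+      "control_name": "DPT — Data Protection",
+      "tier": "Hardening",
+      "scope": "Both",
+      "notes": "Test whether embedding vectors can be inverted to reconstruct training data; verify embedding stores do not leak source content through metadata"
+    },
+    {
+      "framework": "OWASP AI Testing Guide",
+      "control_id": "Vector database security configuration",
+      "control_name": "SCT — Supply Chain",
+      "tier": "Hardening",
+      "scope": "Both",
+      "notes": "Verify vector database is correctly configured — authentication, encryption, namespace isolation, API key protection"
+    },
+    {
+      "framework": "OWASP AI Testing Guide",
+      "control_id": "Retrieval authorisation enforcement",
+      "control_name": "ACT — Access Control",
+      "tier": "Hardening",
+      "scope": "Both",
+      "notes": "Verify RAG queries cannot retrieve documents above the authenticated user's permission level"
+    },
+    {
+      "framework": "MAESTRO",
+      "control_id": "L2",
+      "control_name": "Data Operations",
+      "tier": "Hardening",
+      "scope": "Both"
+    },
+    {
+      "framework": "MAESTRO",
+      "control_id": "L4",
+      "control_name": "Deployment & Infrastructure",
+      "tier": "Hardening",
+      "scope": "Both"
+    },
+    {
+      "framework": "MAESTRO",
+      "control_id": "L6",
+      "control_name": "Security & Compliance",
+      "tier": "Hardening",
+      "scope": "Both"
+    },
+    {
+      "framework": "AIUC-1",
+      "control_id": "A",
+      "control_name": "Data & Privacy domain",
+      "tier": "Hardening",
+      "scope": "Both",
+      "notes": "Foundational"
+    },
+    {
+      "framework": "AIUC-1",
+      "control_id": "B001",
+      "control_name": "Third-party adversarial robustness testing",
+      "tier": "Hardening",
+      "scope": "Both",
+      "notes": "Foundational"
+    },
+    {
+      "framework": "AIUC-1",
+      "control_id": "B002",
+      "control_name": "Detect adversarial input",
+      "tier": "Hardening",
+      "scope": "Both",
+      "notes": "Hardening"
+    },
+    {
+      "framework": "AIUC-1",
+      "control_id": "B005",
+      "control_name": "Implement real-time input filtering",
+      "tier": "Hardening",
+      "scope": "Both",
+      "notes": "Foundational"
+    },
+    {
+      "framework": "OWASP NHI Top 10",
+      "control_id": "Embedding store service account with cross-tenant read access",
+      "control_name": "NHI-5 Over-Privileged NHI",
+      "tier": "Hardening",
+      "scope": "Both",
+      "notes": "Per-tenant credentials or least-privilege scope restrictions"
+    },
+    {
+      "framework": "OWASP NHI Top 10",
+      "control_id": "Unauthenticated embedding store access",
+      "control_name": "NHI-4 Insecure Authentication",
+      "tier": "Hardening",
+      "scope": "Both",
+      "notes": "Require authentication for all vector database connections"
+    },
+    {
+      "framework": "NIST SP 800-218A",
+      "control_id": "PS.1.1-PS",
+      "control_name": "Protect all code from unauthorised access — embedding store protection",
+      "tier": "Foundational",
+      "scope": "Build",
+      "notes": "Classify embedding stores and vector databases as sensitive AI artefacts; apply access controls, encryption at rest/in transit, and audit logging"
+    },
+    {
+      "framework": "NIST SP 800-218A",
+      "control_id": "PW.8.2-PS",
+      "control_name": "Test for security vulnerabilities — embedding adversarial testing",
+      "tier": "Foundational",
+      "scope": "Build",
+      "notes": "Conduct adversarial testing of retrieval pipelines including embedding inversion, retrieval poisoning, and semantic search manipulation scenarios"
+    },
+    {
+      "framework": "NIST SP 800-218A",
+      "control_id": "RV.3.1-PS",
+      "control_name": "Analyse root causes — embedding incident forensics",
+      "tier": "Foundational",
+      "scope": "Build",
+      "notes": "When an embedding or retrieval security incident occurs, conduct forensic analysis of the vector store, ingestion pipeline, and query patterns"
+    },
+    {
+      "framework": "NIST SP 800-218A",
+      "control_id": "PW.4.1-PS",
+      "control_name": "Reuse existing well-secured software — vector store vetting",
+      "tier": "Foundational",
+      "scope": "Build",
+      "notes": "Vet vector database platforms and embedding model providers for security posture before adoption; review access control capabilities"
+    },
+    {
+      "framework": "FedRAMP",
+      "control_id": "SC-28",
+      "control_name": "Protection of Information at Rest — embedding store protection",
+      "tier": "Foundational",
+      "scope": "Build",
+      "notes": "Encrypt vector databases and embedding stores at rest; enforce access controls and audit logging on all embedding read and write operations"
+    },
+    {
+      "framework": "FedRAMP",
+      "control_id": "SI-3",
+      "control_name": "Malicious Code Protection — adversarial embedding detection",
+      "tier": "Foundational",
+      "scope": "Build",
+      "notes": "Extend malicious code protection to detect adversarial manipulation of embeddings — poisoned vectors, out-of-distribution injections, and embedding inversion attacks"
+    },
+    {
+      "framework": "FedRAMP",
+      "control_id": "RA-5",
+      "control_name": "Vulnerability Scanning — embedding infrastructure",
+      "tier": "Foundational",
+      "scope": "Build",
+      "notes": "Include vector databases, embedding pipelines, and retrieval infrastructure in vulnerability scanning; test for injection, access control bypass, and data extraction"
+    },
+    {
+      "framework": "FedRAMP",
+      "control_id": "AC-3",
+      "control_name": "Access Enforcement — embedding store access",
+      "tier": "Foundational",
+      "scope": "Build",
+      "notes": "Enforce role-based access control on vector database operations; restrict who can read, write, and delete embeddings"
+    },
+    {
+      "framework": "DORA",
+      "control_id": "Art. 9",
+      "control_name": "Protection and Prevention — embedding store protection",
+      "tier": "Foundational",
+      "scope": "Build",
+      "notes": "Implement security controls for vector databases and embedding stores — encryption at rest, access controls, and integrity monitoring for financial data embeddings"
+    },
+    {
+      "framework": "DORA",
+      "control_id": "Art. 24–27",
+      "control_name": "Resilience Testing — embedding security testing",
+      "tier": "Foundational",
+      "scope": "Build",
+      "notes": "Include vector database and embedding pipeline security in resilience testing; test for injection, access control bypass, and data extraction from embeddings"
+    },
+    {
+      "framework": "DORA",
+      "control_id": "Art. 8",
+      "control_name": "Identification — embedding infrastructure assets",
+      "tier": "Foundational",
+      "scope": "Build",
+      "notes": "Register vector databases, embedding models, and retrieval infrastructure in the ICT asset inventory with classification per data sensitivity"
+    },
+    {
+      "framework": "DORA",
+      "control_id": "Art. 10",
+      "control_name": "Detection — embedding tampering detection",
+      "tier": "Foundational",
+      "scope": "Build",
+      "notes": "Monitor embedding stores for unauthorised modifications, anomalous writes, and bulk access patterns indicative of extraction or poisoning"
+    }
+  ],
+  "tools": [
+    {
+      "name": "Weaviate (with RBAC)",
+      "type": "open-source",
+      "url": "https://weaviate.io"
+    },
+    {
+      "name": "Qdrant",
+      "type": "open-source",
+      "url": "https://qdrant.tech"
+    },
+    {
+      "name": "Pinecone Canopy",
+      "type": "open-source",
+      "url": "https://github.com/pinecone-io/canopy"
+    },
+    {
+      "name": "RAGAS",
+      "type": "open-source",
+      "url": "https://github.com/explodinggradients/ragas"
+    },
+    {
+      "name": "Weaviate",
+      "type": "open-source",
+      "url": "https://weaviate.io"
+    },
+    {
+      "name": "ML Privacy Meter",
+      "type": "open-source",
+      "url": "https://github.com/privacytrustlab/ml_privacy_meter"
+    },
+    {
+      "name": "LanceDB",
+      "type": "open-source",
+      "url": "https://lancedb.com"
+    },
+    {
+      "name": "Milvus",
+      "type": "open-source",
+      "url": "https://milvus.io"
+    },
+    {
+      "name": "LLM Guard",
+      "type": "open-source",
+      "url": "https://github.com/protectai/llm-guard"
+    },
+    {
+      "name": "OWASP ZAP",
+      "type": "open-source",
+      "url": "https://www.zaproxy.org"
+    },
+    {
+      "name": "Foolbox",
+      "url": "https://github.com/bethgelab/foolbox",
+      "type": "open-source"
+    },
+    {
+      "name": "TextAttack",
+      "url": "https://github.com/QData/TextAttack",
+      "type": "open-source"
+    }
+  ],
+  "incidents": [
+    {
+      "name": "Azure OpenAI content filter bypass via structured output mode",
+      "url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
+      "year": 2025,
+      "incident_id": "INC-037"
+    },
+    {
+      "name": "Adversarial embedding attacks on production RAG systems",
+      "url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
+      "year": 2024,
+      "incident_id": "INC-046"
+    }
+  ],
+  "crossrefs": {
+    "agentic_top10": [
+      "ASI06"
+    ],
+    "dsgai_2026": [
+      "DSGAI13",
+      "DSGAI18",
+      "DSGAI08",
+      "DSGAI09",
+      "DSGAI04",
+      "DSGAI05"
+    ]
+  },
+  "changelog": [
+    {
+      "date": "2026-03-27",
+      "version": "1.0.0",
+      "change": "Initial entry — generated from GenAI Security Crosswalk v1.5.1 mapping files",
+      "author": "emmanuelgjr"
+    }
+  ]
+}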
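Review bot: The third NIST SP 800-82 Rev 3 mapping is an unfilled template row — `"control_id": "Title"`, `"control_name": "Control"`, `"notes": "Application"` — and should be dropped or completed before any consumer filters or reports on this entry by control, since it will surface as a bogus control with a "Hardening" tier. Across the rest of `mappings` the two key fields are not used consistently: the ISO/NIST AI RMF/CIS/ASVS rows put the identifier in `control_id`, while the EU AI Act, SOC 2, SP 800-82 (SI-7/SC-28/AC-3), OWASP AI Testing Guide and NHI Top 10 rows put a free-text description in `control_id` and the identifier (`"SI-7"`, `"Art. 9 — Risk management"`, `"CC6.1 — Logical access"`) in `control_name`, so anything keying on `control_id` cannot treat the array uniformly. The two MITRE ATLAS rows deserve a check against the atlas.mitre.org URLs they cite — as far as I recall AML.T0025 is "Exfiltration via Cyber Means", not "Resource Exhaustion via Embedding" — and the ASVS `V12.1.1` row is labelled as malware scanning when, if I remember the 4.0.3 numbering correctly, that requirement concerns upload size limits. Minor: Weaviate appears twice in `tools` with the same URL, the three CWE rows repeat the ID in `control_name` instead of giving the weakness title, and incident INC-037 (an Azure OpenAI content-filter bypass) does not obviously involve vectors or embeddings, so its link to this entry should be justified or removed.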