Security Testing for AI Applications
AI applications introduce an entirely new attack surface that traditional security testing does not address. Prompt injection, data leakage, retrieval poisoning, and jailbreaks are not covered by OWASP's classic Top 10 or by conventional SAST/DAST tools. A QA architect building AI-powered products must understand both the traditional web security landscape and the emerging AI-specific threats, and must be able to design testing strategies that cover both.
Chapter Contents
1. OWASP LLM Top 10 — 01-owasp-llm-top-10/
- Prompt Injection — Direct and indirect injection attacks with testing strategies
- Output Handling and DoS — Insecure output handling, model denial of service
- Supply Chain and Overreliance — ML supply chain vulnerabilities, model theft, overreliance
2. AI-Specific Attacks — 02-ai-specific-attacks/
- Jailbreak Testing — Automated jailbreak test framework with categorized payloads
- Data Leakage Detection — PII scanning, system prompt extraction, cross-session leaks
- RAG System Security — Retrieval poisoning, citation fabrication, context overflow
3. Traditional Security — 03-traditional-security/
- OWASP Top 10 Meets AI — How AI features amplify traditional vulnerabilities
- SAST DAST SCA Pipeline — CI security pipeline with AI-specific Semgrep rules
4. Security Program — 04-security-program/
- Threat Modeling with STRIDE — STRIDE extended for AI features
- AI Regulation Compliance — EU AI Act, NIST AI RMF, compliance testing
- Security Metrics — Building a layered AI security testing program with measurable outcomes
Why This Matters
AI security testing requires a dual focus. First, the classic web security fundamentals -- OWASP Top 10, SAST, DAST, SCA in CI -- still apply, because an AI app is still a web app. Second, the AI-specific attack surface must be covered: prompt injection, jailbreaks, data leakage, and RAG poisoning. New jailbreak techniques emerge weekly, so the test suite must evolve as fast as the attack surface does.
Core principle: Security testing for AI is not a one-time activity. It is a continuous practice.