
New Cheat Sheet: RAG Security#2131

Merged
mackowski merged 3 commits into OWASP:master from razashariff:rag-security-cheat-sheet
May 6, 2026

Conversation

@razashariff
Contributor

Addresses #2126.

Thanks @mackowski for approving and assigning this one — here it is.

RAG is now standard architecture for enterprise AI but introduces a unique attack surface distinct from both traditional web vulnerabilities and standalone LLM risks. This covers the topic practically with a first-approach focus that I hope will help our community immensely.

14 sections covering the complete pipeline from document ingestion through to output validation:

  1. Document Poisoning and Integrity
  2. Embedding Security
  3. Context Window Protection
  4. Access Control Inheritance
  5. Source Attribution and Verification
  6. Chunk Isolation and Multi-Tenancy
  7. Vector Index Integrity
  8. Query Security
  9. Output Validation
  10. Tool and Agent Integration Safety
  11. Response Caching Security
  12. Pipeline Observability
  13. Supply Chain and Connector Security
  14. Fail-Closed Design

Each section has practical Do/Don't guidance. Happy to iterate on feedback.

I have also built DVRAG (Damn Vulnerable RAG Pipeline) as a companion training tool — a deliberately insecure RAG system with 25 vulnerabilities mapped to each section of this cheat sheet. Practitioners can use it to understand and test each attack vector hands-on. Happy to share details if useful for the community.

Thanks again — Raza Sharif :)

@razashariff
Contributor Author

Hi @mackowski -- just checking if this is ready for review or if there's anything you'd like changed before looking at it. Happy to adjust. Thanks

@mackowski
Collaborator

@razashariff it is ready for review but we need some time to review it ;)

@razashariff
Contributor Author

Thanks @mackowski. Just wanted to make sure nothing was blocking on my side. The Secure Coding with AI one (#2132) was also revised based on Jim's feedback. Cheers, Raza

@mackowski mackowski requested a review from jmanico May 5, 2026 14:42
Comment thread on cheatsheets/RAG_Security_Cheat_Sheet.md (Outdated)
- Silently degrade functionality. Users and operators must know when the system is not operating with full security controls.
- Treat pipeline failures as performance issues. In a security context, a failed retrieval or a failed access control check is a security event.

## Section 15: Do's and Don'ts Summary
Collaborator


@jmanico what do you think about this? This restates bullets verbatim from Sections 1–14 and it does not add any new information.
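The two "Don't" bullets quoted from the Fail-Closed Design section in the review context above (no silent degradation; a failed access-control check is a security event, not a performance issue) are illustrated by the following added example. It is not code from the cheat sheet, from DVRAG, or from this PR; the in-memory index, the `acl_lookup` stand-in for an access-control service and the `SecurityEvents` sink are constructed for the illustration.

```python
"""Fail-closed retrieval for a RAG pipeline (added illustration, not cheat-sheet code).

Each chunk carries the ACL inherited from its source document. If the
access-control check cannot be completed, retrieval is refused and a security
event is emitted; the pipeline never falls back to answering from unfiltered
context. The index, ACL check and event sink below are constructed stand-ins.
"""
from dataclasses import dataclass, field
import logging

log = logging.getLogger("rag.security")


class RetrievalRefused(Exception):
    """Raised instead of returning degraded or unfiltered results."""


@dataclass
class Chunk:
    doc_id: str
    text: str
    allowed_groups: frozenset  # ACL inherited from the source document


# Constructed sample index: three chunks with inherited ACLs.
INDEX = [
    Chunk("hr-001", "Salary bands for 2026 ...", frozenset({"hr"})),
    Chunk("eng-007", "Deploy runbook: rotate the signing key ...", frozenset({"eng", "sre"})),
    Chunk("pub-003", "Company holiday schedule ...", frozenset({"all"})),
]


@dataclass
class SecurityEvents:
    """Stand-in for a SIEM / audit sink; keeps events in memory for inspection."""
    events: list = field(default_factory=list)

    def emit(self, kind, **details):
        self.events.append({"kind": kind, **details})
        log.warning("security event %s %s", kind, details)


def acl_lookup(user_groups, chunk, acl_service_up=True):
    """Constructed access-control check; raises when the ACL service is unavailable."""
    if not acl_service_up:
        raise ConnectionError("acl service unavailable")
    return bool(chunk.allowed_groups & (set(user_groups) | {"all"}))


def retrieve(query, user_groups, events, acl_service_up=True):
    """Return only chunks the caller may read; refuse, never degrade, on any ACL failure."""
    words = query.lower().split()
    matches = [c for c in INDEX if any(w in c.text.lower() for w in words)]
    permitted = []
    for chunk in matches:
        try:
            allowed = acl_lookup(user_groups, chunk, acl_service_up)
        except Exception as exc:
            # A failed access-control check is a security event, not a retryable blip:
            # record it and stop the whole retrieval rather than skip the chunk.
            events.emit("acl_check_failed", doc_id=chunk.doc_id, error=str(exc))
            raise RetrievalRefused("access control unavailable; refusing to answer") from exc
        if allowed:
            permitted.append(chunk)
        else:
            events.emit("acl_denied", doc_id=chunk.doc_id, groups=sorted(user_groups))
    return permitted


def answer(query, user_groups, events, acl_service_up=True):
    """Pipeline entry point: surfaces the refusal explicitly instead of answering with less."""
    try:
        chunks = retrieve(query, user_groups, events, acl_service_up)
    except RetrievalRefused as exc:
        return {"status": "refused", "reason": str(exc), "context": []}
    return {"status": "ok", "context": [c.doc_id for c in chunks]}


if __name__ == "__main__":
    ev = SecurityEvents()
    print(answer("holiday schedule", ["eng"], ev))
    print(answer("salary bands", ["eng"], ev))
    print(answer("rotate signing key", ["sre"], ev, acl_service_up=False))
    print(ev.events)
```

The important design choice is in `retrieve`: an exception from the access-control check aborts the whole request with an explicit `refused` status rather than dropping the affected chunk or returning the unfiltered match list, and the same code path writes an `acl_check_failed` event so operators see the outage as a security signal rather than a latency blip.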

@jmanico
Member

jmanico commented May 5, 2026

Agree with @mackowski on Section 15: the "Do's and Don'ts Summary" duplicates the per-section Do/Don't lists verbatim and pads the doc by ~40 lines without adding new content. The "Implementation Priority" block at the top already gives readers a quick-reference. Recommend dropping Section 15 entirely, or replacing it with a one-line-per-control checklist (no prose) so it serves as a true at-a-glance reference rather than a restatement.

Minor (optional):

  • Length: ~426 lines is on the long side for a cheat sheet. If Section 15 is dropped and the per-section attack-vector prose is tightened, it'll feel more like a reference than a guide.
  • Section 2 "calibrated noise to embeddings" / differential privacy is research-grade. Good that it's flagged "Advanced" in the priority list; consider citing a reference (e.g., Song & Raghunathan's embedding-inversion work) so readers know where to dig.
  • Reference to "OWASP Top 10 for Agentic Applications for 2026" please verify the URL is stable; the GenAI project site has reorganized before.
  • Author uses British English consistently (organisations, behaviour, sanitisation): please move these to US English.

Otherwise solid: the access-control inheritance, fail-closed, and tool-invocation sections are particularly well done. LGTM after Section 15 cleanup.

@razashariff
Contributor Author

Hey @jmanico @mackowski -- thanks for the thorough review, really appreciated.

All feedback addressed:

  • Section 15 removed -- agreed it was redundant with the per-section Do/Don't lists. Implementation Priority at the top already serves as the quick-reference.
  • US English throughout -- all British spellings updated (organizations, behavior, sanitization, authorization, etc.)
  • Song & Raghunathan citation added for the differential privacy / embedding inversion point in Section 2, plus added to References.
  • OWASP Agentic URL -- pointed to the stable genai.owasp.org root to avoid breakage if the project site reorganizes.
  • Line count reduced from 424 to 384.

Let me know if anything else needs tightening. Thanks again, cheers Raza :)

@mackowski
Collaborator

Thanks @razashariff

@mackowski mackowski merged commit 41f6729 into OWASP:master May 6, 2026
3 checks passed