What is OWASP LLM03 supply chain risk and how do I secure third-party models, LoRA adapters, and datasets?
OWASP LLM03 Supply Chain risk covers vulnerable or compromised components of unknown provenance, such as base models, fine-tunes, datasets, adapters, plugins, and third-party packages. Securing these components requires a multi-faceted approach built on provenance, vetting, and integrity.
To secure third-party models, LoRA adapters, and datasets, implement the following controls:
- Model/Dataset Provenance & Licensing Records: Maintain detailed records of the origin and licensing of all models and datasets used. This aligns with NIST-GOVERN-6.1, which emphasizes tracking provenance and licensing for third-party components.
- Signed Artifacts: Utilize signed artifacts for models, datasets, and other components to ensure their integrity and authenticity. This helps mitigate risks like golden dataset poisoning.
- Software Bill of Materials (SBOM) for the AI Stack: Generate and maintain an SBOM for the entire AI stack to identify all components and their dependencies. This provides transparency into the supply chain.
- Vetting of Plugins/Model Context Protocol (MCP) Tools: Thoroughly vet all plugins and MCP tools before integration. Treat any third-party MCP server as high-risk until it has been scrutinized, because each one expands the attack surface. DefenseClaw, for example, scans and evaluates skills, MCP servers, and plugins before they run.
- Pinned Versions: Use pinned versions for all dependencies to prevent unexpected changes or vulnerabilities from being introduced.
- Third-party Risk Policy: Establish and enforce policies that address risks from third-party models, datasets, and tools, including tracking provenance, licensing, and model-update risks. This is a direct control for NIST-GOVERN-6.1.
- Data-Source Vetting & Integrity Checks: For datasets, vet data sources and perform integrity checks to prevent data poisoning. This is a control for OWASP LLM04 Data and Model Poisoning.
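As an added example (not part of the original answer), the following Python combines several of the controls above into one pin-and-verify step: a curator records each vetted artifact's SHA-256 next to its provenance and licence record, and the consumer later refuses anything missing, altered, or unpinned, and checks that the LoRA adapter still declares the base model it was vetted against. All artifact names, sources and licences are constructed placeholders; `base_model_name_or_path` is the field PEFT writes into adapter_config.json.

```python
import hashlib, hmac, json

# Constructed provenance records (placeholder sources/licences) for the third-party
# artifacts of a small AI stack: base model weights, LoRA adapter config, dataset.
PROVENANCE = {
    "base/model.safetensors": {"source": "example.invalid/base", "license": "apache-2.0"},
    "adapter/adapter_config.json": {"source": "example.invalid/lora", "license": "mit"},
    "data/train.jsonl": {"source": "example.invalid/data", "license": "cc-by-4.0"},
}
PINNED_BASE = "vendor/base-7b"  # constructed name of the vetted base model

def pin_artifacts(artifacts, provenance):
    """Curator side: after vetting, record each artifact's SHA-256 next to its provenance.
    `artifacts` maps relative path -> bytes (read from disk in a real pipeline)."""
    return {rel: {**rec, "sha256": hashlib.sha256(artifacts[rel]).hexdigest()}
            for rel, rec in provenance.items()}

def verify_artifacts(artifacts, manifest, pinned_base):
    """Consumer side: every pinned artifact must be present and unchanged, nothing unpinned
    may be present, and the LoRA adapter must declare the pinned base model. Returns findings."""
    findings = []
    for rel, rec in manifest.items():
        if rel not in artifacts:
            findings.append(f"missing: {rel}")
        elif not hmac.compare_digest(hashlib.sha256(artifacts[rel]).hexdigest(), rec["sha256"]):
            findings.append(f"digest mismatch: {rel}")
    findings += [f"unpinned artifact: {rel}" for rel in artifacts if rel not in manifest]
    cfg = artifacts.get("adapter/adapter_config.json")  # base_model_name_or_path is PEFT's field
    if cfg is not None and json.loads(cfg).get("base_model_name_or_path") != pinned_base:
        findings.append("adapter targets a different base model")
    return sorted(findings)

def demo():
    """Pin a clean constructed set of artifacts, then re-verify after simulated drift."""
    vetted = {
        "base/model.safetensors": b"\x00" * 64,  # placeholder bytes, not a real model
        "adapter/adapter_config.json": json.dumps({"base_model_name_or_path": PINNED_BASE}).encode(),
        "data/train.jsonl": b'{"text": "benign sample"}\n',
    }
    manifest = pin_artifacts(vetted, PROVENANCE)
    clean = verify_artifacts(vetted, manifest, PINNED_BASE)  # expected: no findings
    drifted = dict(vetted)
    drifted["data/train.jsonl"] = b'{"text": "altered sample"}\n'  # dataset silently changed
    drifted["adapter/extra.bin"] = b"\x02"  # component nobody vetted or pinned
    drifted["adapter/adapter_config.json"] = json.dumps(
        {"base_model_name_or_path": "vendor/other-7b"}).encode()  # adapter repointed
    return clean, verify_artifacts(drifted, manifest, PINNED_BASE)
```

Running `demo()` returns an empty list for the vetted set and four findings for the drifted one; in a real pipeline the manifest itself would be signed so that the pins cannot be swapped along with the artifacts.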
This AI-generated answer is for guidance only — not a certification, audit, or penetration test. Grounded in the NIST AI RMF, OWASP LLM Top 10, and ISO/IEC 42001 control text; verify applicability to your environment.