MLASVS — MLSec Application Security Verification Standard¶
Version 0.1 (Draft)
The MLASVS defines what to verify in machine learning systems. It is the requirements layer of the MLASTG framework, analogous to the OWASP MASVS for mobile applications.
1. What Is the MLASVS?¶
The MLSec Application Security Verification Standard (MLASVS) is a comprehensive set of security requirements (controls) for machine learning systems. It covers:
- Traditional ML models — Classifiers, regressors, clustering models
- Deep neural networks — CNNs, RNNs, transformers, GANs
- Large language models (LLMs) — GPT-style models, chatbots, RAG systems
- ML infrastructure — Pipelines, feature stores, model registries, serving infrastructure
Each control is: - Testable — Can be verified through defined procedures - Actionable — Provides clear implementation guidance - Mappable — Linked to MITRE ATLAS tactics, OWASP LLM Top 10, and NIST AI RMF - Scalable — Offered at two security levels (L1 and L2)
2. Control Categories¶
| ID | Category | Focus Area | Control Count |
|---|---|---|---|
| MLASVS-DATA | Data Security & Privacy | Data provenance, sanitization, differential privacy (standard + federated), access control | 18 L1 / 12 L2 |
| MLASVS-MODEL | Model Security | Adversarial robustness, extraction prevention, inversion, backdoors | 15 L1 / 15 L2 |
| MLASVS-LLM | LLM Security | Prompt injection, output handling, agency control, context isolation | 14 L1 / 10 L2 |
| MLASVS-SUPPLY | Supply Chain Security | ML-SBOM, base model vetting, dependency security | 12 L1 / 10 L2 |
| MLASVS-PIPELINE | Pipeline & MLOps | CI/CD, model registry, artifact integrity, feature stores | 10 L1 / 10 L2 |
| MLASVS-INFRA | Runtime & Infrastructure | Model serving, API security, monitoring, incident response | 12 L1 / 10 L2 |
| MLASVS-GOV | Governance & Compliance | Risk governance, bias/fairness, audit, regulatory compliance | 10 L1 / 10 L2 |
Total: 91 L1 controls + 77 L2 controls = 168 verifiable controls
3. Security Levels¶
L1 — Standard Security¶
Applies to all ML systems in production. Covers fundamental controls: - Data access control and basic provenance - Input validation and sanitization - Basic adversarial robustness testing - Standard supply chain verification - Essential logging and monitoring - Model registry and version control
L2 — Defense-in-Depth¶
Applies to high-risk, enterprise, defense, and regulated environments. Adds: - Full data provenance with cryptographic verification - Differential privacy guarantees - Rigorous adversarial robustness certification (certified adversarial defenses) - Comprehensive ML-SBOM with continuous scanning - Runtime model monitoring with automated incident response - Full red teaming with adversarial attack simulation - Regulatory compliance verification (EU AI Act, etc.)
4. Control Format¶
Each MLASVS control follows this template:
MLASVS-{CATEGORY}-{NUMBER}:
Description: One-line description of the control
Category: MLASVS-{CATEGORY}
Level: L1 | L2
MITRE ATLAS: AML.T#### — Technique name
OWASP LLM: LLM0X (if applicable)
NIST AI RMF: Map, Measure, Manage, or Govern
Assessment: [x] Pass / [ ] Fail / [ ] N/A
Weakness Ref: MLASWE-XXXX
Test Reference: MLASTG-TEST-XXXX
5. Relationship to Other Frameworks¶
MITRE ATLAS ─── Tactics & Techniques (adversary perspective)
│
▼
MLASVS ─── Security Controls (defender perspective)
│
├── Mapped to ───► NIST AI RMF (Govern, Map, Measure, Manage)
├── Mapped to ───► OWASP AI Exchange (threat/control matrices)
├── Covers ───► OWASP LLM Top 10 (all 10 risks)
└── Covers ───► OWASP ML Top 10 (all 10 vulnerabilities)
│
▼
MLASTG ─── Test Cases (verification perspective)
│
▼
MLASWE ─── Weaknesses (vulnerability classification)
6. Applying the MLASVS¶
For Development Teams¶
- Determine the target security level (L1 or L2) for your ML system
- Review applicable controls from all 7 categories
- Implement controls during model development and deployment
- Use the MLASTG Checklist to track compliance
For Security Teams¶
- Reference the MLASVS when defining security requirements for ML projects
- Use the MLASTG test cases to verify each control
- Classify findings using MLASWE identifiers
- Report compliance status using the control framework
For Auditors¶
- Use MLASVS as the audit criteria for ML system reviews
- Verify controls at the declared security level (L1 or L2)
- Cross-reference findings to MLASWE weakness categories
- Document residual risk for unaddressed controls
7. Control Inventory Summary¶
| Control ID | Title | Level | MITRE ATLAS Ref | Test Ref |
|---|---|---|---|---|
| DATA-001 | Data provenance tracking | L1 | AML.TA0009 | TEST-DATA-001 |
| DATA-002 | Cryptographic data integrity | L1 | AML.TA0010 | TEST-DATA-001 |
| DATA-003 | Data access control enforcement | L1 | AML.TA0002 | TEST-DATA-004 |
| DATA-004 | Input validation and sanitization | L1 | AML.TA0005 | TEST-DATA-002 |
| DATA-005 | PII/PHI detection in training data | L1 | AML.TA0010 | TEST-DATA-002 |
| DATA-006 | Data lineage documentation | L1 | AML.TA0009 | TEST-DATA-001 |
| ... | ... | ... | ... | ... |
(Full control inventory in each category section)
8. Versioning¶
| Version | Date | Notes |
|---|---|---|
| 0.1 (Draft) | 2026-Q2 | Initial framework structure, control definitions, test cases, ATLAS mapping |