Josh Grossman

Results 687 comments of Josh Grossman

I think there are two questions: - Masking sensitive data on entry - Not returning sensitive data in its complete form from the server @ImanSharaf do you think that requirements...

Doh, I was sure I had responded to this. There are a few mechanisms here which I feel are getting confused. 1) Masking data as it is being entered into...

Ok @ImanSharaf so something like: > Verify that the application only returns sensitive data such as credit card numbers to the application front end in a masked form and does...

I think that is a valid question @ImanSharaf, how do we distinguish this?

@elarlang @jmanico so maybe something like: > Verify that the application only returns the minimum required sensitive data for the application's functionality. For example, only returning some of the digits...
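The distinction drawn in this thread (masking a value as it is typed on the front end versus the server never sending the full value in the first place) is easiest to see in code. The block below is an added example written for this page, not ASVS project code and not a reference implementation of the proposed requirement; the record layout, the field names (`pan_masked` and so on) and the sample card number are constructed for illustration. It shows the server-side half: a response builder that only ever returns the last four digits of the card number and never includes the CVV, plus a check a test suite can run over serialized responses to catch a full PAN slipping through.

```python
import json
import re

# Constructed sample of what the server holds. The PAN is a well-known test
# number, not a real card.
STORED_CARD = {
    "holder": "J. Doe",
    "pan": "4111111111111111",
    "expiry": "12/29",
    "cvv": "123",
}

# 13 to 19 digits, optionally separated by spaces or hyphens: the shape of a
# full PAN. A masked value ("************1111") has only four digits, so it
# does not match.
PAN_PATTERN = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def mask_pan(pan: str, visible: int = 4) -> str:
    """Return the PAN with every digit except the last `visible` replaced by '*'.

    Separators are dropped first so the mask does not reveal formatting, and a
    value too short to mask meaningfully is hidden entirely rather than shown.
    """
    digits = "".join(ch for ch in pan if ch.isdigit())
    if len(digits) <= visible:
        return "*" * len(digits)
    return "*" * (len(digits) - visible) + digits[-visible:]


def card_response(record: dict) -> dict:
    """Build the object the API returns to the front end.

    Only the fields the UI needs are included; the PAN is masked here, on the
    server, so the browser never receives the complete number, and the CVV is
    never returned at all.
    """
    return {
        "holder": record["holder"],
        "pan_masked": mask_pan(record["pan"]),
        "expiry": record["expiry"],
    }


def card_response_json(record: dict) -> str:
    """Serialize the front-end response exactly as it would go over the wire."""
    return json.dumps(card_response(record))


def response_leaks_pan(body: str) -> bool:
    """Test-suite check: does a serialized response contain a full card number?"""
    return PAN_PATTERN.search(body) is not None


if __name__ == "__main__":
    body = card_response_json(STORED_CARD)
    print(body)
    print("full PAN in response:", response_leaks_pan(body))
```

Running the check against `json.dumps(STORED_CARD)` (the raw record) reports a leak, while `card_response_json(STORED_CARD)` does not; masking applied only in the browser would pass a visual review yet fail this check, because the full number is still in the response body.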

@elarlang I think the requirement would be hard to understand without the explanation text and it doesn't make the requirement too long

My initial thought is do we want a specific LLM section in the [V5 Validation, Sanitization and Encoding](https://github.com/OWASP/ASVS/blob/master/5.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v5-validation-sanitization-and-encoding) chapter? Or do LLMs need their own *SVS? I bet @danielcuthbert has...

Yeah I think that especially based on what @GangGreenTemperTatum said, I am not convinced that a full section on LLMs is warranted for ASVS. On the other hand, maybe we...

Okay so we now have a place to put appendix content with an intro that I based on what @ImanSharaf wrote so who wants to add content :) https://github.com/OWASP/ASVS/blob/master/5.0/en/0x98-Appendix-W_LLM_Security.md