OWASP Serverless Top 10 Project

= Main =

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
 * valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

OWASP Serverless Top 10 - First Released
The OWASP Top 10: Serverless Interpretation is now available.

Introduction
When adopting serverless technology, we eliminate the need to develop a server to manage our application. By doing so, we also pass some of the security threats to the infrastructure provider such as AWS, Azure and Google Cloud. In addition to the many advantages of serverless application development, such as cost and scalability, some security aspects are also handed to our service provider. Serverless services run code without provisioning or managing servers and the code is executed only when needed.

However, even if these applications are running without a managed server, they still execute code. If this code is written in an insecure manner, it can still be vulnerable to application-level attacks.

The first report will examine the differences in attack vectors, security weaknesses, and the business impact of application attacks in the serverless world, and, most importantly, the report will suggest ways to prevent them. As we will be able to see in the report, attack and defense techniques are different from what we are used to in the traditional application world.

After that, an open call will be established to collect data in the wild and establish the official Serverless Top 10 Report.

Purpose
OWASP Serverless Top 10 aims at educating practitioners and organizations about the consequences of the most common serverless application security vulnerabilities, as well as providing basic techniques to identify and protect against them.

Licensing
The OWASP Serverless Top 10 is free to use. It is licensed under the Creative Commons Attribution-ShareAlike 4.0 license (CC BY-SA 4.0).


 * valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

Quick Downloads
OWASP Top 10: Serverless Interpretation

Presentation
Soon!

News & Events

 * [1 Sep 2018]: Hello World!
 * [18 Sep 2018]: Join our Slack-channel #project-sls-top-10.
 * [22 Sep 2018]: Follow our Git Repo.
 * [25 Oct 2018]: First Release!
 * [2 Nov 2018]: Official Announcement

Project Leader
Tal Melamed

Coming soon!

Related Projects
OWASP Top 10 Project

Classifications

 * }

= Acknowledgments =

Project Sponsors
The OWASP Serverless Top 10 project is sponsored by

and



First Report Reviewers
 * Assaf Hefetz, Snyk
 * Erez Metula, AppSec Labs
 * Erez Yalon, Checkmarx
 * Frank M. Catucci, OWASP
 * Guy Bernhart-Magen, Intel
 * Hemed Gur Ary, OWASP
 * Jeff Williams, Contrast Security
 * Jim DelGrosso, Synopsys
 * Jochanan Sommerfeld, RDuck
 * Kobi Lechner, INFINIDAT
 * Limor Sylvie Kessem, IBM
 * Marcin Hoppe, Auth0
 * Mark Johnston, Google
 * Martin Knobloch, OWASP
 * Matthew Henderson, Microsoft
 * Matteo Meucci, Minded Security
 * Owen Pendlebury, OWASP
 * Paco Hope, AWS
 * Patrick Laverty, Rapid7
 * Rupack Ganguly, Serverless Inc.
 * Tanya Janca, Microsoft
 * Tash Norris, Capital One
 * Tom Brennan, IOActive
 * Yan Cui, DAZN
 * Youssef Elmalty, AWS

= Project Resources =

GitHub repository

= Roadmap =

= Get involved =

Get involved in OWASP Serverless Top 10!

You do not have to be a security expert or a programmer to contribute. Contact the Project Leader(s) to get involved; we welcome any type of suggestions and comments.

Possible ways to contribute:
 * We are actively looking for organizations and individuals that will provide vulnerability prevalence data.
 * Translation efforts (later stages)
 * Assisting in the development of related tools (e.g. DVSA)

Individuals and organizations that contribute to the project will be listed on the acknowledgments page.

Also, join our Slack Channel #project-sls-top-10

GitHub project page

= About =