Category:OWASP Cloud ‐ 10 Project

Revision as of 12:14, 28 July 2009 by Martin G. Nystrom (talk | contribs) (Project Leaders)

Jump to: navigation, search



Goal of the project is to maintain a list of top 10 security risks faced with the Cloud Computing and SaaS Models. List will be maintained by input from community, security experts and security incidences at cloud/SaaS providers.


Audience for the project will be organizations planning on leveraging external cloud environment to host their applications or rent application in a SaaS model (Software as a Service). Aim of the "OWASP Cloud-10" list is to help balance security risks with the cost advantage that the Cloud and SaaS model provides. We expect the Cloud and SaaS providers to be indirect audience for "OWASP Cloud-10", when they try to showcase their security controls to potential customers against this list.

Managing OWASP Cloud-10 List (Pre-Alpha)

“OWASP Cloud-10” list will be maintained by input from, community, security experts and security incidences at cloud/SaaS providers.

Each of the identified risk in "OWASP Cloud-10" will provide details on:

  • Various Risk Scenarios
  • Real World Examples
  • Possible Mitigations and Security Controls
  • Reference to any related Incident

OWASP Cloud-10 List

Initial pre-alpha list of OWASP Cloud-10 Security Risks

C1 - Privacy of Users [Placeholder] - User's private and PII data gets stored in the cloud
C2 - Enterprise Data Hosted Outside in Cloud
C3 - Accountability and Ownership of Data Security
C4 - Federating User Identity
C5 - Secondary Usage of Data
C6 - Demonstrating Regulatory Compliance
C7 - SLA - Building Right Level of insurance and accountability
C8 - Vendor Lock-In
C9 - Data Backup and Disaster Recovery
C10 - Direct Exposure to Development and Production Environments

Table 1: Top 10 Cloud - Security Risks

Other OWASP Cloud-10 Candidates

  • Service Availability Risk
  • Multi-Tenancy
  • Integration between cloud and internally hosted services
  • Patching and Vulnerability Management

This needs to be debated and for each of these we may need to add a separate page-holder with the following details.

  • Various Risk Scenarios
  • Real World Examples
  • Possible Mitigation and Security Controls
  • Reference to any related Incident

Roadmap (Status)

Alpha State

  1. Identify and publish a first draft of potential "OWASP Cloud-10" candidates (July 2009)
  2. Ask contributors to collect more data and details on each of the risk item. (till Aug 2009)
  3. Get initial community feedback by discussing it in various blogs, discussion forums etc. (till Aug-Sept 2009)

Beta State

  1. Publish the first (beta) list of "OWASP Cloud-10" (Oct 2009)
  2. Identify additional candidates
  3. ……. (repeat steps as in Alpha)


Related Efforts

  1. Cloud Security Alliance -
  2. IDC Aug 2008 Survey (Security #1) Challenge for Cloud/On-Demand Models -

Related OWASP Projects

  1. OWASP Top Ten Project
  2. OWASP Legal Project


Project Leaders

Vinay Bansal
Shankar Babu Chebrolu
Martin G. Nystrom
Jim Born


[your name here if you are willing to spend time and contribute to this effort]

  1. Subscribe or read the Cloud-10 mail archives

Project Identification

Project Information

Category:OWASP Cloud‐10 Project - Project Information Page

Subscribe or read the archives