Difference between revisions of "OWASP Serverless Top 10 Project"

 
(42 intermediate revisions by 2 users not shown)
Line 4: Line 4:
 
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
 
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
 
| valign="top"  style="border-right: 1px dotted gray;padding-right:25px;" |
 
| valign="top"  style="border-right: 1px dotted gray;padding-right:25px;" |
 +
 +
== OWASP Serverless Top 10 - First Released ==
 +
The [https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf OWASP Top 10: Serverless Interpretation] is now available.
  
 
== Introduction ==
 
== Introduction ==
Line 25: Line 28:
  
 
The OWASP Serverless Top 10 is free to use. It is licensed under the [http://creativecommons.org/licenses/by-sa/4.0/ Creative Commons Attribution-ShareAlike 4.0 license] (CC BY-SA 4.0).
 
The OWASP Serverless Top 10 is free to use. It is licensed under the [http://creativecommons.org/licenses/by-sa/4.0/ Creative Commons Attribution-ShareAlike 4.0 license] (CC BY-SA 4.0).
 
  
  
Line 31: Line 33:
 
The OWASP Serverless Top 10 project is sponsored by
 
The OWASP Serverless Top 10 project is sponsored by
  
{{MemberLinks|link=https://www.protego.io|logo=Protego logo 300x75.png}}
+
[[File:Protego logo black.png|frameless|link=https://protego.io/]]                
 +
[[File:PureSec-Logo.png|frameless|link=https://www.puresec.io/]]                 
 +
[[File:Whitesource logo rgb-02.png|frameless|link=https://www.whitesourcesoftware.com/]]
 +
 
 +
 
 
| valign="top"  style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |
 
| valign="top"  style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |
  
 
== Quick Downloads ==
 
== Quick Downloads ==
[https://www.owasp.org/images/7/79/OWASP-Top-10-Serverless-Interpretation_%28en%29.pdf| OWASP Top 10: Serverless Interpretation]
+
[https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf OWASP Top 10: Serverless Interpretation]
  
 
== Presentation ==
 
== Presentation ==
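Review bot: the stray `|` inside the old Quick Downloads external link (`[https://www.owasp.org/images/7/79/OWASP-Top-10-Serverless-Interpretation_%28en%29.pdf| OWASP Top 10: Serverless Interpretation]`) is treated by MediaWiki as part of the URL, so that link was broken; the replacement line drops it and points at the renamed file, which is the right fix. With the `{{MemberLinks}}` template replaced by three `[[File:...]]` logos on their own lines, "The OWASP Serverless Top 10 project is sponsored by" should end with a colon, and the trailing whitespace after the first two `[[File:...]]` lines can go.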
Line 42: Line 48:
  
 
== News & Events ==
 
== News & Events ==
* [1 Sep 2018]: Hello World!
+
* [01 Sep 2018]: Hello World! Project was donated by [https://protego.io Protego Labs]
* [18 Sep 2018]: Join our [https://join.slack.com/t/owasp/shared_invite/enQtNDI5MzgxMDQ2MTAwLTEyNzIzYWQ2NDZiMGIwNmJhYzYxZDJiNTM0ZmZiZmJlY2EwZmMwYjAyNmJjNzQxNzMyMWY4OTk3ZTQ0MzFhMDY Slack-channel].
+
* [18 Sep 2018]: Join our [https://join.slack.com/t/owasp/shared_invite/enQtNDI5MzgxMDQ2MTAwLTEyNzIzYWQ2NDZiMGIwNmJhYzYxZDJiNTM0ZmZiZmJlY2EwZmMwYjAyNmJjNzQxNzMyMWY4OTk3ZTQ0MzFhMDY Slack-channel] '''#project-sls-top-10'''.
* [22 Sep 2018]: Follow our [https://github.com/OWASP/Serverless-Top-10-Project/ Git Repo].
+
* [22 Sep 2018]: Follow our [https://github.com/OWASP/Serverless-Top-10-Project/ Git Repo].
* []: Stay tuned...
+
* [25 Oct 2018]:  [https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf '''First Release!''']
 +
* [30 Oct 2018]: PureSec joined as sponsor
 +
* [02 Nov 2018]:  OWASP [https://owasp.blogspot.com/2018/11/serverless-top-10-added-to-project.html Official Announcement]
 +
* [13 Dec 2018]:  WhiteSource joined as sponsor
  
== Project Leader ==
+
== Project Leaders ==
 
[[User:Tal Mel|Tal Melamed]]
 
[[User:Tal Mel|Tal Melamed]]
  
[[Coming soon!]]
+
[[User:MarcinHoppe|Marcin Hoppe]]
  
 
[[Coming soon!]]
 
[[Coming soon!]]
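Review bot: `[[Coming soon!]]`, kept on both sides of the hunk, is an internal wikilink to a page that does not exist and renders as a red link; plain text, or dropping the line now that a second project leader is listed, is the intended presentation. The date format is unified to two-digit days (`[01 Sep 2018]`), but the new 25 Oct and 02 Nov entries carry a double space after the colon.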
Line 74: Line 83:
 
|}
 
|}
  
 +
= Translation Efforts =
 +
 +
* <b>Chinese:</b> <u>[https://www.owasp.org/images/2/23/OWASP-Top-10-Serverless-Interpretation-cn-v1.0.pdf OWASP Top 10 - Serverless Interpretation 中文版(PDF)]</u><br/>
 +
项目牵头人:肖文棣、王颉(wangj@owasp.org.cn)<br/>
 +
项目组成员:刘晓辉、李宇全、明敏、王斌(排名不分先后,按姓氏拼音排列)
  
  
 
= Acknowledgments =
 
= Acknowledgments =
Assaf Hefetz, Snyk
 
 
Erez Metula, AppSec Labs
 
 
Erez Yalon, Checkmarx
 
 
Frank M. Catucci, OWASP
 
 
Guy Bernhart-Magen, Intel
 
 
Hemed Gur Ary, OWASP
 
 
Jeff Williams, Contrast Security
 
 
Jim DelGrosso, Synopsys
 
 
Jochanan Sommerfeld, RDuck
 
 
Kobi Lechner, INFINIDAT
 
 
Limor Sylvie Kessem, IBM
 
 
Marcin Hoppe, Auth0
 
 
Mark Johnston, Google
 
 
Martin Knobloch, OWASP
 
 
Matthew Henderson, Microsoft
 
 
Matteo Meucci, Minded Security
 
 
Owen Pendlebury, OWASP
 
 
Paco Hope, AWS
 
 
Patrick Laverty, Rapid7
 
 
Rupack Ganguly, Serverless Inc.
 
 
Tanya Janca, Microsoft
 
 
Tash Norris, Capital One
 
 
Tom Brennan, IOActive
 
 
Yan Cui, DAZN
 
 
Youssef Elmalty, AWS
 
  
 +
=== ===
 +
{| role="presentation" class="mw-collapsible"
 +
|-
 +
| '''<big>Sponsors      </big>'''
 +
|-
 +
|
 +
|-
 +
| [[File:Protego logo black.png|frameless|link=https://protego.io/]]
 +
|-
 +
|
 +
|-
 +
| [[File:PureSec-Logo.png|frameless|link=https://www.puresec.io/]]
 +
|-
 +
|
 +
|-
 +
| [[File:Whitesource logo rgb-02.png|frameless|link=https://www.whitesourcesoftware.com/]]
 +
|}
  
  
 +
{| role="presentation" class="mw-collapsible mw-collapsed"
 +
|-
 +
| '''<big>Report Reviewers  </big>'''
 +
|-
 +
|Assaf Hefetz, Snyk
 +
|-
 +
|Erez Metula, AppSec Labs
 +
|-
 +
|Erez Yalon, Checkmarx
 +
|-
 +
|Frank M. Catucci, OWASP
 +
|-
 +
|Guy Bernhart-Magen, Intel
 +
|-
 +
|Hemed Gur Ary, OWASP
 +
|-
 +
|Jeff Williams, Contrast Security
 +
|-
 +
|Jim DelGrosso, Synopsys
 +
|-
 +
|Jochanan Sommerfeld, RDuck
 +
|-
 +
|Kobi Lechner, INFINIDAT
 +
|-
 +
|Limor Sylvie Kessem, IBM
 +
|-
 +
|Marcin Hoppe, Auth0
 +
|-
 +
|Mark Johnston, Google
 +
|-
 +
|Martin Knobloch, OWASP
 +
|-
 +
|Matthew Henderson, Microsoft
 +
|-
 +
|Matteo Meucci, Minded Security
 +
|-
 +
|Owen Pendlebury, OWASP
 +
|-
 +
|Paco Hope, AWS
 +
|-
 +
|Patrick Laverty, Rapid7
 +
|-
 +
|Rupack Ganguly, Serverless Inc.
 +
|-
 +
|Tanya Janca, Microsoft
 +
|-
 +
|Tash Norris, Capital One
 +
|-
 +
|Tom Brennan, IOActive
 +
|-
 +
|Yan Cui, DAZN
 +
|-
 +
|Youssef Elmalty, AWS
 +
|}
  
 
= Project Resources =
 
= Project Resources =
== OWASP Top 10 - First Released ==
+
== OWASP Serverless Top 10 - First Released ==
The [https://www.owasp.org/images/7/79/OWASP-Top-10-Serverless-Interpretation_%28en%29.pdf| OWASP Top 10: Serverless Interpretation] is now available.
+
The [https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf OWASP Top 10: Serverless Interpretation] is now available.
  
 
[https://github.com/OWASP/Serverless-Top-10-Project/ GitHub repository]
 
[https://github.com/OWASP/Serverless-Top-10-Project/ GitHub repository]
 
 
 
  
 
= Roadmap =
 
= Roadmap =
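Review bot: the new collapsible "Report Reviewers" table repeats, name for name, the flat Acknowledgments list kept directly above it, so every reviewer now appears twice on the page; keep one copy. `=== ===` is an empty heading and renders as a blank header bar with an edit link, so it should be removed or given a title such as `=== Sponsors ===`. The sponsor logos also appear both in this table and in the left column, and the Project Resources "First Released" paragraph repeats the one added at the top of the page.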
Line 161: Line 194:
 
Individuals and organizations that will contribute to the project will listed on the acknowledgments page.
 
Individuals and organizations that will contribute to the project will listed on the acknowledgments page.
  
Also, join our [https://lists.owasp.org/mailman/listinfo/owasp-serverless-top-10-project mailing list]
+
Also, join our Slack Channel [https://join.slack.com/t/owasp/shared_invite/enQtNDI5MzgxMDQ2MTAwLTEyNzIzYWQ2NDZiMGIwNmJhYzYxZDJiNTM0ZmZiZmJlY2EwZmMwYjAyNmJjNzQxNzMyMWY4OTk3ZTQ0MzFhMDY '''#project-sls-top-10''']
 
 
Slack Channel [https://join.slack.com/t/owasp/shared_invite/enQtNDI5MzgxMDQ2MTAwLTEyNzIzYWQ2NDZiMGIwNmJhYzYxZDJiNTM0ZmZiZmJlY2EwZmMwYjAyNmJjNzQxNzMyMWY4OTk3ZTQ0MzFhMDY invite]
 
  
 
GitHub [https://github.com/OWASP/Serverless-Top-10-Project/ project page]
 
GitHub [https://github.com/OWASP/Serverless-Top-10-Project/ project page]
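Review bot: "Individuals and organizations that will contribute to the project will listed on the acknowledgments page" is missing "be" ("will be listed") on both sides of the hunk; since the surrounding lines are being edited, this is the moment to fix it. The new "Also, join our Slack Channel ... '''#project-sls-top-10'''" line duplicates the "Slack Channel ... invite" line kept two lines below, which carries the same invite URL; drop one of them.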

Latest revision as of 08:57, 17 May 2019


OWASP Serverless Top 10 - First Released

The OWASP Top 10: Serverless Interpretation is now available.

Introduction

When adopting serverless technology, we eliminate the need to develop a server to manage our application. By doing so, we also pass some of the security threats to the infrastructure provider, such as AWS, Azure or Google Cloud. In addition to the many advantages of serverless application development, such as cost and scalability, some security aspects are also handed to our service provider. Serverless services run code without provisioning or managing servers, and the code is executed only when needed.

However, even if these applications are running without a managed server, they still execute code. If this code is written in an insecure manner, it can still be vulnerable to application-level attacks.

The first report will examine the differences in attack vectors, security weaknesses, and the business impact of application attacks in the serverless world, and, most importantly, it will suggest ways to prevent them. As the report shows, attack and defense techniques differ from what we are used to in the traditional application world.

After that, an open call will be issued to collect data in the wild and to establish the official Serverless Top 10 Report.


Purpose

OWASP Serverless Top 10 aims at educating practitioners and organizations about the consequences of the most common serverless application security vulnerabilities, as well as providing basic techniques to identify and protect against them.


Licensing

The OWASP Serverless Top 10 is free to use. It is licensed under the Creative Commons Attribution-ShareAlike 4.0 license (CC BY-SA 4.0).


Project Sponsors

The OWASP Serverless Top 10 project is sponsored by

Sponsor logos: Protego, PureSec, WhiteSource


Quick Downloads

OWASP Top 10: Serverless Interpretation

Presentation

Soon!


News & Events

Project Leaders

Tal Melamed

Marcin Hoppe

Coming soon!

Related Projects

OWASP Top 10 Project


Classifications

Classification badges: Incubator Project; Builders; Defenders; CC BY-SA; Project Type: Documentation

Translation Efforts

Chinese: OWASP Top 10 - Serverless Interpretation, Chinese edition (PDF)

Project leads: 肖文棣, 王颉 (wangj@owasp.org.cn)
Project team members: 刘晓辉, 李宇全, 明敏, 王斌 (in no order of precedence; arranged by surname pinyin)



Project Resources

OWASP Serverless Top 10 - First Released

The OWASP Top 10: Serverless Interpretation is now available.

GitHub repository

Roadmap

  • 30-SEP-2018: First draft is sent to reviewers
  • 25-OCT-2018: Initial report released
  • 01-APR-2019: Call for data opened
  • 31-JUL-2019: Processing data collected
  • 01-SEP-2019: Release Candidate is sent for review
  • 01-OCT-2019: Official release

We will need help along the way. Please contact Project Leaders to get involved.




Get involved in OWASP Serverless Top 10!

You do not have to be a security expert or a programmer to contribute. Contact the Project Leader(s) to get involved; we welcome any type of suggestion or comment.

Possible ways to contribute:

  • We are actively looking for organizations and individuals that will provide vulnerability prevalence data.
  • Translation efforts (later stages)
  • Assisting in the development of related tools (e.g. DVSA)

Individuals and organizations that contribute to the project will be listed on the acknowledgments page.

Also, join our Slack Channel #project-sls-top-10

GitHub project page



PROJECT INFO

Name: OWASP Serverless Top 10
Purpose: OWASP Serverless Top 10 aims at educating practitioners and organizations about the consequences of the most common serverless application security vulnerabilities, as well as providing basic techniques to identify and protect against them.
License: CC BY-SA 4.0
Project Leader(s):
Project Pamphlet: Not Yet Created
Project Presentation:
Mailing list: Mailing List Archives
Project Roadmap: View
Key Contacts

RELEASE(S) INFO

Current release: Not Yet Published
Last reviewed release: Not Yet Reviewed
Other releases: