When adopting a serverless architecture, we eliminate the need to develop a server to manage our application. By doing so, we also pass some of the security threats to the infrastructure provider. In addition to the many advantages of serverless application development, such as cost and scalability, some security aspects are also handed to our service provider, which can usually be trusted.
However, even if these applications are running without a provisioning server, they still execute code. If this code is written in an insecure manner, the application can be vulnerable to traditional application-level attacks, like Cross-Site Scripting (XSS), Command/SQL Injection, Denial of Service (DoS), broken authentication and authorization and many more.
The OWASP Top 10 is the de-facto guide for security practitioners to understand the most common application attacks and risks and are selected and prioritized according to this data, in combination with consensus estimates of exploitability, detectability, and impact into providing The Ten Most Critical Web Application Security Risks. The OWASP Serverless Top 10 project aims at giving the same insight into the top 10 security risks in Serverless Application.
The first report is first glance to the serverless security world and will serve as a baseline to the official OWASP Top 10 in Serverless project. The report examines the differences in attack vectors, security weaknesses, and business impact of successful attacks on applications in the serverless world, and, most importantly, how to prevent them. As we will see, attack prevention is different from the traditional application world. Additional risks, which are not part of the original OWASP Top 10, but might be relevant for the final version, are listed on the Other Risks to Consider page.
- Release notes
- Intro: Welcome to Serverless Security
- A1:2017 Injection
- A2:2017 Broken Authentication
- A3:2017 Sensitive Data Exposure
- A4:2017 XML External Entities (XXE)
- A5:2017 Broken Access Control
- A6:2017 Security Misconfiguration
- A7:2017 Cross-Site Scripting (XSS)
- A8:2017 Insecure Deserialization
- A9:2017 Using Components with Known Vulnerabilities
- A10:2017 Insufficient Logging and Monitoring
- Other Risks to Consider
- Future Work
- We are actively looking for organizations and individuals that will provide vulnerability prevalence data.
- Translation efforts
- Assisting in the development of related tools (e.g. DVSA)