Skip to content
Branch: master
Clone or download
MarcinHoppe Merge pull request #14 from OWASP/survey
Add scaffolding for data call documentation
Latest commit 27d4431 Feb 4, 2019
Type Name Latest commit message Commit time
Failed to load latest commit information.
datacall Fix terminology Feb 4, 2019 Create Nov 2, 2018
OWASP-Top-10-Serverless-Interpretation-en.pdf Merge pull request #9 from MarcinHoppe/sls-arch-ref Dec 14, 2018


OWASP Serverless Top 10


When adopting a serverless architecture, we eliminate the need to develop a server to manage our application. By doing so, we also pass some of the security threats to the infrastructure provider. In addition to the many advantages of serverless application development, such as cost and scalability, some security aspects are also handed to our service provider, which can usually be trusted.

However, even if these applications are running without a provisioning server, they still execute code. If this code is written in an insecure manner, the application can be vulnerable to traditional application-level attacks, like Cross-Site Scripting (XSS), Command/SQL Injection, Denial of Service (DoS), broken authentication and authorization and many more.

The OWASP Top 10 is the de-facto guide for security practitioners to understand the most common application attacks and risks and are selected and prioritized according to this data, in combination with consensus estimates of exploitability, detectability, and impact into providing The Ten Most Critical Web Application Security Risks. The OWASP Serverless Top 10 project aims at giving the same insight into the top 10 security risks in Serverless Application.

First Report

The first report is first glance to the serverless security world and will serve as a baseline to the official OWASP Top 10 in Serverless project. The report examines the differences in attack vectors, security weaknesses, and business impact of successful attacks on applications in the serverless world, and, most importantly, how to prevent them. As we will see, attack prevention is different from the traditional application world. Additional risks, which are not part of the original OWASP Top 10, but might be relevant for the final version, are listed on the Other Risks to Consider page.


Open Call

  • We are actively looking for organizations and individuals that will provide vulnerability prevalence data.

Get Involed!

  • Translation efforts
  • Assisting in the development of related tools (e.g. DVSA)

Slack: #project-sls-top10 channel (invitation link)

Official page

You can’t perform that action at this time.