Switch branches/tags
Nothing to show
Clone or download
Latest commit 7daf184 Nov 20, 2018
Type Name Latest commit message Commit time
Failed to load latest commit information.
2018/en Fix typo (capitals) Nov 20, 2018
CODE_OF_CONDUCT.md Create CODE_OF_CONDUCT.md Nov 2, 2018
CONTRIBUTING.md Some markdown formatting Nov 12, 2018
LICENSE Create LICENSE Oct 22, 2018
OWASP-Top-10-Serverless-Interpretation-en.pdf Add files via upload Oct 31, 2018
README.md Fix Slack link Nov 20, 2018



OWASP Serverless Top 10


When adopting serverless technology, we eliminate the need to develop a server to manage our application. By doing so, we also pass some of the security threats to the infrastructure provider. In addition to the many advantages of serverless application development, such as cost and scalability, some security aspects are also handed to our service provider, which can usually be trusted.

However, even if these applications are running without a provisioning server, they still execute code. If this code is written in an insecure manner, the application can be vulnerable to traditional application-level attacks, like Cross-Site Scripting (XSS), Command/SQL Injection, Denial of Service (DoS), broken authentication and authorization and many more.

The OWASP Top 10 is the de-facto guide for security practitioners to understand the most common application attacks and risks and are selected and prioritized according to this data, in combination with consensus estimates of exploitability, detectability, and impact into providing The Ten Most Critical Web Application Security Risks. The OWASP Serverless Top 10 project aims at giving the same insight into the top 10 security risks in Serverless Application.

First Report

The first report is first glance to the serverless security world and will serve as a baseline to the official OWASP Top 10 in Serverless project. The report examines the differences in attack vectors, security weaknesses, and business impact of successful attacks on applications in the serverless world, and, most importantly, how to prevent them. As we will see, attack prevention is different from the traditional application world. Additional risks, which are not part of the original OWASP Top 10, but might be relevant for the final version, are listed on the Other Risks to Consider page.


Open Call

  • We are actively looking for organizations and individuals that will provide vulnerability prevalence data.

Get Involed!

  • Translation efforts
  • Assisting in the development of related tools (e.g. DVSA)

Slack: #project-sls-top10 channel (invitation link)

Official page