OWASP Serverless Security Top 10

The OWASP Serverless Top 10 project aims to educate practitioners and organizations about the most common serverless application security vulnerabilities and to provide basic techniques to identify and protect against them.

For details on the official OWASP Serverless Top 10, read the report. The report examines the differences in attack vectors, security weaknesses, and business impact of successful attacks on applications in the serverless world and, most importantly, how to prevent them.

Even though serverless applications run without a server that the developer manages, they still execute code. If that code is written in an insecure manner, the application can be vulnerable to traditional application-level attacks such as Cross-Site Scripting (XSS), Command/SQL Injection, Denial of Service (DoS), broken authentication and authorization, and many more.

In most cases, a variation of each traditional attack also exists in serverless architectures; the difference is usually the entry point, since input reaches a function through event sources (storage notifications, queues, schedules) and not only through HTTP requests.
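As an added illustration of the point above (example code, not the OWASP project's own), the following shows how a classic command injection is reached through a storage event rather than an HTTP parameter, beside a hardened handler. The S3-style event shape, the `/mnt/data` path and the allow-list pattern are assumptions for the example.

```python
import re
from urllib.parse import unquote_plus

# Assumed allow-list for object keys: letters, digits, dot, underscore, slash, dash.
SAFE_KEY = re.compile(r"^[A-Za-z0-9._/-]{1,256}$")


def make_event(raw_key):
    """Constructed S3-style notification record (not a captured real event)."""
    return {"Records": [{"s3": {"object": {"key": raw_key}}}]}


def extract_key(event):
    """Object keys arrive URL-encoded in the event; decode as a handler would."""
    return unquote_plus(event["Records"][0]["s3"]["object"]["key"])


def vulnerable_command(event):
    """Vulnerable pattern: the key is spliced into a shell command string.

    Passing this to subprocess.run(..., shell=True) lets metacharacters in
    the object name (';', '|', '$(...)') run as extra commands in the function.
    """
    return f"wc -l /mnt/data/{extract_key(event)}"


def hardened_command(event):
    """Hardened pattern: validate the key, then build an argv list.

    The list form never reaches a shell parser, and the allow-list plus the
    '..' check reject both injection metacharacters and path traversal.
    """
    key = extract_key(event)
    if not SAFE_KEY.fullmatch(key) or ".." in key.split("/"):
        raise ValueError(f"rejected object key: {key!r}")
    return ["wc", "-l", f"/mnt/data/{key}"]
```

The hardened version is what a handler should hand to `subprocess.run` (without `shell=True`); the vulnerable builder is shown only to make the injected command visible.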

  1. Injection
  2. Broken Authentication
  3. Sensitive Data Exposure
  4. XML External Entities (XXE)
  5. Broken Access Control
  6. Security Misconfiguration
  7. Cross-Site Scripting (XSS)
  8. Insecure Deserialization
  9. Using Components with Known Vulnerabilities
  10. Insufficient Logging and Monitoring