OWASP - User contributions [en]

OWASP Serverless Top 10 Project

2019-09-15T21:45:29Z

Tal Mel: presentation

<div style="width:100%;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>
= Main =

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== OWASP Serverless Top 10 - First Released ==
The [https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf OWASP Top 10: Serverless Interpretation] is now available.

== Introduction ==

When adopting serverless technology, we eliminate the need to develop a server to manage our application. By doing so, we also pass some of the security threats to the infrastructure provider such as [https://aws.amazon.com/serverless/ AWS], [https://azure.microsoft.com/en-us/services/functions/ Azure] and [https://cloud.google.com/functions/ Google Cloud]. In addition to the many advantages of serverless application development, such as cost and scalability, some security aspects are also handed to our service provider. Serverless services run code without provisioning or managing servers and the code is executed only when needed.

However, even if these applications are running without a managed server, they still execute code. If this code is written in an insecure manner, it can still be vulnerable to application-level attacks.

The first report will examine the differences in attack vectors, security weaknesses, and the business impact of application attacks on in the serverless world, and, most importantly, the report will suggest ways to to prevent them. As we will be able to see in the report, attack and defense techniques are different from what we used to in the traditional application world.

After that, an open-call will be established to collect data in the wild and establishing the official Serverless Top 10 Report.

==Purpose==

OWASP Serverless Top 10 aims at educating practitioners and organizations about the consequences of the most common serverless application security vulnerabilities, as well as providing basic techniques to identify and protect against them.

== Licensing ==

The OWASP Serverless Top 10 is free to use. It is licensed under the [http://creativecommons.org/licenses/by-sa/4.0/ Creative Commons Attribution-ShareAlike 4.0 license] (CC BY-SA 4.0).

==Project Sponsors==
The OWASP Serverless Top 10 project is sponsored by

[[File:Protego logo black.png|frameless|link=https://protego.io/]]                
[[File:PureSec-Logo.png|frameless|link=https://www.puresec.io/]]                
[[File:Whitesource logo rgb-02.png|frameless|link=https://www.whitesourcesoftware.com/]]

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Quick Downloads ==
[https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf OWASP Top 10: Serverless Interpretation]

== Presentation ==
[https://www.owasp.org/images/1/1e/OWASP_DC_SLS_Top10.pdf Download]

== News & Events ==
* [01 Sep 2018]: Hello World! Project was donated by [https://protego.io Protego Labs]
* [18 Sep 2018]: Join our [https://join.slack.com/t/owasp/shared_invite/enQtNDI5MzgxMDQ2MTAwLTEyNzIzYWQ2NDZiMGIwNmJhYzYxZDJiNTM0ZmZiZmJlY2EwZmMwYjAyNmJjNzQxNzMyMWY4OTk3ZTQ0MzFhMDY Slack-channel] '''#project-sls-top-10'''.
* [22 Sep 2018]: Follow our [https://github.com/OWASP/Serverless-Top-10-Project/ Git Repo].
* [25 Oct 2018]: [https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf '''First Release!''']
* [30 Oct 2018]: PureSec joined as sponsor
* [02 Nov 2018]: OWASP [https://owasp.blogspot.com/2018/11/serverless-top-10-added-to-project.html Official Announcement]
* [13 Dec 2018]: WhiteSource joined as sponsor

== Project Leaders ==
[[User:Tal Mel|Tal Melamed]]

[[User:MarcinHoppe|Marcin Hoppe]]

[[Coming soon!]]

== Related Projects ==
[[:Category:OWASP Top Ten Project|OWASP Top 10 Project]]

==Classifications==

{| width="300" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=Defenders]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Translation Efforts =

* <b>Chinese:</b> <u>[https://www.owasp.org/images/2/23/OWASP-Top-10-Serverless-Interpretation-cn-v1.0.pdf OWASP Top 10 - Serverless Interpretation 中文版（PDF)]</u><br/>
项目牵头人：肖文棣、王颉（wangj@owasp.org.cn）<br/>
项目组成员：刘晓辉、李宇全、明敏、王斌（排名不分先后，按姓氏拼音排列）

= Acknowledgments =

=== ===
{| role="presentation" class="mw-collapsible"
|-
| '''<big>Sponsors </big>'''
|-
|
|-
| [[File:Protego logo black.png|frameless|link=https://protego.io/]]
|-
|
|-
| [[File:PureSec-Logo.png|frameless|link=https://www.puresec.io/]]
|-
|
|-
| [[File:Whitesource logo rgb-02.png|frameless|link=https://www.whitesourcesoftware.com/]]
|}

{| role="presentation" class="mw-collapsible mw-collapsed"
|-
| '''<big>Report Reviewers </big>'''
|-
|Assaf Hefetz, Snyk
|-
|Erez Metula, AppSec Labs
|-
|Erez Yalon, Checkmarx
|-
|Frank M. Catucci, OWASP
|-
|Guy Bernhart-Magen, Intel
|-
|Hemed Gur Ary, OWASP
|-
|Jeff Williams, Contrast Security
|-
|Jim DelGrosso, Synopsys
|-
|Jochanan Sommerfeld, RDuck
|-
|Kobi Lechner, INFINIDAT
|-
|Limor Sylvie Kessem, IBM
|-
|Marcin Hoppe, Auth0
|-
|Mark Johnston, Google
|-
|Martin Knobloch, OWASP
|-
|Matthew Henderson, Microsoft
|-
|Matteo Meucci, Minded Security
|-
|Owen Pendlebury, OWASP
|-
|Paco Hope, AWS
|-
|Patrick Laverty, Rapid7
|-
|Rupack Ganguly, Serverless Inc.
|-
|Tanya Janca, Microsoft
|-
|Tash Norris, Capital One
|-
|Tom Brennan, IOActive
|-
|Yan Cui, DAZN
|-
|Youssef Elmalty, AWS
|}

= Project Resources =
== OWASP Serverless Top 10 - First Released ==
The [https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf OWASP Top 10: Serverless Interpretation] is now available.

[https://github.com/OWASP/Serverless-Top-10-Project/ GitHub repository]

= Roadmap =
{{:Projects/OWASP_Serverless_Top_10_Project/Roadmap}}

= Get involved =

Get involved in <strong> OWASP Serverless Top 10</strong>!

You do not have to be a security expert or a programmer to contribute. Contact the Project Leader(s) to get involved, we welcome any type of suggestions and comments.

Possible ways to get contribute:
* We are actively looking for organizations and individuals that will provide vulnerability prevalence data.
* Translation efforts (later stages)
* Assisting in the development of related tools (e.g. DVSA)

Individuals and organizations that will contribute to the project will listed on the acknowledgments page.

Also, join our Slack Channel [https://join.slack.com/t/owasp/shared_invite/enQtNDI5MzgxMDQ2MTAwLTEyNzIzYWQ2NDZiMGIwNmJhYzYxZDJiNTM0ZmZiZmJlY2EwZmMwYjAyNmJjNzQxNzMyMWY4OTk3ZTQ0MzFhMDY '''#project-sls-top-10''']

GitHub [https://github.com/OWASP/Serverless-Top-10-Project/ project page]

=About=
<span style="color:#ff0000">
{{:OWASP_Serverless_Top_10_Project_About}}

__NOTOC__
<headertabs />

<br/>

[[Category:OWASP Project]]
[[Category:OWASP_Builders]]
[[Category:OWASP_Defenders]]
[[Category:OWASP_Document]]

File:OWASP DC SLS Top10.pdf

2019-09-15T21:44:49Z

Tal Mel: Tal Mel uploaded a new version of File:OWASP DC SLS Top10.pdf

OWASP DC SLS Top10

File:OWASP DC SLS Top10.pdf

2019-09-15T21:43:40Z

Tal Mel:

OWASP DC SLS Top10

OWASP Serverless Top 10 Project

2019-05-17T13:57:36Z

Tal Mel:

<div style="width:100%;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>
= Main =

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== OWASP Serverless Top 10 - First Released ==
The [https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf OWASP Top 10: Serverless Interpretation] is now available.

== Introduction ==

When adopting serverless technology, we eliminate the need to develop a server to manage our application. By doing so, we also pass some of the security threats to the infrastructure provider such as [https://aws.amazon.com/serverless/ AWS], [https://azure.microsoft.com/en-us/services/functions/ Azure] and [https://cloud.google.com/functions/ Google Cloud]. In addition to the many advantages of serverless application development, such as cost and scalability, some security aspects are also handed to our service provider. Serverless services run code without provisioning or managing servers and the code is executed only when needed.

However, even if these applications are running without a managed server, they still execute code. If this code is written in an insecure manner, it can still be vulnerable to application-level attacks.

The first report will examine the differences in attack vectors, security weaknesses, and the business impact of application attacks on in the serverless world, and, most importantly, the report will suggest ways to to prevent them. As we will be able to see in the report, attack and defense techniques are different from what we used to in the traditional application world.

After that, an open-call will be established to collect data in the wild and establishing the official Serverless Top 10 Report.

==Purpose==

OWASP Serverless Top 10 aims at educating practitioners and organizations about the consequences of the most common serverless application security vulnerabilities, as well as providing basic techniques to identify and protect against them.

== Licensing ==

The OWASP Serverless Top 10 is free to use. It is licensed under the [http://creativecommons.org/licenses/by-sa/4.0/ Creative Commons Attribution-ShareAlike 4.0 license] (CC BY-SA 4.0).

==Project Sponsors==
The OWASP Serverless Top 10 project is sponsored by

[[File:Protego logo black.png|frameless|link=https://protego.io/]]                
[[File:PureSec-Logo.png|frameless|link=https://www.puresec.io/]]                
[[File:Whitesource logo rgb-02.png|frameless|link=https://www.whitesourcesoftware.com/]]

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Quick Downloads ==
[https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf OWASP Top 10: Serverless Interpretation]

== Presentation ==
Soon!

== News & Events ==
* [01 Sep 2018]: Hello World! Project was donated by [https://protego.io Protego Labs]
* [18 Sep 2018]: Join our [https://join.slack.com/t/owasp/shared_invite/enQtNDI5MzgxMDQ2MTAwLTEyNzIzYWQ2NDZiMGIwNmJhYzYxZDJiNTM0ZmZiZmJlY2EwZmMwYjAyNmJjNzQxNzMyMWY4OTk3ZTQ0MzFhMDY Slack-channel] '''#project-sls-top-10'''.
* [22 Sep 2018]: Follow our [https://github.com/OWASP/Serverless-Top-10-Project/ Git Repo].
* [25 Oct 2018]: [https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf '''First Release!''']
* [30 Oct 2018]: PureSec joined as sponsor
* [02 Nov 2018]: OWASP [https://owasp.blogspot.com/2018/11/serverless-top-10-added-to-project.html Official Announcement]
* [13 Dec 2018]: WhiteSource joined as sponsor

== Project Leaders ==
[[User:Tal Mel|Tal Melamed]]

[[User:MarcinHoppe|Marcin Hoppe]]

[[Coming soon!]]

== Related Projects ==
[[:Category:OWASP Top Ten Project|OWASP Top 10 Project]]

==Classifications==

{| width="300" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=Defenders]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Translation Efforts =

* <b>Chinese:</b> <u>[https://www.owasp.org/images/2/23/OWASP-Top-10-Serverless-Interpretation-cn-v1.0.pdf OWASP Top 10 - Serverless Interpretation 中文版（PDF)]</u><br/>
项目牵头人：肖文棣、王颉（wangj@owasp.org.cn）<br/>
项目组成员：刘晓辉、李宇全、明敏、王斌（排名不分先后，按姓氏拼音排列）

= Acknowledgments =

=== ===
{| role="presentation" class="mw-collapsible"
|-
| '''<big>Sponsors </big>'''
|-
|
|-
| [[File:Protego logo black.png|frameless|link=https://protego.io/]]
|-
|
|-
| [[File:PureSec-Logo.png|frameless|link=https://www.puresec.io/]]
|-
|
|-
| [[File:Whitesource logo rgb-02.png|frameless|link=https://www.whitesourcesoftware.com/]]
|}

{| role="presentation" class="mw-collapsible mw-collapsed"
|-
| '''<big>Report Reviewers </big>'''
|-
|Assaf Hefetz, Snyk
|-
|Erez Metula, AppSec Labs
|-
|Erez Yalon, Checkmarx
|-
|Frank M. Catucci, OWASP
|-
|Guy Bernhart-Magen, Intel
|-
|Hemed Gur Ary, OWASP
|-
|Jeff Williams, Contrast Security
|-
|Jim DelGrosso, Synopsys
|-
|Jochanan Sommerfeld, RDuck
|-
|Kobi Lechner, INFINIDAT
|-
|Limor Sylvie Kessem, IBM
|-
|Marcin Hoppe, Auth0
|-
|Mark Johnston, Google
|-
|Martin Knobloch, OWASP
|-
|Matthew Henderson, Microsoft
|-
|Matteo Meucci, Minded Security
|-
|Owen Pendlebury, OWASP
|-
|Paco Hope, AWS
|-
|Patrick Laverty, Rapid7
|-
|Rupack Ganguly, Serverless Inc.
|-
|Tanya Janca, Microsoft
|-
|Tash Norris, Capital One
|-
|Tom Brennan, IOActive
|-
|Yan Cui, DAZN
|-
|Youssef Elmalty, AWS
|}

= Project Resources =
== OWASP Serverless Top 10 - First Released ==
The [https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf OWASP Top 10: Serverless Interpretation] is now available.

[https://github.com/OWASP/Serverless-Top-10-Project/ GitHub repository]

= Roadmap =
{{:Projects/OWASP_Serverless_Top_10_Project/Roadmap}}

= Get involved =

Get involved in <strong> OWASP Serverless Top 10</strong>!

You do not have to be a security expert or a programmer to contribute. Contact the Project Leader(s) to get involved, we welcome any type of suggestions and comments.

Possible ways to get contribute:
* We are actively looking for organizations and individuals that will provide vulnerability prevalence data.
* Translation efforts (later stages)
* Assisting in the development of related tools (e.g. DVSA)

Individuals and organizations that will contribute to the project will listed on the acknowledgments page.

Also, join our Slack Channel [https://join.slack.com/t/owasp/shared_invite/enQtNDI5MzgxMDQ2MTAwLTEyNzIzYWQ2NDZiMGIwNmJhYzYxZDJiNTM0ZmZiZmJlY2EwZmMwYjAyNmJjNzQxNzMyMWY4OTk3ZTQ0MzFhMDY '''#project-sls-top-10''']

GitHub [https://github.com/OWASP/Serverless-Top-10-Project/ project page]

=About=
<span style="color:#ff0000">
{{:OWASP_Serverless_Top_10_Project_About}}

__NOTOC__
<headertabs />

<br/>

[[Category:OWASP Project]]
[[Category:OWASP_Builders]]
[[Category:OWASP_Defenders]]
[[Category:OWASP_Document]]

OWASP Serverless Top 10 Project

2019-05-17T13:56:05Z

Tal Mel:

<div style="width:100%;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>
= Main =

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== OWASP Serverless Top 10 - First Released ==
The [https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf OWASP Top 10: Serverless Interpretation] is now available.

== Introduction ==

When adopting serverless technology, we eliminate the need to develop a server to manage our application. By doing so, we also pass some of the security threats to the infrastructure provider such as [https://aws.amazon.com/serverless/ AWS], [https://azure.microsoft.com/en-us/services/functions/ Azure] and [https://cloud.google.com/functions/ Google Cloud]. In addition to the many advantages of serverless application development, such as cost and scalability, some security aspects are also handed to our service provider. Serverless services run code without provisioning or managing servers and the code is executed only when needed.

However, even if these applications are running without a managed server, they still execute code. If this code is written in an insecure manner, it can still be vulnerable to application-level attacks.

The first report will examine the differences in attack vectors, security weaknesses, and the business impact of application attacks on in the serverless world, and, most importantly, the report will suggest ways to to prevent them. As we will be able to see in the report, attack and defense techniques are different from what we used to in the traditional application world.

After that, an open-call will be established to collect data in the wild and establishing the official Serverless Top 10 Report.

==Purpose==

OWASP Serverless Top 10 aims at educating practitioners and organizations about the consequences of the most common serverless application security vulnerabilities, as well as providing basic techniques to identify and protect against them.

== Licensing ==

The OWASP Serverless Top 10 is free to use. It is licensed under the [http://creativecommons.org/licenses/by-sa/4.0/ Creative Commons Attribution-ShareAlike 4.0 license] (CC BY-SA 4.0).

==Project Sponsors==
The OWASP Serverless Top 10 project is sponsored by

[[File:Protego logo black.png|frameless|link=https://protego.io/]]                
[[File:PureSec-Logo.png|frameless|link=https://www.puresec.io/]]                
[[File:Whitesource logo rgb-02.png|frameless|link=https://www.whitesourcesoftware.com/]]

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Quick Downloads ==
[https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf OWASP Top 10: Serverless Interpretation]

== Presentation ==
Soon!

== News & Events ==
* [01 Sep 2018]: Hello World! Project was donated by [https://protego.io Protego Labs]
* [18 Sep 2018]: Join our [https://join.slack.com/t/owasp/shared_invite/enQtNDI5MzgxMDQ2MTAwLTEyNzIzYWQ2NDZiMGIwNmJhYzYxZDJiNTM0ZmZiZmJlY2EwZmMwYjAyNmJjNzQxNzMyMWY4OTk3ZTQ0MzFhMDY Slack-channel] '''#project-sls-top-10'''.
* [22 Sep 2018]: Follow our [https://github.com/OWASP/Serverless-Top-10-Project/ Git Repo].
* [25 Oct 2018]: [https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf '''First Release!''']
* [30 Oct 2018]: PureSec joined as sponsor
* [02 Nov 2018]: OWASP [https://owasp.blogspot.com/2018/11/serverless-top-10-added-to-project.html Official Announcement]
* [13 Dec 2018]: WhiteSource joined as sponsor

== Project Leaders ==
[[User:Tal Mel|Tal Melamed]]

[[User:MarcinHoppe|Marcin Hoppe]]

[[Coming soon!]]

== Related Projects ==
[[:Category:OWASP Top Ten Project|OWASP Top 10 Project]]

==Classifications==

{| width="300" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=Defenders]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Translation Efforts =

* <b>Chinese:</b> <u>[https://www.owasp.org/images/2/23/OWASP-Top-10-Serverless-Interpretation-cn-v1.0.pdf|OWASP Top 10 - Serverless Interpretation 中文版（PDF)]</u><br/>
项目牵头人：肖文棣、王颉（wangj@owasp.org.cn）<br/>
项目组成员：刘晓辉、李宇全、明敏、王斌（排名不分先后，按姓氏拼音排列）

= Acknowledgments =

=== ===
{| role="presentation" class="mw-collapsible"
|-
| '''<big>Sponsors </big>'''
|-
|
|-
| [[File:Protego logo black.png|frameless|link=https://protego.io/]]
|-
|
|-
| [[File:PureSec-Logo.png|frameless|link=https://www.puresec.io/]]
|-
|
|-
| [[File:Whitesource logo rgb-02.png|frameless|link=https://www.whitesourcesoftware.com/]]
|}

{| role="presentation" class="mw-collapsible mw-collapsed"
|-
| '''<big>Report Reviewers </big>'''
|-
|Assaf Hefetz, Snyk
|-
|Erez Metula, AppSec Labs
|-
|Erez Yalon, Checkmarx
|-
|Frank M. Catucci, OWASP
|-
|Guy Bernhart-Magen, Intel
|-
|Hemed Gur Ary, OWASP
|-
|Jeff Williams, Contrast Security
|-
|Jim DelGrosso, Synopsys
|-
|Jochanan Sommerfeld, RDuck
|-
|Kobi Lechner, INFINIDAT
|-
|Limor Sylvie Kessem, IBM
|-
|Marcin Hoppe, Auth0
|-
|Mark Johnston, Google
|-
|Martin Knobloch, OWASP
|-
|Matthew Henderson, Microsoft
|-
|Matteo Meucci, Minded Security
|-
|Owen Pendlebury, OWASP
|-
|Paco Hope, AWS
|-
|Patrick Laverty, Rapid7
|-
|Rupack Ganguly, Serverless Inc.
|-
|Tanya Janca, Microsoft
|-
|Tash Norris, Capital One
|-
|Tom Brennan, IOActive
|-
|Yan Cui, DAZN
|-
|Youssef Elmalty, AWS
|}

= Project Resources =
== OWASP Serverless Top 10 - First Released ==
The [https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf OWASP Top 10: Serverless Interpretation] is now available.

[https://github.com/OWASP/Serverless-Top-10-Project/ GitHub repository]

= Roadmap =
{{:Projects/OWASP_Serverless_Top_10_Project/Roadmap}}

= Get involved =

Get involved in <strong> OWASP Serverless Top 10</strong>!

You do not have to be a security expert or a programmer to contribute. Contact the Project Leader(s) to get involved, we welcome any type of suggestions and comments.

Possible ways to get contribute:
* We are actively looking for organizations and individuals that will provide vulnerability prevalence data.
* Translation efforts (later stages)
* Assisting in the development of related tools (e.g. DVSA)

Individuals and organizations that will contribute to the project will listed on the acknowledgments page.

Also, join our Slack Channel [https://join.slack.com/t/owasp/shared_invite/enQtNDI5MzgxMDQ2MTAwLTEyNzIzYWQ2NDZiMGIwNmJhYzYxZDJiNTM0ZmZiZmJlY2EwZmMwYjAyNmJjNzQxNzMyMWY4OTk3ZTQ0MzFhMDY '''#project-sls-top-10''']

GitHub [https://github.com/OWASP/Serverless-Top-10-Project/ project page]

=About=
<span style="color:#ff0000">
{{:OWASP_Serverless_Top_10_Project_About}}

__NOTOC__
<headertabs />

<br/>

[[Category:OWASP Project]]
[[Category:OWASP_Builders]]
[[Category:OWASP_Defenders]]
[[Category:OWASP_Document]]

OWASP Serverless Top 10 Project

2019-05-17T13:55:34Z

Tal Mel:

<div style="width:100%;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>
= Main =

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== OWASP Serverless Top 10 - First Released ==
The [https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf|OWASP Top 10: Serverless Interpretation] is now available.

== Introduction ==

When adopting serverless technology, we eliminate the need to develop a server to manage our application. By doing so, we also pass some of the security threats to the infrastructure provider such as [https://aws.amazon.com/serverless/ AWS], [https://azure.microsoft.com/en-us/services/functions/ Azure] and [https://cloud.google.com/functions/ Google Cloud]. In addition to the many advantages of serverless application development, such as cost and scalability, some security aspects are also handed to our service provider. Serverless services run code without provisioning or managing servers and the code is executed only when needed.

However, even if these applications are running without a managed server, they still execute code. If this code is written in an insecure manner, it can still be vulnerable to application-level attacks.

The first report will examine the differences in attack vectors, security weaknesses, and the business impact of application attacks on in the serverless world, and, most importantly, the report will suggest ways to to prevent them. As we will be able to see in the report, attack and defense techniques are different from what we used to in the traditional application world.

After that, an open-call will be established to collect data in the wild and establishing the official Serverless Top 10 Report.

==Purpose==

OWASP Serverless Top 10 aims at educating practitioners and organizations about the consequences of the most common serverless application security vulnerabilities, as well as providing basic techniques to identify and protect against them.

== Licensing ==

The OWASP Serverless Top 10 is free to use. It is licensed under the [http://creativecommons.org/licenses/by-sa/4.0/ Creative Commons Attribution-ShareAlike 4.0 license] (CC BY-SA 4.0).

==Project Sponsors==
The OWASP Serverless Top 10 project is sponsored by

[[File:Protego logo black.png|frameless|link=https://protego.io/]]                
[[File:PureSec-Logo.png|frameless|link=https://www.puresec.io/]]                
[[File:Whitesource logo rgb-02.png|frameless|link=https://www.whitesourcesoftware.com/]]

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Quick Downloads ==
[https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf OWASP Top 10: Serverless Interpretation]

== Presentation ==
Soon!

== News & Events ==
* [01 Sep 2018]: Hello World! Project was donated by [https://protego.io Protego Labs]
* [18 Sep 2018]: Join our [https://join.slack.com/t/owasp/shared_invite/enQtNDI5MzgxMDQ2MTAwLTEyNzIzYWQ2NDZiMGIwNmJhYzYxZDJiNTM0ZmZiZmJlY2EwZmMwYjAyNmJjNzQxNzMyMWY4OTk3ZTQ0MzFhMDY Slack-channel] '''#project-sls-top-10'''.
* [22 Sep 2018]: Follow our [https://github.com/OWASP/Serverless-Top-10-Project/ Git Repo].
* [25 Oct 2018]: [https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf '''First Release!''']
* [30 Oct 2018]: PureSec joined as sponsor
* [02 Nov 2018]: OWASP [https://owasp.blogspot.com/2018/11/serverless-top-10-added-to-project.html Official Announcement]
* [13 Dec 2018]: WhiteSource joined as sponsor

== Project Leaders ==
[[User:Tal Mel|Tal Melamed]]

[[User:MarcinHoppe|Marcin Hoppe]]

[[Coming soon!]]

== Related Projects ==
[[:Category:OWASP Top Ten Project|OWASP Top 10 Project]]

==Classifications==

{| width="300" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=Defenders]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Translation Efforts =

* <b>Chinese:</b> <u>[https://www.owasp.org/images/2/23/OWASP-Top-10-Serverless-Interpretation-cn-v1.0.pdf|OWASP Top 10 - Serverless Interpretation 中文版（PDF)]</u><br/>
项目牵头人：肖文棣、王颉（wangj@owasp.org.cn）<br/>
项目组成员：刘晓辉、李宇全、明敏、王斌（排名不分先后，按姓氏拼音排列）

= Acknowledgments =

=== ===
{| role="presentation" class="mw-collapsible"
|-
| '''<big>Sponsors </big>'''
|-
|
|-
| [[File:Protego logo black.png|frameless|link=https://protego.io/]]
|-
|
|-
| [[File:PureSec-Logo.png|frameless|link=https://www.puresec.io/]]
|-
|
|-
| [[File:Whitesource logo rgb-02.png|frameless|link=https://www.whitesourcesoftware.com/]]
|}

{| role="presentation" class="mw-collapsible mw-collapsed"
|-
| '''<big>Report Reviewers </big>'''
|-
|Assaf Hefetz, Snyk
|-
|Erez Metula, AppSec Labs
|-
|Erez Yalon, Checkmarx
|-
|Frank M. Catucci, OWASP
|-
|Guy Bernhart-Magen, Intel
|-
|Hemed Gur Ary, OWASP
|-
|Jeff Williams, Contrast Security
|-
|Jim DelGrosso, Synopsys
|-
|Jochanan Sommerfeld, RDuck
|-
|Kobi Lechner, INFINIDAT
|-
|Limor Sylvie Kessem, IBM
|-
|Marcin Hoppe, Auth0
|-
|Mark Johnston, Google
|-
|Martin Knobloch, OWASP
|-
|Matthew Henderson, Microsoft
|-
|Matteo Meucci, Minded Security
|-
|Owen Pendlebury, OWASP
|-
|Paco Hope, AWS
|-
|Patrick Laverty, Rapid7
|-
|Rupack Ganguly, Serverless Inc.
|-
|Tanya Janca, Microsoft
|-
|Tash Norris, Capital One
|-
|Tom Brennan, IOActive
|-
|Yan Cui, DAZN
|-
|Youssef Elmalty, AWS
|}

= Project Resources =
== OWASP Serverless Top 10 - First Released ==
The [https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf OWASP Top 10: Serverless Interpretation] is now available.

[https://github.com/OWASP/Serverless-Top-10-Project/ GitHub repository]

= Roadmap =
{{:Projects/OWASP_Serverless_Top_10_Project/Roadmap}}

= Get involved =

Get involved in <strong> OWASP Serverless Top 10</strong>!

You do not have to be a security expert or a programmer to contribute. Contact the Project Leader(s) to get involved, we welcome any type of suggestions and comments.

Possible ways to get contribute:
* We are actively looking for organizations and individuals that will provide vulnerability prevalence data.
* Translation efforts (later stages)
* Assisting in the development of related tools (e.g. DVSA)

Individuals and organizations that will contribute to the project will listed on the acknowledgments page.

Also, join our Slack Channel [https://join.slack.com/t/owasp/shared_invite/enQtNDI5MzgxMDQ2MTAwLTEyNzIzYWQ2NDZiMGIwNmJhYzYxZDJiNTM0ZmZiZmJlY2EwZmMwYjAyNmJjNzQxNzMyMWY4OTk3ZTQ0MzFhMDY '''#project-sls-top-10''']

GitHub [https://github.com/OWASP/Serverless-Top-10-Project/ project page]

=About=
<span style="color:#ff0000">
{{:OWASP_Serverless_Top_10_Project_About}}

__NOTOC__
<headertabs />

<br/>

[[Category:OWASP Project]]
[[Category:OWASP_Builders]]
[[Category:OWASP_Defenders]]
[[Category:OWASP_Document]]

OWASP Serverless Top 10 Project

2019-05-17T13:55:08Z

Tal Mel: Chinese translation

<div style="width:100%;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>
= Main =

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== OWASP Serverless Top 10 - First Released ==
The [https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf OWASP Top 10: Serverless Interpretation] is now available.

== Introduction ==

When adopting serverless technology, we eliminate the need to develop a server to manage our application. By doing so, we also pass some of the security threats to the infrastructure provider such as [https://aws.amazon.com/serverless/ AWS], [https://azure.microsoft.com/en-us/services/functions/ Azure] and [https://cloud.google.com/functions/ Google Cloud]. In addition to the many advantages of serverless application development, such as cost and scalability, some security aspects are also handed to our service provider. Serverless services run code without provisioning or managing servers and the code is executed only when needed.

However, even if these applications are running without a managed server, they still execute code. If this code is written in an insecure manner, it can still be vulnerable to application-level attacks.

The first report will examine the differences in attack vectors, security weaknesses, and the business impact of application attacks on in the serverless world, and, most importantly, the report will suggest ways to to prevent them. As we will be able to see in the report, attack and defense techniques are different from what we used to in the traditional application world.

After that, an open-call will be established to collect data in the wild and establishing the official Serverless Top 10 Report.

==Purpose==

OWASP Serverless Top 10 aims at educating practitioners and organizations about the consequences of the most common serverless application security vulnerabilities, as well as providing basic techniques to identify and protect against them.

== Licensing ==

The OWASP Serverless Top 10 is free to use. It is licensed under the [http://creativecommons.org/licenses/by-sa/4.0/ Creative Commons Attribution-ShareAlike 4.0 license] (CC BY-SA 4.0).

==Project Sponsors==
The OWASP Serverless Top 10 project is sponsored by

[[File:Protego logo black.png|frameless|link=https://protego.io/]]                
[[File:PureSec-Logo.png|frameless|link=https://www.puresec.io/]]                
[[File:Whitesource logo rgb-02.png|frameless|link=https://www.whitesourcesoftware.com/]]

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Quick Downloads ==
[https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf OWASP Top 10: Serverless Interpretation]

== Presentation ==
Soon!

== News & Events ==
* [01 Sep 2018]: Hello World! Project was donated by [https://protego.io Protego Labs]
* [18 Sep 2018]: Join our [https://join.slack.com/t/owasp/shared_invite/enQtNDI5MzgxMDQ2MTAwLTEyNzIzYWQ2NDZiMGIwNmJhYzYxZDJiNTM0ZmZiZmJlY2EwZmMwYjAyNmJjNzQxNzMyMWY4OTk3ZTQ0MzFhMDY Slack-channel] '''#project-sls-top-10'''.
* [22 Sep 2018]: Follow our [https://github.com/OWASP/Serverless-Top-10-Project/ Git Repo].
* [25 Oct 2018]: [https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf '''First Release!''']
* [30 Oct 2018]: PureSec joined as sponsor
* [02 Nov 2018]: OWASP [https://owasp.blogspot.com/2018/11/serverless-top-10-added-to-project.html Official Announcement]
* [13 Dec 2018]: WhiteSource joined as sponsor

== Project Leaders ==
[[User:Tal Mel|Tal Melamed]]

[[User:MarcinHoppe|Marcin Hoppe]]

[[Coming soon!]]

== Related Projects ==
[[:Category:OWASP Top Ten Project|OWASP Top 10 Project]]

==Classifications==

{| width="300" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=Defenders]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Translation Efforts =

* <b>Chinese:</b> <u>[https://www.owasp.org/images/2/23/OWASP-Top-10-Serverless-Interpretation-cn-v1.0.pdf|OWASP Top 10 - Serverless Interpretation 中文版（PDF)]</u><br/>
项目牵头人：肖文棣、王颉（wangj@owasp.org.cn）<br/>
项目组成员：刘晓辉、李宇全、明敏、王斌（排名不分先后，按姓氏拼音排列）

= Acknowledgments =

=== ===
{| role="presentation" class="mw-collapsible"
|-
| '''<big>Sponsors </big>'''
|-
|
|-
| [[File:Protego logo black.png|frameless|link=https://protego.io/]]
|-
|
|-
| [[File:PureSec-Logo.png|frameless|link=https://www.puresec.io/]]
|-
|
|-
| [[File:Whitesource logo rgb-02.png|frameless|link=https://www.whitesourcesoftware.com/]]
|}

{| role="presentation" class="mw-collapsible mw-collapsed"
|-
| '''<big>Report Reviewers </big>'''
|-
|Assaf Hefetz, Snyk
|-
|Erez Metula, AppSec Labs
|-
|Erez Yalon, Checkmarx
|-
|Frank M. Catucci, OWASP
|-
|Guy Bernhart-Magen, Intel
|-
|Hemed Gur Ary, OWASP
|-
|Jeff Williams, Contrast Security
|-
|Jim DelGrosso, Synopsys
|-
|Jochanan Sommerfeld, RDuck
|-
|Kobi Lechner, INFINIDAT
|-
|Limor Sylvie Kessem, IBM
|-
|Marcin Hoppe, Auth0
|-
|Mark Johnston, Google
|-
|Martin Knobloch, OWASP
|-
|Matthew Henderson, Microsoft
|-
|Matteo Meucci, Minded Security
|-
|Owen Pendlebury, OWASP
|-
|Paco Hope, AWS
|-
|Patrick Laverty, Rapid7
|-
|Rupack Ganguly, Serverless Inc.
|-
|Tanya Janca, Microsoft
|-
|Tash Norris, Capital One
|-
|Tom Brennan, IOActive
|-
|Yan Cui, DAZN
|-
|Youssef Elmalty, AWS
|}

= Project Resources =
== OWASP Serverless Top 10 - First Released ==
The [https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf OWASP Top 10: Serverless Interpretation] is now available.

[https://github.com/OWASP/Serverless-Top-10-Project/ GitHub repository]

= Roadmap =
{{:Projects/OWASP_Serverless_Top_10_Project/Roadmap}}

= Get involved =

Get involved in <strong> OWASP Serverless Top 10</strong>!

You do not have to be a security expert or a programmer to contribute. Contact the Project Leader(s) to get involved, we welcome any type of suggestions and comments.

Possible ways to get contribute:
* We are actively looking for organizations and individuals that will provide vulnerability prevalence data.
* Translation efforts (later stages)
* Assisting in the development of related tools (e.g. DVSA)

Individuals and organizations that will contribute to the project will listed on the acknowledgments page.

Also, join our Slack Channel [https://join.slack.com/t/owasp/shared_invite/enQtNDI5MzgxMDQ2MTAwLTEyNzIzYWQ2NDZiMGIwNmJhYzYxZDJiNTM0ZmZiZmJlY2EwZmMwYjAyNmJjNzQxNzMyMWY4OTk3ZTQ0MzFhMDY '''#project-sls-top-10''']

GitHub [https://github.com/OWASP/Serverless-Top-10-Project/ project page]

=About=
<span style="color:#ff0000">
{{:OWASP_Serverless_Top_10_Project_About}}

__NOTOC__
<headertabs />

<br/>

[[Category:OWASP Project]]
[[Category:OWASP_Builders]]
[[Category:OWASP_Defenders]]
[[Category:OWASP_Document]]

File:OWASP-Top-10-Serverless-Interpretation-cn-v1.0.pdf

2019-05-17T13:52:14Z

Tal Mel:

Chinese translation for the OWASP Top 10 - Serverless Interpretation

Log review and management

2019-05-14T16:18:49Z

Tal Mel: /* Log Standard */ fix type

==Overview==

Purpose:

* How to detect suspicious activities as soon as possible to reduce the impact of incidence or make prevention if possible.
* How to unify the log format and elements as well as the functions?

Role:

* Who typically does this?

Security Administrator or independent party who has no access rights/accounts in the reviewed systems. You can't be an user administrator. At the same time, you review your activity everyday. However, if there is a resource limitation, you need another supervisor to authorize your log review.

Frequency:

It depends on the criticality (i.e. payment system, customer information, business secret, etc.) of the system labelled by the organization, logs could be reviewed ranging from minute, every day, weekly, monthly or even 3 months. In fact, log review is a kind of detective control and the preventive control is lacking. Log review will be the Goal Keeper and frequency is critical.

However, user account and authority list should be reviewed at least 3 to 6 months and never take a check ONLY when the audit cycle is coming

== Log Review Tips ==

Critical systems require at least daily log review, however, what types of logs/activities should we pay attention to?

1. Consecutive login failure especially in non-office hour.

2. Login in non-office hour.

3. Authority change, addition and removal. Check them against with authorized application.

4. Any system administrator's activities

5. Any unknown workstation/server are plugged into the network?

6. Logs removal/log overwritten/log size is full

7. Pay more attention to the log reports after week-end and holiday

8. Any account unlocked/password reset by system administrators without authorized forms?

== Log Standard ==

In fact, we are suffering various log format and standard from various systems even we are working in-house or act as a consultant. Why don't we produce a standard/guidelines to developer before they design the user administrative and audit trail functions to fulfill security control.

Functions:-
* Search - By date and time, by event type, by criticality, by account/user ID, by department

* Sorting - By date and time, by event type, by criticality, by account/user ID, by department

* Paging (Optional)

* Critical event is marked by "*"

* Log archive and export

* Log code and description table

* Highlighting system and user adminisitrator activities

Mandatory Fields:-
* User ID and Name (Sometimes, event may involve the action from administrator)

* Activity Date/Timestamp

* Activity Code, Type and Description

* Terminal IP address and Location

User Account List:-
* User Info - Name, Department, Role

* Last Accessed Time

* Account Creation Date/Time

* Current Authority and Role

* Account authority and information change history

* Show expired and inactive accounts (for example: 90 days)

== Logging Tools ==

'''Resources from Syslog.org'''

* Event Notification
<u>http://www.syslog.org/wiki/Main/EventNotification</u>
* Syslog Clients
<u>http://www.syslog.org/wiki/Main/SyslogClients</u>
* Syslogd Replacements
<u>http://www.syslog.org/wiki/Main/SyslogdReplacements</u>
* Event Viewers
<u>http://www.syslog.org/wiki/Main/EventViewers</u>
* Log Analyzers
<u>http://www.syslog.org/wiki/Main/LogAnalyzers</u>
* Event Correlation
<u>http://www.syslog.org/wiki/Main/EventCorrelation</u>
* Windows
<u>http://www.syslog.org/wiki/Main/Windows</u>
* Misc Log Tools
<u>http://www.syslog.org/wiki/Main/MiscLogTools</u>

'''Best Practice and Tips from Syslog'''
* Syslog Security Tip
<u>http://www.syslog.org/wiki/Main/SyslogSecurityTip</u>
* Central Syslog Tip
<u>http://www.syslog.org/wiki/Main/CentralSyslogTip</u>
* Logging Windows To Syslog Server
<u>http://www.syslog.org/wiki/Main/LoggingWindowsToSyslogServer</u>
*Logging Troubleshoot
<u>http://www.syslog.org/wiki/Main/TroubleshootingSyslogForwarding</u>
* Syslog Best Practices
<u>http://www.syslog.org/wiki/Main/SyslogBestPractices</u>
* Logging, Log File Rotation, and Syslog Tutorial
<u>http://www.hccfl.edu/pollock/AUnix2/Logging.htm</u>

[[Category:Activity]]
[[Category:Logging]]
[[Category:OWASP Logging Project]]

User:Tal Mel

2019-04-11T04:15:55Z

Tal Mel:

[[File:Tal melamed owasp.jpg|thumb]]
<span style="color:#FFFFFF">Tal Melamed</span><br>
'''Tal Melamed''' <br>
== Contact ==
Tal.Melamed@owasp.org <br>
<br>

== Projects ==
[[OWASP_DVSA|'''OWASP DVSA''']] <br>
[[OWASP_Serverless_Top_10_Project|'''OWASP Serverless Top 10''']] <br>
[[OWASP_Path_Traverser|'''OWASP Path Traverser''']] <br>
[[OWASP_Rainbow_Maker_Project|'''OWASP Rainbow Maker''']]<br>
[https://github.com/nu11p0inter/kingpin/ Kingpin - TCP/SSL Proxy] <br>
[https://github.com/nu11p0inter/virustotal/ VirusTotal python API] <br>
<br>

== Conferences ==
(OWASP Conferences)<br>
[https://telaviv.appsecglobal.org/ OWASP Global AppSec Tel Aviv] - Serverless Top 10 <br>
[https://www.owasp.org/index.php/AppSec_Israel_2016_Presentations '''OWASP AppSec Israel 2016'''] - Java Hurdling: Obstacles and Techniques in Java Client Penetration-testing [https://www.owasp.org/index.php/AppSec_Israel_2016_Presentations#Java_Hurdling:_Obstacles_and_Techniques_in_Java_Client_Penetration-testing Download] [https://www.youtube.com/watch?v=oq4phacH9WY YouTube]<br>
[https://www.owasp.org/index.php/OWASP_Israel_January_2017 '''OWASP Israel 2017'''] - [https://www.owasp.org/index.php/OWASP_Israel_January_2017#RUaBLE_BLE_Application_Hacking R U aBLE? BLE Application Hacking]<br>
Full list of speaking engagements: https://appsec.it/talks
<br><br>

== Pages ==
[http://www.linkedin.com/in/talmelamed LinkedIn] <br>
[http://serverless.fail DVSA] <br>
[https://appsec.it AppSec.it] <br>
[https://github.com/nu11p0inter/ GitHub] <br>
[https://twitter.com/@_nu11p0inter/ Twitter] <br>
<br>

== Experience ==
[2019-Present]   '''Adjunct Faculty''' @ [https://www.qu.edu/schools/engineering/programs/ms-cyber-security.html Quinnipiac University]<br>
[2018-Present]   '''Head of Security Research''' @ [https://www.protego.io/ Protego Labs]<br>
[2017-Present]   Security Researcher @ [https://www.synack.com/red-team/ Synack]<br>
[2017-2018]       Cyber Security Advisor @ [https://fbk.eu FBK]<br>
[2013-2018]       Tech Leader @ [https://appsec-labs.com AppSec Labs]<br>
[2011-2013]       Information Security Analyst @ [http://amdocs.com Amdocs]<br>
[2009-2011]       Security Researcher @ [http://www.checkpoint.com/products/dlp-software-blade/ CheckPoint Software Technologies] <br>
[2006-2008]       Intelligence Analyst @ [http://www.emc.com/security/rsa-identity-protection-and-verification/rsa-fraudaction.htm RSA, The Security Division of EMC] <br>
[2004-2005]       Security Team @ [http://www.iai.co.il/ Israel Aerospace Industries (IAI)] <br>
[2001-2004]       Platoon Sergeant @ [http://www.idf.il/english/ Israel Defense Forces (IDF)] <br>
<br>

User:Tal Mel

2019-04-11T04:14:15Z

Tal Mel:

[[File:Tal melamed owasp.jpg|thumb]]
<span style="color:#FFFFFF">Tal Melamed</span><br>
'''Tal Melamed''' <br>
== Contact ==
Tal.Melamed@owasp.org <br>
<br>

== Projects ==
[[OWASP_DVSA|'''OWASP DVSA''']] <br>
[[OWASP_Serverless_Top_10_Project|'''OWASP Serverless Top 10''']] <br>
[[OWASP_Path_Traverser|'''OWASP Path Traverser''']] <br>
[[OWASP_Rainbow_Maker_Project|'''OWASP Rainbow Maker''']]<br>
[https://github.com/nu11p0inter/kingpin/ Kingpin - TCP/SSL Proxy] <br>
[https://github.com/nu11p0inter/virustotal/ VirusTotal python API] <br>
<br>

== Conferences ==
(OWASP Conferences)<br>
[https://telaviv.appsecglobal.org/ OWASP Global AppSec Tel Aviv] - Serverless Top 10 <br>
[https://www.owasp.org/index.php/AppSec_Israel_2016_Presentations '''OWASP AppSec Israel 2016'''] - Java Hurdling: Obstacles and Techniques in Java Client Penetration-testing [https://www.owasp.org/index.php/AppSec_Israel_2016_Presentations#Java_Hurdling:_Obstacles_and_Techniques_in_Java_Client_Penetration-testing Download] [https://www.youtube.com/watch?v=oq4phacH9WY YouTube]<br>
[https://www.owasp.org/index.php/OWASP_Israel_January_2017 '''OWASP Israel 2017'''] - [https://www.owasp.org/index.php/OWASP_Israel_January_2017#RUaBLE_BLE_Application_Hacking R U aBLE? BLE Application Hacking]<br>
Full list of speaking engagements: https://appsec.it/talks
<br><br>

== Pages ==
[http://www.linkedin.com/in/talmelamed LinkedIn] <br>
[http://serverless.fail DVSA] <br>
[https://appsec.it AppSec.it] <br>
[https://github.com/nu11p0inter/ GitHub] <br>
[https://twitter.com/@_nu11p0inter/ Twitter] <br>
<br>

== Experience ==
[2018-Present]   '''Head of Security Research''' @ [https://www.protego.io/ Protego Labs]<br>
[2017-Present]   Security Researcher @ [https://www.synack.com/red-team/ Synack]<br>
[2017-2018]       Cyber Security Advisor @ [https://fbk.eu FBK]<br>
[2013-2018]       Tech Leader @ [https://appsec-labs.com AppSec Labs]<br>
[2011-2013]       Information Security Analyst @ [http://amdocs.com Amdocs]<br>
[2009-2011]       Security Researcher @ [http://www.checkpoint.com/products/dlp-software-blade/ CheckPoint Software Technologies] <br>
[2006-2008]       Intelligence Analyst @ [http://www.emc.com/security/rsa-identity-protection-and-verification/rsa-fraudaction.htm RSA, The Security Division of EMC] <br>
[2004-2005]       Security Team @ [http://www.iai.co.il/ Israel Aerospace Industries (IAI)] <br>
[2001-2004]       Platoon Sergeant @ [http://www.idf.il/english/ Israel Defense Forces (IDF)] <br>
<br>

OWASP DVSA

2019-01-24T20:47:33Z

Tal Mel:

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==DVSA==
=== a Damn Vulnerable Serverless Application ===

Damn Vulnerable Serverless Application (DVSA) is a deliberately vulnerable application aiming to be an aid for security professionals to test their skills and tools in a legal environment, help developers better understand the processes of securing serverless applications and to aid both students & teachers to learn about serverless application security in a controlled class room environment.

The aim of DVSA is to practice some of the most common serverless vulnerabilities, with a simple straightforward interface.

Please note, there are both documented and undocumented vulnerabilities with this software. This is intentional. You are encouraged to try and discover as many issues as possible.

== Disclaimer ==
We do not take responsibility for the way in which any one uses this application (DVSA). We have made the purposes of the application clear and it should not be used maliciously. We have given warnings and taken measures to prevent users from installing DVSA on to production accounts.

==License==

Damn Vulnerable Serverless Application (DVSA) is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

Damn Vulnerable Serverless Application (DVSA) is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with Damn Vulnerable Serverless Application (DVSA). If not, see http://www.gnu.org/licenses/.

== Deployment ==

=== Application Repository ===
Deploy DVSA from the AWS [https://serverlessrepo.aws.amazon.com/applications/arn:aws:serverlessrepo:us-east-1:889485553959:applications~DVSAServerless Applicaiton Repository]

After deployment is complete. Click on 'View CloudFormation Stack'

Under 'Outputs' you will find the URL for the application (DVSA Website URL)

=== Serverless Framework ===

clone project from github

<code>npm install</code>
==== Deploy Backend ====
<code>sls deploy</code>
==== Build Client ====
<code>npm run-script client:build</code>
==== Deploy Client ====
<code>sls client deploy</code>

== Cheat Sheet ==
Lessons can be found '''[https://github.com/OWASP/DVSA/blob/master/AWS/LESSONS.md here]'''

== Roadmap ==
* '''25 DEC 2018''': http://serverless.fail (official website) was launched.
* '''08 JAN 2019''': v1.0 beta release [https://github.com/owasp/dvsa GitHub])
* '''01 FEB 2019''': v1.0 official version.

== Project Sponsors ==
The project was initially developed by Protego Labs:

[[File:Protego logo black.png|frameless|link=https://protego.io/]]

==Getting Involved==
You do not have to be a security expert or a programmer to contribute.

Contact the Project Leader(s) to get involved, we welcome any type of suggestions and comments.

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Project Resources ==
[https://serverlessrepo.aws.amazon.com/applications/arn:aws:serverlessrepo:us-east-1:889485553959:applications~DVSA AWS Application Repository]

[http://serverless.fail Online version]

[https://github.com/OWASP/DVSA GitHub Repo]

[https://join.slack.com/t/owasp/shared_invite/enQtNDI5MzgxMDQ2MTAwLTEyNzIzYWQ2NDZiMGIwNmJhYzYxZDJiNTM0ZmZiZmJlY2EwZmMwYjAyNmJjNzQxNzMyMWY4OTk3ZTQ0MzFhMDY Slack '''#project-sls-top-10''']

== Project Leader ==
[[User:Tal_Mel|Tal Melamed]]

== Presentation ==
Soon!

== News & Events ==
* [25 Dec 2018]: http://serverless.fail - Launched
* [01 Jan 2019]: Project was donated by [https://protego.io Protego Labs]
* [03 Jan 2019]: [https://www.theregister.co.uk/2019/01/03/damn_vulnerable_serverless_application/ The Register]
* [04 Jan 2019]: [https://sdtimes.com/cloud/sd-times-news-digest-protegos-dvsa-quicklogic-acquires-ai-company-and-iot-interoperability/ SDTimes]
* [07 Jan 2019]: [http://www.eweek.com/security/protego-labs-boosts-serverless-security-with-open-source-project eWEEK]
* [08 Jan 2019]: [https://www.computerweekly.com/news/252455429/Protego-Labs-launches-serverless-app-security-tool Computer Weekly]
* [08 Jan 2019]: [https://technical.ly/baltimore/2019/01/08/protego-has-a-new-open-source-tool-to-provide-serverless-security-training/ Technical.ly]
* [09 Jan 2019]: [https://github.com/owasp/dvsa Beta release!]

==Classifications==

{| width="400" cellpadding="2"
|-
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]
|-
| rowspan="2" align="center" valign="top" width="50%" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]
| align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%" | [[File:Owasp-defenders-small.png|link=Defenders]]
|-
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]
|}
|}

__NOTOC__ <headertabs />

[[Category:OWASP Project]]
[[Category:OWASP_Builders]]
[[Category:OWASP_Defenders]]
[[Category:OWASP_Tool]]

OWASP DVSA

2019-01-24T20:45:15Z

Tal Mel:

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==DVSA==
=== a Damn Vulnerable Serverless Application ===

Damn Vulnerable Serverless Application (DVSA) is a deliberately vulnerable application aiming to be an aid for security professionals to test their skills and tools in a legal environment, help developers better understand the processes of securing serverless applications and to aid both students & teachers to learn about serverless application security in a controlled class room environment.

The aim of DVSA is to practice some of the most common serverless vulnerabilities, with a simple straightforward interface.

Please note, there are both documented and undocumented vulnerabilities with this software. This is intentional. You are encouraged to try and discover as many issues as possible.

== Disclaimer ==
We do not take responsibility for the way in which any one uses this application (DVSA). We have made the purposes of the application clear and it should not be used maliciously. We have given warnings and taken measures to prevent users from installing DVSA on to production accounts.

==License==

Damn Vulnerable Serverless Application (DVSA) is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

Damn Vulnerable Serverless Application (DVSA) is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with Damn Vulnerable Serverless Application (DVSA). If not, see http://www.gnu.org/licenses/.

== Deployment ==
clone project from github

<code>npm install</code>
==== Deploy Backend ====
<code>sls deploy</code>
==== Build Client ====
<code>npm run-script client:build</code>
==== Deploy Client ====
<code>sls client deploy</code>

== Cheat Sheet ==
Lessons can be found '''[https://github.com/OWASP/DVSA/blob/master/AWS/LESSONS.md here]'''

== Roadmap ==
* '''25 DEC 2018''': http://serverless.fail (official website) was launched.
* '''08 JAN 2019''': v1.0 beta release [https://github.com/owasp/dvsa GitHub])
* '''01 FEB 2019''': v1.0 official version.

== Project Sponsors ==
The project was initially developed by Protego Labs:

[[File:Protego logo black.png|frameless|link=https://protego.io/]]

==Getting Involved==
You do not have to be a security expert or a programmer to contribute.

Contact the Project Leader(s) to get involved, we welcome any type of suggestions and comments.

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Project Resources ==
[https://serverlessrepo.aws.amazon.com/applications/arn:aws:serverlessrepo:us-east-1:889485553959:applications~DVSA AWS Application Repository]

[http://serverless.fail Online version]

[https://github.com/OWASP/DVSA GitHub Repo]

[https://join.slack.com/t/owasp/shared_invite/enQtNDI5MzgxMDQ2MTAwLTEyNzIzYWQ2NDZiMGIwNmJhYzYxZDJiNTM0ZmZiZmJlY2EwZmMwYjAyNmJjNzQxNzMyMWY4OTk3ZTQ0MzFhMDY Slack '''#project-sls-top-10''']

== Project Leader ==
[[User:Tal_Mel|Tal Melamed]]

== Presentation ==
Soon!

== News & Events ==
* [25 Dec 2018]: http://serverless.fail - Launched
* [01 Jan 2019]: Project was donated by [https://protego.io Protego Labs]
* [03 Jan 2019]: [https://www.theregister.co.uk/2019/01/03/damn_vulnerable_serverless_application/ The Register]
* [04 Jan 2019]: [https://sdtimes.com/cloud/sd-times-news-digest-protegos-dvsa-quicklogic-acquires-ai-company-and-iot-interoperability/ SDTimes]
* [07 Jan 2019]: [http://www.eweek.com/security/protego-labs-boosts-serverless-security-with-open-source-project eWEEK]
* [08 Jan 2019]: [https://www.computerweekly.com/news/252455429/Protego-Labs-launches-serverless-app-security-tool Computer Weekly]
* [08 Jan 2019]: [https://technical.ly/baltimore/2019/01/08/protego-has-a-new-open-source-tool-to-provide-serverless-security-training/ Technical.ly]
* [09 Jan 2019]: [https://github.com/owasp/dvsa Beta release!]

==Classifications==

{| width="400" cellpadding="2"
|-
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]
|-
| rowspan="2" align="center" valign="top" width="50%" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]
| align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%" | [[File:Owasp-defenders-small.png|link=Defenders]]
|-
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]
|}
|}

__NOTOC__ <headertabs />

[[Category:OWASP Project]]
[[Category:OWASP_Builders]]
[[Category:OWASP_Defenders]]
[[Category:OWASP_Tool]]

OWASP DVSA

2019-01-08T22:24:35Z

Tal Mel:

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==DVSA==
=== a Damn Vulnerable Serverless Application ===

Damn Vulnerable Serverless Application (DVSA) is a deliberately vulnerable application aiming to be an aid for security professionals to test their skills and tools in a legal environment, help developers better understand the processes of securing serverless applications and to aid both students & teachers to learn about serverless application security in a controlled class room environment.

The aim of DVSA is to practice some of the most common serverless vulnerabilities, with a simple straightforward interface.

Please note, there are both documented and undocumented vulnerabilities with this software. This is intentional. You are encouraged to try and discover as many issues as possible.

== Disclaimer ==
We do not take responsibility for the way in which any one uses this application (DVSA). We have made the purposes of the application clear and it should not be used maliciously. We have given warnings and taken measures to prevent users from installing DVSA on to production accounts.

==License==

Damn Vulnerable Serverless Application (DVSA) is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

Damn Vulnerable Serverless Application (DVSA) is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with Damn Vulnerable Serverless Application (DVSA). If not, see http://www.gnu.org/licenses/.

== Deployment ==
clone project from github

<code>npm install</code>
==== Deploy Backend ====
<code>sls deploy</code>
==== Build Client ====
<code>npm run-script client:build</code>
==== Deploy Client ====
<code>sls client deploy</code>

== Cheat Sheet ==
Lessons can be found '''[https://github.com/OWASP/DVSA/blob/master/AWS/LESSONS.md here]'''

== Roadmap ==
* '''25 DEC 2018''': http://serverless.fail (official website) was launched.
* '''08 JAN 2019''': v1.0 beta release [https://github.com/owasp/dvsa GitHub])
* '''01 FEB 2019''': v1.0 official version.

== Project Sponsors ==
The project was initially developed by Protego Labs:

[[File:Protego logo black.png|frameless|link=https://protego.io/]]

==Getting Involved==
You do not have to be a security expert or a programmer to contribute.

Contact the Project Leader(s) to get involved, we welcome any type of suggestions and comments.

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Project Resources ==
[http://serverless.fail Online version]

[https://github.com/OWASP/DVSA GitHub Repo]

[https://join.slack.com/t/owasp/shared_invite/enQtNDI5MzgxMDQ2MTAwLTEyNzIzYWQ2NDZiMGIwNmJhYzYxZDJiNTM0ZmZiZmJlY2EwZmMwYjAyNmJjNzQxNzMyMWY4OTk3ZTQ0MzFhMDY Slack '''#project-sls-top-10''']

== Project Leader ==
[[User:Tal_Mel|Tal Melamed]]

== Presentation ==
Soon!

== News & Events ==
* [25 Dec 2018]: http://serverless.fail - Launched
* [01 Jan 2019]: Project was donated by [https://protego.io Protego Labs]
* [03 Jan 2019]: [https://www.theregister.co.uk/2019/01/03/damn_vulnerable_serverless_application/ The Register]
* [04 Jan 2019]: [https://sdtimes.com/cloud/sd-times-news-digest-protegos-dvsa-quicklogic-acquires-ai-company-and-iot-interoperability/ SDTimes]
* [07 Jan 2019]: [http://www.eweek.com/security/protego-labs-boosts-serverless-security-with-open-source-project eWEEK]
* [08 Jan 2019]: [https://www.computerweekly.com/news/252455429/Protego-Labs-launches-serverless-app-security-tool Computer Weekly]
* [08 Jan 2019]: [https://technical.ly/baltimore/2019/01/08/protego-has-a-new-open-source-tool-to-provide-serverless-security-training/ Technical.ly]
* [09 Jan 2019]: [https://github.com/owasp/dvsa Beta release!]

==Classifications==

{| width="400" cellpadding="2"
|-
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]
|-
| rowspan="2" align="center" valign="top" width="50%" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]
| align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%" | [[File:Owasp-defenders-small.png|link=Defenders]]
|-
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]
|}
|}

__NOTOC__ <headertabs />

[[Category:OWASP Project]]
[[Category:OWASP_Builders]]
[[Category:OWASP_Defenders]]
[[Category:OWASP_Tool]]

OWASP DVSA

2019-01-08T14:36:46Z

Tal Mel:

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==DVSA==
=== a Damn Vulnerable Serverless Application ===

Damn Vulnerable Serverless Application (DVSA) is a deliberately vulnerable application aiming to be an aid for security professionals to test their skills and tools in a legal environment, help developers better understand the processes of securing serverless applications and to aid both students & teachers to learn about serverless application security in a controlled class room environment.

The aim of DVSA is to practice some of the most common serverless vulnerabilities, with a simple straightforward interface.

Please note, there are both documented and undocumented vulnerabilities with this software. This is intentional. You are encouraged to try and discover as many issues as possible.

== Disclaimer ==
We do not take responsibility for the way in which any one uses this application (DVSA). We have made the purposes of the application clear and it should not be used maliciously. We have given warnings and taken measures to prevent users from installing DVSA on to production accounts.

==License==

Damn Vulnerable Serverless Application (DVSA) is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

Damn Vulnerable Serverless Application (DVSA) is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with Damn Vulnerable Serverless Application (DVSA). If not, see http://www.gnu.org/licenses/.

== Deployment ==
clone project from github

<code>npm install</code>
==== Deploy Backend ====
<code>sls deploy</code>
==== Build Client ====
<code>npm run-script client:build</code>
==== Deploy Client ====
<code>sls client deploy</code>

== Cheat Sheet ==
Lessons can be found '''[https://github.com/OWASP/DVSA/blob/master/AWS/LESSONS.md here]'''

== Roadmap ==
* '''25 DEC 2018''': http://serverless.fail (official website) was launched.
* '''08 JAN 2019''': v1.0 beta release [https://github.com/owasp/dvsa GitHub])
* '''01 FEB 2019''': v1.0 official version.

== Project Sponsors ==
The project was initially developed by Protego Labs:

[[File:Protego logo black.png|frameless|link=https://protego.io/]]

==Getting Involved==
You do not have to be a security expert or a programmer to contribute.

Contact the Project Leader(s) to get involved, we welcome any type of suggestions and comments.

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Project Resources ==
[http://serverless.fail Online version]

[https://github.com/OWASP/DVSA GitHub Repo]

[https://join.slack.com/t/owasp/shared_invite/enQtNDI5MzgxMDQ2MTAwLTEyNzIzYWQ2NDZiMGIwNmJhYzYxZDJiNTM0ZmZiZmJlY2EwZmMwYjAyNmJjNzQxNzMyMWY4OTk3ZTQ0MzFhMDY Slack '''#project-sls-top-10''']

== Project Leader ==
[[User:Tal_Mel|Tal Melamed]]

== Presentation ==
Soon!

== News & Events ==
* [25 Dec 2018]: http://serverless.fail - Launched
* [01 Jan 2019]: Project was donated by [https://protego.io Protego Labs]
* [03 Jan 2019]: [https://www.theregister.co.uk/2019/01/03/damn_vulnerable_serverless_application/ The Register]
* [04 Jan 2019]: [https://sdtimes.com/cloud/sd-times-news-digest-protegos-dvsa-quicklogic-acquires-ai-company-and-iot-interoperability/ SDTimes]
* [07 Jan 2019]: [http://www.eweek.com/security/protego-labs-boosts-serverless-security-with-open-source-project eWEEK]
* [08 Jan 2019]: [https://www.computerweekly.com/news/252455429/Protego-Labs-launches-serverless-app-security-tool Computer Weekly]
* [09 Jan 2019]: [https://github.com/owasp/dvsa Beta release!]

==Classifications==

{| width="400" cellpadding="2"
|-
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]
|-
| rowspan="2" align="center" valign="top" width="50%" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]
| align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%" | [[File:Owasp-defenders-small.png|link=Defenders]]
|-
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]
|}
|}

__NOTOC__ <headertabs />

[[Category:OWASP Project]]
[[Category:OWASP_Builders]]
[[Category:OWASP_Defenders]]
[[Category:OWASP_Tool]]

OWASP DVSA

2019-01-07T21:12:06Z

Tal Mel:

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==DVSA==
=== a Damn Vulnerable Serverless Application ===

Damn Vulnerable Serverless Application (DVSA) is a deliberately vulnerable application aiming to be an aid for security professionals to test their skills and tools in a legal environment, help developers better understand the processes of securing serverless applications and to aid both students & teachers to learn about serverless application security in a controlled class room environment.

The aim of DVSA is to practice some of the most common serverless vulnerabilities, with a simple straightforward interface.

Please note, there are both documented and undocumented vulnerabilities with this software. This is intentional. You are encouraged to try and discover as many issues as possible.

== Disclaimer ==
We do not take responsibility for the way in which any one uses this application (DVSA). We have made the purposes of the application clear and it should not be used maliciously. We have given warnings and taken measures to prevent users from installing DVSA on to production accounts.

==License==

Damn Vulnerable Serverless Application (DVSA) is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

Damn Vulnerable Serverless Application (DVSA) is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with Damn Vulnerable Serverless Application (DVSA). If not, see http://www.gnu.org/licenses/.

== Deployment ==
clone project from github

<code>npm install</code>
==== Deploy Backend ====
<code>sls deploy</code>
==== Build Client ====
<code>npm run-script client:build</code>
==== Deploy Client ====
<code>sls client deploy</code>

== Cheat Sheet ==
Lessons can be found '''[https://github.com/OWASP/DVSA/blob/master/AWS/LESSONS.md here]'''

== Roadmap ==
* '''25 DEC 2018''': http://serverless.fail (official website) was launched.
* '''08 JAN 2019''': v1.0 beta release [https://github.com/owasp/dvsa GitHub])
* '''01 FEB 2019''': v1.0 official version.

== Project Sponsors ==
The project was initially developed by Protego Labs:

[[File:Protego logo black.png|frameless|link=https://protego.io/]]

==Getting Involved==
You do not have to be a security expert or a programmer to contribute.

Contact the Project Leader(s) to get involved, we welcome any type of suggestions and comments.

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Project Resources ==
[http://serverless.fail Online version]

[https://github.com/OWASP/DVSA GitHub Repo]

[https://join.slack.com/t/owasp/shared_invite/enQtNDI5MzgxMDQ2MTAwLTEyNzIzYWQ2NDZiMGIwNmJhYzYxZDJiNTM0ZmZiZmJlY2EwZmMwYjAyNmJjNzQxNzMyMWY4OTk3ZTQ0MzFhMDY Slack '''#project-sls-top-10''']

== Project Leader ==
[[User:Tal_Mel|Tal Melamed]]

== Presentation ==
Soon!

== News & Events ==
* [25 Dec 2018]: http://serverless.fail - Launched
* [01 Jan 2019]: Project was donated by [https://protego.io Protego Labs]
* [03 Jan 2019]: [https://www.theregister.co.uk/2019/01/03/damn_vulnerable_serverless_application/ The Register]
* [04 Jan 2019]: [https://sdtimes.com/cloud/sd-times-news-digest-protegos-dvsa-quicklogic-acquires-ai-company-and-iot-interoperability/ SDTimes]
* [07 Jan 2019]: [http://www.eweek.com/security/protego-labs-boosts-serverless-security-with-open-source-project eWEEK]
* [08 Jan 2019]: [https://github.com/owasp/dvsa Beta release!]

==Classifications==

{| width="400" cellpadding="2"
|-
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]
|-
| rowspan="2" align="center" valign="top" width="50%" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]
| align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%" | [[File:Owasp-defenders-small.png|link=Defenders]]
|-
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]
|}
|}

__NOTOC__ <headertabs />

[[Category:OWASP Project]]
[[Category:OWASP_Builders]]
[[Category:OWASP_Defenders]]
[[Category:OWASP_Tool]]

User:Tal Mel

2019-01-07T21:02:32Z

Tal Mel:

[[File:Tal melamed owasp.jpg|thumb]]
<span style="color:#FFFFFF">Tal Melamed</span><br>
'''Tal Melamed''' <br>
== Contact ==
Tal.Melamed@owasp.org <br>
<br>

== Projects ==
[[OWASP_DVSA|'''OWASP DVSA''']] <br>
[[OWASP_Serverless_Top_10_Project|'''OWASP Serverless Top 10''']] <br>
[[OWASP_Path_Traverser|'''OWASP Path Traverser''']] <br>
[[OWASP_Rainbow_Maker_Project|'''OWASP Rainbow Maker''']]<br>
[https://github.com/nu11p0inter/kingpin/ Kingpin - TCP/SSL Proxy] <br>
[https://github.com/nu11p0inter/virustotal/ VirusTotal python API] <br>
<br>

== Conferences ==
(OWASP Conferences)<br>
[https://www.owasp.org/index.php/AppSec_Israel_2016_Presentations '''OWASP AppSec Israel 2016'''] - Java Hurdling: Obstacles and Techniques in Java Client Penetration-testing [https://www.owasp.org/index.php/AppSec_Israel_2016_Presentations#Java_Hurdling:_Obstacles_and_Techniques_in_Java_Client_Penetration-testing Download] [https://www.youtube.com/watch?v=oq4phacH9WY YouTube]<br>
[https://www.owasp.org/index.php/OWASP_Israel_January_2017 '''OWASP Israel 2017'''] - [https://www.owasp.org/index.php/OWASP_Israel_January_2017#RUaBLE_BLE_Application_Hacking R U aBLE? BLE Application Hacking]<br>
Full list of talking engagements: https://appsec.it/talks
<br><br>

== Pages ==
[http://www.linkedin.com/in/talmelamed LinkedIn] <br>
[http://serverless.fail DVSA] <br>
[https://appsec.it AppSec.it] <br>
[https://github.com/nu11p0inter/ GitHub] <br>
[https://twitter.com/@_nu11p0inter/ Twitter] <br>
<br>

== Experience ==
[2018-Present]   '''Head of Security Research''' @ [https://www.protego.io/ Protego Labs]<br>
[2017-Present]   Security Researcher @ [https://www.synack.com/red-team/ Synack]<br>
[2017-2018]       Cyber Security Advisor @ [https://fbk.eu FBK]<br>
[2013-2018]       Tech Leader @ [https://appsec-labs.com AppSec Labs]<br>
[2011-2013]       Information Security Analyst @ [http://amdocs.com Amdocs]<br>
[2009-2011]       Security Researcher @ [http://www.checkpoint.com/products/dlp-software-blade/ CheckPoint Software Technologies] <br>
[2006-2008]       Intelligence Analyst @ [http://www.emc.com/security/rsa-identity-protection-and-verification/rsa-fraudaction.htm RSA, The Security Division of EMC] <br>
[2004-2005]       Security Team @ [http://www.iai.co.il/ Israel Aerospace Industries (IAI)] <br>
[2001-2004]       Platoon Sergeant @ [http://www.idf.il/english/ Israel Defense Forces (IDF)] <br>
<br>

OWASP DVSA

2018-12-27T19:02:54Z

Tal Mel:

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==DVSA==
=== a Damn Vulnerable Serverless Application ===

Damn Vulnerable Serverless Application (DVSA) is a deliberately vulnerable application aiming to be an aid for security professionals to test their skills and tools in a legal environment, help developers better understand the processes of securing serverless applications and to aid both students & teachers to learn about serverless application security in a controlled class room environment.

The aim of DVSA is to practice some of the most common serverless vulnerabilities, with a simple straightforward interface.

Please note, there are both documented and undocumented vulnerabilities with this software. This is intentional. You are encouraged to try and discover as many issues as possible.

== Disclaimer ==
We do not take responsibility for the way in which any one uses this application (DVSA). We have made the purposes of the application clear and it should not be used maliciously. We have given warnings and taken measures to prevent users from installing DVSA on to production accounts.

==License==

Damn Vulnerable Serverless Application (DVSA) is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

Damn Vulnerable Serverless Application (DVSA) is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with Damn Vulnerable Serverless Application (DVSA). If not, see http://www.gnu.org/licenses/.

== Deployment ==
clone project from github

<code>npm install</code>
==== Deploy Backend ====
<code>sls deploy</code>
==== Build Client ====
<code>npm run-script client:build</code>
==== Deploy Client ====
<code>sls client deploy</code>

== Cheat Sheet ==
Lessons can be found '''[https://github.com/OWASP/DVSA/blob/master/AWS/LESSONS.md here]'''

== Roadmap ==
* '''25 DEC 2018''': http://serverless.fail (official website) was launched.
* '''01 JAN 2019''': Beta version released ([https://github.com/owasp/dvsa GitHub])
* '''12 JAN 2019''': v1.0 official version.

== Project Sponsors ==
The project was initially developed by Protego Labs:

[[File:Protego logo black.png|frameless|link=https://protego.io/]]

==Getting Involved==
You do not have to be a security expert or a programmer to contribute.

Contact the Project Leader(s) to get involved, we welcome any type of suggestions and comments.

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Project Resources ==
[http://serverless.fail Online version]

[https://github.com/OWASP/DVSA GitHub Repo]

[https://join.slack.com/t/owasp/shared_invite/enQtNDI5MzgxMDQ2MTAwLTEyNzIzYWQ2NDZiMGIwNmJhYzYxZDJiNTM0ZmZiZmJlY2EwZmMwYjAyNmJjNzQxNzMyMWY4OTk3ZTQ0MzFhMDY Slack '''#project-sls-top-10''']

== Project Leader ==
[[User:Tal_Mel|Tal Melamed]]

== Project Mailing List ==
TBD

==Classifications==

{| width="200" cellpadding="2"
|-
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]
|-
| rowspan="2" align="center" valign="top" width="50%" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]
| align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%" | [[File:Owasp-defenders-small.png|link=Defenders]]
|-
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]
|}
|}

__NOTOC__ <headertabs />

[[Category:OWASP Project]]
[[Category:OWASP_Builders]]
[[Category:OWASP_Defenders]]
[[Category:OWASP_Tool]]

OWASP Serverless Top 10 Project

2018-12-23T04:39:41Z

Tal Mel:

<div style="width:100%;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>
= Main =

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== OWASP Serverless Top 10 - First Released ==
The [https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf OWASP Top 10: Serverless Interpretation] is now available.

== Introduction ==

When adopting serverless technology, we eliminate the need to develop a server to manage our application. By doing so, we also pass some of the security threats to the infrastructure provider such as [https://aws.amazon.com/serverless/ AWS], [https://azure.microsoft.com/en-us/services/functions/ Azure] and [https://cloud.google.com/functions/ Google Cloud]. In addition to the many advantages of serverless application development, such as cost and scalability, some security aspects are also handed to our service provider. Serverless services run code without provisioning or managing servers and the code is executed only when needed.

However, even if these applications are running without a managed server, they still execute code. If this code is written in an insecure manner, it can still be vulnerable to application-level attacks.

The first report will examine the differences in attack vectors, security weaknesses, and the business impact of application attacks on in the serverless world, and, most importantly, the report will suggest ways to to prevent them. As we will be able to see in the report, attack and defense techniques are different from what we used to in the traditional application world.

After that, an open-call will be established to collect data in the wild and establishing the official Serverless Top 10 Report.

==Purpose==

OWASP Serverless Top 10 aims at educating practitioners and organizations about the consequences of the most common serverless application security vulnerabilities, as well as providing basic techniques to identify and protect against them.

== Licensing ==

The OWASP Serverless Top 10 is free to use. It is licensed under the [http://creativecommons.org/licenses/by-sa/4.0/ Creative Commons Attribution-ShareAlike 4.0 license] (CC BY-SA 4.0).

==Project Sponsors==
The OWASP Serverless Top 10 project is sponsored by

[[File:Protego logo black.png|frameless|link=https://protego.io/]]                
[[File:PureSec-Logo.png|frameless|link=https://www.puresec.io/]]                
[[File:Whitesource logo rgb-02.png|frameless|link=https://www.whitesourcesoftware.com/]]

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Quick Downloads ==
[https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf OWASP Top 10: Serverless Interpretation]

== Presentation ==
Soon!

== News & Events ==
* [01 Sep 2018]: Hello World! Project was donated by [https://protego.io Protego Labs]
* [18 Sep 2018]: Join our [https://join.slack.com/t/owasp/shared_invite/enQtNDI5MzgxMDQ2MTAwLTEyNzIzYWQ2NDZiMGIwNmJhYzYxZDJiNTM0ZmZiZmJlY2EwZmMwYjAyNmJjNzQxNzMyMWY4OTk3ZTQ0MzFhMDY Slack-channel] '''#project-sls-top-10'''.
* [22 Sep 2018]: Follow our [https://github.com/OWASP/Serverless-Top-10-Project/ Git Repo].
* [25 Oct 2018]: [https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf '''First Release!''']
* [30 Oct 2018]: PureSec joined as sponsor
* [02 Nov 2018]: OWASP [https://owasp.blogspot.com/2018/11/serverless-top-10-added-to-project.html Official Announcement]
* [13 Dec 2018]: WhiteSource joined as sponsor

== Project Leaders ==
[[User:Tal Mel|Tal Melamed]]

[[User:MarcinHoppe|Marcin Hoppe]]

[[Coming soon!]]

== Related Projects ==
[[:Category:OWASP Top Ten Project|OWASP Top 10 Project]]

==Classifications==

{| width="300" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=Defenders]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Acknowledgments =

=== ===
{| role="presentation" class="mw-collapsible"
|-
| '''<big>Sponsors </big>'''
|-
|
|-
| [[File:Protego logo black.png|frameless|link=https://protego.io/]]
|-
|
|-
| [[File:PureSec-Logo.png|frameless|link=https://www.puresec.io/]]
|-
|
|-
| [[File:Whitesource logo rgb-02.png|frameless|link=https://www.whitesourcesoftware.com/]]
|}

{| role="presentation" class="mw-collapsible mw-collapsed"
|-
| '''<big>Report Reviewers </big>'''
|-
|Assaf Hefetz, Snyk
|-
|Erez Metula, AppSec Labs
|-
|Erez Yalon, Checkmarx
|-
|Frank M. Catucci, OWASP
|-
|Guy Bernhart-Magen, Intel
|-
|Hemed Gur Ary, OWASP
|-
|Jeff Williams, Contrast Security
|-
|Jim DelGrosso, Synopsys
|-
|Jochanan Sommerfeld, RDuck
|-
|Kobi Lechner, INFINIDAT
|-
|Limor Sylvie Kessem, IBM
|-
|Marcin Hoppe, Auth0
|-
|Mark Johnston, Google
|-
|Martin Knobloch, OWASP
|-
|Matthew Henderson, Microsoft
|-
|Matteo Meucci, Minded Security
|-
|Owen Pendlebury, OWASP
|-
|Paco Hope, AWS
|-
|Patrick Laverty, Rapid7
|-
|Rupack Ganguly, Serverless Inc.
|-
|Tanya Janca, Microsoft
|-
|Tash Norris, Capital One
|-
|Tom Brennan, IOActive
|-
|Yan Cui, DAZN
|-
|Youssef Elmalty, AWS
|}

= Project Resources =
== OWASP Serverless Top 10 - First Released ==
The [https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf OWASP Top 10: Serverless Interpretation] is now available.

[https://github.com/OWASP/Serverless-Top-10-Project/ GitHub repository]

= Roadmap =
{{:Projects/OWASP_Serverless_Top_10_Project/Roadmap}}

= Get involved =

Get involved in <strong> OWASP Serverless Top 10</strong>!

You do not have to be a security expert or a programmer to contribute. Contact the Project Leader(s) to get involved, we welcome any type of suggestions and comments.

Possible ways to get contribute:
* We are actively looking for organizations and individuals that will provide vulnerability prevalence data.
* Translation efforts (later stages)
* Assisting in the development of related tools (e.g. DVSA)

Individuals and organizations that will contribute to the project will listed on the acknowledgments page.

Also, join our Slack Channel [https://join.slack.com/t/owasp/shared_invite/enQtNDI5MzgxMDQ2MTAwLTEyNzIzYWQ2NDZiMGIwNmJhYzYxZDJiNTM0ZmZiZmJlY2EwZmMwYjAyNmJjNzQxNzMyMWY4OTk3ZTQ0MzFhMDY '''#project-sls-top-10''']

GitHub [https://github.com/OWASP/Serverless-Top-10-Project/ project page]

=About=
<span style="color:#ff0000">
{{:OWASP_Serverless_Top_10_Project_About}}

__NOTOC__
<headertabs />

<br/>

[[Category:OWASP Project]]
[[Category:OWASP_Builders]]
[[Category:OWASP_Defenders]]
[[Category:OWASP_Document]]

OWASP Serverless Top 10 Project

2018-12-13T17:09:28Z

Tal Mel:

<div style="width:100%;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>
= Main =

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== OWASP Serverless Top 10 - First Released ==
The [https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf OWASP Top 10: Serverless Interpretation] is now available.

== Introduction ==

When adopting serverless technology, we eliminate the need to develop a server to manage our application. By doing so, we also pass some of the security threats to the infrastructure provider such as [https://aws.amazon.com/serverless/ AWS], [https://azure.microsoft.com/en-us/services/functions/ Azure] and [https://cloud.google.com/functions/ Google Cloud]. In addition to the many advantages of serverless application development, such as cost and scalability, some security aspects are also handed to our service provider. Serverless services run code without provisioning or managing servers and the code is executed only when needed.

However, even if these applications are running without a managed server, they still execute code. If this code is written in an insecure manner, it can still be vulnerable to application-level attacks.

The first report will examine the differences in attack vectors, security weaknesses, and the business impact of application attacks on in the serverless world, and, most importantly, the report will suggest ways to to prevent them. As we will be able to see in the report, attack and defense techniques are different from what we used to in the traditional application world.

After that, an open-call will be established to collect data in the wild and establishing the official Serverless Top 10 Report.

==Purpose==

OWASP Serverless Top 10 aims at educating practitioners and organizations about the consequences of the most common serverless application security vulnerabilities, as well as providing basic techniques to identify and protect against them.

== Licensing ==

The OWASP Serverless Top 10 is free to use. It is licensed under the [http://creativecommons.org/licenses/by-sa/4.0/ Creative Commons Attribution-ShareAlike 4.0 license] (CC BY-SA 4.0).

==Project Sponsors==
The OWASP Serverless Top 10 project is sponsored by

[[File:Protego logo black.png|frameless|link=https://protego.io/]]                
[[File:PureSec-Logo.png|frameless|link=https://www.puresec.io/]]                
[[File:Whitesource logo rgb-02.png|frameless|link=https://www.whitesourcesoftware.com/]]

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Quick Downloads ==
[https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf OWASP Top 10: Serverless Interpretation]

== Presentation ==
Soon!

== News & Events ==
* [01 Sep 2018]: Hello World! Project was donated by [https://protego.io Protego Labs]
* [18 Sep 2018]: Join our [https://join.slack.com/t/owasp/shared_invite/enQtNDI5MzgxMDQ2MTAwLTEyNzIzYWQ2NDZiMGIwNmJhYzYxZDJiNTM0ZmZiZmJlY2EwZmMwYjAyNmJjNzQxNzMyMWY4OTk3ZTQ0MzFhMDY Slack-channel] '''#project-sls-top-10'''.
* [22 Sep 2018]: Follow our [https://github.com/OWASP/Serverless-Top-10-Project/ Git Repo].
* [25 Oct 2018]: [https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf '''First Release!''']
* [30 Oct 2018]: [https://puresec.io PureSec] joined as sponsor
* [02 Nov 2018]: OWASP [https://owasp.blogspot.com/2018/11/serverless-top-10-added-to-project.html Official Announcement]
* [13 Dec 2018]: WhiteSource joined as sponsor

== Project Leaders ==
[[User:Tal Mel|Tal Melamed]]

[[User:MarcinHoppe|Marcin Hoppe]]

[[Coming soon!]]

== Related Projects ==
[[:Category:OWASP Top Ten Project|OWASP Top 10 Project]]

==Classifications==

{| width="300" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=Defenders]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Acknowledgments =

=== ===
{| role="presentation" class="mw-collapsible"
|-
| '''<big>Sponsors </big>'''
|-
|
|-
| [[File:Protego logo black.png|frameless|link=https://protego.io/]]
|-
|
|-
| [[File:PureSec-Logo.png|frameless|link=https://www.puresec.io/]]
|-
|
|-
| [[File:Whitesource logo rgb-02.png|frameless|link=https://www.whitesourcesoftware.com/]]
|}

{| role="presentation" class="mw-collapsible mw-collapsed"
|-
| '''<big>Report Reviewers </big>'''
|-
|Assaf Hefetz, Snyk
|-
|Erez Metula, AppSec Labs
|-
|Erez Yalon, Checkmarx
|-
|Frank M. Catucci, OWASP
|-
|Guy Bernhart-Magen, Intel
|-
|Hemed Gur Ary, OWASP
|-
|Jeff Williams, Contrast Security
|-
|Jim DelGrosso, Synopsys
|-
|Jochanan Sommerfeld, RDuck
|-
|Kobi Lechner, INFINIDAT
|-
|Limor Sylvie Kessem, IBM
|-
|Marcin Hoppe, Auth0
|-
|Mark Johnston, Google
|-
|Martin Knobloch, OWASP
|-
|Matthew Henderson, Microsoft
|-
|Matteo Meucci, Minded Security
|-
|Owen Pendlebury, OWASP
|-
|Paco Hope, AWS
|-
|Patrick Laverty, Rapid7
|-
|Rupack Ganguly, Serverless Inc.
|-
|Tanya Janca, Microsoft
|-
|Tash Norris, Capital One
|-
|Tom Brennan, IOActive
|-
|Yan Cui, DAZN
|-
|Youssef Elmalty, AWS
|}

= Project Resources =
== OWASP Serverless Top 10 - First Released ==
The [https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf OWASP Top 10: Serverless Interpretation] is now available.

[https://github.com/OWASP/Serverless-Top-10-Project/ GitHub repository]

= Roadmap =
{{:Projects/OWASP_Serverless_Top_10_Project/Roadmap}}

= Get involved =

Get involved in <strong> OWASP Serverless Top 10</strong>!

You do not have to be a security expert or a programmer to contribute. Contact the Project Leader(s) to get involved, we welcome any type of suggestions and comments.

Possible ways to get contribute:
* We are actively looking for organizations and individuals that will provide vulnerability prevalence data.
* Translation efforts (later stages)
* Assisting in the development of related tools (e.g. DVSA)

Individuals and organizations that will contribute to the project will listed on the acknowledgments page.

Also, join our Slack Channel [https://join.slack.com/t/owasp/shared_invite/enQtNDI5MzgxMDQ2MTAwLTEyNzIzYWQ2NDZiMGIwNmJhYzYxZDJiNTM0ZmZiZmJlY2EwZmMwYjAyNmJjNzQxNzMyMWY4OTk3ZTQ0MzFhMDY '''#project-sls-top-10''']

GitHub [https://github.com/OWASP/Serverless-Top-10-Project/ project page]

=About=
<span style="color:#ff0000">
{{:OWASP_Serverless_Top_10_Project_About}}

__NOTOC__
<headertabs />

<br/>

[[Category:OWASP Project]]
[[Category:OWASP_Builders]]
[[Category:OWASP_Defenders]]
[[Category:OWASP_Document]]

OWASP Serverless Top 10 Project

2018-12-13T17:09:12Z

Tal Mel:

<div style="width:100%;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>
= Main =

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== OWASP Serverless Top 10 - First Released ==
The [https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf OWASP Top 10: Serverless Interpretation] is now available.

== Introduction ==

When adopting serverless technology, we eliminate the need to develop a server to manage our application. By doing so, we also pass some of the security threats to the infrastructure provider such as [https://aws.amazon.com/serverless/ AWS], [https://azure.microsoft.com/en-us/services/functions/ Azure] and [https://cloud.google.com/functions/ Google Cloud]. In addition to the many advantages of serverless application development, such as cost and scalability, some security aspects are also handed to our service provider. Serverless services run code without provisioning or managing servers and the code is executed only when needed.

However, even if these applications are running without a managed server, they still execute code. If this code is written in an insecure manner, it can still be vulnerable to application-level attacks.

The first report will examine the differences in attack vectors, security weaknesses, and the business impact of application attacks on in the serverless world, and, most importantly, the report will suggest ways to to prevent them. As we will be able to see in the report, attack and defense techniques are different from what we used to in the traditional application world.

After that, an open-call will be established to collect data in the wild and establishing the official Serverless Top 10 Report.

==Purpose==

OWASP Serverless Top 10 aims at educating practitioners and organizations about the consequences of the most common serverless application security vulnerabilities, as well as providing basic techniques to identify and protect against them.

== Licensing ==

The OWASP Serverless Top 10 is free to use. It is licensed under the [http://creativecommons.org/licenses/by-sa/4.0/ Creative Commons Attribution-ShareAlike 4.0 license] (CC BY-SA 4.0).

==Project Sponsors==
The OWASP Serverless Top 10 project is sponsored by

[[File:Protego logo black.png|frameless|link=https://protego.io/]]                
[[File:PureSec-Logo.png|frameless|link=https://www.puresec.io/]]                
[[File:Whitesource logo rgb-02.png|frameless|link=https://www.whitesourcesoftware.com/]]

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Quick Downloads ==
[https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf OWASP Top 10: Serverless Interpretation]

== Presentation ==
Soon!

== News & Events ==
* [01 Sep 2018]: Hello World! Project was donated by [https://protego.io Protego Labs]
* [18 Sep 2018]: Join our [https://join.slack.com/t/owasp/shared_invite/enQtNDI5MzgxMDQ2MTAwLTEyNzIzYWQ2NDZiMGIwNmJhYzYxZDJiNTM0ZmZiZmJlY2EwZmMwYjAyNmJjNzQxNzMyMWY4OTk3ZTQ0MzFhMDY Slack-channel] '''#project-sls-top-10'''.
* [22 Sep 2018]: Follow our [https://github.com/OWASP/Serverless-Top-10-Project/ Git Repo].
* [25 Oct 2018]: [https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf '''First Release!''']
* [30 Oct 2018]: [https://puresec.io PureSec] joined as sponsor
* [02 Nov 2018]: OWASP [https://owasp.blogspot.com/2018/11/serverless-top-10-added-to-project.html Official Announcement]
* [13 Dec 2018]: WhiteSource joined as sponsor

== Project Leader ==
[[User:Tal Mel|Tal Melamed]]

[[User:MarcinHoppe|Marcin Hoppe]]

[[Coming soon!]]

== Related Projects ==
[[:Category:OWASP Top Ten Project|OWASP Top 10 Project]]

==Classifications==

{| width="300" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=Defenders]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Acknowledgments =

=== ===
{| role="presentation" class="mw-collapsible"
|-
| '''<big>Sponsors </big>'''
|-
|
|-
| [[File:Protego logo black.png|frameless|link=https://protego.io/]]
|-
|
|-
| [[File:PureSec-Logo.png|frameless|link=https://www.puresec.io/]]
|-
|
|-
| [[File:Whitesource logo rgb-02.png|frameless|link=https://www.whitesourcesoftware.com/]]
|}

{| role="presentation" class="mw-collapsible mw-collapsed"
|-
| '''<big>Report Reviewers </big>'''
|-
|Assaf Hefetz, Snyk
|-
|Erez Metula, AppSec Labs
|-
|Erez Yalon, Checkmarx
|-
|Frank M. Catucci, OWASP
|-
|Guy Bernhart-Magen, Intel
|-
|Hemed Gur Ary, OWASP
|-
|Jeff Williams, Contrast Security
|-
|Jim DelGrosso, Synopsys
|-
|Jochanan Sommerfeld, RDuck
|-
|Kobi Lechner, INFINIDAT
|-
|Limor Sylvie Kessem, IBM
|-
|Marcin Hoppe, Auth0
|-
|Mark Johnston, Google
|-
|Martin Knobloch, OWASP
|-
|Matthew Henderson, Microsoft
|-
|Matteo Meucci, Minded Security
|-
|Owen Pendlebury, OWASP
|-
|Paco Hope, AWS
|-
|Patrick Laverty, Rapid7
|-
|Rupack Ganguly, Serverless Inc.
|-
|Tanya Janca, Microsoft
|-
|Tash Norris, Capital One
|-
|Tom Brennan, IOActive
|-
|Yan Cui, DAZN
|-
|Youssef Elmalty, AWS
|}

= Project Resources =
== OWASP Serverless Top 10 - First Released ==
The [https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf OWASP Top 10: Serverless Interpretation] is now available.

[https://github.com/OWASP/Serverless-Top-10-Project/ GitHub repository]

= Roadmap =
{{:Projects/OWASP_Serverless_Top_10_Project/Roadmap}}

= Get involved =

Get involved in <strong> OWASP Serverless Top 10</strong>!

You do not have to be a security expert or a programmer to contribute. Contact the Project Leader(s) to get involved, we welcome any type of suggestions and comments.

Possible ways to get contribute:
* We are actively looking for organizations and individuals that will provide vulnerability prevalence data.
* Translation efforts (later stages)
* Assisting in the development of related tools (e.g. DVSA)

Individuals and organizations that will contribute to the project will listed on the acknowledgments page.

Also, join our Slack Channel [https://join.slack.com/t/owasp/shared_invite/enQtNDI5MzgxMDQ2MTAwLTEyNzIzYWQ2NDZiMGIwNmJhYzYxZDJiNTM0ZmZiZmJlY2EwZmMwYjAyNmJjNzQxNzMyMWY4OTk3ZTQ0MzFhMDY '''#project-sls-top-10''']

GitHub [https://github.com/OWASP/Serverless-Top-10-Project/ project page]

=About=
<span style="color:#ff0000">
{{:OWASP_Serverless_Top_10_Project_About}}

__NOTOC__
<headertabs />

<br/>

[[Category:OWASP Project]]
[[Category:OWASP_Builders]]
[[Category:OWASP_Defenders]]
[[Category:OWASP_Document]]

OWASP Serverless Top 10 Project

2018-12-13T16:11:43Z

Tal Mel:

<div style="width:100%;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>
= Main =

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== OWASP Serverless Top 10 - First Released ==
The [https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf OWASP Top 10: Serverless Interpretation] is now available.

== Introduction ==

When adopting serverless technology, we eliminate the need to develop a server to manage our application. By doing so, we also pass some of the security threats to the infrastructure provider such as [https://aws.amazon.com/serverless/ AWS], [https://azure.microsoft.com/en-us/services/functions/ Azure] and [https://cloud.google.com/functions/ Google Cloud]. In addition to the many advantages of serverless application development, such as cost and scalability, some security aspects are also handed to our service provider. Serverless services run code without provisioning or managing servers and the code is executed only when needed.

However, even if these applications are running without a managed server, they still execute code. If this code is written in an insecure manner, it can still be vulnerable to application-level attacks.

The first report will examine the differences in attack vectors, security weaknesses, and the business impact of application attacks on in the serverless world, and, most importantly, the report will suggest ways to to prevent them. As we will be able to see in the report, attack and defense techniques are different from what we used to in the traditional application world.

After that, an open-call will be established to collect data in the wild and establishing the official Serverless Top 10 Report.

==Purpose==

OWASP Serverless Top 10 aims at educating practitioners and organizations about the consequences of the most common serverless application security vulnerabilities, as well as providing basic techniques to identify and protect against them.

== Licensing ==

The OWASP Serverless Top 10 is free to use. It is licensed under the [http://creativecommons.org/licenses/by-sa/4.0/ Creative Commons Attribution-ShareAlike 4.0 license] (CC BY-SA 4.0).

==Project Sponsors==
The OWASP Serverless Top 10 project is sponsored by

[[File:Protego logo black.png|frameless|link=https://protego.io/]]                
[[File:PureSec-Logo.png|frameless|link=https://www.puresec.io/]]                
[[File:Whitesource logo rgb-02.png|frameless|link=https://www.whitesourcesoftware.com/]]

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Quick Downloads ==
[https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf OWASP Top 10: Serverless Interpretation]

== Presentation ==
Soon!

== News & Events ==
* [01 Sep 2018]: Hello World! Project was donated by [https://protego.io Protego Labs]
* [18 Sep 2018]: Join our [https://join.slack.com/t/owasp/shared_invite/enQtNDI5MzgxMDQ2MTAwLTEyNzIzYWQ2NDZiMGIwNmJhYzYxZDJiNTM0ZmZiZmJlY2EwZmMwYjAyNmJjNzQxNzMyMWY4OTk3ZTQ0MzFhMDY Slack-channel] '''#project-sls-top-10'''.
* [22 Sep 2018]: Follow our [https://github.com/OWASP/Serverless-Top-10-Project/ Git Repo].
* [25 Oct 2018]: [https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf '''First Release!''']
* [30 Oct 2018]: [https://puresec.io PureSec] joined as sponsor
* [02 Nov 2018]: OWASP [https://owasp.blogspot.com/2018/11/serverless-top-10-added-to-project.html Official Announcement]
* [13 Dec 2018]: WhiteSource joined as sponsor

== Project Leader ==
[[User:Tal Mel|Tal Melamed]]

[mailto:marcin.hoppe@owasp.org Marcin Hoppe]

[[Coming soon!]]

== Related Projects ==
[[:Category:OWASP Top Ten Project|OWASP Top 10 Project]]

==Classifications==

{| width="300" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=Defenders]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Acknowledgments =

=== ===
{| role="presentation" class="mw-collapsible"
|-
| '''<big>Sponsors </big>'''
|-
|
|-
| [[File:Protego logo black.png|frameless|link=https://protego.io/]]
|-
|
|-
| [[File:PureSec-Logo.png|frameless|link=https://www.puresec.io/]]
|-
|
|-
| [[File:Whitesource logo rgb-02.png|frameless|link=https://www.whitesourcesoftware.com/]]
|}

{| role="presentation" class="mw-collapsible mw-collapsed"
|-
| '''<big>Report Reviewers </big>'''
|-
|Assaf Hefetz, Snyk
|-
|Erez Metula, AppSec Labs
|-
|Erez Yalon, Checkmarx
|-
|Frank M. Catucci, OWASP
|-
|Guy Bernhart-Magen, Intel
|-
|Hemed Gur Ary, OWASP
|-
|Jeff Williams, Contrast Security
|-
|Jim DelGrosso, Synopsys
|-
|Jochanan Sommerfeld, RDuck
|-
|Kobi Lechner, INFINIDAT
|-
|Limor Sylvie Kessem, IBM
|-
|Marcin Hoppe, Auth0
|-
|Mark Johnston, Google
|-
|Martin Knobloch, OWASP
|-
|Matthew Henderson, Microsoft
|-
|Matteo Meucci, Minded Security
|-
|Owen Pendlebury, OWASP
|-
|Paco Hope, AWS
|-
|Patrick Laverty, Rapid7
|-
|Rupack Ganguly, Serverless Inc.
|-
|Tanya Janca, Microsoft
|-
|Tash Norris, Capital One
|-
|Tom Brennan, IOActive
|-
|Yan Cui, DAZN
|-
|Youssef Elmalty, AWS
|}

= Project Resources =
== OWASP Serverless Top 10 - First Released ==
The [https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf OWASP Top 10: Serverless Interpretation] is now available.

[https://github.com/OWASP/Serverless-Top-10-Project/ GitHub repository]

= Roadmap =
{{:Projects/OWASP_Serverless_Top_10_Project/Roadmap}}

= Get involved =

Get involved in <strong> OWASP Serverless Top 10</strong>!

You do not have to be a security expert or a programmer to contribute. Contact the Project Leader(s) to get involved, we welcome any type of suggestions and comments.

Possible ways to get contribute:
* We are actively looking for organizations and individuals that will provide vulnerability prevalence data.
* Translation efforts (later stages)
* Assisting in the development of related tools (e.g. DVSA)

Individuals and organizations that will contribute to the project will listed on the acknowledgments page.

Also, join our Slack Channel [https://join.slack.com/t/owasp/shared_invite/enQtNDI5MzgxMDQ2MTAwLTEyNzIzYWQ2NDZiMGIwNmJhYzYxZDJiNTM0ZmZiZmJlY2EwZmMwYjAyNmJjNzQxNzMyMWY4OTk3ZTQ0MzFhMDY '''#project-sls-top-10''']

GitHub [https://github.com/OWASP/Serverless-Top-10-Project/ project page]

=About=
<span style="color:#ff0000">
{{:OWASP_Serverless_Top_10_Project_About}}

__NOTOC__
<headertabs />

<br/>

[[Category:OWASP Project]]
[[Category:OWASP_Builders]]
[[Category:OWASP_Defenders]]
[[Category:OWASP_Document]]

OWASP Serverless Top 10 Project

2018-12-13T16:05:00Z

Tal Mel:

<div style="width:100%;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>
= Main =

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== OWASP Serverless Top 10 - First Released ==
The [https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf OWASP Top 10: Serverless Interpretation] is now available.

== Introduction ==

When adopting serverless technology, we eliminate the need to develop a server to manage our application. By doing so, we also pass some of the security threats to the infrastructure provider such as [https://aws.amazon.com/serverless/ AWS], [https://azure.microsoft.com/en-us/services/functions/ Azure] and [https://cloud.google.com/functions/ Google Cloud]. In addition to the many advantages of serverless application development, such as cost and scalability, some security aspects are also handed to our service provider. Serverless services run code without provisioning or managing servers and the code is executed only when needed.

However, even if these applications are running without a managed server, they still execute code. If this code is written in an insecure manner, it can still be vulnerable to application-level attacks.

The first report will examine the differences in attack vectors, security weaknesses, and the business impact of application attacks on in the serverless world, and, most importantly, the report will suggest ways to to prevent them. As we will be able to see in the report, attack and defense techniques are different from what we used to in the traditional application world.

After that, an open-call will be established to collect data in the wild and establishing the official Serverless Top 10 Report.

==Purpose==

OWASP Serverless Top 10 aims at educating practitioners and organizations about the consequences of the most common serverless application security vulnerabilities, as well as providing basic techniques to identify and protect against them.

== Licensing ==

The OWASP Serverless Top 10 is free to use. It is licensed under the [http://creativecommons.org/licenses/by-sa/4.0/ Creative Commons Attribution-ShareAlike 4.0 license] (CC BY-SA 4.0).

==Project Sponsors==
The OWASP Serverless Top 10 project is sponsored by

[[File:Protego logo black.png|frameless|link=https://protego.io/]]                
[[File:PureSec-Logo.png|frameless|link=https://www.puresec.io/]]                
[[File:Whitesource logo rgb-02.png|frameless|link=https://www.whitesourcesoftware.com/]]

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Quick Downloads ==
[https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf OWASP Top 10: Serverless Interpretation]

== Presentation ==
Soon!

== News & Events ==
* [1 Sep 2018]: Hello World!
* [18 Sep 2018]: Join our [https://join.slack.com/t/owasp/shared_invite/enQtNDI5MzgxMDQ2MTAwLTEyNzIzYWQ2NDZiMGIwNmJhYzYxZDJiNTM0ZmZiZmJlY2EwZmMwYjAyNmJjNzQxNzMyMWY4OTk3ZTQ0MzFhMDY Slack-channel] '''#project-sls-top-10'''.
* [22 Sep 2018]: Follow our [https://github.com/OWASP/Serverless-Top-10-Project/ Git Repo].
* [25 Oct 2018]: [https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf '''First Release!''']
* [2 Nov 2018]: [https://owasp.blogspot.com/2018/11/serverless-top-10-added-to-project.html Official Announcement]

== Project Leader ==
[[User:Tal Mel|Tal Melamed]]

[mailto:marcin.hoppe@owasp.org Marcin Hoppe]

[[Coming soon!]]

== Related Projects ==
[[:Category:OWASP Top Ten Project|OWASP Top 10 Project]]

==Classifications==

{| width="300" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=Defenders]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Acknowledgments =

=== ===
{| role="presentation" class="mw-collapsible"
|-
| '''<big>Sponsors </big>'''
|-
|
|-
| [[File:Protego logo black.png|frameless|link=https://protego.io/]]
|-
|
|-
| [[File:PureSec-Logo.png|frameless|link=https://www.puresec.io/]]
|-
|
|-
| [[File:Whitesource logo rgb-02.png|frameless|link=https://www.whitesourcesoftware.com/]]
|}

{| role="presentation" class="mw-collapsible mw-collapsed"
|-
| '''<big>Report Reviewers </big>'''
|-
|Assaf Hefetz, Snyk
|-
|Erez Metula, AppSec Labs
|-
|Erez Yalon, Checkmarx
|-
|Frank M. Catucci, OWASP
|-
|Guy Bernhart-Magen, Intel
|-
|Hemed Gur Ary, OWASP
|-
|Jeff Williams, Contrast Security
|-
|Jim DelGrosso, Synopsys
|-
|Jochanan Sommerfeld, RDuck
|-
|Kobi Lechner, INFINIDAT
|-
|Limor Sylvie Kessem, IBM
|-
|Marcin Hoppe, Auth0
|-
|Mark Johnston, Google
|-
|Martin Knobloch, OWASP
|-
|Matthew Henderson, Microsoft
|-
|Matteo Meucci, Minded Security
|-
|Owen Pendlebury, OWASP
|-
|Paco Hope, AWS
|-
|Patrick Laverty, Rapid7
|-
|Rupack Ganguly, Serverless Inc.
|-
|Tanya Janca, Microsoft
|-
|Tash Norris, Capital One
|-
|Tom Brennan, IOActive
|-
|Yan Cui, DAZN
|-
|Youssef Elmalty, AWS
|}

= Project Resources =
== OWASP Serverless Top 10 - First Released ==
The [https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf OWASP Top 10: Serverless Interpretation] is now available.

[https://github.com/OWASP/Serverless-Top-10-Project/ GitHub repository]

= Roadmap =
{{:Projects/OWASP_Serverless_Top_10_Project/Roadmap}}

= Get involved =

Get involved in <strong> OWASP Serverless Top 10</strong>!

You do not have to be a security expert or a programmer to contribute. Contact the Project Leader(s) to get involved, we welcome any type of suggestions and comments.

Possible ways to get contribute:
* We are actively looking for organizations and individuals that will provide vulnerability prevalence data.
* Translation efforts (later stages)
* Assisting in the development of related tools (e.g. DVSA)

Individuals and organizations that will contribute to the project will listed on the acknowledgments page.

Also, join our Slack Channel [https://join.slack.com/t/owasp/shared_invite/enQtNDI5MzgxMDQ2MTAwLTEyNzIzYWQ2NDZiMGIwNmJhYzYxZDJiNTM0ZmZiZmJlY2EwZmMwYjAyNmJjNzQxNzMyMWY4OTk3ZTQ0MzFhMDY '''#project-sls-top-10''']

GitHub [https://github.com/OWASP/Serverless-Top-10-Project/ project page]

=About=
<span style="color:#ff0000">
{{:OWASP_Serverless_Top_10_Project_About}}

__NOTOC__
<headertabs />

<br/>

[[Category:OWASP Project]]
[[Category:OWASP_Builders]]
[[Category:OWASP_Defenders]]
[[Category:OWASP_Document]]

OWASP Serverless Top 10 Project

2018-12-13T15:57:04Z

Tal Mel:

<div style="width:100%;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>
= Main =

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== OWASP Serverless Top 10 - First Released ==
The [https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf OWASP Top 10: Serverless Interpretation] is now available.

== Introduction ==

When adopting serverless technology, we eliminate the need to develop a server to manage our application. By doing so, we also pass some of the security threats to the infrastructure provider such as [https://aws.amazon.com/serverless/ AWS], [https://azure.microsoft.com/en-us/services/functions/ Azure] and [https://cloud.google.com/functions/ Google Cloud]. In addition to the many advantages of serverless application development, such as cost and scalability, some security aspects are also handed to our service provider. Serverless services run code without provisioning or managing servers and the code is executed only when needed.

However, even if these applications are running without a managed server, they still execute code. If this code is written in an insecure manner, it can still be vulnerable to application-level attacks.

The first report will examine the differences in attack vectors, security weaknesses, and the business impact of application attacks on in the serverless world, and, most importantly, the report will suggest ways to to prevent them. As we will be able to see in the report, attack and defense techniques are different from what we used to in the traditional application world.

After that, an open-call will be established to collect data in the wild and establishing the official Serverless Top 10 Report.

==Purpose==

OWASP Serverless Top 10 aims at educating practitioners and organizations about the consequences of the most common serverless application security vulnerabilities, as well as providing basic techniques to identify and protect against them.

== Licensing ==

The OWASP Serverless Top 10 is free to use. It is licensed under the [http://creativecommons.org/licenses/by-sa/4.0/ Creative Commons Attribution-ShareAlike 4.0 license] (CC BY-SA 4.0).

==Project Sponsors==
The OWASP Serverless Top 10 project is sponsored by

[[File:Protego logo black.png|frameless|link=https://protego.io/]]                
[[File:PureSec-Logo.png|frameless|link=https://www.puresec.io/]]                
[[File:Whitesource logo rgb-02.png|frameless|link=https://www.whitesourcesoftware.com/]]

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Quick Downloads ==
[https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf OWASP Top 10: Serverless Interpretation]

== Presentation ==
Soon!

== News & Events ==
* [1 Sep 2018]: Hello World!
* [18 Sep 2018]: Join our [https://join.slack.com/t/owasp/shared_invite/enQtNDI5MzgxMDQ2MTAwLTEyNzIzYWQ2NDZiMGIwNmJhYzYxZDJiNTM0ZmZiZmJlY2EwZmMwYjAyNmJjNzQxNzMyMWY4OTk3ZTQ0MzFhMDY Slack-channel] '''#project-sls-top-10'''.
* [22 Sep 2018]: Follow our [https://github.com/OWASP/Serverless-Top-10-Project/ Git Repo].
* [25 Oct 2018]: [https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf '''First Release!''']
* [2 Nov 2018]: [https://owasp.blogspot.com/2018/11/serverless-top-10-added-to-project.html Official Announcement]

== Project Leader ==
[[User:Tal Mel|Tal Melamed]]

[[Coming soon!]]

[[Coming soon!]]

== Related Projects ==
[[:Category:OWASP Top Ten Project|OWASP Top 10 Project]]

==Classifications==

{| width="300" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=Defenders]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Acknowledgments =

=== ===
{| role="presentation" class="mw-collapsible"
|-
| '''<big>Sponsors </big>'''
|-
|
|-
| [[File:Protego logo black.png|frameless|link=https://protego.io/]]
|-
|
|-
| [[File:PureSec-Logo.png|frameless|link=https://www.puresec.io/]]
|-
|
|-
| [[File:Whitesource logo rgb-02.png|frameless|link=https://www.whitesourcesoftware.com/]]
|}

{| role="presentation" class="mw-collapsible mw-collapsed"
|-
| '''<big>Report Reviewers </big>'''
|-
|Assaf Hefetz, Snyk
|-
|Erez Metula, AppSec Labs
|-
|Erez Yalon, Checkmarx
|-
|Frank M. Catucci, OWASP
|-
|Guy Bernhart-Magen, Intel
|-
|Hemed Gur Ary, OWASP
|-
|Jeff Williams, Contrast Security
|-
|Jim DelGrosso, Synopsys
|-
|Jochanan Sommerfeld, RDuck
|-
|Kobi Lechner, INFINIDAT
|-
|Limor Sylvie Kessem, IBM
|-
|Marcin Hoppe, Auth0
|-
|Mark Johnston, Google
|-
|Martin Knobloch, OWASP
|-
|Matthew Henderson, Microsoft
|-
|Matteo Meucci, Minded Security
|-
|Owen Pendlebury, OWASP
|-
|Paco Hope, AWS
|-
|Patrick Laverty, Rapid7
|-
|Rupack Ganguly, Serverless Inc.
|-
|Tanya Janca, Microsoft
|-
|Tash Norris, Capital One
|-
|Tom Brennan, IOActive
|-
|Yan Cui, DAZN
|-
|Youssef Elmalty, AWS
|}

= Project Resources =
== OWASP Serverless Top 10 - First Released ==
The [https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf OWASP Top 10: Serverless Interpretation] is now available.

[https://github.com/OWASP/Serverless-Top-10-Project/ GitHub repository]

= Roadmap =
{{:Projects/OWASP_Serverless_Top_10_Project/Roadmap}}

= Get involved =

Get involved in <strong> OWASP Serverless Top 10</strong>!

You do not have to be a security expert or a programmer to contribute. Contact the Project Leader(s) to get involved, we welcome any type of suggestions and comments.

Possible ways to get contribute:
* We are actively looking for organizations and individuals that will provide vulnerability prevalence data.
* Translation efforts (later stages)
* Assisting in the development of related tools (e.g. DVSA)

Individuals and organizations that will contribute to the project will listed on the acknowledgments page.

Also, join our Slack Channel [https://join.slack.com/t/owasp/shared_invite/enQtNDI5MzgxMDQ2MTAwLTEyNzIzYWQ2NDZiMGIwNmJhYzYxZDJiNTM0ZmZiZmJlY2EwZmMwYjAyNmJjNzQxNzMyMWY4OTk3ZTQ0MzFhMDY '''#project-sls-top-10''']

GitHub [https://github.com/OWASP/Serverless-Top-10-Project/ project page]

=About=
<span style="color:#ff0000">
{{:OWASP_Serverless_Top_10_Project_About}}

__NOTOC__
<headertabs />

<br/>

[[Category:OWASP Project]]
[[Category:OWASP_Builders]]
[[Category:OWASP_Defenders]]
[[Category:OWASP_Document]]

OWASP Serverless Top 10 Project

2018-12-13T15:47:44Z

Tal Mel:

<div style="width:100%;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>
= Main =

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== OWASP Serverless Top 10 - First Released ==
The [https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf OWASP Top 10: Serverless Interpretation] is now available.

== Introduction ==

When adopting serverless technology, we eliminate the need to develop a server to manage our application. By doing so, we also pass some of the security threats to the infrastructure provider such as [https://aws.amazon.com/serverless/ AWS], [https://azure.microsoft.com/en-us/services/functions/ Azure] and [https://cloud.google.com/functions/ Google Cloud]. In addition to the many advantages of serverless application development, such as cost and scalability, some security aspects are also handed to our service provider. Serverless services run code without provisioning or managing servers and the code is executed only when needed.

However, even if these applications are running without a managed server, they still execute code. If this code is written in an insecure manner, it can still be vulnerable to application-level attacks.

The first report will examine the differences in attack vectors, security weaknesses, and the business impact of application attacks on in the serverless world, and, most importantly, the report will suggest ways to to prevent them. As we will be able to see in the report, attack and defense techniques are different from what we used to in the traditional application world.

After that, an open-call will be established to collect data in the wild and establishing the official Serverless Top 10 Report.

==Purpose==

OWASP Serverless Top 10 aims at educating practitioners and organizations about the consequences of the most common serverless application security vulnerabilities, as well as providing basic techniques to identify and protect against them.

== Licensing ==

The OWASP Serverless Top 10 is free to use. It is licensed under the [http://creativecommons.org/licenses/by-sa/4.0/ Creative Commons Attribution-ShareAlike 4.0 license] (CC BY-SA 4.0).

==Project Sponsors==
The OWASP Serverless Top 10 project is sponsored by

[[File:Protego logo black.png|frameless|link=https://protego.io/]]                
[[File:PureSec-Logo.png|frameless|link=https://www.puresec.io/]]                
[[File:Whitesource logo rgb-02.png|frameless|link=https://www.whitesourcesoftware.com/]]

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Quick Downloads ==
[https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf OWASP Top 10: Serverless Interpretation]

== Presentation ==
Soon!

== News & Events ==
* [1 Sep 2018]: Hello World!
* [18 Sep 2018]: Join our [https://join.slack.com/t/owasp/shared_invite/enQtNDI5MzgxMDQ2MTAwLTEyNzIzYWQ2NDZiMGIwNmJhYzYxZDJiNTM0ZmZiZmJlY2EwZmMwYjAyNmJjNzQxNzMyMWY4OTk3ZTQ0MzFhMDY Slack-channel] '''#project-sls-top-10'''.
* [22 Sep 2018]: Follow our [https://github.com/OWASP/Serverless-Top-10-Project/ Git Repo].
* [25 Oct 2018]: [https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf '''First Release!''']
* [2 Nov 2018]: [https://owasp.blogspot.com/2018/11/serverless-top-10-added-to-project.html Official Announcement]

== Project Leader ==
[[User:Tal Mel|Tal Melamed]]

[[Coming soon!]]

[[Coming soon!]]

== Related Projects ==
[[:Category:OWASP Top Ten Project|OWASP Top 10 Project]]

==Classifications==

{| width="300" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=Defenders]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Acknowledgments =
=== ===
{| role="presentation" class="mw-collapsible mw-collapsed"
|-
| '''<big>Report Reviewers </big>'''
|-
|Assaf Hefetz, Snyk
|-
|Erez Metula, AppSec Labs
|-
|Erez Yalon, Checkmarx
|-
|Frank M. Catucci, OWASP
|-
|Guy Bernhart-Magen, Intel
|-
|Hemed Gur Ary, OWASP
|-
|Jeff Williams, Contrast Security
|-
|Jim DelGrosso, Synopsys
|-
|Jochanan Sommerfeld, RDuck
|-
|Kobi Lechner, INFINIDAT
|-
|Limor Sylvie Kessem, IBM
|-
|Marcin Hoppe, Auth0
|-
|Mark Johnston, Google
|-
|Martin Knobloch, OWASP
|-
|Matthew Henderson, Microsoft
|-
|Matteo Meucci, Minded Security
|-
|Owen Pendlebury, OWASP
|-
|Paco Hope, AWS
|-
|Patrick Laverty, Rapid7
|-
|Rupack Ganguly, Serverless Inc.
|-
|Tanya Janca, Microsoft
|-
|Tash Norris, Capital One
|-
|Tom Brennan, IOActive
|-
|Yan Cui, DAZN
|-
|Youssef Elmalty, AWS
|}

= Project Resources =
== OWASP Serverless Top 10 - First Released ==
The [https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf OWASP Top 10: Serverless Interpretation] is now available.

[https://github.com/OWASP/Serverless-Top-10-Project/ GitHub repository]

= Roadmap =
{{:Projects/OWASP_Serverless_Top_10_Project/Roadmap}}

= Get involved =

Get involved in <strong> OWASP Serverless Top 10</strong>!

You do not have to be a security expert or a programmer to contribute. Contact the Project Leader(s) to get involved, we welcome any type of suggestions and comments.

Possible ways to get contribute:
* We are actively looking for organizations and individuals that will provide vulnerability prevalence data.
* Translation efforts (later stages)
* Assisting in the development of related tools (e.g. DVSA)

Individuals and organizations that will contribute to the project will listed on the acknowledgments page.

Also, join our Slack Channel [https://join.slack.com/t/owasp/shared_invite/enQtNDI5MzgxMDQ2MTAwLTEyNzIzYWQ2NDZiMGIwNmJhYzYxZDJiNTM0ZmZiZmJlY2EwZmMwYjAyNmJjNzQxNzMyMWY4OTk3ZTQ0MzFhMDY '''#project-sls-top-10''']

GitHub [https://github.com/OWASP/Serverless-Top-10-Project/ project page]

=About=
<span style="color:#ff0000">
{{:OWASP_Serverless_Top_10_Project_About}}

__NOTOC__
<headertabs />

<br/>

[[Category:OWASP Project]]
[[Category:OWASP_Builders]]
[[Category:OWASP_Defenders]]
[[Category:OWASP_Document]]

OWASP Serverless Top 10 Project

2018-12-13T15:42:57Z

Tal Mel:

<div style="width:100%;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>
= Main =

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== OWASP Serverless Top 10 - First Released ==
The [https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf OWASP Top 10: Serverless Interpretation] is now available.

== Introduction ==

When adopting serverless technology, we eliminate the need to develop a server to manage our application. By doing so, we also pass some of the security threats to the infrastructure provider such as [https://aws.amazon.com/serverless/ AWS], [https://azure.microsoft.com/en-us/services/functions/ Azure] and [https://cloud.google.com/functions/ Google Cloud]. In addition to the many advantages of serverless application development, such as cost and scalability, some security aspects are also handed to our service provider. Serverless services run code without provisioning or managing servers and the code is executed only when needed.

However, even if these applications are running without a managed server, they still execute code. If this code is written in an insecure manner, it can still be vulnerable to application-level attacks.

The first report will examine the differences in attack vectors, security weaknesses, and the business impact of application attacks on in the serverless world, and, most importantly, the report will suggest ways to to prevent them. As we will be able to see in the report, attack and defense techniques are different from what we used to in the traditional application world.

After that, an open-call will be established to collect data in the wild and establishing the official Serverless Top 10 Report.

==Purpose==

OWASP Serverless Top 10 aims at educating practitioners and organizations about the consequences of the most common serverless application security vulnerabilities, as well as providing basic techniques to identify and protect against them.

== Licensing ==

The OWASP Serverless Top 10 is free to use. It is licensed under the [http://creativecommons.org/licenses/by-sa/4.0/ Creative Commons Attribution-ShareAlike 4.0 license] (CC BY-SA 4.0).

==Project Sponsors==
The OWASP Serverless Top 10 project is sponsored by

[[File:Protego logo black.png|frameless|link=https://protego.io/]] {{pad}} [[File:PureSec-Logo.png|frameless|link=https://www.puresec.io/]] {{pad}} [[File:Whitesource logo rgb-02.png|frameless|link=https://www.whitesourcesoftware.com/]]

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Quick Downloads ==
[https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf OWASP Top 10: Serverless Interpretation]

== Presentation ==
Soon!

== News & Events ==
* [1 Sep 2018]: Hello World!
* [18 Sep 2018]: Join our [https://join.slack.com/t/owasp/shared_invite/enQtNDI5MzgxMDQ2MTAwLTEyNzIzYWQ2NDZiMGIwNmJhYzYxZDJiNTM0ZmZiZmJlY2EwZmMwYjAyNmJjNzQxNzMyMWY4OTk3ZTQ0MzFhMDY Slack-channel] '''#project-sls-top-10'''.
* [22 Sep 2018]: Follow our [https://github.com/OWASP/Serverless-Top-10-Project/ Git Repo].
* [25 Oct 2018]: [https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf '''First Release!''']
* [2 Nov 2018]: [https://owasp.blogspot.com/2018/11/serverless-top-10-added-to-project.html Official Announcement]

== Project Leader ==
[[User:Tal Mel|Tal Melamed]]

[[Coming soon!]]

[[Coming soon!]]

== Related Projects ==
[[:Category:OWASP Top Ten Project|OWASP Top 10 Project]]

==Classifications==

{| width="300" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=Defenders]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Acknowledgments =
=== ===
{| role="presentation" class="mw-collapsible mw-collapsed"
|-
| '''<big>Report Reviewers </big>'''
|-
|Assaf Hefetz, Snyk
|-
|Erez Metula, AppSec Labs
|-
|Erez Yalon, Checkmarx
|-
|Frank M. Catucci, OWASP
|-
|Guy Bernhart-Magen, Intel
|-
|Hemed Gur Ary, OWASP
|-
|Jeff Williams, Contrast Security
|-
|Jim DelGrosso, Synopsys
|-
|Jochanan Sommerfeld, RDuck
|-
|Kobi Lechner, INFINIDAT
|-
|Limor Sylvie Kessem, IBM
|-
|Marcin Hoppe, Auth0
|-
|Mark Johnston, Google
|-
|Martin Knobloch, OWASP
|-
|Matthew Henderson, Microsoft
|-
|Matteo Meucci, Minded Security
|-
|Owen Pendlebury, OWASP
|-
|Paco Hope, AWS
|-
|Patrick Laverty, Rapid7
|-
|Rupack Ganguly, Serverless Inc.
|-
|Tanya Janca, Microsoft
|-
|Tash Norris, Capital One
|-
|Tom Brennan, IOActive
|-
|Yan Cui, DAZN
|-
|Youssef Elmalty, AWS
|}

= Project Resources =
== OWASP Serverless Top 10 - First Released ==
The [https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf OWASP Top 10: Serverless Interpretation] is now available.

[https://github.com/OWASP/Serverless-Top-10-Project/ GitHub repository]

= Roadmap =
{{:Projects/OWASP_Serverless_Top_10_Project/Roadmap}}

= Get involved =

Get involved in <strong> OWASP Serverless Top 10</strong>!

You do not have to be a security expert or a programmer to contribute. Contact the Project Leader(s) to get involved, we welcome any type of suggestions and comments.

Possible ways to get contribute:
* We are actively looking for organizations and individuals that will provide vulnerability prevalence data.
* Translation efforts (later stages)
* Assisting in the development of related tools (e.g. DVSA)

Individuals and organizations that will contribute to the project will listed on the acknowledgments page.

Also, join our Slack Channel [https://join.slack.com/t/owasp/shared_invite/enQtNDI5MzgxMDQ2MTAwLTEyNzIzYWQ2NDZiMGIwNmJhYzYxZDJiNTM0ZmZiZmJlY2EwZmMwYjAyNmJjNzQxNzMyMWY4OTk3ZTQ0MzFhMDY '''#project-sls-top-10''']

GitHub [https://github.com/OWASP/Serverless-Top-10-Project/ project page]

=About=
<span style="color:#ff0000">
{{:OWASP_Serverless_Top_10_Project_About}}

__NOTOC__
<headertabs />

<br/>

[[Category:OWASP Project]]
[[Category:OWASP_Builders]]
[[Category:OWASP_Defenders]]
[[Category:OWASP_Document]]

OWASP Serverless Top 10 Project

2018-12-13T15:33:35Z

Tal Mel:

<div style="width:100%;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>
= Main =

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== OWASP Serverless Top 10 - First Released ==
The [https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf OWASP Top 10: Serverless Interpretation] is now available.

== Introduction ==

When adopting serverless technology, we eliminate the need to develop a server to manage our application. By doing so, we also pass some of the security threats to the infrastructure provider such as [https://aws.amazon.com/serverless/ AWS], [https://azure.microsoft.com/en-us/services/functions/ Azure] and [https://cloud.google.com/functions/ Google Cloud]. In addition to the many advantages of serverless application development, such as cost and scalability, some security aspects are also handed to our service provider. Serverless services run code without provisioning or managing servers and the code is executed only when needed.

However, even if these applications are running without a managed server, they still execute code. If this code is written in an insecure manner, it can still be vulnerable to application-level attacks.

The first report will examine the differences in attack vectors, security weaknesses, and the business impact of application attacks on in the serverless world, and, most importantly, the report will suggest ways to to prevent them. As we will be able to see in the report, attack and defense techniques are different from what we used to in the traditional application world.

After that, an open-call will be established to collect data in the wild and establishing the official Serverless Top 10 Report.

==Purpose==

OWASP Serverless Top 10 aims at educating practitioners and organizations about the consequences of the most common serverless application security vulnerabilities, as well as providing basic techniques to identify and protect against them.

== Licensing ==

The OWASP Serverless Top 10 is free to use. It is licensed under the [http://creativecommons.org/licenses/by-sa/4.0/ Creative Commons Attribution-ShareAlike 4.0 license] (CC BY-SA 4.0).

==Project Sponsors==
The OWASP Serverless Top 10 project is sponsored by

{{MemberLinks|link=https://www.protego.io|logo=Protego logo 300x75.png}} [[File:PureSec-Logo.png|frameless|link=https://www.puresec.io/]] [[File:Whitesource logo rgb-02.png|frameless|link=https://www.whitesourcesoftware.com/]]

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Quick Downloads ==
[https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf OWASP Top 10: Serverless Interpretation]

== Presentation ==
Soon!

== News & Events ==
* [1 Sep 2018]: Hello World!
* [18 Sep 2018]: Join our [https://join.slack.com/t/owasp/shared_invite/enQtNDI5MzgxMDQ2MTAwLTEyNzIzYWQ2NDZiMGIwNmJhYzYxZDJiNTM0ZmZiZmJlY2EwZmMwYjAyNmJjNzQxNzMyMWY4OTk3ZTQ0MzFhMDY Slack-channel] '''#project-sls-top-10'''.
* [22 Sep 2018]: Follow our [https://github.com/OWASP/Serverless-Top-10-Project/ Git Repo].
* [25 Oct 2018]: [https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf '''First Release!''']
* [2 Nov 2018]: [https://owasp.blogspot.com/2018/11/serverless-top-10-added-to-project.html Official Announcement]

== Project Leader ==
[[User:Tal Mel|Tal Melamed]]

[[Coming soon!]]

[[Coming soon!]]

== Related Projects ==
[[:Category:OWASP Top Ten Project|OWASP Top 10 Project]]

==Classifications==

{| width="300" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=Defenders]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Acknowledgments =
=== ===
{| role="presentation" class="mw-collapsible mw-collapsed"
|-
| '''<big>Report Reviewers </big>'''
|-
|Assaf Hefetz, Snyk
|-
|Erez Metula, AppSec Labs
|-
|Erez Yalon, Checkmarx
|-
|Frank M. Catucci, OWASP
|-
|Guy Bernhart-Magen, Intel
|-
|Hemed Gur Ary, OWASP
|-
|Jeff Williams, Contrast Security
|-
|Jim DelGrosso, Synopsys
|-
|Jochanan Sommerfeld, RDuck
|-
|Kobi Lechner, INFINIDAT
|-
|Limor Sylvie Kessem, IBM
|-
|Marcin Hoppe, Auth0
|-
|Mark Johnston, Google
|-
|Martin Knobloch, OWASP
|-
|Matthew Henderson, Microsoft
|-
|Matteo Meucci, Minded Security
|-
|Owen Pendlebury, OWASP
|-
|Paco Hope, AWS
|-
|Patrick Laverty, Rapid7
|-
|Rupack Ganguly, Serverless Inc.
|-
|Tanya Janca, Microsoft
|-
|Tash Norris, Capital One
|-
|Tom Brennan, IOActive
|-
|Yan Cui, DAZN
|-
|Youssef Elmalty, AWS
|}

= Project Resources =
== OWASP Serverless Top 10 - First Released ==
The [https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf OWASP Top 10: Serverless Interpretation] is now available.

[https://github.com/OWASP/Serverless-Top-10-Project/ GitHub repository]

= Roadmap =
{{:Projects/OWASP_Serverless_Top_10_Project/Roadmap}}

= Get involved =

Get involved in <strong> OWASP Serverless Top 10</strong>!

You do not have to be a security expert or a programmer to contribute. Contact the Project Leader(s) to get involved, we welcome any type of suggestions and comments.

Possible ways to get contribute:
* We are actively looking for organizations and individuals that will provide vulnerability prevalence data.
* Translation efforts (later stages)
* Assisting in the development of related tools (e.g. DVSA)

Individuals and organizations that will contribute to the project will listed on the acknowledgments page.

Also, join our Slack Channel [https://join.slack.com/t/owasp/shared_invite/enQtNDI5MzgxMDQ2MTAwLTEyNzIzYWQ2NDZiMGIwNmJhYzYxZDJiNTM0ZmZiZmJlY2EwZmMwYjAyNmJjNzQxNzMyMWY4OTk3ZTQ0MzFhMDY '''#project-sls-top-10''']

GitHub [https://github.com/OWASP/Serverless-Top-10-Project/ project page]

=About=
<span style="color:#ff0000">
{{:OWASP_Serverless_Top_10_Project_About}}

__NOTOC__
<headertabs />

<br/>

[[Category:OWASP Project]]
[[Category:OWASP_Builders]]
[[Category:OWASP_Defenders]]
[[Category:OWASP_Document]]

OWASP Serverless Top 10 Project

2018-12-13T15:32:40Z

Tal Mel:

<div style="width:100%;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>
= Main =

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== OWASP Serverless Top 10 - First Released ==
The [https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf OWASP Top 10: Serverless Interpretation] is now available.

== Introduction ==

When adopting serverless technology, we eliminate the need to develop a server to manage our application. By doing so, we also pass some of the security threats to the infrastructure provider such as [https://aws.amazon.com/serverless/ AWS], [https://azure.microsoft.com/en-us/services/functions/ Azure] and [https://cloud.google.com/functions/ Google Cloud]. In addition to the many advantages of serverless application development, such as cost and scalability, some security aspects are also handed to our service provider. Serverless services run code without provisioning or managing servers and the code is executed only when needed.

However, even if these applications are running without a managed server, they still execute code. If this code is written in an insecure manner, it can still be vulnerable to application-level attacks.

The first report will examine the differences in attack vectors, security weaknesses, and the business impact of application attacks on in the serverless world, and, most importantly, the report will suggest ways to to prevent them. As we will be able to see in the report, attack and defense techniques are different from what we used to in the traditional application world.

After that, an open-call will be established to collect data in the wild and establishing the official Serverless Top 10 Report.

==Purpose==

OWASP Serverless Top 10 aims at educating practitioners and organizations about the consequences of the most common serverless application security vulnerabilities, as well as providing basic techniques to identify and protect against them.

== Licensing ==

The OWASP Serverless Top 10 is free to use. It is licensed under the [http://creativecommons.org/licenses/by-sa/4.0/ Creative Commons Attribution-ShareAlike 4.0 license] (CC BY-SA 4.0).

==Project Sponsors==
The OWASP Serverless Top 10 project is sponsored by

{{MemberLinks|link=https://www.protego.io|logo=Protego logo 300x75.png}}

[[File:PureSec-Logo.png|frameless|link=https://www.puresec.io/]]

[[File:Whitesource logo rgb-02.png|frameless|link=https://www.whitesourcesoftware.com/]]

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Quick Downloads ==
[https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf OWASP Top 10: Serverless Interpretation]

== Presentation ==
Soon!

== News & Events ==
* [1 Sep 2018]: Hello World!
* [18 Sep 2018]: Join our [https://join.slack.com/t/owasp/shared_invite/enQtNDI5MzgxMDQ2MTAwLTEyNzIzYWQ2NDZiMGIwNmJhYzYxZDJiNTM0ZmZiZmJlY2EwZmMwYjAyNmJjNzQxNzMyMWY4OTk3ZTQ0MzFhMDY Slack-channel] '''#project-sls-top-10'''.
* [22 Sep 2018]: Follow our [https://github.com/OWASP/Serverless-Top-10-Project/ Git Repo].
* [25 Oct 2018]: [https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf '''First Release!''']
* [2 Nov 2018]: [https://owasp.blogspot.com/2018/11/serverless-top-10-added-to-project.html Official Announcement]

== Project Leader ==
[[User:Tal Mel|Tal Melamed]]

[[Coming soon!]]

[[Coming soon!]]

== Related Projects ==
[[:Category:OWASP Top Ten Project|OWASP Top 10 Project]]

==Classifications==

{| width="300" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=Defenders]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Acknowledgments =
=== ===
{| role="presentation" class="mw-collapsible mw-collapsed"
|-
| '''<big>Report Reviewers </big>'''
|-
|Assaf Hefetz, Snyk
|-
|Erez Metula, AppSec Labs
|-
|Erez Yalon, Checkmarx
|-
|Frank M. Catucci, OWASP
|-
|Guy Bernhart-Magen, Intel
|-
|Hemed Gur Ary, OWASP
|-
|Jeff Williams, Contrast Security
|-
|Jim DelGrosso, Synopsys
|-
|Jochanan Sommerfeld, RDuck
|-
|Kobi Lechner, INFINIDAT
|-
|Limor Sylvie Kessem, IBM
|-
|Marcin Hoppe, Auth0
|-
|Mark Johnston, Google
|-
|Martin Knobloch, OWASP
|-
|Matthew Henderson, Microsoft
|-
|Matteo Meucci, Minded Security
|-
|Owen Pendlebury, OWASP
|-
|Paco Hope, AWS
|-
|Patrick Laverty, Rapid7
|-
|Rupack Ganguly, Serverless Inc.
|-
|Tanya Janca, Microsoft
|-
|Tash Norris, Capital One
|-
|Tom Brennan, IOActive
|-
|Yan Cui, DAZN
|-
|Youssef Elmalty, AWS
|}

= Project Resources =
== OWASP Serverless Top 10 - First Released ==
The [https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf OWASP Top 10: Serverless Interpretation] is now available.

[https://github.com/OWASP/Serverless-Top-10-Project/ GitHub repository]

= Roadmap =
{{:Projects/OWASP_Serverless_Top_10_Project/Roadmap}}

= Get involved =

Get involved in <strong> OWASP Serverless Top 10</strong>!

You do not have to be a security expert or a programmer to contribute. Contact the Project Leader(s) to get involved, we welcome any type of suggestions and comments.

Possible ways to get contribute:
* We are actively looking for organizations and individuals that will provide vulnerability prevalence data.
* Translation efforts (later stages)
* Assisting in the development of related tools (e.g. DVSA)

Individuals and organizations that will contribute to the project will listed on the acknowledgments page.

Also, join our Slack Channel [https://join.slack.com/t/owasp/shared_invite/enQtNDI5MzgxMDQ2MTAwLTEyNzIzYWQ2NDZiMGIwNmJhYzYxZDJiNTM0ZmZiZmJlY2EwZmMwYjAyNmJjNzQxNzMyMWY4OTk3ZTQ0MzFhMDY '''#project-sls-top-10''']

GitHub [https://github.com/OWASP/Serverless-Top-10-Project/ project page]

=About=
<span style="color:#ff0000">
{{:OWASP_Serverless_Top_10_Project_About}}

__NOTOC__
<headertabs />

<br/>

[[Category:OWASP Project]]
[[Category:OWASP_Builders]]
[[Category:OWASP_Defenders]]
[[Category:OWASP_Document]]

OWASP Serverless Top 10 Project

2018-12-13T15:32:19Z

Tal Mel: whitesource

<div style="width:100%;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>
= Main =

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== OWASP Serverless Top 10 - First Released ==
The [https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf OWASP Top 10: Serverless Interpretation] is now available.

== Introduction ==

When adopting serverless technology, we eliminate the need to develop a server to manage our application. By doing so, we also pass some of the security threats to the infrastructure provider such as [https://aws.amazon.com/serverless/ AWS], [https://azure.microsoft.com/en-us/services/functions/ Azure] and [https://cloud.google.com/functions/ Google Cloud]. In addition to the many advantages of serverless application development, such as cost and scalability, some security aspects are also handed to our service provider. Serverless services run code without provisioning or managing servers and the code is executed only when needed.

However, even if these applications are running without a managed server, they still execute code. If this code is written in an insecure manner, it can still be vulnerable to application-level attacks.

The first report will examine the differences in attack vectors, security weaknesses, and the business impact of application attacks on in the serverless world, and, most importantly, the report will suggest ways to to prevent them. As we will be able to see in the report, attack and defense techniques are different from what we used to in the traditional application world.

After that, an open-call will be established to collect data in the wild and establishing the official Serverless Top 10 Report.

==Purpose==

OWASP Serverless Top 10 aims at educating practitioners and organizations about the consequences of the most common serverless application security vulnerabilities, as well as providing basic techniques to identify and protect against them.

== Licensing ==

The OWASP Serverless Top 10 is free to use. It is licensed under the [http://creativecommons.org/licenses/by-sa/4.0/ Creative Commons Attribution-ShareAlike 4.0 license] (CC BY-SA 4.0).

==Project Sponsors==
The OWASP Serverless Top 10 project is sponsored by

{{MemberLinks|link=https://www.protego.io|logo=Protego logo 300x75.png}}

[[File:PureSec-Logo.png|frameless|link=https://www.puresec.io/]]

[[File:Whitesource logo rgb-02.png|frameless|link=https://www.whitesourcesoftware.com/]

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Quick Downloads ==
[https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf OWASP Top 10: Serverless Interpretation]

== Presentation ==
Soon!

== News & Events ==
* [1 Sep 2018]: Hello World!
* [18 Sep 2018]: Join our [https://join.slack.com/t/owasp/shared_invite/enQtNDI5MzgxMDQ2MTAwLTEyNzIzYWQ2NDZiMGIwNmJhYzYxZDJiNTM0ZmZiZmJlY2EwZmMwYjAyNmJjNzQxNzMyMWY4OTk3ZTQ0MzFhMDY Slack-channel] '''#project-sls-top-10'''.
* [22 Sep 2018]: Follow our [https://github.com/OWASP/Serverless-Top-10-Project/ Git Repo].
* [25 Oct 2018]: [https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf '''First Release!''']
* [2 Nov 2018]: [https://owasp.blogspot.com/2018/11/serverless-top-10-added-to-project.html Official Announcement]

== Project Leader ==
[[User:Tal Mel|Tal Melamed]]

[[Coming soon!]]

[[Coming soon!]]

== Related Projects ==
[[:Category:OWASP Top Ten Project|OWASP Top 10 Project]]

==Classifications==

{| width="300" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=Defenders]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Acknowledgments =
=== ===
{| role="presentation" class="mw-collapsible mw-collapsed"
|-
| '''<big>Report Reviewers </big>'''
|-
|Assaf Hefetz, Snyk
|-
|Erez Metula, AppSec Labs
|-
|Erez Yalon, Checkmarx
|-
|Frank M. Catucci, OWASP
|-
|Guy Bernhart-Magen, Intel
|-
|Hemed Gur Ary, OWASP
|-
|Jeff Williams, Contrast Security
|-
|Jim DelGrosso, Synopsys
|-
|Jochanan Sommerfeld, RDuck
|-
|Kobi Lechner, INFINIDAT
|-
|Limor Sylvie Kessem, IBM
|-
|Marcin Hoppe, Auth0
|-
|Mark Johnston, Google
|-
|Martin Knobloch, OWASP
|-
|Matthew Henderson, Microsoft
|-
|Matteo Meucci, Minded Security
|-
|Owen Pendlebury, OWASP
|-
|Paco Hope, AWS
|-
|Patrick Laverty, Rapid7
|-
|Rupack Ganguly, Serverless Inc.
|-
|Tanya Janca, Microsoft
|-
|Tash Norris, Capital One
|-
|Tom Brennan, IOActive
|-
|Yan Cui, DAZN
|-
|Youssef Elmalty, AWS
|}

= Project Resources =
== OWASP Serverless Top 10 - First Released ==
The [https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf OWASP Top 10: Serverless Interpretation] is now available.

[https://github.com/OWASP/Serverless-Top-10-Project/ GitHub repository]

= Roadmap =
{{:Projects/OWASP_Serverless_Top_10_Project/Roadmap}}

= Get involved =

Get involved in <strong> OWASP Serverless Top 10</strong>!

You do not have to be a security expert or a programmer to contribute. Contact the Project Leader(s) to get involved, we welcome any type of suggestions and comments.

Possible ways to get contribute:
* We are actively looking for organizations and individuals that will provide vulnerability prevalence data.
* Translation efforts (later stages)
* Assisting in the development of related tools (e.g. DVSA)

Individuals and organizations that will contribute to the project will listed on the acknowledgments page.

Also, join our Slack Channel [https://join.slack.com/t/owasp/shared_invite/enQtNDI5MzgxMDQ2MTAwLTEyNzIzYWQ2NDZiMGIwNmJhYzYxZDJiNTM0ZmZiZmJlY2EwZmMwYjAyNmJjNzQxNzMyMWY4OTk3ZTQ0MzFhMDY '''#project-sls-top-10''']

GitHub [https://github.com/OWASP/Serverless-Top-10-Project/ project page]

=About=
<span style="color:#ff0000">
{{:OWASP_Serverless_Top_10_Project_About}}

__NOTOC__
<headertabs />

<br/>

[[Category:OWASP Project]]
[[Category:OWASP_Builders]]
[[Category:OWASP_Defenders]]
[[Category:OWASP_Document]]

File:Whitesource logo rgb-02.png

2018-12-13T15:31:15Z

Tal Mel:

WhiteSource logo

OWASP Serverless Top 10 Project

2018-11-19T15:25:03Z

Tal Mel:

<div style="width:100%;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>
= Main =

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== OWASP Serverless Top 10 - First Released ==
The [https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf OWASP Top 10: Serverless Interpretation] is now available.

== Introduction ==

When adopting serverless technology, we eliminate the need to develop a server to manage our application. By doing so, we also pass some of the security threats to the infrastructure provider such as [https://aws.amazon.com/serverless/ AWS], [https://azure.microsoft.com/en-us/services/functions/ Azure] and [https://cloud.google.com/functions/ Google Cloud]. In addition to the many advantages of serverless application development, such as cost and scalability, some security aspects are also handed to our service provider. Serverless services run code without provisioning or managing servers and the code is executed only when needed.

However, even if these applications are running without a managed server, they still execute code. If this code is written in an insecure manner, it can still be vulnerable to application-level attacks.

The first report will examine the differences in attack vectors, security weaknesses, and the business impact of application attacks on in the serverless world, and, most importantly, the report will suggest ways to to prevent them. As we will be able to see in the report, attack and defense techniques are different from what we used to in the traditional application world.

After that, an open-call will be established to collect data in the wild and establishing the official Serverless Top 10 Report.

==Purpose==

OWASP Serverless Top 10 aims at educating practitioners and organizations about the consequences of the most common serverless application security vulnerabilities, as well as providing basic techniques to identify and protect against them.

== Licensing ==

The OWASP Serverless Top 10 is free to use. It is licensed under the [http://creativecommons.org/licenses/by-sa/4.0/ Creative Commons Attribution-ShareAlike 4.0 license] (CC BY-SA 4.0).

==Project Sponsors==
The OWASP Serverless Top 10 project is sponsored by

{{MemberLinks|link=https://www.protego.io|logo=Protego logo 300x75.png}}

and

[[File:PureSec-Logo.png|frameless|link=https://www.puresec.io/]]

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Quick Downloads ==
[https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf OWASP Top 10: Serverless Interpretation]

== Presentation ==
Soon!

== News & Events ==
* [1 Sep 2018]: Hello World!
* [18 Sep 2018]: Join our [https://join.slack.com/t/owasp/shared_invite/enQtNDI5MzgxMDQ2MTAwLTEyNzIzYWQ2NDZiMGIwNmJhYzYxZDJiNTM0ZmZiZmJlY2EwZmMwYjAyNmJjNzQxNzMyMWY4OTk3ZTQ0MzFhMDY Slack-channel] '''#project-sls-top-10'''.
* [22 Sep 2018]: Follow our [https://github.com/OWASP/Serverless-Top-10-Project/ Git Repo].
* [25 Oct 2018]: [https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf '''First Release!''']
* [2 Nov 2018]: [https://owasp.blogspot.com/2018/11/serverless-top-10-added-to-project.html Official Announcement]

== Project Leader ==
[[User:Tal Mel|Tal Melamed]]

[[Coming soon!]]

[[Coming soon!]]

== Related Projects ==
[[:Category:OWASP Top Ten Project|OWASP Top 10 Project]]

==Classifications==

{| width="300" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=Defenders]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Acknowledgments =
=== ===
{| role="presentation" class="mw-collapsible mw-collapsed"
|-
| '''<big>Report Reviewers </big>'''
|-
|Assaf Hefetz, Snyk
|-
|Erez Metula, AppSec Labs
|-
|Erez Yalon, Checkmarx
|-
|Frank M. Catucci, OWASP
|-
|Guy Bernhart-Magen, Intel
|-
|Hemed Gur Ary, OWASP
|-
|Jeff Williams, Contrast Security
|-
|Jim DelGrosso, Synopsys
|-
|Jochanan Sommerfeld, RDuck
|-
|Kobi Lechner, INFINIDAT
|-
|Limor Sylvie Kessem, IBM
|-
|Marcin Hoppe, Auth0
|-
|Mark Johnston, Google
|-
|Martin Knobloch, OWASP
|-
|Matthew Henderson, Microsoft
|-
|Matteo Meucci, Minded Security
|-
|Owen Pendlebury, OWASP
|-
|Paco Hope, AWS
|-
|Patrick Laverty, Rapid7
|-
|Rupack Ganguly, Serverless Inc.
|-
|Tanya Janca, Microsoft
|-
|Tash Norris, Capital One
|-
|Tom Brennan, IOActive
|-
|Yan Cui, DAZN
|-
|Youssef Elmalty, AWS
|}

= Project Resources =
== OWASP Serverless Top 10 - First Released ==
The [https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf OWASP Top 10: Serverless Interpretation] is now available.

[https://github.com/OWASP/Serverless-Top-10-Project/ GitHub repository]

= Roadmap =
{{:Projects/OWASP_Serverless_Top_10_Project/Roadmap}}

= Get involved =

Get involved in <strong> OWASP Serverless Top 10</strong>!

You do not have to be a security expert or a programmer to contribute. Contact the Project Leader(s) to get involved, we welcome any type of suggestions and comments.

Possible ways to get contribute:
* We are actively looking for organizations and individuals that will provide vulnerability prevalence data.
* Translation efforts (later stages)
* Assisting in the development of related tools (e.g. DVSA)

Individuals and organizations that will contribute to the project will listed on the acknowledgments page.

Also, join our Slack Channel [https://join.slack.com/t/owasp/shared_invite/enQtNDI5MzgxMDQ2MTAwLTEyNzIzYWQ2NDZiMGIwNmJhYzYxZDJiNTM0ZmZiZmJlY2EwZmMwYjAyNmJjNzQxNzMyMWY4OTk3ZTQ0MzFhMDY '''#project-sls-top-10''']

GitHub [https://github.com/OWASP/Serverless-Top-10-Project/ project page]

=About=
<span style="color:#ff0000">
{{:OWASP_Serverless_Top_10_Project_About}}

__NOTOC__
<headertabs />

<br/>

[[Category:OWASP Project]]
[[Category:OWASP_Builders]]
[[Category:OWASP_Defenders]]
[[Category:OWASP_Document]]

OWASP Serverless Top 10 Project

2018-11-19T15:24:08Z

Tal Mel:

<div style="width:100%;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>
= Main =

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== OWASP Serverless Top 10 - First Released ==
The [https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf OWASP Top 10: Serverless Interpretation] is now available.

== Introduction ==

When adopting serverless technology, we eliminate the need to develop a server to manage our application. By doing so, we also pass some of the security threats to the infrastructure provider such as [https://aws.amazon.com/serverless/ AWS], [https://azure.microsoft.com/en-us/services/functions/ Azure] and [https://cloud.google.com/functions/ Google Cloud]. In addition to the many advantages of serverless application development, such as cost and scalability, some security aspects are also handed to our service provider. Serverless services run code without provisioning or managing servers and the code is executed only when needed.

However, even if these applications are running without a managed server, they still execute code. If this code is written in an insecure manner, it can still be vulnerable to application-level attacks.

The first report will examine the differences in attack vectors, security weaknesses, and the business impact of application attacks on in the serverless world, and, most importantly, the report will suggest ways to to prevent them. As we will be able to see in the report, attack and defense techniques are different from what we used to in the traditional application world.

After that, an open-call will be established to collect data in the wild and establishing the official Serverless Top 10 Report.

==Purpose==

OWASP Serverless Top 10 aims at educating practitioners and organizations about the consequences of the most common serverless application security vulnerabilities, as well as providing basic techniques to identify and protect against them.

== Licensing ==

The OWASP Serverless Top 10 is free to use. It is licensed under the [http://creativecommons.org/licenses/by-sa/4.0/ Creative Commons Attribution-ShareAlike 4.0 license] (CC BY-SA 4.0).

==Project Sponsors==
The OWASP Serverless Top 10 project is sponsored by

{{MemberLinks|link=https://www.protego.io|logo=Protego logo 300x75.png}}

and

[[File:PureSec-Logo.png|frameless|link=https://www.puresec.io/]]

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Quick Downloads ==
[https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf OWASP Top 10: Serverless Interpretation]

== Presentation ==
Soon!

== News & Events ==
* [1 Sep 2018]: Hello World!
* [18 Sep 2018]: Join our [https://join.slack.com/t/owasp/shared_invite/enQtNDI5MzgxMDQ2MTAwLTEyNzIzYWQ2NDZiMGIwNmJhYzYxZDJiNTM0ZmZiZmJlY2EwZmMwYjAyNmJjNzQxNzMyMWY4OTk3ZTQ0MzFhMDY Slack-channel] '''#project-sls-top-10'''.
* [22 Sep 2018]: Follow our [https://github.com/OWASP/Serverless-Top-10-Project/ Git Repo].
* [25 Oct 2018]: [https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf '''First Release!''']
* [2 Nov 2018]: [https://owasp.blogspot.com/2018/11/serverless-top-10-added-to-project.html Official Announcement]

== Project Leader ==
[[User:Tal Mel|Tal Melamed]]

[[Coming soon!]]

[[Coming soon!]]

== Related Projects ==
[[:Category:OWASP Top Ten Project|OWASP Top 10 Project]]

==Classifications==

{| width="300" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=Defenders]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Acknowledgments =

{| role="presentation" class="mw-collapsible"
|-
| '''<big>Report Reviewers </big>'''
|-
|Assaf Hefetz, Snyk
|-
|Erez Metula, AppSec Labs
|-
|Erez Yalon, Checkmarx
|-
|Frank M. Catucci, OWASP
|-
|Guy Bernhart-Magen, Intel
|-
|Hemed Gur Ary, OWASP
|-
|Jeff Williams, Contrast Security
|-
|Jim DelGrosso, Synopsys
|-
|Jochanan Sommerfeld, RDuck
|-
|Kobi Lechner, INFINIDAT
|-
|Limor Sylvie Kessem, IBM
|-
|Marcin Hoppe, Auth0
|-
|Mark Johnston, Google
|-
|Martin Knobloch, OWASP
|-
|Matthew Henderson, Microsoft
|-
|Matteo Meucci, Minded Security
|-
|Owen Pendlebury, OWASP
|-
|Paco Hope, AWS
|-
|Patrick Laverty, Rapid7
|-
|Rupack Ganguly, Serverless Inc.
|-
|Tanya Janca, Microsoft
|-
|Tash Norris, Capital One
|-
|Tom Brennan, IOActive
|-
|Yan Cui, DAZN
|-
|Youssef Elmalty, AWS
|}

= Project Resources =
== OWASP Serverless Top 10 - First Released ==
The [https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf OWASP Top 10: Serverless Interpretation] is now available.

[https://github.com/OWASP/Serverless-Top-10-Project/ GitHub repository]

= Roadmap =
{{:Projects/OWASP_Serverless_Top_10_Project/Roadmap}}

= Get involved =

Get involved in <strong> OWASP Serverless Top 10</strong>!

You do not have to be a security expert or a programmer to contribute. Contact the Project Leader(s) to get involved, we welcome any type of suggestions and comments.

Possible ways to get contribute:
* We are actively looking for organizations and individuals that will provide vulnerability prevalence data.
* Translation efforts (later stages)
* Assisting in the development of related tools (e.g. DVSA)

Individuals and organizations that will contribute to the project will listed on the acknowledgments page.

Also, join our Slack Channel [https://join.slack.com/t/owasp/shared_invite/enQtNDI5MzgxMDQ2MTAwLTEyNzIzYWQ2NDZiMGIwNmJhYzYxZDJiNTM0ZmZiZmJlY2EwZmMwYjAyNmJjNzQxNzMyMWY4OTk3ZTQ0MzFhMDY '''#project-sls-top-10''']

GitHub [https://github.com/OWASP/Serverless-Top-10-Project/ project page]

=About=
<span style="color:#ff0000">
{{:OWASP_Serverless_Top_10_Project_About}}

__NOTOC__
<headertabs />

<br/>

[[Category:OWASP Project]]
[[Category:OWASP_Builders]]
[[Category:OWASP_Defenders]]
[[Category:OWASP_Document]]

OWASP Serverless Top 10 Project

2018-11-19T15:10:04Z

Tal Mel:

<div style="width:100%;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>
= Main =

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== OWASP Serverless Top 10 - First Released ==
The [https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf OWASP Top 10: Serverless Interpretation] is now available.

== Introduction ==

When adopting serverless technology, we eliminate the need to develop a server to manage our application. By doing so, we also pass some of the security threats to the infrastructure provider such as [https://aws.amazon.com/serverless/ AWS], [https://azure.microsoft.com/en-us/services/functions/ Azure] and [https://cloud.google.com/functions/ Google Cloud]. In addition to the many advantages of serverless application development, such as cost and scalability, some security aspects are also handed to our service provider. Serverless services run code without provisioning or managing servers and the code is executed only when needed.

However, even if these applications are running without a managed server, they still execute code. If this code is written in an insecure manner, it can still be vulnerable to application-level attacks.

The first report will examine the differences in attack vectors, security weaknesses, and the business impact of application attacks on in the serverless world, and, most importantly, the report will suggest ways to to prevent them. As we will be able to see in the report, attack and defense techniques are different from what we used to in the traditional application world.

After that, an open-call will be established to collect data in the wild and establishing the official Serverless Top 10 Report.

==Purpose==

OWASP Serverless Top 10 aims at educating practitioners and organizations about the consequences of the most common serverless application security vulnerabilities, as well as providing basic techniques to identify and protect against them.

== Licensing ==

The OWASP Serverless Top 10 is free to use. It is licensed under the [http://creativecommons.org/licenses/by-sa/4.0/ Creative Commons Attribution-ShareAlike 4.0 license] (CC BY-SA 4.0).

==Project Sponsors==
The OWASP Serverless Top 10 project is sponsored by

{{MemberLinks|link=https://www.protego.io|logo=Protego logo 300x75.png}}

and

[[File:PureSec-Logo.png|frameless|link=https://www.puresec.io/]]

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Quick Downloads ==
[https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf OWASP Top 10: Serverless Interpretation]

== Presentation ==
Soon!

== News & Events ==
* [1 Sep 2018]: Hello World!
* [18 Sep 2018]: Join our [https://join.slack.com/t/owasp/shared_invite/enQtNDI5MzgxMDQ2MTAwLTEyNzIzYWQ2NDZiMGIwNmJhYzYxZDJiNTM0ZmZiZmJlY2EwZmMwYjAyNmJjNzQxNzMyMWY4OTk3ZTQ0MzFhMDY Slack-channel] '''#project-sls-top-10'''.
* [22 Sep 2018]: Follow our [https://github.com/OWASP/Serverless-Top-10-Project/ Git Repo].
* [25 Oct 2018]: [https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf '''First Release!''']
* [2 Nov 2018]: [https://owasp.blogspot.com/2018/11/serverless-top-10-added-to-project.html Official Announcement]

== Project Leader ==
[[User:Tal Mel|Tal Melamed]]

[[Coming soon!]]

[[Coming soon!]]

== Related Projects ==
[[:Category:OWASP Top Ten Project|OWASP Top 10 Project]]

==Classifications==

{| width="300" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=Defenders]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Acknowledgments =

=== Report Reviewers ===
<small>Assaf Hefetz, Snyk

Erez Metula, AppSec Labs

Erez Yalon, Checkmarx

Frank M. Catucci, OWASP

Guy Bernhart-Magen, Intel

Hemed Gur Ary, OWASP

Jeff Williams, Contrast Security

Jim DelGrosso, Synopsys

Jochanan Sommerfeld, RDuck

Kobi Lechner, INFINIDAT

Limor Sylvie Kessem, IBM

Marcin Hoppe, Auth0

Mark Johnston, Google

Martin Knobloch, OWASP

Matthew Henderson, Microsoft

Matteo Meucci, Minded Security

Owen Pendlebury, OWASP

Paco Hope, AWS

Patrick Laverty, Rapid7

Rupack Ganguly, Serverless Inc.

Tanya Janca, Microsoft

Tash Norris, Capital One

Tom Brennan, IOActive

Yan Cui, DAZN

Youssef Elmalty, AWS</small>

= Project Resources =
== OWASP Serverless Top 10 - First Released ==
The [https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf OWASP Top 10: Serverless Interpretation] is now available.

[https://github.com/OWASP/Serverless-Top-10-Project/ GitHub repository]

= Roadmap =
{{:Projects/OWASP_Serverless_Top_10_Project/Roadmap}}

= Get involved =

Get involved in <strong> OWASP Serverless Top 10</strong>!

You do not have to be a security expert or a programmer to contribute. Contact the Project Leader(s) to get involved, we welcome any type of suggestions and comments.

Possible ways to get contribute:
* We are actively looking for organizations and individuals that will provide vulnerability prevalence data.
* Translation efforts (later stages)
* Assisting in the development of related tools (e.g. DVSA)

Individuals and organizations that will contribute to the project will listed on the acknowledgments page.

Also, join our Slack Channel [https://join.slack.com/t/owasp/shared_invite/enQtNDI5MzgxMDQ2MTAwLTEyNzIzYWQ2NDZiMGIwNmJhYzYxZDJiNTM0ZmZiZmJlY2EwZmMwYjAyNmJjNzQxNzMyMWY4OTk3ZTQ0MzFhMDY '''#project-sls-top-10''']

GitHub [https://github.com/OWASP/Serverless-Top-10-Project/ project page]

=About=
<span style="color:#ff0000">
{{:OWASP_Serverless_Top_10_Project_About}}

__NOTOC__
<headertabs />

<br/>

[[Category:OWASP Project]]
[[Category:OWASP_Builders]]
[[Category:OWASP_Defenders]]
[[Category:OWASP_Document]]

OWASP Serverless Top 10 Project

2018-11-19T15:09:54Z

Tal Mel:

<div style="width:100%;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>
= Main =

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== OWASP Serverless Top 10 - First Released ==
The [https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf OWASP Top 10: Serverless Interpretation] is now available.

== Introduction ==

When adopting serverless technology, we eliminate the need to develop a server to manage our application. By doing so, we also pass some of the security threats to the infrastructure provider such as [https://aws.amazon.com/serverless/ AWS], [https://azure.microsoft.com/en-us/services/functions/ Azure] and [https://cloud.google.com/functions/ Google Cloud]. In addition to the many advantages of serverless application development, such as cost and scalability, some security aspects are also handed to our service provider. Serverless services run code without provisioning or managing servers and the code is executed only when needed.

However, even if these applications are running without a managed server, they still execute code. If this code is written in an insecure manner, it can still be vulnerable to application-level attacks.

The first report will examine the differences in attack vectors, security weaknesses, and the business impact of application attacks on in the serverless world, and, most importantly, the report will suggest ways to to prevent them. As we will be able to see in the report, attack and defense techniques are different from what we used to in the traditional application world.

After that, an open-call will be established to collect data in the wild and establishing the official Serverless Top 10 Report.

==Purpose==

OWASP Serverless Top 10 aims at educating practitioners and organizations about the consequences of the most common serverless application security vulnerabilities, as well as providing basic techniques to identify and protect against them.

== Licensing ==

The OWASP Serverless Top 10 is free to use. It is licensed under the [http://creativecommons.org/licenses/by-sa/4.0/ Creative Commons Attribution-ShareAlike 4.0 license] (CC BY-SA 4.0).

==Project Sponsors==
The OWASP Serverless Top 10 project is sponsored by

{{MemberLinks|link=https://www.protego.io|logo=Protego logo 300x75.png}}

and

[[File:PureSec-Logo.png|frameless|link=https://www.puresec.io/]]

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Quick Downloads ==
[https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf OWASP Top 10: Serverless Interpretation]

== Presentation ==
Soon!

== News & Events ==
* [1 Sep 2018]: Hello World!
* [18 Sep 2018]: Join our [https://join.slack.com/t/owasp/shared_invite/enQtNDI5MzgxMDQ2MTAwLTEyNzIzYWQ2NDZiMGIwNmJhYzYxZDJiNTM0ZmZiZmJlY2EwZmMwYjAyNmJjNzQxNzMyMWY4OTk3ZTQ0MzFhMDY Slack-channel] '''#project-sls-top-10'''.
* [22 Sep 2018]: Follow our [https://github.com/OWASP/Serverless-Top-10-Project/ Git Repo].
* [25 Oct 2018]: [https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf '''First Release!''']
* [2 Nov 2018]: [https://owasp.blogspot.com/2018/11/serverless-top-10-added-to-project.html Official Announcement]

== Project Leader ==
[[User:Tal Mel|Tal Melamed]]

[[Coming soon!]]

[[Coming soon!]]

== Related Projects ==
[[:Category:OWASP Top Ten Project|OWASP Top 10 Project]]

==Classifications==

{| width="300" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=Defenders]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Acknowledgments =

=== Report Reviewers ===
<details>
<summary>Your header here! (Click to expand)</summary>
Your content here...</br>
(markup only where supported)</br>
more content here...</br>
</details>

<small>Assaf Hefetz, Snyk

Erez Metula, AppSec Labs

Erez Yalon, Checkmarx

Frank M. Catucci, OWASP

Guy Bernhart-Magen, Intel

Hemed Gur Ary, OWASP

Jeff Williams, Contrast Security

Jim DelGrosso, Synopsys

Jochanan Sommerfeld, RDuck

Kobi Lechner, INFINIDAT

Limor Sylvie Kessem, IBM

Marcin Hoppe, Auth0

Mark Johnston, Google

Martin Knobloch, OWASP

Matthew Henderson, Microsoft

Matteo Meucci, Minded Security

Owen Pendlebury, OWASP

Paco Hope, AWS

Patrick Laverty, Rapid7

Rupack Ganguly, Serverless Inc.

Tanya Janca, Microsoft

Tash Norris, Capital One

Tom Brennan, IOActive

Yan Cui, DAZN

Youssef Elmalty, AWS</small>

= Project Resources =
== OWASP Serverless Top 10 - First Released ==
The [https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf OWASP Top 10: Serverless Interpretation] is now available.

[https://github.com/OWASP/Serverless-Top-10-Project/ GitHub repository]

= Roadmap =
{{:Projects/OWASP_Serverless_Top_10_Project/Roadmap}}

= Get involved =

Get involved in <strong> OWASP Serverless Top 10</strong>!

You do not have to be a security expert or a programmer to contribute. Contact the Project Leader(s) to get involved, we welcome any type of suggestions and comments.

Possible ways to get contribute:
* We are actively looking for organizations and individuals that will provide vulnerability prevalence data.
* Translation efforts (later stages)
* Assisting in the development of related tools (e.g. DVSA)

Individuals and organizations that will contribute to the project will listed on the acknowledgments page.

Also, join our Slack Channel [https://join.slack.com/t/owasp/shared_invite/enQtNDI5MzgxMDQ2MTAwLTEyNzIzYWQ2NDZiMGIwNmJhYzYxZDJiNTM0ZmZiZmJlY2EwZmMwYjAyNmJjNzQxNzMyMWY4OTk3ZTQ0MzFhMDY '''#project-sls-top-10''']

GitHub [https://github.com/OWASP/Serverless-Top-10-Project/ project page]

=About=
<span style="color:#ff0000">
{{:OWASP_Serverless_Top_10_Project_About}}

__NOTOC__
<headertabs />

<br/>

[[Category:OWASP Project]]
[[Category:OWASP_Builders]]
[[Category:OWASP_Defenders]]
[[Category:OWASP_Document]]

OWASP Serverless Top 10 Project

2018-11-19T15:08:19Z

Tal Mel:

<div style="width:100%;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>
= Main =

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== OWASP Serverless Top 10 - First Released ==
The [https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf OWASP Top 10: Serverless Interpretation] is now available.

== Introduction ==

When adopting serverless technology, we eliminate the need to develop a server to manage our application. By doing so, we also pass some of the security threats to the infrastructure provider such as [https://aws.amazon.com/serverless/ AWS], [https://azure.microsoft.com/en-us/services/functions/ Azure] and [https://cloud.google.com/functions/ Google Cloud]. In addition to the many advantages of serverless application development, such as cost and scalability, some security aspects are also handed to our service provider. Serverless services run code without provisioning or managing servers and the code is executed only when needed.

However, even if these applications are running without a managed server, they still execute code. If this code is written in an insecure manner, it can still be vulnerable to application-level attacks.

The first report will examine the differences in attack vectors, security weaknesses, and the business impact of application attacks on in the serverless world, and, most importantly, the report will suggest ways to to prevent them. As we will be able to see in the report, attack and defense techniques are different from what we used to in the traditional application world.

After that, an open-call will be established to collect data in the wild and establishing the official Serverless Top 10 Report.

==Purpose==

OWASP Serverless Top 10 aims at educating practitioners and organizations about the consequences of the most common serverless application security vulnerabilities, as well as providing basic techniques to identify and protect against them.

== Licensing ==

The OWASP Serverless Top 10 is free to use. It is licensed under the [http://creativecommons.org/licenses/by-sa/4.0/ Creative Commons Attribution-ShareAlike 4.0 license] (CC BY-SA 4.0).

==Project Sponsors==
The OWASP Serverless Top 10 project is sponsored by

{{MemberLinks|link=https://www.protego.io|logo=Protego logo 300x75.png}}

and

[[File:PureSec-Logo.png|frameless|link=https://www.puresec.io/]]

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Quick Downloads ==
[https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf OWASP Top 10: Serverless Interpretation]

== Presentation ==
Soon!

== News & Events ==
* [1 Sep 2018]: Hello World!
* [18 Sep 2018]: Join our [https://join.slack.com/t/owasp/shared_invite/enQtNDI5MzgxMDQ2MTAwLTEyNzIzYWQ2NDZiMGIwNmJhYzYxZDJiNTM0ZmZiZmJlY2EwZmMwYjAyNmJjNzQxNzMyMWY4OTk3ZTQ0MzFhMDY Slack-channel] '''#project-sls-top-10'''.
* [22 Sep 2018]: Follow our [https://github.com/OWASP/Serverless-Top-10-Project/ Git Repo].
* [25 Oct 2018]: [https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf '''First Release!''']
* [2 Nov 2018]: [https://owasp.blogspot.com/2018/11/serverless-top-10-added-to-project.html Official Announcement]

== Project Leader ==
[[User:Tal Mel|Tal Melamed]]

[[Coming soon!]]

[[Coming soon!]]

== Related Projects ==
[[:Category:OWASP Top Ten Project|OWASP Top 10 Project]]

==Classifications==

{| width="300" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=Defenders]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Acknowledgments =

=== Report Reviewers ===
<small>Assaf Hefetz, Snyk

Erez Metula, AppSec Labs

Erez Yalon, Checkmarx

Frank M. Catucci, OWASP

Guy Bernhart-Magen, Intel

Hemed Gur Ary, OWASP

Jeff Williams, Contrast Security

Jim DelGrosso, Synopsys

Jochanan Sommerfeld, RDuck

Kobi Lechner, INFINIDAT

Limor Sylvie Kessem, IBM

Marcin Hoppe, Auth0

Mark Johnston, Google

Martin Knobloch, OWASP

Matthew Henderson, Microsoft

Matteo Meucci, Minded Security

Owen Pendlebury, OWASP

Paco Hope, AWS

Patrick Laverty, Rapid7

Rupack Ganguly, Serverless Inc.

Tanya Janca, Microsoft

Tash Norris, Capital One

Tom Brennan, IOActive

Yan Cui, DAZN

Youssef Elmalty, AWS</small>

= Project Resources =
== OWASP Serverless Top 10 - First Released ==
The [https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf OWASP Top 10: Serverless Interpretation] is now available.

[https://github.com/OWASP/Serverless-Top-10-Project/ GitHub repository]

= Roadmap =
{{:Projects/OWASP_Serverless_Top_10_Project/Roadmap}}

= Get involved =

Get involved in <strong> OWASP Serverless Top 10</strong>!

You do not have to be a security expert or a programmer to contribute. Contact the Project Leader(s) to get involved, we welcome any type of suggestions and comments.

Possible ways to get contribute:
* We are actively looking for organizations and individuals that will provide vulnerability prevalence data.
* Translation efforts (later stages)
* Assisting in the development of related tools (e.g. DVSA)

Individuals and organizations that will contribute to the project will listed on the acknowledgments page.

Also, join our Slack Channel [https://join.slack.com/t/owasp/shared_invite/enQtNDI5MzgxMDQ2MTAwLTEyNzIzYWQ2NDZiMGIwNmJhYzYxZDJiNTM0ZmZiZmJlY2EwZmMwYjAyNmJjNzQxNzMyMWY4OTk3ZTQ0MzFhMDY '''#project-sls-top-10''']

GitHub [https://github.com/OWASP/Serverless-Top-10-Project/ project page]

=About=
<span style="color:#ff0000">
{{:OWASP_Serverless_Top_10_Project_About}}

__NOTOC__
<headertabs />

<br/>

[[Category:OWASP Project]]
[[Category:OWASP_Builders]]
[[Category:OWASP_Defenders]]
[[Category:OWASP_Document]]

OWASP Serverless Top 10 Project

2018-11-19T15:07:34Z

Tal Mel:

<div style="width:100%;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>
= Main =

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== OWASP Serverless Top 10 - First Released ==
The [https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf OWASP Top 10: Serverless Interpretation] is now available.

== Introduction ==

When adopting serverless technology, we eliminate the need to develop a server to manage our application. By doing so, we also pass some of the security threats to the infrastructure provider such as [https://aws.amazon.com/serverless/ AWS], [https://azure.microsoft.com/en-us/services/functions/ Azure] and [https://cloud.google.com/functions/ Google Cloud]. In addition to the many advantages of serverless application development, such as cost and scalability, some security aspects are also handed to our service provider. Serverless services run code without provisioning or managing servers and the code is executed only when needed.

However, even if these applications are running without a managed server, they still execute code. If this code is written in an insecure manner, it can still be vulnerable to application-level attacks.

The first report will examine the differences in attack vectors, security weaknesses, and the business impact of application attacks on in the serverless world, and, most importantly, the report will suggest ways to to prevent them. As we will be able to see in the report, attack and defense techniques are different from what we used to in the traditional application world.

After that, an open-call will be established to collect data in the wild and establishing the official Serverless Top 10 Report.

==Purpose==

OWASP Serverless Top 10 aims at educating practitioners and organizations about the consequences of the most common serverless application security vulnerabilities, as well as providing basic techniques to identify and protect against them.

== Licensing ==

The OWASP Serverless Top 10 is free to use. It is licensed under the [http://creativecommons.org/licenses/by-sa/4.0/ Creative Commons Attribution-ShareAlike 4.0 license] (CC BY-SA 4.0).

==Project Sponsors==
The OWASP Serverless Top 10 project is sponsored by

{{MemberLinks|link=https://www.protego.io|logo=Protego logo 300x75.png}}

and

[[File:PureSec-Logo.png|frameless|link=https://www.puresec.io/]]

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Quick Downloads ==
[https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf OWASP Top 10: Serverless Interpretation]

== Presentation ==
Soon!

== News & Events ==
* [1 Sep 2018]: Hello World!
* [18 Sep 2018]: Join our [https://join.slack.com/t/owasp/shared_invite/enQtNDI5MzgxMDQ2MTAwLTEyNzIzYWQ2NDZiMGIwNmJhYzYxZDJiNTM0ZmZiZmJlY2EwZmMwYjAyNmJjNzQxNzMyMWY4OTk3ZTQ0MzFhMDY Slack-channel] '''#project-sls-top-10'''.
* [22 Sep 2018]: Follow our [https://github.com/OWASP/Serverless-Top-10-Project/ Git Repo].
* [25 Oct 2018]: [https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf '''First Release!''']
* [2 Nov 2018]: [https://owasp.blogspot.com/2018/11/serverless-top-10-added-to-project.html Official Announcement]

== Project Leader ==
[[User:Tal Mel|Tal Melamed]]

[[Coming soon!]]

[[Coming soon!]]

== Related Projects ==
[[:Category:OWASP Top Ten Project|OWASP Top 10 Project]]

==Classifications==

{| width="300" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=Defenders]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Acknowledgments =

<details><summary>CLICK ME</summary>
<p>

#### yes, even hidden code blocks!

```python
print("hello world!")
```

</p>
</details>
<small>Assaf Hefetz, Snyk

Erez Metula, AppSec Labs

Erez Yalon, Checkmarx

Frank M. Catucci, OWASP

Guy Bernhart-Magen, Intel

Hemed Gur Ary, OWASP

Jeff Williams, Contrast Security

Jim DelGrosso, Synopsys

Jochanan Sommerfeld, RDuck

Kobi Lechner, INFINIDAT

Limor Sylvie Kessem, IBM

Marcin Hoppe, Auth0

Mark Johnston, Google

Martin Knobloch, OWASP

Matthew Henderson, Microsoft

Matteo Meucci, Minded Security

Owen Pendlebury, OWASP

Paco Hope, AWS

Patrick Laverty, Rapid7

Rupack Ganguly, Serverless Inc.

Tanya Janca, Microsoft

Tash Norris, Capital One

Tom Brennan, IOActive

Yan Cui, DAZN

Youssef Elmalty, AWS</small>

= Project Resources =
== OWASP Serverless Top 10 - First Released ==
The [https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf OWASP Top 10: Serverless Interpretation] is now available.

[https://github.com/OWASP/Serverless-Top-10-Project/ GitHub repository]

= Roadmap =
{{:Projects/OWASP_Serverless_Top_10_Project/Roadmap}}

= Get involved =

Get involved in <strong> OWASP Serverless Top 10</strong>!

You do not have to be a security expert or a programmer to contribute. Contact the Project Leader(s) to get involved, we welcome any type of suggestions and comments.

Possible ways to get contribute:
* We are actively looking for organizations and individuals that will provide vulnerability prevalence data.
* Translation efforts (later stages)
* Assisting in the development of related tools (e.g. DVSA)

Individuals and organizations that will contribute to the project will listed on the acknowledgments page.

Also, join our Slack Channel [https://join.slack.com/t/owasp/shared_invite/enQtNDI5MzgxMDQ2MTAwLTEyNzIzYWQ2NDZiMGIwNmJhYzYxZDJiNTM0ZmZiZmJlY2EwZmMwYjAyNmJjNzQxNzMyMWY4OTk3ZTQ0MzFhMDY '''#project-sls-top-10''']

GitHub [https://github.com/OWASP/Serverless-Top-10-Project/ project page]

=About=
<span style="color:#ff0000">
{{:OWASP_Serverless_Top_10_Project_About}}

__NOTOC__
<headertabs />

<br/>

[[Category:OWASP Project]]
[[Category:OWASP_Builders]]
[[Category:OWASP_Defenders]]
[[Category:OWASP_Document]]

OWASP Serverless Top 10 Project

2018-11-19T15:04:37Z

Tal Mel:

<div style="width:100%;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>
= Main =

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== OWASP Serverless Top 10 - First Released ==
The [https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf OWASP Top 10: Serverless Interpretation] is now available.

== Introduction ==

When adopting serverless technology, we eliminate the need to develop a server to manage our application. By doing so, we also pass some of the security threats to the infrastructure provider such as [https://aws.amazon.com/serverless/ AWS], [https://azure.microsoft.com/en-us/services/functions/ Azure] and [https://cloud.google.com/functions/ Google Cloud]. In addition to the many advantages of serverless application development, such as cost and scalability, some security aspects are also handed to our service provider. Serverless services run code without provisioning or managing servers and the code is executed only when needed.

However, even if these applications are running without a managed server, they still execute code. If this code is written in an insecure manner, it can still be vulnerable to application-level attacks.

The first report will examine the differences in attack vectors, security weaknesses, and the business impact of application attacks on in the serverless world, and, most importantly, the report will suggest ways to to prevent them. As we will be able to see in the report, attack and defense techniques are different from what we used to in the traditional application world.

After that, an open-call will be established to collect data in the wild and establishing the official Serverless Top 10 Report.

==Purpose==

OWASP Serverless Top 10 aims at educating practitioners and organizations about the consequences of the most common serverless application security vulnerabilities, as well as providing basic techniques to identify and protect against them.

== Licensing ==

The OWASP Serverless Top 10 is free to use. It is licensed under the [http://creativecommons.org/licenses/by-sa/4.0/ Creative Commons Attribution-ShareAlike 4.0 license] (CC BY-SA 4.0).

==Project Sponsors==
The OWASP Serverless Top 10 project is sponsored by

{{MemberLinks|link=https://www.protego.io|logo=Protego logo 300x75.png}}

and

[[File:PureSec-Logo.png|frameless|link=https://www.puresec.io/]]

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Quick Downloads ==
[https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf OWASP Top 10: Serverless Interpretation]

== Presentation ==
Soon!

== News & Events ==
* [1 Sep 2018]: Hello World!
* [18 Sep 2018]: Join our [https://join.slack.com/t/owasp/shared_invite/enQtNDI5MzgxMDQ2MTAwLTEyNzIzYWQ2NDZiMGIwNmJhYzYxZDJiNTM0ZmZiZmJlY2EwZmMwYjAyNmJjNzQxNzMyMWY4OTk3ZTQ0MzFhMDY Slack-channel] '''#project-sls-top-10'''.
* [22 Sep 2018]: Follow our [https://github.com/OWASP/Serverless-Top-10-Project/ Git Repo].
* [25 Oct 2018]: [https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf '''First Release!''']
* [2 Nov 2018]: [https://owasp.blogspot.com/2018/11/serverless-top-10-added-to-project.html Official Announcement]

== Project Leader ==
[[User:Tal Mel|Tal Melamed]]

[[Coming soon!]]

[[Coming soon!]]

== Related Projects ==
[[:Category:OWASP Top Ten Project|OWASP Top 10 Project]]

==Classifications==

{| width="300" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=Defenders]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Acknowledgments =

===First Report Reviewers===
<small>Assaf Hefetz, Snyk

Erez Metula, AppSec Labs

Erez Yalon, Checkmarx

Frank M. Catucci, OWASP

Guy Bernhart-Magen, Intel

Hemed Gur Ary, OWASP

Jeff Williams, Contrast Security

Jim DelGrosso, Synopsys

Jochanan Sommerfeld, RDuck

Kobi Lechner, INFINIDAT

Limor Sylvie Kessem, IBM

Marcin Hoppe, Auth0

Mark Johnston, Google

Martin Knobloch, OWASP

Matthew Henderson, Microsoft

Matteo Meucci, Minded Security

Owen Pendlebury, OWASP

Paco Hope, AWS

Patrick Laverty, Rapid7

Rupack Ganguly, Serverless Inc.

Tanya Janca, Microsoft

Tash Norris, Capital One

Tom Brennan, IOActive

Yan Cui, DAZN

Youssef Elmalty, AWS</small>

= Project Resources =
== OWASP Serverless Top 10 - First Released ==
The [https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf OWASP Top 10: Serverless Interpretation] is now available.

[https://github.com/OWASP/Serverless-Top-10-Project/ GitHub repository]

= Roadmap =
{{:Projects/OWASP_Serverless_Top_10_Project/Roadmap}}

= Get involved =

Get involved in <strong> OWASP Serverless Top 10</strong>!

You do not have to be a security expert or a programmer to contribute. Contact the Project Leader(s) to get involved, we welcome any type of suggestions and comments.

Possible ways to get contribute:
* We are actively looking for organizations and individuals that will provide vulnerability prevalence data.
* Translation efforts (later stages)
* Assisting in the development of related tools (e.g. DVSA)

Individuals and organizations that will contribute to the project will listed on the acknowledgments page.

Also, join our Slack Channel [https://join.slack.com/t/owasp/shared_invite/enQtNDI5MzgxMDQ2MTAwLTEyNzIzYWQ2NDZiMGIwNmJhYzYxZDJiNTM0ZmZiZmJlY2EwZmMwYjAyNmJjNzQxNzMyMWY4OTk3ZTQ0MzFhMDY '''#project-sls-top-10''']

GitHub [https://github.com/OWASP/Serverless-Top-10-Project/ project page]

=About=
<span style="color:#ff0000">
{{:OWASP_Serverless_Top_10_Project_About}}

__NOTOC__
<headertabs />

<br/>

[[Category:OWASP Project]]
[[Category:OWASP_Builders]]
[[Category:OWASP_Defenders]]
[[Category:OWASP_Document]]

OWASP Serverless Top 10 Project

2018-11-19T15:03:20Z

Tal Mel:

<div style="width:100%;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>
= Main =

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== OWASP Serverless Top 10 - First Released ==
The [https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf OWASP Top 10: Serverless Interpretation] is now available.

== Introduction ==

When adopting serverless technology, we eliminate the need to develop a server to manage our application. By doing so, we also pass some of the security threats to the infrastructure provider such as [https://aws.amazon.com/serverless/ AWS], [https://azure.microsoft.com/en-us/services/functions/ Azure] and [https://cloud.google.com/functions/ Google Cloud]. In addition to the many advantages of serverless application development, such as cost and scalability, some security aspects are also handed to our service provider. Serverless services run code without provisioning or managing servers and the code is executed only when needed.

However, even if these applications are running without a managed server, they still execute code. If this code is written in an insecure manner, it can still be vulnerable to application-level attacks.

The first report will examine the differences in attack vectors, security weaknesses, and the business impact of application attacks on in the serverless world, and, most importantly, the report will suggest ways to to prevent them. As we will be able to see in the report, attack and defense techniques are different from what we used to in the traditional application world.

After that, an open-call will be established to collect data in the wild and establishing the official Serverless Top 10 Report.

==Purpose==

OWASP Serverless Top 10 aims at educating practitioners and organizations about the consequences of the most common serverless application security vulnerabilities, as well as providing basic techniques to identify and protect against them.

== Licensing ==

The OWASP Serverless Top 10 is free to use. It is licensed under the [http://creativecommons.org/licenses/by-sa/4.0/ Creative Commons Attribution-ShareAlike 4.0 license] (CC BY-SA 4.0).

==Project Sponsors==
The OWASP Serverless Top 10 project is sponsored by

{{MemberLinks|link=https://www.protego.io|logo=Protego logo 300x75.png}}

and

[[File:PureSec-Logo.png|frameless|link=https://www.puresec.io/]]

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Quick Downloads ==
[https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf OWASP Top 10: Serverless Interpretation]

== Presentation ==
Soon!

== News & Events ==
* [1 Sep 2018]: Hello World!
* [18 Sep 2018]: Join our [https://join.slack.com/t/owasp/shared_invite/enQtNDI5MzgxMDQ2MTAwLTEyNzIzYWQ2NDZiMGIwNmJhYzYxZDJiNTM0ZmZiZmJlY2EwZmMwYjAyNmJjNzQxNzMyMWY4OTk3ZTQ0MzFhMDY Slack-channel] '''#project-sls-top-10'''.
* [22 Sep 2018]: Follow our [https://github.com/OWASP/Serverless-Top-10-Project/ Git Repo].
* [25 Oct 2018]: [https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf '''First Release!''']
* [2 Nov 2018]: [https://owasp.blogspot.com/2018/11/serverless-top-10-added-to-project.html Official Announcement]

== Project Leader ==
[[User:Tal Mel|Tal Melamed]]

[[Coming soon!]]

[[Coming soon!]]

== Related Projects ==
[[:Category:OWASP Top Ten Project|OWASP Top 10 Project]]

==Classifications==

{| width="300" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=Defenders]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Acknowledgments =

==First Report Reviewers==
Assaf Hefetz, Snyk
Erez Metula, AppSec Labs
Erez Yalon, Checkmarx
Frank M. Catucci, OWASP
Guy Bernhart-Magen, Intel
Hemed Gur Ary, OWASP
Jeff Williams, Contrast Security
Jim DelGrosso, Synopsys
Jochanan Sommerfeld, RDuck
Kobi Lechner, INFINIDAT
Limor Sylvie Kessem, IBM
Marcin Hoppe, Auth0
Mark Johnston, Google
Martin Knobloch, OWASP
Matthew Henderson, Microsoft
Matteo Meucci, Minded Security
Owen Pendlebury, OWASP
Paco Hope, AWS
Patrick Laverty, Rapid7
Rupack Ganguly, Serverless Inc.
Tanya Janca, Microsoft
Tash Norris, Capital One
Tom Brennan, IOActive
Yan Cui, DAZN
Youssef Elmalty, AWS

= Project Resources =
== OWASP Serverless Top 10 - First Released ==
The [https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf OWASP Top 10: Serverless Interpretation] is now available.

[https://github.com/OWASP/Serverless-Top-10-Project/ GitHub repository]

= Roadmap =
{{:Projects/OWASP_Serverless_Top_10_Project/Roadmap}}

= Get involved =

Get involved in <strong> OWASP Serverless Top 10</strong>!

You do not have to be a security expert or a programmer to contribute. Contact the Project Leader(s) to get involved, we welcome any type of suggestions and comments.

Possible ways to get contribute:
* We are actively looking for organizations and individuals that will provide vulnerability prevalence data.
* Translation efforts (later stages)
* Assisting in the development of related tools (e.g. DVSA)

Individuals and organizations that will contribute to the project will listed on the acknowledgments page.

Also, join our Slack Channel [https://join.slack.com/t/owasp/shared_invite/enQtNDI5MzgxMDQ2MTAwLTEyNzIzYWQ2NDZiMGIwNmJhYzYxZDJiNTM0ZmZiZmJlY2EwZmMwYjAyNmJjNzQxNzMyMWY4OTk3ZTQ0MzFhMDY '''#project-sls-top-10''']

GitHub [https://github.com/OWASP/Serverless-Top-10-Project/ project page]

=About=
<span style="color:#ff0000">
{{:OWASP_Serverless_Top_10_Project_About}}

__NOTOC__
<headertabs />

<br/>

[[Category:OWASP Project]]
[[Category:OWASP_Builders]]
[[Category:OWASP_Defenders]]
[[Category:OWASP_Document]]

OWASP Serverless Top 10 Project

2018-11-19T15:02:58Z

Tal Mel:

<div style="width:100%;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>
= Main =

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== OWASP Serverless Top 10 - First Released ==
The [https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf OWASP Top 10: Serverless Interpretation] is now available.

== Introduction ==

When adopting serverless technology, we eliminate the need to develop a server to manage our application. By doing so, we also pass some of the security threats to the infrastructure provider such as [https://aws.amazon.com/serverless/ AWS], [https://azure.microsoft.com/en-us/services/functions/ Azure] and [https://cloud.google.com/functions/ Google Cloud]. In addition to the many advantages of serverless application development, such as cost and scalability, some security aspects are also handed to our service provider. Serverless services run code without provisioning or managing servers and the code is executed only when needed.

However, even if these applications are running without a managed server, they still execute code. If this code is written in an insecure manner, it can still be vulnerable to application-level attacks.

The first report will examine the differences in attack vectors, security weaknesses, and the business impact of application attacks on in the serverless world, and, most importantly, the report will suggest ways to to prevent them. As we will be able to see in the report, attack and defense techniques are different from what we used to in the traditional application world.

After that, an open-call will be established to collect data in the wild and establishing the official Serverless Top 10 Report.

==Purpose==

OWASP Serverless Top 10 aims at educating practitioners and organizations about the consequences of the most common serverless application security vulnerabilities, as well as providing basic techniques to identify and protect against them.

== Licensing ==

The OWASP Serverless Top 10 is free to use. It is licensed under the [http://creativecommons.org/licenses/by-sa/4.0/ Creative Commons Attribution-ShareAlike 4.0 license] (CC BY-SA 4.0).

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Quick Downloads ==
[https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf OWASP Top 10: Serverless Interpretation]

== Presentation ==
Soon!

== News & Events ==
* [1 Sep 2018]: Hello World!
* [18 Sep 2018]: Join our [https://join.slack.com/t/owasp/shared_invite/enQtNDI5MzgxMDQ2MTAwLTEyNzIzYWQ2NDZiMGIwNmJhYzYxZDJiNTM0ZmZiZmJlY2EwZmMwYjAyNmJjNzQxNzMyMWY4OTk3ZTQ0MzFhMDY Slack-channel] '''#project-sls-top-10'''.
* [22 Sep 2018]: Follow our [https://github.com/OWASP/Serverless-Top-10-Project/ Git Repo].
* [25 Oct 2018]: [https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf '''First Release!''']
* [2 Nov 2018]: [https://owasp.blogspot.com/2018/11/serverless-top-10-added-to-project.html Official Announcement]

== Project Leader ==
[[User:Tal Mel|Tal Melamed]]

[[Coming soon!]]

[[Coming soon!]]

== Related Projects ==
[[:Category:OWASP Top Ten Project|OWASP Top 10 Project]]

==Classifications==

{| width="300" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=Defenders]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Acknowledgments =

==First Report Reviewers==
Assaf Hefetz, Snyk
Erez Metula, AppSec Labs
Erez Yalon, Checkmarx
Frank M. Catucci, OWASP
Guy Bernhart-Magen, Intel
Hemed Gur Ary, OWASP
Jeff Williams, Contrast Security
Jim DelGrosso, Synopsys
Jochanan Sommerfeld, RDuck
Kobi Lechner, INFINIDAT
Limor Sylvie Kessem, IBM
Marcin Hoppe, Auth0
Mark Johnston, Google
Martin Knobloch, OWASP
Matthew Henderson, Microsoft
Matteo Meucci, Minded Security
Owen Pendlebury, OWASP
Paco Hope, AWS
Patrick Laverty, Rapid7
Rupack Ganguly, Serverless Inc.
Tanya Janca, Microsoft
Tash Norris, Capital One
Tom Brennan, IOActive
Yan Cui, DAZN
Youssef Elmalty, AWS

= Project Resources =
== OWASP Serverless Top 10 - First Released ==
The [https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf OWASP Top 10: Serverless Interpretation] is now available.

[https://github.com/OWASP/Serverless-Top-10-Project/ GitHub repository]

= Roadmap =
{{:Projects/OWASP_Serverless_Top_10_Project/Roadmap}}

= Get involved =

Get involved in <strong> OWASP Serverless Top 10</strong>!

You do not have to be a security expert or a programmer to contribute. Contact the Project Leader(s) to get involved, we welcome any type of suggestions and comments.

Possible ways to get contribute:
* We are actively looking for organizations and individuals that will provide vulnerability prevalence data.
* Translation efforts (later stages)
* Assisting in the development of related tools (e.g. DVSA)

Individuals and organizations that will contribute to the project will listed on the acknowledgments page.

Also, join our Slack Channel [https://join.slack.com/t/owasp/shared_invite/enQtNDI5MzgxMDQ2MTAwLTEyNzIzYWQ2NDZiMGIwNmJhYzYxZDJiNTM0ZmZiZmJlY2EwZmMwYjAyNmJjNzQxNzMyMWY4OTk3ZTQ0MzFhMDY '''#project-sls-top-10''']

GitHub [https://github.com/OWASP/Serverless-Top-10-Project/ project page]

=About=
<span style="color:#ff0000">
{{:OWASP_Serverless_Top_10_Project_About}}

__NOTOC__
<headertabs />

<br/>

[[Category:OWASP Project]]
[[Category:OWASP_Builders]]
[[Category:OWASP_Defenders]]
[[Category:OWASP_Document]]

OWASP Serverless Top 10 Project

2018-11-19T15:02:17Z

Tal Mel:

<div style="width:100%;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>
= Main =

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== OWASP Serverless Top 10 - First Released ==
The [https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf OWASP Top 10: Serverless Interpretation] is now available.

== Introduction ==

When adopting serverless technology, we eliminate the need to develop a server to manage our application. By doing so, we also pass some of the security threats to the infrastructure provider such as [https://aws.amazon.com/serverless/ AWS], [https://azure.microsoft.com/en-us/services/functions/ Azure] and [https://cloud.google.com/functions/ Google Cloud]. In addition to the many advantages of serverless application development, such as cost and scalability, some security aspects are also handed to our service provider. Serverless services run code without provisioning or managing servers and the code is executed only when needed.

However, even if these applications are running without a managed server, they still execute code. If this code is written in an insecure manner, it can still be vulnerable to application-level attacks.

The first report will examine the differences in attack vectors, security weaknesses, and the business impact of application attacks on in the serverless world, and, most importantly, the report will suggest ways to to prevent them. As we will be able to see in the report, attack and defense techniques are different from what we used to in the traditional application world.

After that, an open-call will be established to collect data in the wild and establishing the official Serverless Top 10 Report.

==Purpose==

OWASP Serverless Top 10 aims at educating practitioners and organizations about the consequences of the most common serverless application security vulnerabilities, as well as providing basic techniques to identify and protect against them.

== Licensing ==

The OWASP Serverless Top 10 is free to use. It is licensed under the [http://creativecommons.org/licenses/by-sa/4.0/ Creative Commons Attribution-ShareAlike 4.0 license] (CC BY-SA 4.0).

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Quick Downloads ==
[https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf OWASP Top 10: Serverless Interpretation]

== Presentation ==
Soon!

== News & Events ==
* [1 Sep 2018]: Hello World!
* [18 Sep 2018]: Join our [https://join.slack.com/t/owasp/shared_invite/enQtNDI5MzgxMDQ2MTAwLTEyNzIzYWQ2NDZiMGIwNmJhYzYxZDJiNTM0ZmZiZmJlY2EwZmMwYjAyNmJjNzQxNzMyMWY4OTk3ZTQ0MzFhMDY Slack-channel] '''#project-sls-top-10'''.
* [22 Sep 2018]: Follow our [https://github.com/OWASP/Serverless-Top-10-Project/ Git Repo].
* [25 Oct 2018]: [https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf '''First Release!''']
* [2 Nov 2018]: [https://owasp.blogspot.com/2018/11/serverless-top-10-added-to-project.html Official Announcement]

== Project Leader ==
[[User:Tal Mel|Tal Melamed]]

[[Coming soon!]]

[[Coming soon!]]

== Related Projects ==
[[:Category:OWASP Top Ten Project|OWASP Top 10 Project]]

==Classifications==

{| width="300" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=Defenders]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Acknowledgments =

==Project Sponsors==
The OWASP Serverless Top 10 project is sponsored by

{{MemberLinks|link=https://www.protego.io|logo=Protego logo 300x75.png}}

and

[[File:PureSec-Logo.png|frameless|link=https://www.puresec.io/]]

==First Report Reviewers==
Assaf Hefetz, Snyk
Erez Metula, AppSec Labs
Erez Yalon, Checkmarx
Frank M. Catucci, OWASP
Guy Bernhart-Magen, Intel
Hemed Gur Ary, OWASP
Jeff Williams, Contrast Security
Jim DelGrosso, Synopsys
Jochanan Sommerfeld, RDuck
Kobi Lechner, INFINIDAT
Limor Sylvie Kessem, IBM
Marcin Hoppe, Auth0
Mark Johnston, Google
Martin Knobloch, OWASP
Matthew Henderson, Microsoft
Matteo Meucci, Minded Security
Owen Pendlebury, OWASP
Paco Hope, AWS
Patrick Laverty, Rapid7
Rupack Ganguly, Serverless Inc.
Tanya Janca, Microsoft
Tash Norris, Capital One
Tom Brennan, IOActive
Yan Cui, DAZN
Youssef Elmalty, AWS

= Project Resources =
== OWASP Serverless Top 10 - First Released ==
The [https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf OWASP Top 10: Serverless Interpretation] is now available.

[https://github.com/OWASP/Serverless-Top-10-Project/ GitHub repository]

= Roadmap =
{{:Projects/OWASP_Serverless_Top_10_Project/Roadmap}}

= Get involved =

Get involved in <strong> OWASP Serverless Top 10</strong>!

You do not have to be a security expert or a programmer to contribute. Contact the Project Leader(s) to get involved, we welcome any type of suggestions and comments.

Possible ways to get contribute:
* We are actively looking for organizations and individuals that will provide vulnerability prevalence data.
* Translation efforts (later stages)
* Assisting in the development of related tools (e.g. DVSA)

Individuals and organizations that will contribute to the project will listed on the acknowledgments page.

Also, join our Slack Channel [https://join.slack.com/t/owasp/shared_invite/enQtNDI5MzgxMDQ2MTAwLTEyNzIzYWQ2NDZiMGIwNmJhYzYxZDJiNTM0ZmZiZmJlY2EwZmMwYjAyNmJjNzQxNzMyMWY4OTk3ZTQ0MzFhMDY '''#project-sls-top-10''']

GitHub [https://github.com/OWASP/Serverless-Top-10-Project/ project page]

=About=
<span style="color:#ff0000">
{{:OWASP_Serverless_Top_10_Project_About}}

__NOTOC__
<headertabs />

<br/>

[[Category:OWASP Project]]
[[Category:OWASP_Builders]]
[[Category:OWASP_Defenders]]
[[Category:OWASP_Document]]

File:Tal Melamed.jpg

2018-11-19T14:32:33Z

Tal Mel:

Tal Melamed

OWASP Serverless Top 10 Project

2018-11-18T16:51:34Z

Tal Mel:

<div style="width:100%;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>
= Main =

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== OWASP Serverless Top 10 - First Released ==
The [https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf OWASP Top 10: Serverless Interpretation] is now available.

== Introduction ==

When adopting serverless technology, we eliminate the need to develop a server to manage our application. By doing so, we also pass some of the security threats to the infrastructure provider such as [https://aws.amazon.com/serverless/ AWS], [https://azure.microsoft.com/en-us/services/functions/ Azure] and [https://cloud.google.com/functions/ Google Cloud]. In addition to the many advantages of serverless application development, such as cost and scalability, some security aspects are also handed to our service provider. Serverless services run code without provisioning or managing servers and the code is executed only when needed.

However, even if these applications are running without a managed server, they still execute code. If this code is written in an insecure manner, it can still be vulnerable to application-level attacks.

The first report will examine the differences in attack vectors, security weaknesses, and the business impact of application attacks on in the serverless world, and, most importantly, the report will suggest ways to to prevent them. As we will be able to see in the report, attack and defense techniques are different from what we used to in the traditional application world.

After that, an open-call will be established to collect data in the wild and establishing the official Serverless Top 10 Report.

==Purpose==

OWASP Serverless Top 10 aims at educating practitioners and organizations about the consequences of the most common serverless application security vulnerabilities, as well as providing basic techniques to identify and protect against them.

== Licensing ==

The OWASP Serverless Top 10 is free to use. It is licensed under the [http://creativecommons.org/licenses/by-sa/4.0/ Creative Commons Attribution-ShareAlike 4.0 license] (CC BY-SA 4.0).

==Project Sponsors==
The OWASP Serverless Top 10 project is sponsored by

{{MemberLinks|link=https://www.protego.io|logo=Protego logo 300x75.png}}

and

[[File:PureSec-Logo.png|frameless|link=https://www.puresec.io/]]
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Quick Downloads ==
[https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf OWASP Top 10: Serverless Interpretation]

== Presentation ==
Soon!

== News & Events ==
* [1 Sep 2018]: Hello World!
* [18 Sep 2018]: Join our [https://join.slack.com/t/owasp/shared_invite/enQtNDI5MzgxMDQ2MTAwLTEyNzIzYWQ2NDZiMGIwNmJhYzYxZDJiNTM0ZmZiZmJlY2EwZmMwYjAyNmJjNzQxNzMyMWY4OTk3ZTQ0MzFhMDY Slack-channel] '''#project-sls-top-10'''.
* [22 Sep 2018]: Follow our [https://github.com/OWASP/Serverless-Top-10-Project/ Git Repo].
* [25 Oct 2018]: [https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf '''First Release!''']
* [2 Nov 2018]: [https://owasp.blogspot.com/2018/11/serverless-top-10-added-to-project.html Official Announcement]

== Project Leader ==
[[User:Tal Mel|Tal Melamed]]

[[Coming soon!]]

[[Coming soon!]]

== Related Projects ==
[[:Category:OWASP Top Ten Project|OWASP Top 10 Project]]

==Classifications==

{| width="300" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=Defenders]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Acknowledgments =
Assaf Hefetz, Snyk

Erez Metula, AppSec Labs

Erez Yalon, Checkmarx

Frank M. Catucci, OWASP

Guy Bernhart-Magen, Intel

Hemed Gur Ary, OWASP

Jeff Williams, Contrast Security

Jim DelGrosso, Synopsys

Jochanan Sommerfeld, RDuck

Kobi Lechner, INFINIDAT

Limor Sylvie Kessem, IBM

Marcin Hoppe, Auth0

Mark Johnston, Google

Martin Knobloch, OWASP

Matthew Henderson, Microsoft

Matteo Meucci, Minded Security

Owen Pendlebury, OWASP

Paco Hope, AWS

Patrick Laverty, Rapid7

Rupack Ganguly, Serverless Inc.

Tanya Janca, Microsoft

Tash Norris, Capital One

Tom Brennan, IOActive

Yan Cui, DAZN

Youssef Elmalty, AWS

= Project Resources =
== OWASP Serverless Top 10 - First Released ==
The [https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf OWASP Top 10: Serverless Interpretation] is now available.

[https://github.com/OWASP/Serverless-Top-10-Project/ GitHub repository]

= Roadmap =
{{:Projects/OWASP_Serverless_Top_10_Project/Roadmap}}

= Get involved =

Get involved in <strong> OWASP Serverless Top 10</strong>!

You do not have to be a security expert or a programmer to contribute. Contact the Project Leader(s) to get involved, we welcome any type of suggestions and comments.

Possible ways to get contribute:
* We are actively looking for organizations and individuals that will provide vulnerability prevalence data.
* Translation efforts (later stages)
* Assisting in the development of related tools (e.g. DVSA)

Individuals and organizations that will contribute to the project will listed on the acknowledgments page.

Also, join our Slack Channel [https://join.slack.com/t/owasp/shared_invite/enQtNDI5MzgxMDQ2MTAwLTEyNzIzYWQ2NDZiMGIwNmJhYzYxZDJiNTM0ZmZiZmJlY2EwZmMwYjAyNmJjNzQxNzMyMWY4OTk3ZTQ0MzFhMDY '''#project-sls-top-10''']

GitHub [https://github.com/OWASP/Serverless-Top-10-Project/ project page]

=About=
<span style="color:#ff0000">
{{:OWASP_Serverless_Top_10_Project_About}}

__NOTOC__
<headertabs />

<br/>

[[Category:OWASP Project]]
[[Category:OWASP_Builders]]
[[Category:OWASP_Defenders]]
[[Category:OWASP_Document]]

OWASP Serverless Top 10 Project

2018-11-09T18:26:14Z

Tal Mel:

<div style="width:100%;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>
= Main =

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== OWASP Serverless Top 10 - First Released ==
The [https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf OWASP Top 10: Serverless Interpretation] is now available.

== Introduction ==

When adopting serverless technology, we eliminate the need to develop a server to manage our application. By doing so, we also pass some of the security threats to the infrastructure provider such as [https://aws.amazon.com/serverless/ AWS], [https://azure.microsoft.com/en-us/services/functions/ Azure] and [https://cloud.google.com/functions/ Google Cloud]. In addition to the many advantages of serverless application development, such as cost and scalability, some security aspects are also handed to our service provider. Serverless services run code without provisioning or managing servers and the code is executed only when needed.

However, even if these applications are running without a managed server, they still execute code. If this code is written in an insecure manner, it can still be vulnerable to application-level attacks.

The first report will examine the differences in attack vectors, security weaknesses, and the business impact of application attacks on in the serverless world, and, most importantly, the report will suggest ways to to prevent them. As we will be able to see in the report, attack and defense techniques are different from what we used to in the traditional application world.

After that, an open-call will be established to collect data in the wild and establishing the official Serverless Top 10 Report.

==Purpose==

OWASP Serverless Top 10 aims at educating practitioners and organizations about the consequences of the most common serverless application security vulnerabilities, as well as providing basic techniques to identify and protect against them.

== Licensing ==

The OWASP Serverless Top 10 is free to use. It is licensed under the [http://creativecommons.org/licenses/by-sa/4.0/ Creative Commons Attribution-ShareAlike 4.0 license] (CC BY-SA 4.0).

==Project Sponsors==
The OWASP Serverless Top 10 project is sponsored by

{{MemberLinks|link=https://www.protego.io|logo=Protego logo 300x75.png}}

and

[[File:PureSec-Logo.png|frameless|link=https://www.puresec.io/]]
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Quick Downloads ==
[https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf OWASP Top 10: Serverless Interpretation]

== Presentation ==
Soon!

== News & Events ==
* [1 Sep 2018]: Hello World!
* [18 Sep 2018]: Join our [https://join.slack.com/t/owasp/shared_invite/enQtNDI5MzgxMDQ2MTAwLTEyNzIzYWQ2NDZiMGIwNmJhYzYxZDJiNTM0ZmZiZmJlY2EwZmMwYjAyNmJjNzQxNzMyMWY4OTk3ZTQ0MzFhMDY Slack-channel] '''#project-sls-top-10'''.
* [22 Sep 2018]: Follow our [https://github.com/OWASP/Serverless-Top-10-Project/ Git Repo].
* [25 Oct 2018]: [https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf '''First Release!''']

== Project Leader ==
[[User:Tal Mel|Tal Melamed]]

[[Coming soon!]]

[[Coming soon!]]

== Related Projects ==
[[:Category:OWASP Top Ten Project|OWASP Top 10 Project]]

==Classifications==

{| width="300" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=Defenders]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Acknowledgments =
Assaf Hefetz, Snyk

Erez Metula, AppSec Labs

Erez Yalon, Checkmarx

Frank M. Catucci, OWASP

Guy Bernhart-Magen, Intel

Hemed Gur Ary, OWASP

Jeff Williams, Contrast Security

Jim DelGrosso, Synopsys

Jochanan Sommerfeld, RDuck

Kobi Lechner, INFINIDAT

Limor Sylvie Kessem, IBM

Marcin Hoppe, Auth0

Mark Johnston, Google

Martin Knobloch, OWASP

Matthew Henderson, Microsoft

Matteo Meucci, Minded Security

Owen Pendlebury, OWASP

Paco Hope, AWS

Patrick Laverty, Rapid7

Rupack Ganguly, Serverless Inc.

Tanya Janca, Microsoft

Tash Norris, Capital One

Tom Brennan, IOActive

Yan Cui, DAZN

Youssef Elmalty, AWS

= Project Resources =
== OWASP Serverless Top 10 - First Released ==
The [https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf OWASP Top 10: Serverless Interpretation] is now available.

[https://github.com/OWASP/Serverless-Top-10-Project/ GitHub repository]

= Roadmap =
{{:Projects/OWASP_Serverless_Top_10_Project/Roadmap}}

= Get involved =

Get involved in <strong> OWASP Serverless Top 10</strong>!

You do not have to be a security expert or a programmer to contribute. Contact the Project Leader(s) to get involved, we welcome any type of suggestions and comments.

Possible ways to get contribute:
* We are actively looking for organizations and individuals that will provide vulnerability prevalence data.
* Translation efforts (later stages)
* Assisting in the development of related tools (e.g. DVSA)

Individuals and organizations that will contribute to the project will listed on the acknowledgments page.

Also, join our Slack Channel [https://join.slack.com/t/owasp/shared_invite/enQtNDI5MzgxMDQ2MTAwLTEyNzIzYWQ2NDZiMGIwNmJhYzYxZDJiNTM0ZmZiZmJlY2EwZmMwYjAyNmJjNzQxNzMyMWY4OTk3ZTQ0MzFhMDY '''#project-sls-top-10''']

GitHub [https://github.com/OWASP/Serverless-Top-10-Project/ project page]

=About=
<span style="color:#ff0000">
{{:OWASP_Serverless_Top_10_Project_About}}

__NOTOC__
<headertabs />

<br/>

[[Category:OWASP Project]]
[[Category:OWASP_Builders]]
[[Category:OWASP_Defenders]]
[[Category:OWASP_Document]]

OWASP Serverless Top 10 Project

2018-11-09T18:25:21Z

Tal Mel:

<div style="width:100%;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>
= Main =

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== OWASP Serverless Top 10 - First Released ==
The [https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf OWASP Top 10: Serverless Interpretation] is now available.

== Introduction ==

When adopting serverless technology, we eliminate the need to develop a server to manage our application. By doing so, we also pass some of the security threats to the infrastructure provider such as [https://aws.amazon.com/serverless/ AWS], [https://azure.microsoft.com/en-us/services/functions/ Azure] and [https://cloud.google.com/functions/ Google Cloud]. In addition to the many advantages of serverless application development, such as cost and scalability, some security aspects are also handed to our service provider. Serverless services run code without provisioning or managing servers and the code is executed only when needed.

However, even if these applications are running without a managed server, they still execute code. If this code is written in an insecure manner, it can still be vulnerable to application-level attacks.

The first report will examine the differences in attack vectors, security weaknesses, and the business impact of application attacks on in the serverless world, and, most importantly, the report will suggest ways to to prevent them. As we will be able to see in the report, attack and defense techniques are different from what we used to in the traditional application world.

After that, an open-call will be established to collect data in the wild and establishing the official Serverless Top 10 Report.

==Purpose==

OWASP Serverless Top 10 aims at educating practitioners and organizations about the consequences of the most common serverless application security vulnerabilities, as well as providing basic techniques to identify and protect against them.

== Licensing ==

The OWASP Serverless Top 10 is free to use. It is licensed under the [http://creativecommons.org/licenses/by-sa/4.0/ Creative Commons Attribution-ShareAlike 4.0 license] (CC BY-SA 4.0).

==Project Sponsors==
The OWASP Serverless Top 10 project is sponsored by

{{MemberLinks|link=https://www.protego.io|logo=Protego logo 300x75.png}}

and

[[File:PureSec-Logo.png|frameless|link=https://www.puresec.io/]]
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Quick Downloads ==
[https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf OWASP Top 10: Serverless Interpretation]

== Presentation ==
Soon!

== News & Events ==
* [1 Sep 2018]: Hello World!
* [18 Sep 2018]: Join our [https://join.slack.com/t/owasp/shared_invite/enQtNDI5MzgxMDQ2MTAwLTEyNzIzYWQ2NDZiMGIwNmJhYzYxZDJiNTM0ZmZiZmJlY2EwZmMwYjAyNmJjNzQxNzMyMWY4OTk3ZTQ0MzFhMDY Slack-channel] '''#project-sls-top-10'''.
* [22 Sep 2018]: Follow our [https://github.com/OWASP/Serverless-Top-10-Project/ Git Repo].
* [25 Oct 2018]: [https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf '''First Release!''']

== Project Leader ==
[[User:Tal Mel|Tal Melamed]]

[[Coming soon!]]

[[Coming soon!]]

== Related Projects ==
[[:Category:OWASP Top Ten Project|OWASP Top 10 Project]]

==Classifications==

{| width="300" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=Defenders]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Acknowledgments =
Assaf Hefetz, Snyk

Erez Metula, AppSec Labs

Erez Yalon, Checkmarx

Frank M. Catucci, OWASP

Guy Bernhart-Magen, Intel

Hemed Gur Ary, OWASP

Jeff Williams, Contrast Security

Jim DelGrosso, Synopsys

Jochanan Sommerfeld, RDuck

Kobi Lechner, INFINIDAT

Limor Sylvie Kessem, IBM

Marcin Hoppe, Auth0

Mark Johnston, Google

Martin Knobloch, OWASP

Matthew Henderson, Microsoft

Matteo Meucci, Minded Security

Owen Pendlebury, OWASP

Paco Hope, AWS

Patrick Laverty, Rapid7

Rupack Ganguly, Serverless Inc.

Tanya Janca, Microsoft

Tash Norris, Capital One

Tom Brennan, IOActive

Yan Cui, DAZN

Youssef Elmalty, AWS

= Project Resources =
== OWASP Serverless Top 10 - First Released ==
The [https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf OWASP Top 10: Serverless Interpretation] is now available.

[https://github.com/OWASP/Serverless-Top-10-Project/ GitHub repository]

= Roadmap =
{{:Projects/OWASP_Serverless_Top_10_Project/Roadmap}}

= Get involved =

Get involved in <strong> OWASP Serverless Top 10</strong>!

You do not have to be a security expert or a programmer to contribute. Contact the Project Leader(s) to get involved, we welcome any type of suggestions and comments.

Possible ways to get contribute:
* We are actively looking for organizations and individuals that will provide vulnerability prevalence data.
* Translation efforts (later stages)
* Assisting in the development of related tools (e.g. DVSA)

Individuals and organizations that will contribute to the project will listed on the acknowledgments page.

Also, Slack Channel [https://join.slack.com/t/owasp/shared_invite/enQtNDI5MzgxMDQ2MTAwLTEyNzIzYWQ2NDZiMGIwNmJhYzYxZDJiNTM0ZmZiZmJlY2EwZmMwYjAyNmJjNzQxNzMyMWY4OTk3ZTQ0MzFhMDY invite] '''#project-sls-top-10'''

GitHub [https://github.com/OWASP/Serverless-Top-10-Project/ project page]

=About=
<span style="color:#ff0000">
{{:OWASP_Serverless_Top_10_Project_About}}

__NOTOC__
<headertabs />

<br/>

[[Category:OWASP Project]]
[[Category:OWASP_Builders]]
[[Category:OWASP_Defenders]]
[[Category:OWASP_Document]]

OWASP Serverless Top 10 Project

2018-11-09T18:23:31Z

Tal Mel:

<div style="width:100%;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>
= Main =

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== OWASP Serverless Top 10 - First Released ==
The [https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf OWASP Top 10: Serverless Interpretation] is now available.

== Introduction ==

When adopting serverless technology, we eliminate the need to develop a server to manage our application. By doing so, we also pass some of the security threats to the infrastructure provider such as [https://aws.amazon.com/serverless/ AWS], [https://azure.microsoft.com/en-us/services/functions/ Azure] and [https://cloud.google.com/functions/ Google Cloud]. In addition to the many advantages of serverless application development, such as cost and scalability, some security aspects are also handed to our service provider. Serverless services run code without provisioning or managing servers and the code is executed only when needed.

However, even if these applications are running without a managed server, they still execute code. If this code is written in an insecure manner, it can still be vulnerable to application-level attacks.

The first report will examine the differences in attack vectors, security weaknesses, and the business impact of application attacks on in the serverless world, and, most importantly, the report will suggest ways to to prevent them. As we will be able to see in the report, attack and defense techniques are different from what we used to in the traditional application world.

After that, an open-call will be established to collect data in the wild and establishing the official Serverless Top 10 Report.

==Purpose==

OWASP Serverless Top 10 aims at educating practitioners and organizations about the consequences of the most common serverless application security vulnerabilities, as well as providing basic techniques to identify and protect against them.

== Licensing ==

The OWASP Serverless Top 10 is free to use. It is licensed under the [http://creativecommons.org/licenses/by-sa/4.0/ Creative Commons Attribution-ShareAlike 4.0 license] (CC BY-SA 4.0).

==Project Sponsors==
The OWASP Serverless Top 10 project is sponsored by

{{MemberLinks|link=https://www.protego.io|logo=Protego logo 300x75.png}}

and

[[File:PureSec-Logo.png|frameless|link=https://www.puresec.io/]]
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Quick Downloads ==
[https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf OWASP Top 10: Serverless Interpretation]

== Presentation ==
Soon!

== News & Events ==
* [1 Sep 2018]: Hello World!
* [18 Sep 2018]: Join our [https://join.slack.com/t/owasp/shared_invite/enQtNDI5MzgxMDQ2MTAwLTEyNzIzYWQ2NDZiMGIwNmJhYzYxZDJiNTM0ZmZiZmJlY2EwZmMwYjAyNmJjNzQxNzMyMWY4OTk3ZTQ0MzFhMDY Slack-channel] '''#project-sls-top-10'''.
* [22 Sep 2018]: Follow our [https://github.com/OWASP/Serverless-Top-10-Project/ Git Repo].
* [25 Oct 2018]: [https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf '''First Release!''']

== Project Leader ==
[[User:Tal Mel|Tal Melamed]]

[[Coming soon!]]

[[Coming soon!]]

== Related Projects ==
[[:Category:OWASP Top Ten Project|OWASP Top 10 Project]]

==Classifications==

{| width="300" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=Defenders]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Acknowledgments =
Assaf Hefetz, Snyk

Erez Metula, AppSec Labs

Erez Yalon, Checkmarx

Frank M. Catucci, OWASP

Guy Bernhart-Magen, Intel

Hemed Gur Ary, OWASP

Jeff Williams, Contrast Security

Jim DelGrosso, Synopsys

Jochanan Sommerfeld, RDuck

Kobi Lechner, INFINIDAT

Limor Sylvie Kessem, IBM

Marcin Hoppe, Auth0

Mark Johnston, Google

Martin Knobloch, OWASP

Matthew Henderson, Microsoft

Matteo Meucci, Minded Security

Owen Pendlebury, OWASP

Paco Hope, AWS

Patrick Laverty, Rapid7

Rupack Ganguly, Serverless Inc.

Tanya Janca, Microsoft

Tash Norris, Capital One

Tom Brennan, IOActive

Yan Cui, DAZN

Youssef Elmalty, AWS

= Project Resources =
== OWASP Serverless Top 10 - First Released ==
The [https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf OWASP Top 10: Serverless Interpretation] is now available.

[https://github.com/OWASP/Serverless-Top-10-Project/ GitHub repository]

= Roadmap =
{{:Projects/OWASP_Serverless_Top_10_Project/Roadmap}}

= Get involved =

Get involved in <strong> OWASP Serverless Top 10</strong>!

You do not have to be a security expert or a programmer to contribute. Contact the Project Leader(s) to get involved, we welcome any type of suggestions and comments.

Possible ways to get contribute:
* We are actively looking for organizations and individuals that will provide vulnerability prevalence data.
* Translation efforts (later stages)
* Assisting in the development of related tools (e.g. DVSA)

Individuals and organizations that will contribute to the project will listed on the acknowledgments page.

Also, join our [https://lists.owasp.org/mailman/listinfo/owasp-serverless-top-10-project mailing list]

Slack Channel [https://join.slack.com/t/owasp/shared_invite/enQtNDI5MzgxMDQ2MTAwLTEyNzIzYWQ2NDZiMGIwNmJhYzYxZDJiNTM0ZmZiZmJlY2EwZmMwYjAyNmJjNzQxNzMyMWY4OTk3ZTQ0MzFhMDY invite]

GitHub [https://github.com/OWASP/Serverless-Top-10-Project/ project page]

=About=
<span style="color:#ff0000">
{{:OWASP_Serverless_Top_10_Project_About}}

__NOTOC__
<headertabs />

<br/>

[[Category:OWASP Project]]
[[Category:OWASP_Builders]]
[[Category:OWASP_Defenders]]
[[Category:OWASP_Document]]

OWASP Serverless Top 10 Project

2018-10-31T14:21:32Z

Tal Mel:

<div style="width:100%;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>
= Main =

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== OWASP Serverless Top 10 - First Released ==
The [https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf OWASP Top 10: Serverless Interpretation] is now available.

== Introduction ==

When adopting serverless technology, we eliminate the need to develop a server to manage our application. By doing so, we also pass some of the security threats to the infrastructure provider such as [https://aws.amazon.com/serverless/ AWS], [https://azure.microsoft.com/en-us/services/functions/ Azure] and [https://cloud.google.com/functions/ Google Cloud]. In addition to the many advantages of serverless application development, such as cost and scalability, some security aspects are also handed to our service provider. Serverless services run code without provisioning or managing servers and the code is executed only when needed.

However, even if these applications are running without a managed server, they still execute code. If this code is written in an insecure manner, it can still be vulnerable to application-level attacks.

The first report will examine the differences in attack vectors, security weaknesses, and the business impact of application attacks on in the serverless world, and, most importantly, the report will suggest ways to to prevent them. As we will be able to see in the report, attack and defense techniques are different from what we used to in the traditional application world.

After that, an open-call will be established to collect data in the wild and establishing the official Serverless Top 10 Report.

==Purpose==

OWASP Serverless Top 10 aims at educating practitioners and organizations about the consequences of the most common serverless application security vulnerabilities, as well as providing basic techniques to identify and protect against them.

== Licensing ==

The OWASP Serverless Top 10 is free to use. It is licensed under the [http://creativecommons.org/licenses/by-sa/4.0/ Creative Commons Attribution-ShareAlike 4.0 license] (CC BY-SA 4.0).

==Project Sponsors==
The OWASP Serverless Top 10 project is sponsored by

{{MemberLinks|link=https://www.protego.io|logo=Protego logo 300x75.png}}

and

[[File:PureSec-Logo.png|frameless|link=https://www.puresec.io/]]
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Quick Downloads ==
[https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf OWASP Top 10: Serverless Interpretation]

== Presentation ==
Soon!

== News & Events ==
* [1 Sep 2018]: Hello World!
* [18 Sep 2018]: Join our [https://join.slack.com/t/owasp/shared_invite/enQtNDI5MzgxMDQ2MTAwLTEyNzIzYWQ2NDZiMGIwNmJhYzYxZDJiNTM0ZmZiZmJlY2EwZmMwYjAyNmJjNzQxNzMyMWY4OTk3ZTQ0MzFhMDY Slack-channel].
* [22 Sep 2018]: Follow our [https://github.com/OWASP/Serverless-Top-10-Project/ Git Repo].
* [25 Oct 2018]: [https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf '''First Release!''']

== Project Leader ==
[[User:Tal Mel|Tal Melamed]]

[[Coming soon!]]

[[Coming soon!]]

== Related Projects ==
[[:Category:OWASP Top Ten Project|OWASP Top 10 Project]]

==Classifications==

{| width="300" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=Defenders]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Acknowledgments =
Assaf Hefetz, Snyk

Erez Metula, AppSec Labs

Erez Yalon, Checkmarx

Frank M. Catucci, OWASP

Guy Bernhart-Magen, Intel

Hemed Gur Ary, OWASP

Jeff Williams, Contrast Security

Jim DelGrosso, Synopsys

Jochanan Sommerfeld, RDuck

Kobi Lechner, INFINIDAT

Limor Sylvie Kessem, IBM

Marcin Hoppe, Auth0

Mark Johnston, Google

Martin Knobloch, OWASP

Matthew Henderson, Microsoft

Matteo Meucci, Minded Security

Owen Pendlebury, OWASP

Paco Hope, AWS

Patrick Laverty, Rapid7

Rupack Ganguly, Serverless Inc.

Tanya Janca, Microsoft

Tash Norris, Capital One

Tom Brennan, IOActive

Yan Cui, DAZN

Youssef Elmalty, AWS

= Project Resources =
== OWASP Serverless Top 10 - First Released ==
The [https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf OWASP Top 10: Serverless Interpretation] is now available.

[https://github.com/OWASP/Serverless-Top-10-Project/ GitHub repository]

= Roadmap =
{{:Projects/OWASP_Serverless_Top_10_Project/Roadmap}}

= Get involved =

Get involved in <strong> OWASP Serverless Top 10</strong>!

You do not have to be a security expert or a programmer to contribute. Contact the Project Leader(s) to get involved, we welcome any type of suggestions and comments.

Possible ways to get contribute:
* We are actively looking for organizations and individuals that will provide vulnerability prevalence data.
* Translation efforts (later stages)
* Assisting in the development of related tools (e.g. DVSA)

Individuals and organizations that will contribute to the project will listed on the acknowledgments page.

Also, join our [https://lists.owasp.org/mailman/listinfo/owasp-serverless-top-10-project mailing list]

Slack Channel [https://join.slack.com/t/owasp/shared_invite/enQtNDI5MzgxMDQ2MTAwLTEyNzIzYWQ2NDZiMGIwNmJhYzYxZDJiNTM0ZmZiZmJlY2EwZmMwYjAyNmJjNzQxNzMyMWY4OTk3ZTQ0MzFhMDY invite]

GitHub [https://github.com/OWASP/Serverless-Top-10-Project/ project page]

=About=
<span style="color:#ff0000">
{{:OWASP_Serverless_Top_10_Project_About}}

__NOTOC__
<headertabs />

<br/>

[[Category:OWASP Project]]
[[Category:OWASP_Builders]]
[[Category:OWASP_Defenders]]
[[Category:OWASP_Document]]

OWASP Serverless Top 10 Project

2018-10-31T14:21:20Z

Tal Mel:

<div style="width:100%;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>
= Main =

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== OWASP Serverless Top 10 - First Released ==
The [https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf OWASP Top 10: Serverless Interpretation] is now available.

== Introduction ==

When adopting serverless technology, we eliminate the need to develop a server to manage our application. By doing so, we also pass some of the security threats to the infrastructure provider such as [https://aws.amazon.com/serverless/ AWS], [https://azure.microsoft.com/en-us/services/functions/ Azure] and [https://cloud.google.com/functions/ Google Cloud]. In addition to the many advantages of serverless application development, such as cost and scalability, some security aspects are also handed to our service provider. Serverless services run code without provisioning or managing servers and the code is executed only when needed.

However, even if these applications are running without a managed server, they still execute code. If this code is written in an insecure manner, it can still be vulnerable to application-level attacks.

The first report will examine the differences in attack vectors, security weaknesses, and the business impact of application attacks on in the serverless world, and, most importantly, the report will suggest ways to to prevent them. As we will be able to see in the report, attack and defense techniques are different from what we used to in the traditional application world.

After that, an open-call will be established to collect data in the wild and establishing the official Serverless Top 10 Report.

==Purpose==

OWASP Serverless Top 10 aims at educating practitioners and organizations about the consequences of the most common serverless application security vulnerabilities, as well as providing basic techniques to identify and protect against them.

== Licensing ==

The OWASP Serverless Top 10 is free to use. It is licensed under the [http://creativecommons.org/licenses/by-sa/4.0/ Creative Commons Attribution-ShareAlike 4.0 license] (CC BY-SA 4.0).

==Project Sponsors==
The OWASP Serverless Top 10 project is sponsored by

{{MemberLinks|link=https://www.protego.io|logo=Protego logo 300x75.png}}

and

[[File:PureSec-Logo.png|frameless|link=https://www.puresec.io/]]
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Quick Downloads ==
[https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf OWASP Top 10: Serverless Interpretation]

== Presentation ==
Soon!

== News & Events ==
* [1 Sep 2018]: Hello World!
* [18 Sep 2018]: Join our [https://join.slack.com/t/owasp/shared_invite/enQtNDI5MzgxMDQ2MTAwLTEyNzIzYWQ2NDZiMGIwNmJhYzYxZDJiNTM0ZmZiZmJlY2EwZmMwYjAyNmJjNzQxNzMyMWY4OTk3ZTQ0MzFhMDY Slack-channel].
* [22 Sep 2018]: Follow our [https://github.com/OWASP/Serverless-Top-10-Project/ Git Repo].
* [25 Oct 2018]: [https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf '''First Release!''']

== Project Leader ==
[[User:Tal Mel|Tal Melamed]]

[[Coming soon!]]

[[Coming soon!]]

== Related Projects ==
[[:Category:OWASP Top Ten Project|OWASP Top 10 Project]]

==Classifications==

{| width="300" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=Defenders]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Acknowledgments =
Assaf Hefetz, Snyk

Erez Metula, AppSec Labs

Erez Yalon, Checkmarx

Frank M. Catucci, OWASP

Guy Bernhart-Magen, Intel

Hemed Gur Ary, OWASP

Jeff Williams, Contrast Security

Jim DelGrosso, Synopsys

Jochanan Sommerfeld, RDuck

Kobi Lechner, INFINIDAT

Limor Sylvie Kessem, IBM

Marcin Hoppe, Auth0

Mark Johnston, Google

Martin Knobloch, OWASP

Matthew Henderson, Microsoft

Matteo Meucci, Minded Security

Owen Pendlebury, OWASP

Paco Hope, AWS

Patrick Laverty, Rapid7

Rupack Ganguly, Serverless Inc.

Tanya Janca, Microsoft

Tash Norris, Capital One

Tom Brennan, IOActive

Yan Cui, DAZN

Youssef Elmalty, AWS

= Project Resources =
== OWASP Serverless Top 10 - First Released ==
The [https://www.owasp.org/images/7/79/OWASP-Top-10-Serverless-Interpretation_%28en%29.pdf OWASP Top 10: Serverless Interpretation] is now available.

[https://github.com/OWASP/Serverless-Top-10-Project/ GitHub repository]

= Roadmap =
{{:Projects/OWASP_Serverless_Top_10_Project/Roadmap}}

= Get involved =

Get involved in <strong> OWASP Serverless Top 10</strong>!

You do not have to be a security expert or a programmer to contribute. Contact the Project Leader(s) to get involved, we welcome any type of suggestions and comments.

Possible ways to get contribute:
* We are actively looking for organizations and individuals that will provide vulnerability prevalence data.
* Translation efforts (later stages)
* Assisting in the development of related tools (e.g. DVSA)

Individuals and organizations that will contribute to the project will listed on the acknowledgments page.

Also, join our [https://lists.owasp.org/mailman/listinfo/owasp-serverless-top-10-project mailing list]

Slack Channel [https://join.slack.com/t/owasp/shared_invite/enQtNDI5MzgxMDQ2MTAwLTEyNzIzYWQ2NDZiMGIwNmJhYzYxZDJiNTM0ZmZiZmJlY2EwZmMwYjAyNmJjNzQxNzMyMWY4OTk3ZTQ0MzFhMDY invite]

GitHub [https://github.com/OWASP/Serverless-Top-10-Project/ project page]

=About=
<span style="color:#ff0000">
{{:OWASP_Serverless_Top_10_Project_About}}

__NOTOC__
<headertabs />

<br/>

[[Category:OWASP Project]]
[[Category:OWASP_Builders]]
[[Category:OWASP_Defenders]]
[[Category:OWASP_Document]]

OWASP Serverless Top 10 Project

2018-10-31T14:21:10Z

Tal Mel:

<div style="width:100%;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>
= Main =

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== OWASP Serverless Top 10 - First Released ==
The [https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf OWASP Top 10: Serverless Interpretation] is now available.

== Introduction ==

When adopting serverless technology, we eliminate the need to develop a server to manage our application. By doing so, we also pass some of the security threats to the infrastructure provider such as [https://aws.amazon.com/serverless/ AWS], [https://azure.microsoft.com/en-us/services/functions/ Azure] and [https://cloud.google.com/functions/ Google Cloud]. In addition to the many advantages of serverless application development, such as cost and scalability, some security aspects are also handed to our service provider. Serverless services run code without provisioning or managing servers and the code is executed only when needed.

However, even if these applications are running without a managed server, they still execute code. If this code is written in an insecure manner, it can still be vulnerable to application-level attacks.

The first report will examine the differences in attack vectors, security weaknesses, and the business impact of application attacks on in the serverless world, and, most importantly, the report will suggest ways to to prevent them. As we will be able to see in the report, attack and defense techniques are different from what we used to in the traditional application world.

After that, an open-call will be established to collect data in the wild and establishing the official Serverless Top 10 Report.

==Purpose==

OWASP Serverless Top 10 aims at educating practitioners and organizations about the consequences of the most common serverless application security vulnerabilities, as well as providing basic techniques to identify and protect against them.

== Licensing ==

The OWASP Serverless Top 10 is free to use. It is licensed under the [http://creativecommons.org/licenses/by-sa/4.0/ Creative Commons Attribution-ShareAlike 4.0 license] (CC BY-SA 4.0).

==Project Sponsors==
The OWASP Serverless Top 10 project is sponsored by

{{MemberLinks|link=https://www.protego.io|logo=Protego logo 300x75.png}}

and

[[File:PureSec-Logo.png|frameless|link=https://www.puresec.io/]]
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Quick Downloads ==
[https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf OWASP Top 10: Serverless Interpretation]

== Presentation ==
Soon!

== News & Events ==
* [1 Sep 2018]: Hello World!
* [18 Sep 2018]: Join our [https://join.slack.com/t/owasp/shared_invite/enQtNDI5MzgxMDQ2MTAwLTEyNzIzYWQ2NDZiMGIwNmJhYzYxZDJiNTM0ZmZiZmJlY2EwZmMwYjAyNmJjNzQxNzMyMWY4OTk3ZTQ0MzFhMDY Slack-channel].
* [22 Sep 2018]: Follow our [https://github.com/OWASP/Serverless-Top-10-Project/ Git Repo].
* [25 Oct 2018]: [https://www.owasp.org/images/7/79/OWASP-Top-10-Serverless-Interpretation_%28en%29.pdf '''First Release!''']

== Project Leader ==
[[User:Tal Mel|Tal Melamed]]

[[Coming soon!]]

[[Coming soon!]]

== Related Projects ==
[[:Category:OWASP Top Ten Project|OWASP Top 10 Project]]

==Classifications==

{| width="300" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=Defenders]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Acknowledgments =
Assaf Hefetz, Snyk

Erez Metula, AppSec Labs

Erez Yalon, Checkmarx

Frank M. Catucci, OWASP

Guy Bernhart-Magen, Intel

Hemed Gur Ary, OWASP

Jeff Williams, Contrast Security

Jim DelGrosso, Synopsys

Jochanan Sommerfeld, RDuck

Kobi Lechner, INFINIDAT

Limor Sylvie Kessem, IBM

Marcin Hoppe, Auth0

Mark Johnston, Google

Martin Knobloch, OWASP

Matthew Henderson, Microsoft

Matteo Meucci, Minded Security

Owen Pendlebury, OWASP

Paco Hope, AWS

Patrick Laverty, Rapid7

Rupack Ganguly, Serverless Inc.

Tanya Janca, Microsoft

Tash Norris, Capital One

Tom Brennan, IOActive

Yan Cui, DAZN

Youssef Elmalty, AWS

= Project Resources =
== OWASP Serverless Top 10 - First Released ==
The [https://www.owasp.org/images/7/79/OWASP-Top-10-Serverless-Interpretation_%28en%29.pdf OWASP Top 10: Serverless Interpretation] is now available.

[https://github.com/OWASP/Serverless-Top-10-Project/ GitHub repository]

= Roadmap =
{{:Projects/OWASP_Serverless_Top_10_Project/Roadmap}}

= Get involved =

Get involved in <strong> OWASP Serverless Top 10</strong>!

You do not have to be a security expert or a programmer to contribute. Contact the Project Leader(s) to get involved, we welcome any type of suggestions and comments.

Possible ways to get contribute:
* We are actively looking for organizations and individuals that will provide vulnerability prevalence data.
* Translation efforts (later stages)
* Assisting in the development of related tools (e.g. DVSA)

Individuals and organizations that will contribute to the project will listed on the acknowledgments page.

Also, join our [https://lists.owasp.org/mailman/listinfo/owasp-serverless-top-10-project mailing list]

Slack Channel [https://join.slack.com/t/owasp/shared_invite/enQtNDI5MzgxMDQ2MTAwLTEyNzIzYWQ2NDZiMGIwNmJhYzYxZDJiNTM0ZmZiZmJlY2EwZmMwYjAyNmJjNzQxNzMyMWY4OTk3ZTQ0MzFhMDY invite]

GitHub [https://github.com/OWASP/Serverless-Top-10-Project/ project page]

=About=
<span style="color:#ff0000">
{{:OWASP_Serverless_Top_10_Project_About}}

__NOTOC__
<headertabs />

<br/>

[[Category:OWASP Project]]
[[Category:OWASP_Builders]]
[[Category:OWASP_Defenders]]
[[Category:OWASP_Document]]

OWASP Serverless Top 10 Project

2018-10-31T14:20:44Z

Tal Mel:

<div style="width:100%;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>
= Main =

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== OWASP Serverless Top 10 - First Released ==
The [https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation-en.pdf OWASP Top 10: Serverless Interpretation] is now available.

== Introduction ==

When adopting serverless technology, we eliminate the need to develop a server to manage our application. By doing so, we also pass some of the security threats to the infrastructure provider such as [https://aws.amazon.com/serverless/ AWS], [https://azure.microsoft.com/en-us/services/functions/ Azure] and [https://cloud.google.com/functions/ Google Cloud]. In addition to the many advantages of serverless application development, such as cost and scalability, some security aspects are also handed to our service provider. Serverless services run code without provisioning or managing servers and the code is executed only when needed.

However, even if these applications are running without a managed server, they still execute code. If this code is written in an insecure manner, it can still be vulnerable to application-level attacks.

The first report will examine the differences in attack vectors, security weaknesses, and the business impact of application attacks on in the serverless world, and, most importantly, the report will suggest ways to to prevent them. As we will be able to see in the report, attack and defense techniques are different from what we used to in the traditional application world.

After that, an open-call will be established to collect data in the wild and establishing the official Serverless Top 10 Report.

==Purpose==

OWASP Serverless Top 10 aims at educating practitioners and organizations about the consequences of the most common serverless application security vulnerabilities, as well as providing basic techniques to identify and protect against them.

== Licensing ==

The OWASP Serverless Top 10 is free to use. It is licensed under the [http://creativecommons.org/licenses/by-sa/4.0/ Creative Commons Attribution-ShareAlike 4.0 license] (CC BY-SA 4.0).

==Project Sponsors==
The OWASP Serverless Top 10 project is sponsored by

{{MemberLinks|link=https://www.protego.io|logo=Protego logo 300x75.png}}

and

[[File:PureSec-Logo.png|frameless|link=https://www.puresec.io/]]
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Quick Downloads ==
[https://www.owasp.org/images/7/79/OWASP-Top-10-Serverless-Interpretation_%28en%29.pdf OWASP Top 10: Serverless Interpretation]

== Presentation ==
Soon!

== News & Events ==
* [1 Sep 2018]: Hello World!
* [18 Sep 2018]: Join our [https://join.slack.com/t/owasp/shared_invite/enQtNDI5MzgxMDQ2MTAwLTEyNzIzYWQ2NDZiMGIwNmJhYzYxZDJiNTM0ZmZiZmJlY2EwZmMwYjAyNmJjNzQxNzMyMWY4OTk3ZTQ0MzFhMDY Slack-channel].
* [22 Sep 2018]: Follow our [https://github.com/OWASP/Serverless-Top-10-Project/ Git Repo].
* [25 Oct 2018]: [https://www.owasp.org/images/7/79/OWASP-Top-10-Serverless-Interpretation_%28en%29.pdf '''First Release!''']

== Project Leader ==
[[User:Tal Mel|Tal Melamed]]

[[Coming soon!]]

[[Coming soon!]]

== Related Projects ==
[[:Category:OWASP Top Ten Project|OWASP Top 10 Project]]

==Classifications==

{| width="300" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=Defenders]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Acknowledgments =
Assaf Hefetz, Snyk

Erez Metula, AppSec Labs

Erez Yalon, Checkmarx

Frank M. Catucci, OWASP

Guy Bernhart-Magen, Intel

Hemed Gur Ary, OWASP

Jeff Williams, Contrast Security

Jim DelGrosso, Synopsys

Jochanan Sommerfeld, RDuck

Kobi Lechner, INFINIDAT

Limor Sylvie Kessem, IBM

Marcin Hoppe, Auth0

Mark Johnston, Google

Martin Knobloch, OWASP

Matthew Henderson, Microsoft

Matteo Meucci, Minded Security

Owen Pendlebury, OWASP

Paco Hope, AWS

Patrick Laverty, Rapid7

Rupack Ganguly, Serverless Inc.

Tanya Janca, Microsoft

Tash Norris, Capital One

Tom Brennan, IOActive

Yan Cui, DAZN

Youssef Elmalty, AWS

= Project Resources =
== OWASP Serverless Top 10 - First Released ==
The [https://www.owasp.org/images/7/79/OWASP-Top-10-Serverless-Interpretation_%28en%29.pdf OWASP Top 10: Serverless Interpretation] is now available.

[https://github.com/OWASP/Serverless-Top-10-Project/ GitHub repository]

= Roadmap =
{{:Projects/OWASP_Serverless_Top_10_Project/Roadmap}}

= Get involved =

Get involved in <strong> OWASP Serverless Top 10</strong>!

You do not have to be a security expert or a programmer to contribute. Contact the Project Leader(s) to get involved, we welcome any type of suggestions and comments.

Possible ways to get contribute:
* We are actively looking for organizations and individuals that will provide vulnerability prevalence data.
* Translation efforts (later stages)
* Assisting in the development of related tools (e.g. DVSA)

Individuals and organizations that will contribute to the project will listed on the acknowledgments page.

Also, join our [https://lists.owasp.org/mailman/listinfo/owasp-serverless-top-10-project mailing list]

Slack Channel [https://join.slack.com/t/owasp/shared_invite/enQtNDI5MzgxMDQ2MTAwLTEyNzIzYWQ2NDZiMGIwNmJhYzYxZDJiNTM0ZmZiZmJlY2EwZmMwYjAyNmJjNzQxNzMyMWY4OTk3ZTQ0MzFhMDY invite]

GitHub [https://github.com/OWASP/Serverless-Top-10-Project/ project page]

=About=
<span style="color:#ff0000">
{{:OWASP_Serverless_Top_10_Project_About}}

__NOTOC__
<headertabs />

<br/>

[[Category:OWASP Project]]
[[Category:OWASP_Builders]]
[[Category:OWASP_Defenders]]
[[Category:OWASP_Document]]

OWASP Serverless Top 10 Project

2018-10-31T14:20:26Z

Tal Mel:

<div style="width:100%;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>
= Main =

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== OWASP Serverless Top 10 - First Released ==
The [https://www.owasp.org/index.php/File:OWASP-Top-10-Serverless-Interpretation-en.pdf OWASP Top 10: Serverless Interpretation] is now available.

== Introduction ==

When adopting serverless technology, we eliminate the need to develop a server to manage our application. By doing so, we also pass some of the security threats to the infrastructure provider such as [https://aws.amazon.com/serverless/ AWS], [https://azure.microsoft.com/en-us/services/functions/ Azure] and [https://cloud.google.com/functions/ Google Cloud]. In addition to the many advantages of serverless application development, such as cost and scalability, some security aspects are also handed to our service provider. Serverless services run code without provisioning or managing servers and the code is executed only when needed.

However, even if these applications are running without a managed server, they still execute code. If this code is written in an insecure manner, it can still be vulnerable to application-level attacks.

The first report will examine the differences in attack vectors, security weaknesses, and the business impact of application attacks on in the serverless world, and, most importantly, the report will suggest ways to to prevent them. As we will be able to see in the report, attack and defense techniques are different from what we used to in the traditional application world.

After that, an open-call will be established to collect data in the wild and establishing the official Serverless Top 10 Report.

==Purpose==

OWASP Serverless Top 10 aims at educating practitioners and organizations about the consequences of the most common serverless application security vulnerabilities, as well as providing basic techniques to identify and protect against them.

== Licensing ==

The OWASP Serverless Top 10 is free to use. It is licensed under the [http://creativecommons.org/licenses/by-sa/4.0/ Creative Commons Attribution-ShareAlike 4.0 license] (CC BY-SA 4.0).

==Project Sponsors==
The OWASP Serverless Top 10 project is sponsored by

{{MemberLinks|link=https://www.protego.io|logo=Protego logo 300x75.png}}

and

[[File:PureSec-Logo.png|frameless|link=https://www.puresec.io/]]
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Quick Downloads ==
[https://www.owasp.org/images/7/79/OWASP-Top-10-Serverless-Interpretation_%28en%29.pdf OWASP Top 10: Serverless Interpretation]

== Presentation ==
Soon!

== News & Events ==
* [1 Sep 2018]: Hello World!
* [18 Sep 2018]: Join our [https://join.slack.com/t/owasp/shared_invite/enQtNDI5MzgxMDQ2MTAwLTEyNzIzYWQ2NDZiMGIwNmJhYzYxZDJiNTM0ZmZiZmJlY2EwZmMwYjAyNmJjNzQxNzMyMWY4OTk3ZTQ0MzFhMDY Slack-channel].
* [22 Sep 2018]: Follow our [https://github.com/OWASP/Serverless-Top-10-Project/ Git Repo].
* [25 Oct 2018]: [https://www.owasp.org/images/7/79/OWASP-Top-10-Serverless-Interpretation_%28en%29.pdf '''First Release!''']

== Project Leader ==
[[User:Tal Mel|Tal Melamed]]

[[Coming soon!]]

[[Coming soon!]]

== Related Projects ==
[[:Category:OWASP Top Ten Project|OWASP Top 10 Project]]

==Classifications==

{| width="300" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=Defenders]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Acknowledgments =
Assaf Hefetz, Snyk

Erez Metula, AppSec Labs

Erez Yalon, Checkmarx

Frank M. Catucci, OWASP

Guy Bernhart-Magen, Intel

Hemed Gur Ary, OWASP

Jeff Williams, Contrast Security

Jim DelGrosso, Synopsys

Jochanan Sommerfeld, RDuck

Kobi Lechner, INFINIDAT

Limor Sylvie Kessem, IBM

Marcin Hoppe, Auth0

Mark Johnston, Google

Martin Knobloch, OWASP

Matthew Henderson, Microsoft

Matteo Meucci, Minded Security

Owen Pendlebury, OWASP

Paco Hope, AWS

Patrick Laverty, Rapid7

Rupack Ganguly, Serverless Inc.

Tanya Janca, Microsoft

Tash Norris, Capital One

Tom Brennan, IOActive

Yan Cui, DAZN

Youssef Elmalty, AWS

= Project Resources =
== OWASP Serverless Top 10 - First Released ==
The [https://www.owasp.org/images/7/79/OWASP-Top-10-Serverless-Interpretation_%28en%29.pdf OWASP Top 10: Serverless Interpretation] is now available.

[https://github.com/OWASP/Serverless-Top-10-Project/ GitHub repository]

= Roadmap =
{{:Projects/OWASP_Serverless_Top_10_Project/Roadmap}}

= Get involved =

Get involved in <strong> OWASP Serverless Top 10</strong>!

You do not have to be a security expert or a programmer to contribute. Contact the Project Leader(s) to get involved, we welcome any type of suggestions and comments.

Possible ways to get contribute:
* We are actively looking for organizations and individuals that will provide vulnerability prevalence data.
* Translation efforts (later stages)
* Assisting in the development of related tools (e.g. DVSA)

Individuals and organizations that will contribute to the project will listed on the acknowledgments page.

Also, join our [https://lists.owasp.org/mailman/listinfo/owasp-serverless-top-10-project mailing list]

Slack Channel [https://join.slack.com/t/owasp/shared_invite/enQtNDI5MzgxMDQ2MTAwLTEyNzIzYWQ2NDZiMGIwNmJhYzYxZDJiNTM0ZmZiZmJlY2EwZmMwYjAyNmJjNzQxNzMyMWY4OTk3ZTQ0MzFhMDY invite]

GitHub [https://github.com/OWASP/Serverless-Top-10-Project/ project page]

=About=
<span style="color:#ff0000">
{{:OWASP_Serverless_Top_10_Project_About}}

__NOTOC__
<headertabs />

<br/>

[[Category:OWASP Project]]
[[Category:OWASP_Builders]]
[[Category:OWASP_Defenders]]
[[Category:OWASP_Document]]