This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit

OWASP Cloud Security Project

Jump to: navigation, search
OWASP Project Header.jpg

The OWASP Cloud Security Project

We believe that cyber security has a fundamental role to play in protecting the digital future. We also believe that cyber security isn't just about the technology; it's about the people. The customer, the developer, the designer, the security engineer, even the attacker. Not only is cyber security a never-ending process, it's also a conversation.

This project was created to enable that conversation.

Given the challenge of protecting the digital future And a diverse group of awesomely talented people When we enable the conversation between people Then they can make a real difference to the security of their services

The rise of DevOps and cloud computing has given organisations unprecedented access to feature-rich and high-scalable elastic platforms that allow them to deliver products and services with a velocity and agility that has never been seen before.

But with new capabilities come new attack vectors. The OWASP Cloud Security project aims to help people secure their products and services running in the cloud by providing a set of easy to use threat and control BDD stories that pool together the expertise and experience of the development, operations and security communities.

Why BDD stories?

Behaviour Driven Development (BDD) adds a natural language layer on top of test-driven development by defining requirements in a machine parsable language that is also human readable. While adoption of BDD within development communities has been mixed (often because the developers end up having to duplicate effort as both producers and consumers of the BDD stories), BDD is actually an excellent fit for representing threats and control. For threats it provides a consistent and structured format for express threats and scenarios in a way that can be shared between all stakeholders, from engineers to management. For mitigating controls BDD is ideal because it expresses control requirements in a way that is also continuously testable. Rather than burying a control requirement in a policy document that nobody reads, it can be represented in a way that an auditor would be happy with at the same time as being implemented as automated detective or preventative tests.

By bringing together threat and control stories, provided by the community, the OWASP Cloud Security project helps organisations understand the risks they face on their journey into the cloud.

Threat modelling

Threat modelling addresses security issues at a fundamental, architectural level. Rather than trying to bolt on controls haphazardly, threat modelling results in more robust and secure systems by baking security into the design as well as identifying the gaps and weaknesses. Using threat stories allows the sharing of common threats in a way that can be tweaked and tuned by individual organisations. Improvements to the threats can then be fed back to the community for the benefit of everyone.


The OWASP Cloud Security project started life as a BDD for Cloud Security session held at the awesome OWASP Summit 2017. In this session approximately ten people spent an hour discussing whether it made sense to use BDD a way of capturing cloud control requirements in a way that fostered collaboration between development, operations, and security. The question then became - where do the requirements come from? PCI/DSS or some other standard? After spending the rest of the summit in various threat modelling sessions, it became clear to the project leader that it would be good to threat model the cloud services and then to write BDD stories for the mitigating controls from those threat models.

This project provides the following for an ever-expanding list of cloud providers and services:

  • Threats expressed as BDD (Gherkin) stories
  • Mitigating controls expressed as BDD (Gherkin) stories
  • Proof-of-concept attack scripts and tools


The OWASP Cloud Security project resources are all completely free to use!

Documentation and related resources are licensed under the Creative Commons Attribution-ShareAlike 3.0 license, so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

Code is licensed under the MIT license.

What is OWASP Cloud Security Project?

The OWASP Cloud Security project aims to help people secure their products and services running in the cloud by providing a set of easy to use threat and control BDD stories that pool together the expertise and experience of the development, operations, and security communities.

Please contribute!


Project Leader

Related Projects


Source code and documentation

The home of the OWASP Cloud Security project is on is on GitHub. You are encourged to fork, edit and push your changes back to the project through git or edit the project directly on github.

Please note that the project is still in its own organisation. This will be moved over to the OWASP organisation soon.

News and Events

The project has appeared in the follow posts:

In Print

This project is not currently available to purchase as a book.


New projects.png Owasp-builders-small.png
Project Type Files DOC.jpg

How can I participate in your project?

All you have to do is make the Project Leader's aware of your available time to contribute to the project. It is also important to let the Leader's know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key.

To participate, please see the Getting involved section of the repository README.

If I am not a programmer can I participate in your project?

Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator.

For more information, visit the GitHub repository.


The OWASP Cloud Security project is developed by volunteers. A live update of project contributors is found here.

The first contributors to the project were:

  • Fraser Scott
  • Steven Wierckx
  • Adam Shostack
  • Manish S. Saindane
  • Paulo Gomes
  • Francois Raynaud
  • Paul Cutting

As of October 2017, the priorities are:

  • Threat models and BDD stories for top 10 AWS services
  • Threat models and BDD stories for top 10 Azure services
  • Threat models and BDD stories for top 10 Google Cloud Platform services
  • Provider-agnostic threat models and BDD stories
  • Threats models and BDD stories based on published standards (e.g. PCI/DSS) and best-practices (e.g. whitepapers)

To get involved, see the Github repository.