This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "OWASP Serverless Top 10 Project"

From OWASP
Jump to: navigation, search
m (acks)
m
Line 72: Line 72:
  
 
= Acknowledgments =
 
= Acknowledgments =
Mark Johnston, Google
+
Mark Johnston, Google</br>
Tash Norris, CapitalOne
+
Tash Norris, CapitalOne</br>
Martin Knobloch, OWASP
+
Martin Knobloch, OWASP</br>
Rupack Ganguly, Serverless Inc.
+
Rupack Ganguly, Serverless Inc.</br>
Youssef Elmalty, AWS
+
Youssef Elmalty, AWS</br>
Paco Hope, AWS
+
Paco Hope, AWS</br>
Assaf Hefetz, Snyk
+
Assaf Hefetz, Snyk</br>
Erez Yalon, Checkmarx
+
Erez Yalon, Checkmarx</br>
Owen Pendlebury, OWASP
+
Owen Pendlebury, OWASP</br>
Frank M. Catucci, OWASP
+
Frank M. Catucci, OWASP</br>
Jeff Williams, Contrast Security
+
Jeff Williams, Contrast Security</br>
Hemed Gur Ary, OWASP
+
Hemed Gur Ary, OWASP</br>
Jochanan Sommerfeld, Comsec
+
Jochanan Sommerfeld, Comsec</br>
Kobi Lechner, INFIDAT
+
Kobi Lechner, INFIDAT</br>
Guy Bernhart-Magen, Intel
+
Guy Bernhart-Magen, Intel</br>
Matteo Meucci, Minded Security
+
Matteo Meucci, Minded Security</br>
Patric Laverty, Rapid7
+
Patric Laverty, Rapid7</br>
Tanya Janca, Microsoft
+
Tanya Janca, Microsoft</br>
  
  

Revision as of 22:13, 26 September 2018

OWASP Project Header.jpg

Introduction

When adopting serverless technology, we eliminate the need to develop a server to manage our application. By doing so, we also pass some of the security threats to the infrastructure provider such as AWS, Azure and Google Cloud. In addition to the many advantages of serverless application development, such as cost and scalability, some security aspects are also handed to our service provider. Serverless services run code without provisioning or managing servers and the code is executed only when needed.

However, even if these applications are running without a managed server, they still execute code. If this code is written in an insecure manner, it can still be vulnerable to application-level attacks.

The OWASP Serverless Top 10 report will examine the differences in attack vectors, security weaknesses, and the business impact of application attacks on in the serverless world, and, most importantly, the report will suggest ways to to prevent them. As we will be able to see in the report, attack and defense techniques are different from what we used to in the traditional application world.


Purpose

OWASP Serverless Top 10 aims at educating practitioners and organizations about the consequences of the most common serverless application security vulnerabilities, as well as providing basic techniques to identify and protect against them.


Licensing

The OWASP Serverless Top 10 is free to use. It is licensed under the Creative Commons Attribution-ShareAlike 4.0 license (CC BY-SA 4.0).


Project Sponsors

The OWASP Serverless Top 10 project is sponsored by

Protego_logo_300x75.png       

Quick Downloads

Nothing yet.


Presentation

Soon!


News & Events

  • [1 Sep 2018]: Hello World!
  • [] Stay tuned.


Project Leader

Tal Melamed


Related Projects

OWASP Top 10 Project


Classifications

Owasp-incubator-trans-85.png Owasp-builders-small.png
Owasp-defenders-small.png
Cc-button-y-sa-small.png
Project Type Files DOC.jpg


Mark Johnston, Google</br> Tash Norris, CapitalOne</br> Martin Knobloch, OWASP</br> Rupack Ganguly, Serverless Inc.</br> Youssef Elmalty, AWS</br> Paco Hope, AWS</br> Assaf Hefetz, Snyk</br> Erez Yalon, Checkmarx</br> Owen Pendlebury, OWASP</br> Frank M. Catucci, OWASP</br> Jeff Williams, Contrast Security</br> Hemed Gur Ary, OWASP</br> Jochanan Sommerfeld, Comsec</br> Kobi Lechner, INFIDAT</br> Guy Bernhart-Magen, Intel</br> Matteo Meucci, Minded Security</br> Patric Laverty, Rapid7</br> Tanya Janca, Microsoft</br>



TBD.



  • 30-SEP-2018: First draft is sent to reviewers
  • 25-OCT-2018: Initial report released
  • 01-APR-2019: Call for data opened
  • 31-JUL-2019: Processing data collected
  • 01-SEP-2019: Release Candidate is sent for review
  • 01-OCT-2019: Official release

We will need help along the way. Please contact Project Leaders to get involved.




Get involved in OWASP Serverless Top 10!

You do not have to be a security expert or a programmer to contribute. Contact the Project Leader(s) to get involved, we welcome any type of suggestions and comments.

Possible ways to get contribute:

  • We are actively looking for organizations and individuals that will provide vulnerability prevalence data.
  • Translation efforts (later stages)
  • Assisting in the development of related tools (e.g. DVSA)

Individuals and organizations that will contribute to the project will listed on the acknowledgments page.

Also, join our mailing list





PROJECT INFO
What does this OWASP project offer you? 		RELEASE(S) INFO
What releases are available for this project?
what is this project?
Name: OWASP Serverless Top 10
Purpose: OWASP Serverless Top 10 aims at educating practitioners and organizations about the consequences of the most common serverless application security vulnerabilities, as well as providing basic techniques to identify and protect against them.
License: CC BY-SA 4.0
who is working on this project?
Project Leader(s):
how can you learn more?
Project Pamphlet: Not Yet Created
Project Presentation:
Mailing list: Mailing List Archives
Project Roadmap: View
Key Contacts
current release
Not Yet Published
last reviewed release
Not Yet Reviewed


other releases




Retrieved from "https://wiki.owasp.org/index.php?title=OWASP_Serverless_Top_10_Project&oldid=243752"