owasp-cloud-native-top-10
OWASP Cloud-Native Application Security Top 10
This skill encodes the OWASP Cloud-Native Application Security Top 10 for secure cloud-native design and review. References are loaded per risk. Based on OWASP Cloud-Native Application Security Top 10 2022. The official list defines 6 risks (CNAS-1 to CNAS-6); the project is archived.
When to Read Which Reference
| Risk | Read |
|---|---|
| CNAS-1 Insecure cloud, container or orchestration configuration | references/cnas-1-insecure-configuration.md |
| CNAS-2 Injection flaws | references/cnas-2-injection-flaws.md |
| CNAS-3 Improper authentication and authorization | references/cnas-3-auth.md |
| CNAS-4 CI/CD pipeline and software supply chain flaws | references/cnas-4-cicd-supply-chain.md |
| CNAS-5 Insecure secrets storage | references/cnas-5-secrets-storage.md |
| CNAS-6 Over-permissive or insecure network policies | references/cnas-6-network-policies.md |
Quick Patterns
- Harden cloud and container config; validate input and avoid injection; enforce auth and least privilege; secure CI/CD and supply chain; protect secrets; apply network segmentation.
Quick Reference / Examples
| Task | Approach |
|---|---|
| Harden containers | Non-root, minimal base images, read-only fs. See CNAS-1. |
| Prevent injection | Parameterized queries, validate cloud event data. See CNAS-2. |
| Secure auth | Use managed identity (IAM roles), short-lived tokens. See CNAS-3. |
| Protect CI/CD | Sign artifacts, verify dependencies, secure pipelines. See CNAS-4. |
| Manage secrets | Use cloud secrets manager, never in code/env. See CNAS-5. |
Safe - minimal Dockerfile:

```dockerfile
FROM gcr.io/distroless/python3-debian12
COPY app.py /app/
USER nonroot
ENTRYPOINT ["python3", "/app/app.py"]
```
Unsafe - bloated image with root:

```dockerfile
FROM ubuntu:latest
RUN apt-get update && apt-get install -y python3 curl vim # Attack surface
COPY app.py /app/
# Running as root by default
```
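A check for the two problems the unsafe Dockerfile shows (root by default, package installs in the shipped image), added here as an example and not part of the original skill. The function name `audit_dockerfile`, the finding codes and the sample inputs are constructed for illustration; it goes one step beyond the text by handling multi-stage builds, where only the final stage is audited.

```python
import re

# Constructed inputs: the two Dockerfiles above, plus a multi-stage build.
SAFE = (
    "FROM gcr.io/distroless/python3-debian12\n"
    "COPY app.py /app/\n"
    "USER nonroot\n"
    'ENTRYPOINT ["python3", "/app/app.py"]\n'
)
UNSAFE = (
    "FROM ubuntu:latest\n"
    "RUN apt-get update && apt-get install -y python3 curl vim\n"
    "COPY app.py /app/\n"
)
MULTI_STAGE = (
    "FROM python:3.12 AS build\n"
    "RUN apt-get update && \\\n"
    "    apt-get install -y gcc\n"
    "FROM gcr.io/distroless/python3-debian12\n"
    "COPY --from=build /src/app.py /app/\n"
    "USER 65532:65532\n"
)

PKG_INSTALL = re.compile(r"\b(apt-get|apt|apk|yum|dnf)\b[^&;|]*\b(install|add)\b")


def audit_dockerfile(text):
    """Return sorted finding codes for the final stage (the one that ships)."""
    text = re.sub(r"\\\s*\n", " ", text)  # join backslash-continued lines
    user, findings = "", set()
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        instr, arg = parts[0].upper(), parts[1]
        if instr == "FROM":
            user, findings = "", set()  # earlier stages are discarded
        elif instr == "USER":
            user = arg.split(":")[0].strip()  # "uid:gid" -> "uid"
        elif instr == "RUN" and PKG_INSTALL.search(arg):
            findings.add("package-install")
    # Assumption: with no USER instruction the image runs as root; a base
    # image that sets its own non-root USER would make this a false positive.
    if user in ("", "root", "0"):
        findings.add("runs-as-root")
    return sorted(findings)


if __name__ == "__main__":
    for name, df in (("safe", SAFE), ("unsafe", UNSAFE), ("multi", MULTI_STAGE)):
        print(name, audit_dockerfile(df))
```

The build-stage `apt-get install` in the multi-stage sample is not reported because that stage never reaches the final image.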
Secrets via AWS Secrets Manager:

```python
import boto3

# Fetch the secret at runtime instead of storing it in code or env vars.
client = boto3.client("secretsmanager")
secret = client.get_secret_value(SecretId="prod/db/password")
db_password = secret["SecretString"]
```
Workflow
Load the reference for the risk you are addressing. See OWASP Cloud-Native Application Security Top 10 (archived).