owasp-serverless-top-10
SKILL.md
OWASP Serverless Top 10
This skill encodes the OWASP Top 10 Serverless Interpretation for secure serverless design and review. References are loaded per risk. Based on OWASP Top 10 Serverless Interpretation 2018. See the official PDF for the exact 10 categories.
When to Read Which Reference
| Risk | Read |
|---|---|
| SL1 Injection (Serverless) | references/sl01-injection.md |
| SL2 Broken Authentication (Serverless) | references/sl02-broken-auth.md |
| SL3 Sensitive Data Exposure (Serverless) | references/sl03-sensitive-data-exposure.md |
| SL4 XML External Entities (Serverless) | references/sl04-xxe.md |
| SL5 Broken Access Control (Serverless) | references/sl05-broken-access-control.md |
| SL6 Security Misconfiguration (Serverless) | references/sl06-misconfiguration.md |
| SL7 XSS (Serverless) | references/sl07-xss.md |
| SL8 Insecure Deserialization (Serverless) | references/sl08-insecure-deserialization.md |
| SL9 Using Components with Known Vulnerabilities (Serverless) | references/sl09-vulnerable-components.md |
| SL10 Insufficient Logging and Monitoring (Serverless) | references/sl10-logging-monitoring.md |
Quick Patterns
- Validate and sanitize event input (injection); use least privilege for function IAM; avoid hardcoded secrets; secure config and dependencies; enable logging and monitoring.
Quick Reference / Examples
| Task | Approach |
|---|---|
| Prevent event injection | Validate/sanitize all event data (API Gateway, S3, SNS). See SL1. |
| Least privilege IAM | Scope function roles to exact resources needed. See SL5. |
| Manage secrets | Use Secrets Manager/Parameter Store, not env vars. See SL3. |
| Secure dependencies | Pin versions, scan for vulnerabilities. See SL9. |
| Enable logging | CloudWatch/X-Ray for all functions. See SL10. |
Safe - input validation in Lambda:
import json
def handler(event, context):
body = json.loads(event.get("body", "{}"))
user_id = body.get("user_id", "")
if not user_id.isalnum() or len(user_id) > 36:
return {"statusCode": 400, "body": "Invalid user_id"}
# Proceed with validated input
Safe - least privilege IAM policy:
# serverless.yml
provider:
iam:
role:
statements:
- Effect: Allow
Action: dynamodb:GetItem
Resource: arn:aws:dynamodb:*:*:table/users
Unsafe - overly permissive IAM:
# NEVER do this
statements:
- Effect: Allow
Action: "*"
Resource: "*"
Workflow
Load the reference for the risk you are addressing. Confirm exact risk names from the official OWASP Serverless Top 10 PDF.
Weekly Installs
5
Repository
yariv1025/skillsGitHub Stars
1
First Seen
Feb 15, 2026
Security Audits
Installed on
cursor5
gemini-cli3
github-copilot3
codex3
kimi-cli3
opencode3