owasp-serverless-top-10

Original：🇺🇸 English

Translated

OWASP Serverless Top 10 - prevention, detection, and remediation for serverless (Lambda, Functions) security. Use when building or reviewing serverless apps - event injection, over-permissioned functions, insecure deps, secrets, config, and other serverless-specific interpretations of the Web Top 10.

1installs

Sourceyariv1025/skills

Added on2026-02-15

NPX Install

npx skill4agent add yariv1025/skills owasp-serverless-top-10

SKILL.md Content

View Translation Comparison →

OWASP Serverless Top 10

This skill encodes the OWASP Top 10 Serverless Interpretation for secure serverless design and review. References are loaded per risk. Based on OWASP Top 10 Serverless Interpretation 2018. See the official PDF for the exact 10 categories.

When to Read Which Reference

Risk	Read
SL1 Injection (Serverless)	references/sl01-injection.md
SL2 Broken Authentication (Serverless)	references/sl02-broken-auth.md
SL3 Sensitive Data Exposure (Serverless)	references/sl03-sensitive-data-exposure.md
SL4 XML External Entities (Serverless)	references/sl04-xxe.md
SL5 Broken Access Control (Serverless)	references/sl05-broken-access-control.md
SL6 Security Misconfiguration (Serverless)	references/sl06-misconfiguration.md
SL7 XSS (Serverless)	references/sl07-xss.md
SL8 Insecure Deserialization (Serverless)	references/sl08-insecure-deserialization.md
SL9 Using Components with Known Vulnerabilities (Serverless)	references/sl09-vulnerable-components.md
SL10 Insufficient Logging and Monitoring (Serverless)	references/sl10-logging-monitoring.md

Quick Patterns

Validate and sanitize event input (injection); use least privilege for function IAM; avoid hardcoded secrets; secure config and dependencies; enable logging and monitoring.

Quick Reference / Examples

Task	Approach
Prevent event injection	Validate/sanitize all event data (API Gateway, S3, SNS). See SL1.
Least privilege IAM	Scope function roles to exact resources needed. See SL5.
Manage secrets	Use Secrets Manager/Parameter Store, not env vars. See SL3.
Secure dependencies	Pin versions, scan for vulnerabilities. See SL9.
Enable logging	CloudWatch/X-Ray for all functions. See SL10.

Safe - input validation in Lambda:

python

import json
def handler(event, context):
    body = json.loads(event.get("body", "{}"))
    user_id = body.get("user_id", "")
    if not user_id.isalnum() or len(user_id) > 36:
        return {"statusCode": 400, "body": "Invalid user_id"}
    # Proceed with validated input

Safe - least privilege IAM policy:

yaml

# serverless.yml
provider:
  iam:
    role:
      statements:
        - Effect: Allow
          Action: dynamodb:GetItem
          Resource: arn:aws:dynamodb:*:*:table/users

Unsafe - overly permissive IAM: