owasp-serverless-top-10


OWASP Serverless Top 10

This skill encodes the OWASP Top 10 Serverless Interpretation for secure serverless design and review. References are loaded per risk. Based on OWASP Top 10 Serverless Interpretation 2018. See the official PDF for the exact 10 categories.

When to Read Which Reference


| Risk | Read |
|---|---|
| SL1 Injection (Serverless) | references/sl01-injection.md |
| SL2 Broken Authentication (Serverless) | references/sl02-broken-auth.md |
| SL3 Sensitive Data Exposure (Serverless) | references/sl03-sensitive-data-exposure.md |
| SL4 XML External Entities (Serverless) | references/sl04-xxe.md |
| SL5 Broken Access Control (Serverless) | references/sl05-broken-access-control.md |
| SL6 Security Misconfiguration (Serverless) | references/sl06-misconfiguration.md |
| SL7 XSS (Serverless) | references/sl07-xss.md |
| SL8 Insecure Deserialization (Serverless) | references/sl08-insecure-deserialization.md |
| SL9 Using Components with Known Vulnerabilities (Serverless) | references/sl09-vulnerable-components.md |
| SL10 Insufficient Logging and Monitoring (Serverless) | references/sl10-logging-monitoring.md |

Quick Patterns


  • Validate and sanitize event input (injection); use least privilege for function IAM; avoid hardcoded secrets; secure config and dependencies; enable logging and monitoring.

Quick Reference / Examples


| Task | Approach |
|---|---|
| Prevent event injection | Validate/sanitize all event data (API Gateway, S3, SNS). See SL1. |
| Least privilege IAM | Scope function roles to exact resources needed. See SL5. |
| Manage secrets | Use Secrets Manager/Parameter Store, not env vars. See SL3. |
| Secure dependencies | Pin versions, scan for vulnerabilities. See SL9. |
| Enable logging | CloudWatch/X-Ray for all functions. See SL10. |

**Safe - input validation in Lambda:**

```python
import json


def handler(event, context):
    # API Gateway can deliver "body": null, so fall back to an empty JSON object
    try:
        body = json.loads(event.get("body") or "{}")
    except json.JSONDecodeError:
        return {"statusCode": 400, "body": "Malformed JSON body"}
    user_id = body.get("user_id", "") if isinstance(body, dict) else ""
    # Allow-list check: must be a string, alphanumeric only, bounded length
    if not isinstance(user_id, str) or not user_id.isalnum() or len(user_id) > 36:
        return {"statusCode": 400, "body": "Invalid user_id"}
    # Proceed with validated input
    return {"statusCode": 200, "body": json.dumps({"user_id": user_id})}
```

**Safe - least privilege IAM policy:**

```yaml
# serverless.yml
provider:
  iam:
    role:
      statements:
        - Effect: Allow
          Action: dynamodb:GetItem
          Resource: arn:aws:dynamodb:::table/users
```

**Unsafe - overly permissive IAM:**

```yaml
# NEVER do this
statements:
  - Effect: Allow
    Action: "*"
    Resource: "*"
```
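A review check for the safe-versus-unsafe policy contrast above, added here as an example and not part of the original skill: it takes the `statements` list that a YAML parser would produce from the `provider.iam.role.statements` block of serverless.yml and flags every Allow statement whose Action or Resource is a wildcard (or that uses NotAction/NotResource). The statement dicts are constructed inline from the two fragments above so the check runs without PyYAML.

```python
import json
from typing import Any

# Constructed sample: the two policy fragments from this page's serverless.yml
# examples, written as the dicts a YAML parser would produce (no PyYAML needed).
SAFE_STATEMENTS = [
    {"Effect": "Allow", "Action": "dynamodb:GetItem",
     "Resource": "arn:aws:dynamodb:::table/users"},
]
UNSAFE_STATEMENTS = [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
]


def _as_list(value: Any) -> list:
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_broad(pattern: str) -> bool:
    """'*' grants everything; 'service:*' grants every action of one service."""
    return pattern.strip() == "*" or pattern.endswith(":*")


def find_overly_permissive(statements: list) -> list:
    """Return one finding string per Allow statement that uses wildcard
    actions or resources, or that uses NotAction/NotResource (which invert
    the match and are almost always broader than intended)."""
    findings = []
    for idx, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow permissions
        broad_actions = [a for a in _as_list(stmt.get("Action")) if _is_broad(a)]
        broad_resources = [r for r in _as_list(stmt.get("Resource")) if r.strip() == "*"]
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {idx}: NotAction/NotResource inverts matching")
        if broad_actions:
            findings.append(f"statement {idx}: wildcard Action {broad_actions}")
        if broad_resources:
            findings.append(f"statement {idx}: wildcard Resource {broad_resources}")
    return findings


if __name__ == "__main__":
    print(json.dumps({"safe": find_overly_permissive(SAFE_STATEMENTS),
                      "unsafe": find_overly_permissive(UNSAFE_STATEMENTS)}, indent=2))
```

Run it against the statements of a real serverless.yml (after loading the file with a YAML parser) as a pre-deploy gate; an empty list for every function role is the expected result.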

Workflow


Load the reference for the risk you are addressing. Confirm exact risk names from the official OWASP Serverless Top 10 PDF.