owasp-serverless-top-10

OWASP Serverless Top 10 - prevention, detection, and remediation for serverless (Lambda, Functions) security. Use when building or reviewing serverless apps - event injection, over-permissioned functions, insecure deps, secrets, config, and other serverless-specific interpretations of the Web Top 10.

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Install skill "owasp-serverless-top-10" with this command: npx skills add yariv1025/skills/yariv1025-skills-owasp-serverless-top-10

OWASP Serverless Top 10

This skill encodes the OWASP Top 10 Serverless Interpretation for secure serverless design and review. References are loaded per risk. Based on OWASP Top 10 Serverless Interpretation 2018. See the official PDF for the exact 10 categories.

When to Read Which Reference

Risk                                                           Read
SL1  Injection (Serverless)                                    references/sl01-injection.md
SL2  Broken Authentication (Serverless)                        references/sl02-broken-auth.md
SL3  Sensitive Data Exposure (Serverless)                      references/sl03-sensitive-data-exposure.md
SL4  XML External Entities (Serverless)                        references/sl04-xxe.md
SL5  Broken Access Control (Serverless)                        references/sl05-broken-access-control.md
SL6  Security Misconfiguration (Serverless)                    references/sl06-misconfiguration.md
SL7  XSS (Serverless)                                          references/sl07-xss.md
SL8  Insecure Deserialization (Serverless)                     references/sl08-insecure-deserialization.md
SL9  Using Components with Known Vulnerabilities (Serverless)  references/sl09-vulnerable-components.md
SL10 Insufficient Logging and Monitoring (Serverless)          references/sl10-logging-monitoring.md

Quick Patterns

  • Validate and sanitize event input (injection).
  • Use least privilege for function IAM roles.
  • Avoid hardcoded secrets.
  • Secure configuration and dependencies.
  • Enable logging and monitoring.

Quick Reference / Examples

Task                     Approach
Prevent event injection  Validate/sanitize all event data (API Gateway, S3, SNS). See SL1.
Least privilege IAM      Scope function roles to the exact resources needed. See SL5.
Manage secrets           Use Secrets Manager/Parameter Store, not environment variables. See SL3.
Secure dependencies      Pin versions, scan for vulnerabilities. See SL9.
Enable logging           CloudWatch/X-Ray for all functions. See SL10.

Safe - input validation in Lambda:

import json

def handler(event, context):
    # API Gateway may deliver a null body; treat it as an empty object
    try:
        body = json.loads(event.get("body") or "{}")
    except json.JSONDecodeError:
        return {"statusCode": 400, "body": "Malformed JSON body"}
    user_id = body.get("user_id", "") if isinstance(body, dict) else ""
    # Allow-list check: string, alphanumeric only, bounded length (UUID-sized)
    if not isinstance(user_id, str) or not user_id.isalnum() or len(user_id) > 36:
        return {"statusCode": 400, "body": "Invalid user_id"}
    # Proceed with validated input
    return {"statusCode": 200, "body": json.dumps({"user_id": user_id})}

Safe - least privilege IAM policy:

# serverless.yml
provider:
  iam:
    role:
      statements:
        - Effect: Allow
          Action: dynamodb:GetItem
          Resource: arn:aws:dynamodb:*:*:table/users

Unsafe - overly permissive IAM:

# NEVER do this
statements:
  - Effect: Allow
    Action: "*"
    Resource: "*"
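As an added example (not part of this skill or the upstream repository), a small Python check that flags the over-broad grants contrasted above when run over a parsed serverless.yml statement list. The lint_statements function and the sample statement lists are constructed here; the two samples mirror the safe and unsafe policies shown on this page.

```python
"""Flag over-permissioned IAM statements in a serverless.yml role (SL5)."""
from typing import Any

# Constructed samples: the two statement lists shown above, as parsed YAML.
SAFE_STATEMENTS = [
    {"Effect": "Allow", "Action": "dynamodb:GetItem",
     "Resource": "arn:aws:dynamodb:*:*:table/users"},
]
UNSAFE_STATEMENTS = [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
]


def _as_list(value: Any) -> list:
    """IAM accepts Action/Resource as a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_statements(statements: list) -> list:
    """Return one finding per over-broad grant; an empty list means clean."""
    findings = []
    for idx, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow permissions
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(
                f"statement {idx}: Allow with NotAction/NotResource grants "
                "everything not listed")
        for action in _as_list(stmt.get("Action")):
            if action == "*":
                findings.append(f"statement {idx}: Action '*' grants every API call")
            elif action.endswith(":*"):
                findings.append(
                    f"statement {idx}: Action '{action}' grants a whole service")
        for resource in _as_list(stmt.get("Resource")):
            if resource == "*":
                findings.append(
                    f"statement {idx}: Resource '*' applies to every resource")
    return findings


if __name__ == "__main__":
    for name, stmts in (("safe", SAFE_STATEMENTS), ("unsafe", UNSAFE_STATEMENTS)):
        print(name, lint_statements(stmts) or "no findings")
```

Region and account wildcards inside an ARN, as in the safe sample, are left alone; the check targets the action and resource scope that the unsafe sample gets wrong.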

Workflow

Load the reference for the risk you are addressing. Confirm exact risk names from the official OWASP Serverless Top 10 PDF.

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.
