OWASP Serverless Top 10


The OWASP Top 10: Serverless Interpretation is now available.


When adopting serverless technology, we eliminate the need to develop a server to manage our application. By doing so, we also pass some of the security threats to the infrastructure provider such as AWS, Azure and GCP. In addition to the many advantages of serverless application development, such as cost and scalability, some security aspects are also handed to our service provider. Serverless services run code without provisioning or managing servers and the code is executed only when needed.

However, even if these applications are running without a managed server, they still execute code. If this code is written in an insecure manner, it can still be vulnerable to application-level attacks.

The interpretation report examines the differences in attack vectors, security weaknesses, and the business impact of application attacks on in the serverless world, and, most importantly, the report will suggest ways to to prevent them. As we will be able to see in the report, attack and defense techniques are different from what we used to in the traditional application world.

After that, an open-call will be established to collect data in the wild and establishing the official Serverless Top 10 Report.


OWASP Serverless Top 10 aims at educating practitioners and organizations about the consequences of the most common serverless application security vulnerabilities, as well as providing basic techniques to identify and protect against them.


The OWASP Serverless Top 10 is free to use. It is licensed under the Creative Commons Attribution-ShareAlike 4.0 license (CC BY-SA 4.0).


Tal Melamed OWASP LinkedIn




Report Reviewers
Assaf Hefetz, Snyk
Erez Metula, AppSec Labs
Erez Yalon, Checkmarx
Frank M. Catucci, OWASP
Guy Bernhart-Magen, Intel
Hemed Gur Ary, OWASP
Jeff Williams, Contrast Security
Jim DelGrosso, Synopsys
Jochanan Sommerfeld, RDuck
Kobi Lechner, INFINIDAT
Limor Sylvie Kessem, IBM
Marcin Hoppe, Auth0
Mark Johnston, Google
Martin Knobloch, OWASP
Matthew Henderson, Microsoft
Matteo Meucci, Minded Security
Owen Pendlebury, OWASP
Paco Hope, AWS
Patrick Laverty, Rapid7
Rupack Ganguly, Serverless Inc.
Tanya Janca, Microsoft
Tash Norris, Capital One
Tom Brennan, IOActive
Yan Cui, DAZN
Youssef Elmalty, AWS

Get Involved

Get involved in OWASP Serverless Top 10!

You do not have to be a security expert or a programmer to contribute. Contact the Project Leader(s) to get involved, we welcome any type of suggestions and comments.

Possible ways to get contribute:

  • We are actively looking for organizations and individuals that will provide vulnerability prevalence data.
  • Translation efforts (later stages)
  • Assisting in the development of related tools (e.g. DVSA)


Join out Slack channel


The project is maintained in the OWASP Serverless Top 10.

Feel free to open or solve an issue.

Ready to contribute directly into the repo? Great! Just make sure you read the How to Contribute guide.

News & Events

Translation Efforts

  • Chinese: [OWASP Top 10 - Serverless Interpretation 中文版(PDF)](https://github.com/OWASP/Serverless-Top-10-Project/raw/master/2018/cn/OWASP-Top-10-Serverless-Interpretation-cn-v1.0.pdf)

项目牵头人:肖文棣、王颉([email protected]) 项目组成员:刘晓辉、李宇全、明敏、王斌(排名不分先后,按姓氏拼音排列)

Planned Projects

  • Serverless Security Top 10
  • DVSA - Damn Vulnerable Serverless Application


Coming soon!