AgentSkillsCN

owasp-serverless-top-10

OWASP Web应用安全十大风险——涵盖预防、检测与修复。适用于访问控制、身份认证、加密与敏感数据保护、输入验证与注入攻击、安全设计、安全配置、依赖管理、会话与身份管理、反序列化或CI/CD完整性保障、日志记录与监控,以及服务器端请求(SSRF)等场景的实施与审查。

SKILL.md
--- frontmatter
name: owasp-serverless-top-10
description: "OWASP Serverless Top 10 - prevention, detection, and remediation for serverless (Lambda, Functions) security. Use when building or reviewing serverless apps - event injection, over-permissioned functions, insecure deps, secrets, config, and other serverless-specific interpretations of the Web Top 10."

OWASP Serverless Top 10

This skill encodes the OWASP Top 10 Serverless Interpretation for secure serverless design and review. References are loaded per risk. Based on OWASP Top 10 Serverless Interpretation 2018. See the official PDF for the exact 10 categories.

When to Read Which Reference

RiskRead
SL1 Injection (Serverless)references/sl01-injection.md
SL2 Broken Authentication (Serverless)references/sl02-broken-auth.md
SL3 Sensitive Data Exposure (Serverless)references/sl03-sensitive-data-exposure.md
SL4 XML External Entities (Serverless)references/sl04-xxe.md
SL5 Broken Access Control (Serverless)references/sl05-broken-access-control.md
SL6 Security Misconfiguration (Serverless)references/sl06-misconfiguration.md
SL7 XSS (Serverless)references/sl07-xss.md
SL8 Insecure Deserialization (Serverless)references/sl08-insecure-deserialization.md
SL9 Using Components with Known Vulnerabilities (Serverless)references/sl09-vulnerable-components.md
SL10 Insufficient Logging and Monitoring (Serverless)references/sl10-logging-monitoring.md

Quick Patterns

  • Validate and sanitize event input (injection); use least privilege for function IAM; avoid hardcoded secrets; secure config and dependencies; enable logging and monitoring.

Quick Reference / Examples

TaskApproach
Prevent event injectionValidate/sanitize all event data (API Gateway, S3, SNS). See SL1.
Least privilege IAMScope function roles to exact resources needed. See SL5.
Manage secretsUse Secrets Manager/Parameter Store, not env vars. See SL3.
Secure dependenciesPin versions, scan for vulnerabilities. See SL9.
Enable loggingCloudWatch/X-Ray for all functions. See SL10.

Safe - input validation in Lambda:

python
import json
def handler(event, context):
    body = json.loads(event.get("body", "{}"))
    user_id = body.get("user_id", "")
    if not user_id.isalnum() or len(user_id) > 36:
        return {"statusCode": 400, "body": "Invalid user_id"}
    # Proceed with validated input

Safe - least privilege IAM policy:

yaml
# serverless.yml
provider:
  iam:
    role:
      statements:
        - Effect: Allow
          Action: dynamodb:GetItem
          Resource: arn:aws:dynamodb:*:*:table/users

Unsafe - overly permissive IAM:

yaml
# NEVER do this
statements:
  - Effect: Allow
    Action: "*"
    Resource: "*"

Workflow

Load the reference for the risk you are addressing. Confirm exact risk names from the official OWASP Serverless Top 10 PDF.