owasp-cloud-native-top-10
OWASP Cloud-Native Application Security Top 10
This skill encodes the OWASP Cloud-Native Application Security Top 10 for secure cloud-native design and review; the reference file for a risk is loaded only when that risk is in scope. It is based on the OWASP Cloud-Native Application Security Top 10 (2022) and covers six risks, CNAS-1 to CNAS-6. The upstream OWASP project is archived, so treat the list as a stable baseline rather than a maintained standard.
When to Read Which Reference
| Risk | Read |
|---|---|
| CNAS-1 Insecure cloud, container or orchestration configuration | references/cnas-1-insecure-configuration.md |
| CNAS-2 Injection flaws | references/cnas-2-injection-flaws.md |
| CNAS-3 Improper authentication and authorization | references/cnas-3-auth.md |
| CNAS-4 CI/CD pipeline and software supply chain flaws | references/cnas-4-cicd-supply-chain.md |
| CNAS-5 Insecure secrets storage | references/cnas-5-secrets-storage.md |
| CNAS-6 Over-permissive or insecure network policies | references/cnas-6-network-policies.md |
Quick Patterns
- CNAS-1: harden cloud, container and orchestration configuration (no privileged containers, no host namespaces, non-root, read-only root filesystem).
- CNAS-2: validate and encode input; avoid injection at the application layer and in cloud events and service calls.
- CNAS-3: enforce authentication and least-privilege authorization for users, services and workloads.
- CNAS-4: secure the CI/CD pipeline and software supply chain (pinned, verified artifacts and images).
- CNAS-5: protect secrets; keep them out of source, images, environment literals and logs.
- CNAS-6: apply network segmentation with default-deny policies between workloads.
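The following is an added example, not part of the OWASP project or of this skill's reference files. It applies the configuration, secrets and network patterns above as a minimal policy check over a Kubernetes Pod spec, with a deliberately weak manifest beside its hardened form. Both manifests are constructed samples, and the rule set, the CNAS tags on each finding and the secret-name heuristic are this example's own choices, not an OWASP or Kubernetes standard.

```python
"""Policy check over a Kubernetes Pod spec (added example; constructed input).

Each rule maps to one of the CNAS risks covered by this skill. The CNAS tags
and the rules themselves are illustrative choices for this example.
"""
import re
from typing import Any, Dict, List

# Heuristic for env var names that should never carry a literal value (CNAS-5).
SECRET_NAME = re.compile(r"(?i)(password|passwd|secret|token|api[_-]?key|credential)")

# Constructed sample: the kind of Pod spec a review should reject.
WEAK_POD: Dict[str, Any] = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "payments", "namespace": "default"},
    "spec": {
        "hostNetwork": True,                                  # shares the node's network namespace
        "containers": [{
            "name": "app",
            "image": "registry.example/payments:latest",      # mutable tag, not a digest
            "securityContext": {"privileged": True},          # full host access
            "env": [{"name": "DB_PASSWORD", "value": "hunter2"}],  # literal secret in the spec
        }],
    },
}

# Constructed sample: the same workload with the hardening applied.
HARDENED_POD: Dict[str, Any] = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "payments", "namespace": "payments"},
    "spec": {
        "automountServiceAccountToken": False,
        "containers": [{
            "name": "app",
            "image": "registry.example/payments@sha256:" + "a" * 64,  # digest-pinned (placeholder digest)
            "securityContext": {
                "privileged": False,
                "runAsNonRoot": True,
                "allowPrivilegeEscalation": False,
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"]},
            },
            "env": [{"name": "DB_PASSWORD",
                     "valueFrom": {"secretKeyRef": {"name": "db-creds", "key": "password"}}}],
        }],
    },
}


def find_issues(pod: Dict[str, Any]) -> List[str]:
    """Return one finding per violated rule; an empty list means the spec passes."""
    issues: List[str] = []
    spec = pod.get("spec", {})
    if pod.get("metadata", {}).get("namespace", "default") == "default":
        issues.append("CNAS-1: workload runs in the default namespace (no isolation boundary)")
    for key in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(key):
            issues.append(f"CNAS-6: {key}=true shares the node's namespace with the container")
    # Kubernetes auto-mounts the service account token unless this is set to false.
    if spec.get("automountServiceAccountToken", True):
        issues.append("CNAS-3: service account token is auto-mounted into every container")
    for c in spec.get("containers", []):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            issues.append(f"CNAS-1: container {name} is privileged")
        if sc.get("allowPrivilegeEscalation", True):   # defaults to true when unset
            issues.append(f"CNAS-1: container {name} allows privilege escalation")
        if not sc.get("runAsNonRoot"):
            issues.append(f"CNAS-1: container {name} may run as root")
        if not sc.get("readOnlyRootFilesystem"):
            issues.append(f"CNAS-1: container {name} has a writable root filesystem")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            issues.append(f"CNAS-1: container {name} keeps the default Linux capabilities")
        image = c.get("image", "")
        if "@sha256:" not in image:
            issues.append(f"CNAS-4: image {image!r} is not pinned by digest")
        for env in c.get("env", []):
            if "value" in env and SECRET_NAME.search(env.get("name", "")):
                issues.append(f"CNAS-5: {env['name']} is a literal env value; use secretKeyRef")
    return issues


if __name__ == "__main__":
    for label, pod in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        findings = find_issues(pod)
        print(f"{label}: {len(findings)} finding(s)")
        for line in findings:
            print("  -", line)
```

The weak manifest yields ten findings and the hardened one yields none. In a real pipeline the same rules would run against rendered manifests before apply (an admission controller or a CI step), so that the check fails the deploy rather than producing a report nobody reads.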