What the OWASP API Security Top 10 2023 means for serverless applications

Miguel A. Calles · Serverless CISO
Published in Serverless is Cool
5 min read · Jun 12, 2023


The OWASP Serverless Top 10 was last updated in 2017. The OWASP API Security Top 10 was updated in 2023 (its previous edition was 2019), and it is a relevant list for our serverless architectures because most of them expose APIs and are event-driven. We will review some of the API security risks and how they apply to serverless applications.

API1:2023 — Broken Object Level Authorization (BOLA)

In 2017, the OWASP Top 10 and the OWASP Serverless Top 10 both listed injection as the highest security risk. In 2021, the OWASP Top 10 moved broken access control into first place. The OWASP API Security Top 10 has listed BOLA as the highest risk since its first edition in 2019.

What is BOLA? It is the failure to check that the caller is allowed to access the specific object (a record, file or account) named by an identifier in the request. The caller is authenticated, but the API never asks whether this user may touch this object, so an attacker simply changes the ID and reads or modifies data that belongs to someone else.

What is broken object level authorization?

Our serverless functions often return data that belongs to a specific user. The API call should be authorized with a token that carries the user's identity, and the function should take the user ID from that validated token, never from a client-supplied path, query or body parameter, and query only for records keyed by that user ID.

For example, an authorizer function in Amazon API Gateway can verify the caller's token and pass the user ID to the integration function through the authorizer context. If the user ID is the partition key (or sort key) of the DynamoDB table, the function's query is scoped to that user's items by construction, so a request that names another user's ID cannot return someone else's data. We…
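The pattern above, shown end to end as an added example (this is not the author's code). It assumes a REST API with a Lambda TOKEN authorizer, whose returned `context` map API Gateway exposes to the integration as `event["requestContext"]["authorizer"]`. The token format, the shared `SECRET`, the `ORDERS` data and the `simulate_request` stand-in for API Gateway are all constructed for the demo; a real deployment would verify the identity provider's JWT and query a DynamoDB table whose partition key is `userId`.

```python
import base64
import hashlib
import hmac
import json

# Constructed shared secret for the demo token format. A real deployment verifies the
# identity provider's JWT (e.g. Cognito) instead of rolling its own token.
SECRET = b"demo-secret-not-for-production"

# Constructed stand-in for a DynamoDB table with partition key userId, sort key orderId.
ORDERS = [
    {"userId": "u-100", "orderId": "o-1", "total": 42},
    {"userId": "u-100", "orderId": "o-2", "total": 7},
    {"userId": "u-200", "orderId": "o-3", "total": 999},
]

def query_orders_by_user(user_id):
    """Stands in for table.query(KeyConditionExpression=Key("userId").eq(user_id))."""
    return [o for o in ORDERS if o["userId"] == user_id]

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(user_id):
    """Demo token: base64url(JSON claims).base64url(HMAC-SHA256 over the claims)."""
    payload = _b64(json.dumps({"sub": user_id}).encode())
    sig = _b64(hmac.new(SECRET, payload.encode(), hashlib.sha256).digest())
    return payload + "." + sig

def verify_token(token):
    """Return the claims dict if the signature checks out, otherwise None."""
    parts = token.split(".")
    if len(parts) != 2:
        return None
    payload, sig = parts
    try:
        expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        claims = json.loads(_unb64(payload))
    except ValueError:  # bad base64 or bad JSON
        return None
    return claims if isinstance(claims, dict) and claims.get("sub") else None

def authorizer_handler(event, context=None):
    """Hypothetical Lambda TOKEN authorizer: validate the bearer token, then hand the
    user ID to the integration through the `context` map of the returned policy."""
    token = event.get("authorizationToken", "")
    if token.startswith("Bearer "):
        token = token[len("Bearer "):]
    claims = verify_token(token)
    if claims is None:
        raise Exception("Unauthorized")  # API Gateway turns this message into HTTP 401
    return {
        "principalId": claims["sub"],
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Action": "execute-api:Invoke", "Effect": "Allow",
                           "Resource": event["methodArn"]}],
        },
        "context": {"userId": claims["sub"]},
    }

def vulnerable_handler(event, context=None):
    """BOLA: the object owner is taken from the client-controlled path parameter."""
    user_id = event["pathParameters"]["userId"]
    return {"statusCode": 200, "body": json.dumps(query_orders_by_user(user_id))}

def hardened_handler(event, context=None):
    """The owner is the identity the authorizer established; the path must agree."""
    auth = event.get("requestContext", {}).get("authorizer") or {}
    caller = auth.get("userId")
    if not caller:
        return {"statusCode": 401, "body": json.dumps({"error": "unauthenticated"})}
    requested = (event.get("pathParameters") or {}).get("userId", caller)
    if requested != caller:
        return {"statusCode": 403, "body": json.dumps({"error": "forbidden"})}
    # The query is scoped by the partition key, so only the caller's items come back.
    return {"statusCode": 200, "body": json.dumps(query_orders_by_user(caller))}

def simulate_request(token, path_user_id, handler):
    """Constructed stand-in for API Gateway: run the authorizer, attach its context to
    the proxy event the way a REST API does, then invoke the integration handler."""
    try:
        policy = authorizer_handler({"authorizationToken": "Bearer " + token,
                                     "methodArn": "arn:aws:execute-api:demo"})
    except Exception:
        return {"statusCode": 401, "body": json.dumps({"message": "Unauthorized"})}
    event = {"pathParameters": {"userId": path_user_id},
             "requestContext": {"authorizer": policy["context"]}}
    return handler(event)
```

Run `simulate_request(mint_token("u-100"), "u-200", vulnerable_handler)` and the caller holding u-100's token gets u-200's order back; the same request against `hardened_handler` is refused with 403, because the owner used for the query is the `userId` the authorizer placed in the context, and the path is only allowed to agree with it.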


Author of Mastering AWS Serverless · AWS Community Builder · Specializing in CMMC, SOC 2, serverless & engineering.