The Open Web Application Security Project has recently launched a new Top 10 project – the Non-Human Identity (NHI) Top 10. For years, OWASP has provided security professionals and developers with essential guidance and actionable frameworks through its Top 10 projects, including the widely used API and Web Application security lists.
Non-human identity security is an emerging area of interest in the cybersecurity industry, encompassing the risks and lack of oversight associated with API keys, service accounts, OAuth apps, SSH keys, IAM roles, secrets, and other machine credentials and workload identities.
Considering that the flagship OWASP Top 10 projects already cover a broad range of security risks developers should address, one might ask – do we really need the NHI Top 10? The short answer is – yes. Let's examine why, and explore the top 10 NHI risks.
Why we need the NHI Top 10
While other OWASP projects might touch on related vulnerabilities, such as secrets misconfiguration, NHIs and their associated risks go well beyond that. Security incidents leveraging NHIs do not just revolve around exposed secrets; they extend to excessive permissions, OAuth phishing attacks, IAM roles used for lateral movement, and more.
While important, the existing OWASP Top 10 lists do not properly address the unique challenges NHIs present. As the essential connectivity enablers between systems, services, data, and AI agents, NHIs are extremely prevalent across development and runtime environments, and developers interact with them at every stage of the development pipeline.
With the growing frequency of attacks targeting NHIs, it became imperative to equip developers with a dedicated guide to the risks they face.

Understanding the OWASP Top 10 ranking criteria
Before we dive into the specific risks, it is important to understand the ranking behind the Top 10 projects. OWASP Top 10 projects follow a standard set of parameters to determine risk severity:
- Exploitability: Evaluates how easily an attacker can exploit a given vulnerability if the organization lacks sufficient protection.
- Impact: Considers the potential damage the risk could inflict on business operations and systems.
- Prevalence: Assesses how common the security issue is across different environments, disregarding existing protective measures.
- Detectability: Measures the difficulty of spotting the weakness using standard monitoring and detection tools.
Breaking down the OWASP NHI Top 10 risks
Now to the meat. Let's explore the top risks that earned a spot on the NHI Top 10 list and why they matter:
NHI10:2025 – Human Use of NHI
NHIs are designed to facilitate automated processes, services, and applications without human intervention. However, during the development and maintenance phases, developers or administrators may repurpose NHIs for manual operations that should ideally be performed using personal human credentials with appropriate privileges. This can cause privilege misuse, and, if the abused secret is part of an exploit, it is hard to know who is accountable for it.
NHI9:2025 – NHI Reuse
NHI reuse occurs when teams repurpose the same service account, for example, across multiple applications. While convenient, this violates the principle of least privilege and can expose multiple services in the case of a compromised NHI – increasing the blast radius.
NHI8:2025 – Environment Isolation
A lack of strict environment isolation can lead to test NHIs bleeding into production. A real-world example is the Midnight Blizzard attack on Microsoft, where an OAuth app used for testing was found to have high privileges in production, exposing sensitive data.
NHI7:2025 – Long-Lived Secrets
Secrets that remain valid for extended periods pose a significant risk. A notable incident involved Microsoft AI inadvertently exposing an access token in a public GitHub repository, which remained active for over two years and provided access to 38 terabytes of internal data.
NHI6:2025 – Insecure Cloud Deployment Configurations
CI/CD pipelines inherently require extensive permissions, making them prime targets for attackers. Misconfigurations, such as hardcoded credentials or overly permissive OIDC configurations, can lead to unauthorized access to critical resources, exposing them to breaches.
NHI5:2025 – Overprivileged NHI
Many NHIs are granted excessive privileges due to poor provisioning practices. According to a recent CSA report, 37% of NHI-related security incidents were caused by overprivileged identities, highlighting the urgent need for proper access controls and least-privilege practices.
NHI4:2025 – Insecure Authentication Methods
Many platforms like Microsoft 365 and Google Workspace still support insecure authentication methods like implicit OAuth flows and app passwords, which bypass MFA and are susceptible to attacks. Developers are often unaware of the security risks of these outdated mechanisms, which leads to their widespread use and potential exploitation.
NHI3:2025 – Vulnerable Third-Party NHI
Many development pipelines rely on third-party tools and services to expedite development, enhance capabilities, monitor applications, and more. These tools and services integrate directly with IDEs and code repos using NHIs like API keys, OAuth apps, and service accounts. Breaches involving vendors like CircleCI, Okta, and GitHub have forced customers to scramble to rotate credentials, highlighting the importance of tightly monitoring and mapping these externally owned NHIs.
NHI2:2025 – Secret Leakage
Secret leakage remains a top concern, often serving as the initial access vector for attackers. Research indicates that 37% of organizations have hardcoded secrets within their applications, making them prime targets.
NHI1:2025 – Improper Offboarding
Ranked as the top NHI risk, improper offboarding refers to the prevalent oversight of lingering NHIs that were not removed or decommissioned after an employee left, a service was removed, or a third party was terminated. In fact, over 50% of organizations have no formal processes to offboard NHIs. NHIs that are no longer needed but remain active create a wide array of attack opportunities, especially for insider threats.
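To make the categories concrete, here is an added example (not code from OWASP or from the original article) of a small audit that maps a constructed NHI inventory onto the Top 10 categories described above; the inventory records, their field names, the environment-naming heuristic and the 90-day rotation and 180-day staleness thresholds are all assumptions.

```python
from datetime import date

# Constructed sample inventory of non-human identities (not real data).
NHI_INVENTORY = [
    {"id": "svc-billing", "kind": "service_account", "owner": "alice",
     "env": "prod", "used_by": ["billing-api"], "scopes": ["billing:read"],
     "created": date(2024, 11, 1), "last_used": date(2025, 1, 10)},
    {"id": "tok-ci-deploy", "kind": "api_key", "owner": None,
     "env": "prod", "used_by": ["ci"], "scopes": ["*"],
     "created": date(2022, 6, 1), "last_used": date(2025, 1, 12)},
    {"id": "oauth-test-app", "kind": "oauth_app", "owner": "bob",
     "env": "test", "used_by": ["prod-web", "test-web"], "scopes": ["mail.read"],
     "created": date(2024, 9, 15), "last_used": date(2024, 6, 1)},
]

TODAY = date(2025, 1, 15)   # fixed "now" so the audit is reproducible
MAX_AGE_DAYS = 90           # assumed rotation policy (NHI7)
STALE_DAYS = 180            # assumed unused-for threshold (NHI1)


def audit(inventory, today=TODAY):
    """Return {nhi_id: [violated NHI Top 10 categories]} for each flagged record."""
    findings = {}
    for nhi in inventory:
        hits = []
        # NHI1: no accountable owner, or not used for longer than the staleness window
        if nhi["owner"] is None or (today - nhi["last_used"]).days > STALE_DAYS:
            hits.append("NHI1:2025 Improper Offboarding")
        # NHI5: wildcard scope grants far more than the workload needs
        if "*" in nhi["scopes"]:
            hits.append("NHI5:2025 Overprivileged NHI")
        # NHI7: credential older than the rotation policy allows
        if (today - nhi["created"]).days > MAX_AGE_DAYS:
            hits.append("NHI7:2025 Long-Lived Secrets")
        # NHI8: a non-production identity consumed by a production workload
        # (heuristic: consumer names prefixed "prod" are production)
        if nhi["env"] != "prod" and any(a.startswith("prod") for a in nhi["used_by"]):
            hits.append("NHI8:2025 Environment Isolation")
        # NHI9: one identity shared by several consumers widens the blast radius
        if len(nhi["used_by"]) > 1:
            hits.append("NHI9:2025 NHI Reuse")
        if hits:
            findings[nhi["id"]] = hits
    return findings


if __name__ == "__main__":
    for nhi_id, hits in audit(NHI_INVENTORY).items():
        print(nhi_id, "->", ", ".join(hits))
```

Only the three categories that can be judged from inventory metadata alone are checked; the remaining risks (secret leakage, insecure auth methods, third-party exposure) need code scanning or provider-side data rather than a record like this.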
A standardized framework for NHI security
The OWASP NHI Top 10 fills a critical gap by shedding light on the unique security challenges posed by NHIs. Security and development teams alike lack a clear, standardized view of the risks these identities pose, and of how to include them in security programs. For that reason, Astrix Security implemented the OWASP NHI Top 10 as a framework in its compliance dashboard.
Figure: The Astrix OWASP NHI Top 10 Compliance Dashboard
This capability correlates the organization's security findings with the NHI Top 10 risks, to help security professionals visualize the current posture, identify gaps, and prioritize next steps.
Using the dashboard alongside the Top 10 framework lets you quickly see which areas need the most attention and track improvement over time.