Mitigations
OWASP recommends particular mitigations along with these mentioned above, together with strict atmosphere isolation for NHIs, making use of the precept of least privilege, imposing environment-specific entry controls, and segregating infrastructure for delicate sources. Once more, the theme right here is mitigating systemic impacts and limiting them to particular environments by these mitigating controls and measures.
NHI danger No. 9: Reusing NHIs
Credential reuse has lengthy been one thing practitioners have cautioned in opposition to however has nonetheless made its method into varied compliance frameworks, greatest practices guides, and extra. That’s the reason it’s unsurprising to see it listed right here as a danger issue for NHIs.
OWASP
Because the desk above mentions, tailoring granular permissions for every NHI will be sophisticated, so organizations could default to reusing NHIs with broad permissions. This makes them compelling targets for exploitation with widespread ramifications for influence if compromised.
OWASP discusses how NHIs, similar to service accounts, API keys, and machine credentials, are basic to fashionable purposes, providers, authentication, and authorization.
Suppose organizations are reusing NHIs throughout a number of purposes and providers. In that case, the potential for influence is critical — it may well result in vulnerability/assault chaining and widespread influence for a company if one of many NHIs that’s reused is compromised, particularly whether it is overprivileged (NHI5). There’s a lack of atmosphere isolation (NHI8).
OWASP supplies examples similar to reusing Kubernetes service accounts, sharing API keys between purposes, and reusing cloud credentials similar to AWS IAM Roles throughout completely different providers and sources.
Mitigations
To mitigate these dangers, OWASP recommends assigning distinctive NHIs to every utility or service and the atmosphere, imposing the precept of least privilege, and auditing and reviewing using NHIs.
NHI danger No. 10: Human use of NHI
NHIs, similar to service accounts, API tokens, workload identities, and secrets and techniques, allow programmatic entry to purposes and providers. That stated, as OWASP discusses, it isn’t unusual for builders or customers to misuse NHIs for handbook duties slightly than the unique intent of automated actions and workflows.
OWASP
This poses a number of dangers as a result of human actions may very well be perceived as programmatic, limiting auditing and monitoring, protecting up actions by benign insiders, and even insider threats, and, most notably, potential attackers.
OWASP cites instance situations similar to directors utilizing service account credentials, builders executing instructions with NHIs, sharing API tokens amongst crew members, and even attackers leveraging NHIs for persistence.
Mitigations
The ultimate set of mitigations for the least danger within the OWASP NHI High 10 entails utilizing devoted identities, auditing and monitoring NHI exercise (one we’ve seen a number of occasions), utilizing context-aware entry controls, and educating builders and directors on the chance of human use of NHIs. These measures present technical and cultural controls to restrict the human use of NHIs and their related dangers.
