Monday, January 27, 2025

Do We Really Need The OWASP NHI Top 10?

The Open Web Application Security Project (OWASP) has recently released a new Top 10 project – the Non-Human Identity (NHI) Top 10. For years, OWASP has provided security professionals and developers with essential guidance and actionable frameworks through its Top 10 initiatives, including the widely used API and Web Application security lists.

Non-human identity security represents an emerging area of interest in the cybersecurity industry, encompassing the risks and lack of oversight associated with API keys, service accounts, OAuth apps, SSH keys, IAM roles, secrets, and other machine credentials and workload identities.

Considering that the flagship OWASP Top 10 projects already cover a broad range of security risks developers should focus on, one might ask – do we really need the NHI Top 10? The short answer is – yes. Let's look at why, and explore the top 10 NHI risks.

Why we need the NHI Top 10

While other OWASP projects might touch on related vulnerabilities, such as secrets misconfiguration, NHIs and their associated risks go well beyond that. Security incidents leveraging NHIs don't just revolve around exposed secrets; they extend to excessive permissions, OAuth phishing attacks, IAM roles used for lateral movement, and more.

While important, the current OWASP Top 10 lists don't properly address the unique challenges NHIs present. Being the critical connectivity enablers between systems, services, data, and AI agents, NHIs are extremely prevalent across development and runtime environments, and developers interact with them at every stage of the development pipeline.

With the growing frequency of attacks targeting NHIs, it became critical to equip developers with a dedicated guide to the risks they face.

OWASP NHI Top 10

Understanding the OWASP Top 10 ranking criteria

Before we dive into the specific risks, it's important to understand the ranking behind the Top 10 projects. OWASP Top 10 projects follow a standard set of parameters to determine risk severity:

  • Exploitability: Evaluates how easily an attacker can exploit a given vulnerability if the organization lacks sufficient protection.
  • Impact: Considers the potential damage the risk could inflict on business operations and systems.
  • Prevalence: Assesses how common the security issue is across different environments, disregarding existing protective measures.
  • Detectability: Measures the difficulty of spotting the weakness using standard monitoring and detection tools.

Breaking down the OWASP NHI Top 10 risks

Now to the meat. Let's explore the top risks that earned a spot on the NHI Top 10 list and why they matter:

NHI10:2025 – Human Use of NHI

NHIs are designed to facilitate automated processes, services, and applications without human intervention. However, during the development and maintenance phases, developers or administrators may repurpose NHIs for manual operations that should ideally be performed using personal human credentials with appropriate privileges. This can cause privilege misuse, and, if the abused secret later turns up in an exploit, it is hard to know who is responsible for it.
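
The accountability problem above is detectable when a service principal shows up in audit logs doing things only a person does. The following is an added example, not code from the article or from OWASP: it runs over constructed CloudTrail-shaped events and flags console logins and browser user agents on principals that follow an assumed "svc-" naming convention (real deployments would classify principals from an NHI inventory instead).

```python
"""Added example: flag interactive (human) use of service principals in
CloudTrail-shaped audit events. Events, names and the 'svc-' convention are
constructed assumptions for the demonstration."""
import json

# Constructed events using a subset of CloudTrail fields.
SAMPLE_EVENTS = json.dumps([
    {"eventID": "e1", "eventName": "PutObject",
     "userIdentity": {"type": "IAMUser", "userName": "svc-deploy"},
     "userAgent": "aws-cli/2.15.0 Python/3.11", "sourceIPAddress": "10.20.0.5"},
    {"eventID": "e2", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "svc-deploy"},
     "userAgent": "Mozilla/5.0 (Macintosh) Chrome/120.0", "sourceIPAddress": "203.0.113.7"},
    {"eventID": "e3", "eventName": "ListBuckets",
     "userIdentity": {"type": "IAMUser", "userName": "svc-backup"},
     "userAgent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/121.0", "sourceIPAddress": "203.0.113.9"},
    {"eventID": "e4", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "userAgent": "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0", "sourceIPAddress": "198.51.100.4"},
    {"eventID": "e5", "eventName": "GetObject",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/svc-etl/i-0abc"},
     "userAgent": "Boto3/1.34.0", "sourceIPAddress": "10.20.0.9"},
])

# Assumption: anything named svc-* is a non-human identity.
NHI_PREFIX = "svc-"
# User agents that indicate a browser/console session rather than an SDK or CLI.
INTERACTIVE_AGENTS = ("Mozilla/", "console.amazonaws.com")


def is_nhi(identity: dict) -> bool:
    """Classify an IAM user by name, or an assumed role by the role segment of its ARN."""
    name = identity.get("userName")
    if name is not None:
        return name.startswith(NHI_PREFIX)
    return any(seg.startswith(NHI_PREFIX) for seg in identity.get("arn", "").split("/"))


def detect_human_use(events_json: str) -> list:
    """Return [(eventID, reason)] for events where a service principal acted interactively."""
    findings = []
    for ev in json.loads(events_json):
        if not is_nhi(ev.get("userIdentity", {})):
            continue
        if ev.get("eventName") == "ConsoleLogin":
            findings.append((ev["eventID"], "console-login-by-service-principal"))
        elif ev.get("userAgent", "").startswith(INTERACTIVE_AGENTS):
            findings.append((ev["eventID"], "browser-user-agent-on-service-principal"))
    return findings


if __name__ == "__main__":
    for event_id, reason in detect_human_use(SAMPLE_EVENTS):
        print(event_id, reason)
```

Only e2 and e3 are reported: e1 and e5 are the same principals used by tooling, and e4 is a person logging in with their own account, which is exactly what the paragraph says should happen instead.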

NHI9:2025 – NHI Reuse

NHI reuse occurs when teams repurpose the same service account, for example, across multiple applications. While convenient, this violates the principle of least privilege and can expose multiple services in the case of a compromised NHI – increasing the blast radius.

NHI8:2025 – Environment Isolation

A lack of strict environment isolation can lead to test NHIs bleeding into production. A real-world example is the Midnight Blizzard attack on Microsoft, where an OAuth app used for testing was found to have high privileges in production, exposing sensitive data.

NHI7:2025 – Long-Lived Secrets

Secrets that remain valid for extended periods pose a significant risk. A notable incident involved Microsoft AI inadvertently exposing an access token in a public GitHub repository, which remained active for over two years and provided access to 38 terabytes of internal data.

NHI6:2025 – Insecure Cloud Deployment Configurations

CI/CD pipelines inherently require extensive permissions, making them prime targets for attackers. Misconfigurations, such as hardcoded credentials or overly permissive OIDC trust configurations, can lead to unauthorized access to critical resources, exposing them to breaches.
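
The "overly permissive OIDC configuration" case is worth seeing concretely. The following is an added example, not code from the article or from OWASP: it models an AWS-style role trust condition for GitHub Actions tokens and evaluates a weak version (audience pinned, subject wildcarded) beside a hardened one (subject pinned to one repository and branch) against constructed tokens. The provider, repository names and token claims are assumptions; only the `StringEquals` and `StringLike` operators are modelled.

```python
"""Added example: evaluate whether an AWS-style OIDC role trust condition admits
a given CI job. Policies, claims and repo names are constructed for illustration."""
import fnmatch

PROVIDER = "token.actions.githubusercontent.com"

# Weak condition: the audience check only proves the token came from the
# provider; the wildcard subject then lets a job from ANY repository assume the role.
WEAK_CONDITION = {
    "StringEquals": {f"{PROVIDER}:aud": "sts.amazonaws.com"},
    "StringLike": {f"{PROVIDER}:sub": "repo:*"},
}

# Hardened condition: pin the subject to one repository and one branch ref, so
# pull_request jobs (which may run fork code) and other repos are rejected.
HARDENED_CONDITION = {
    "StringEquals": {
        f"{PROVIDER}:aud": "sts.amazonaws.com",
        f"{PROVIDER}:sub": "repo:example-org/payments:ref:refs/heads/main",
    },
}


def condition_allows(condition: dict, token_claims: dict) -> bool:
    """True only if every (operator, key, value) clause matches the token.
    A missing claim never satisfies a clause."""
    claims = {f"{PROVIDER}:{k}": v for k, v in token_claims.items()}
    for operator, clauses in condition.items():
        for key, expected in clauses.items():
            actual = claims.get(key)
            if actual is None:
                return False
            if operator == "StringEquals":
                if actual != expected:
                    return False
            elif operator == "StringLike":
                if not fnmatch.fnmatchcase(actual, expected):
                    return False
            else:
                raise ValueError(f"operator not modelled: {operator}")
    return True


# Constructed tokens: the intended main-branch deploy job, a pull_request job,
# and a job from an unrelated repository that any GitHub user could create.
TOKENS = {
    "main-branch": {"aud": "sts.amazonaws.com",
                    "sub": "repo:example-org/payments:ref:refs/heads/main"},
    "pull-request": {"aud": "sts.amazonaws.com",
                     "sub": "repo:example-org/payments:pull_request"},
    "other-repo": {"aud": "sts.amazonaws.com",
                   "sub": "repo:attacker/anything:ref:refs/heads/main"},
}


def compare() -> dict:
    """Map each token name to (weak_allows, hardened_allows)."""
    return {name: (condition_allows(WEAK_CONDITION, c), condition_allows(HARDENED_CONDITION, c))
            for name, c in TOKENS.items()}


if __name__ == "__main__":
    for name, (weak, hardened) in compare().items():
        print(f"{name:13} weak={weak} hardened={hardened}")
```

The weak condition admits all three tokens, so anyone able to run a workflow anywhere on the provider can assume the deployment role; the hardened one admits only the main-branch job of the intended repository.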

NHI5:2025 – Overprivileged NHI

Many NHIs are granted excessive privileges due to poor provisioning practices. According to a recent CSA report, 37% of NHI-related security incidents were caused by overprivileged identities, highlighting the urgent need for proper access controls and least-privilege practices.

NHI4:2025 – Insecure Authentication Methods

Many platforms like Microsoft 365 and Google Workspace still support insecure authentication methods like implicit OAuth flows and app passwords, which bypass MFA and are susceptible to attacks. Developers are often unaware of the security risks of these outdated mechanisms, which leads to their widespread use, and potential exploitation.
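
The standard replacement for the implicit flow is the Authorization Code flow with PKCE (RFC 7636), which is what current OAuth 2.0 security guidance recommends for public clients. The following is an added example, not code from the article or from OWASP: a toy authorization server that stores the PKCE challenge with each issued code and only redeems the code for a caller that presents the matching verifier, so a code captured from the redirect (the position an implicit-flow token would have leaked from) is useless on its own. The client id and server are assumptions for the demonstration; the verifier/challenge derivation is the RFC's S256 method.

```python
"""Added example: OAuth 2.0 Authorization Code flow with PKCE (RFC 7636, S256),
the replacement for the implicit flow. The server is a toy; no real provider is used."""
import base64
import hashlib
import secrets
from typing import Optional


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    # 32 random bytes -> 43 unpadded base64url characters, within RFC 7636's 43..128.
    return _b64url(secrets.token_bytes(32))


def make_code_challenge(verifier: str) -> str:
    # S256: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class ToyAuthorizationServer:
    """Stores the challenge beside each issued code and redeems the code only for
    the same client presenting a verifier that hashes to that challenge."""

    def __init__(self) -> None:
        self._pending = {}  # code -> (client_id, code_challenge)

    def authorize(self, client_id: str, code_challenge: str, method: str = "S256") -> str:
        if method != "S256":
            raise ValueError("only S256 is accepted; 'plain' gives no protection")
        code = secrets.token_urlsafe(24)
        self._pending[code] = (client_id, code_challenge)
        return code  # delivered through the redirect URI

    def token(self, client_id: str, code: str, code_verifier: str) -> Optional[str]:
        entry = self._pending.pop(code, None)  # codes are single-use
        if entry is None:
            return None
        stored_client, challenge = entry
        if stored_client != client_id:
            return None
        if not secrets.compare_digest(make_code_challenge(code_verifier), challenge):
            return None
        return "at_" + secrets.token_hex(16)


def run_flows() -> dict:
    """Exercise a legitimate exchange, a replay of the used code, and a stolen code."""
    server = ToyAuthorizationServer()
    client = "spa-client"  # assumed public client

    # Legitimate client keeps the verifier private and sends only the challenge.
    verifier = make_code_verifier()
    code = server.authorize(client, make_code_challenge(verifier))
    legitimate = server.token(client, code, verifier)

    # Replaying the same code fails: it was consumed above.
    replay = server.token(client, code, verifier)

    # An attacker who captured a fresh code from the redirect lacks the verifier.
    verifier2 = make_code_verifier()
    code2 = server.authorize(client, make_code_challenge(verifier2))
    stolen = server.token(client, code2, make_code_verifier())

    return {"legitimate": legitimate is not None,
            "replay": replay is not None,
            "stolen_code": stolen is not None}


if __name__ == "__main__":
    print(run_flows())
```

Note what PKCE does and does not do: it binds the code to the client that started the flow, which defeats the code-interception problem that made the implicit flow's bearer-token-in-fragment design dangerous. It does not restore MFA for mechanisms like app passwords; those have to be disabled at the identity provider.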

NHI3:2025 – Vulnerable Third-Party NHI

Many development pipelines rely on third-party tools and services to expedite development, enhance capabilities, monitor applications, and more. These tools and services integrate directly with IDEs and code repos using NHIs like API keys, OAuth apps, and service accounts. Breaches involving vendors like CircleCI, Okta, and GitHub have forced customers to scramble to rotate credentials, highlighting the importance of tightly monitoring and mapping these externally owned NHIs.

NHI2:2025 – Secret Leakage

Secret leakage remains a top concern, often serving as the initial access vector for attackers. Research indicates that 37% of organizations have hardcoded secrets within their applications, making them prime targets.

NHI1:2025 – Improper Offboarding

Ranked as the top NHI risk, improper offboarding refers to the prevalent oversight of lingering NHIs that weren't removed or decommissioned after an employee left, a service was removed, or a third party was terminated. In fact, over 50% of organizations have no formal processes to offboard NHIs. NHIs that are no longer needed but remain active create a wide range of attack opportunities, especially for insider threats.
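
Both this risk and NHI7 (Long-Lived Secrets) above come down to the same control: an inventory with an owner, a creation date and a last-used date for every credential, audited on a schedule. The following is an added example, not code from the article or from OWASP: it audits a constructed inventory for secrets past a rotation window, credentials whose owner has been offboarded, and credentials nobody uses. The thresholds, names and dates are assumptions; in practice the inventory is built from IAM credential reports, secret managers and HR or vendor systems.

```python
"""Added example: audit a constructed NHI inventory for long-lived secrets (NHI7)
and offboarding failures (NHI1). Thresholds, names and dates are assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

MAX_AGE = timedelta(days=90)   # assumed rotation window
MAX_IDLE = timedelta(days=60)  # assumed "nobody needs this any more" window


@dataclass
class Credential:
    name: str
    kind: str            # access-key, oauth-app, ssh-key, api-token, ...
    owner: str           # human or team accountable for it
    created: date
    last_used: Optional[date]
    owner_active: bool   # False once the owner left or the vendor was terminated


# Constructed inventory.
INVENTORY = [
    Credential("svc-payments-deploy", "access-key", "jdoe",
               date(2023, 1, 10), date(2025, 1, 20), True),
    Credential("ci-token-legacy", "api-token", "contractor-acme",
               date(2024, 11, 1), date(2024, 11, 20), False),
    Credential("app-okta-connector", "oauth-app", "platform-team",
               date(2025, 1, 1), date(2025, 1, 26), True),
    Credential("old-monitoring-key", "ssh-key", "alice",
               date(2022, 6, 1), None, True),
]


def audit(inventory: list, today: date) -> dict:
    """Return {name: [finding, ...]} for every credential with at least one finding."""
    report = {}
    for cred in inventory:
        findings = []
        if not cred.owner_active:
            findings.append("orphaned")      # NHI1: owner is gone, credential still live
        if today - cred.created > MAX_AGE:
            findings.append("long-lived")    # NHI7: past the rotation window
        if cred.last_used is None:
            findings.append("never-used")    # provisioned but never needed
        elif today - cred.last_used > MAX_IDLE:
            findings.append("dormant")       # idle long enough to decommission
        if findings:
            report[cred.name] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit(INVENTORY, date(2025, 1, 27)).items():
        print(f"{name}: {', '.join(findings)}")
```

Each finding maps to an action rather than a dashboard colour: "orphaned" means reassign or revoke now, "long-lived" means rotate, and "dormant" or "never-used" means remove after confirming with the owner, which is exactly the formal offboarding process the article says most organizations lack.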

A standardized framework for NHI security

The OWASP NHI Top 10 fills a critical gap by shedding light on the unique security challenges posed by NHIs. Security and development teams alike lack a clear, standardized view of the risks these identities pose, and of how to go about including them in security programs. As their usage continues to expand across modern applications, initiatives like the OWASP NHI Top 10 become more important than ever.

This article is a contributed piece from one of our valued partners.
