Monday, March 10, 2025

Do We Really Need The OWASP NHI Top 10?


The Open Worldwide Application Security Project (OWASP) has recently introduced a new Top 10 project – the Non-Human Identity (NHI) Top 10. For years, OWASP has provided security professionals and developers with essential guidance and actionable frameworks through its Top 10 projects, including the widely used API Security and Web Application Security lists.

Non-human identity security is an emerging area of interest in the cybersecurity industry. It covers the risks, and the lack of oversight, associated with API keys, service accounts, OAuth apps, SSH keys, IAM roles, secrets, and other machine credentials and workload identities.

Given that the flagship OWASP Top 10 projects already cover a broad range of security risks developers should focus on, one might ask – do we really need the NHI Top 10? The short answer is yes. Let's look at why, and then walk through the top 10 NHI risks.

Why we need the NHI Top 10

While other OWASP projects may touch on related weaknesses, such as secrets misconfiguration, NHIs and their associated risks go well beyond that. Security incidents involving NHIs don't just revolve around exposed secrets; they extend to excessive permissions, OAuth phishing attacks, IAM roles abused for lateral movement, and more.

Important as they are, the existing OWASP Top 10 lists don't adequately address the unique challenges NHIs present. As the critical connectivity enablers between systems, services, data, and AI agents, NHIs are extremely prevalent across development and runtime environments, and developers interact with them at every stage of the development pipeline.


With the growing frequency of attacks targeting NHIs, it became essential to equip developers with a dedicated guide to the risks they face.


Understanding the OWASP Top 10 ranking criteria

Before we dive into the actual risks, it is important to understand the ranking behind the Top 10 projects. OWASP Top 10 projects follow a standard set of parameters to determine risk severity:

  • Exploitability: Assesses how easily an attacker can exploit a given weakness if the organization lacks sufficient protection.
  • Impact: Considers the potential damage the risk could inflict on business operations and systems.
  • Prevalence: Assesses how common the security issue is across different environments, disregarding existing protective measures.
  • Detectability: Measures how hard the weakness is to spot using standard monitoring and detection tools.

Breaking down the OWASP NHI Top 10 risks

Now to the meat. Let's explore the risks that earned a spot on the NHI Top 10 list, from the tenth to the first, and why they matter:

NHI10:2025 – Human Use of NHI

NHIs are designed to facilitate automated processes, services, and applications without human intervention. However, during development and maintenance, developers or administrators may repurpose NHIs for manual operations that should be performed with personal human credentials carrying appropriate privileges. This invites privilege misuse, and if the shared key is later used in an attack, the activity cannot be attributed to a person, so it is hard to know who was responsible.

NHI9:2025 – NHI Reuse

NHI reuse occurs when teams repurpose the same service account, for example, across multiple applications. While convenient, this violates the principle of least privilege, and a single compromised NHI then exposes every service that shares it – increasing the blast radius.

NHI8:2025 – Environment Isolation

A lack of strict environment isolation can lead to test NHIs bleeding into production. A real-world example is the Midnight Blizzard attack on Microsoft, where an OAuth app used for testing was found to hold high privileges in production, exposing sensitive data.

NHI7:2025 – Long-Lived Secrets

Secrets that remain valid for extended periods pose a significant risk. A notable incident involved Microsoft AI researchers inadvertently exposing an access token in a public GitHub repository; the token remained active for over two years and provided access to 38 terabytes of internal data.


NHI6:2025 – Insecure Cloud Deployment Configurations

CI/CD pipelines inherently require extensive permissions, making them prime targets for attackers. Misconfigurations, such as hardcoded credentials or overly permissive OIDC trust configurations, can lead to unauthorized access to critical resources and, from there, to breaches.
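To make the OIDC point concrete, here is an added example in Python that is not code from the article, OWASP or Astrix: a simplified re-implementation of the StringEquals/StringLike condition matching that an AWS IAM role trust policy applies to GitHub Actions OIDC claims. The account ID, organization and repository names are assumptions. The weak policy trusts any workflow in the organization; the hardened one pins both the audience and a single repository and branch.

```python
"""Why a wildcard OIDC subject is 'overly permissive': a minimal trust-policy evaluator.

Added illustration, not code from the article, OWASP or Astrix. It models only the
Condition block of an AWS IAM role trust policy for sts:AssumeRoleWithWebIdentity;
the OIDC provider's registered client-ID list, Deny statements and IAM's other
condition operators are deliberately left out. Account ID, org and repo are made up.
"""
from fnmatch import fnmatchcase

PROVIDER = "token.actions.githubusercontent.com"
PROVIDER_ARN = f"arn:aws:iam::123456789012:oidc-provider/{PROVIDER}"  # assumed account

# Weak: any workflow in any repository of the org, on any branch, tag or pull request,
# can mint credentials for this role.
WEAK_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": PROVIDER_ARN},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringLike": {f"{PROVIDER}:sub": "repo:example-org/*"}},
    }],
}

# Hardened: audience pinned to STS and subject pinned to one repo's main branch.
HARDENED_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": PROVIDER_ARN},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {
                f"{PROVIDER}:aud": "sts.amazonaws.com",
                f"{PROVIDER}:sub": "repo:example-org/payments-api:ref:refs/heads/main",
            }
        },
    }],
}


def _condition_holds(condition, claims):
    """Every operator/key pair must match; a missing claim never matches."""
    for operator, pairs in condition.items():
        for key, allowed in pairs.items():
            patterns = allowed if isinstance(allowed, list) else [allowed]
            claim = claims.get(key.rsplit(":", 1)[1])  # "<provider>:sub" -> "sub"
            if claim is None:
                return False
            if operator == "StringEquals":
                ok = claim in patterns
            elif operator == "StringLike":
                # IAM StringLike supports * and ?; fnmatchcase also understands [...]
                # character classes, which none of the patterns here use.
                ok = any(fnmatchcase(claim, p) for p in patterns)
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
            if not ok:
                return False
    return True


def can_assume_role(trust_policy, claims):
    """True if some Allow statement for AssumeRoleWithWebIdentity accepts the claims."""
    for stmt in trust_policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "sts:AssumeRoleWithWebIdentity":
            continue
        if _condition_holds(stmt.get("Condition", {}), claims):
            return True
    return False


# Constructed claim sets in the shape GitHub's OIDC token uses for `sub`.
MAIN_BRANCH_CLAIMS = {"aud": "sts.amazonaws.com",
                      "sub": "repo:example-org/payments-api:ref:refs/heads/main"}
PULL_REQUEST_CLAIMS = {"aud": "sts.amazonaws.com",
                       "sub": "repo:example-org/payments-api:pull_request"}
OTHER_REPO_CLAIMS = {"aud": "sts.amazonaws.com",
                     "sub": "repo:example-org/sandbox:ref:refs/heads/main"}

if __name__ == "__main__":
    for name, claims in [("main branch", MAIN_BRANCH_CLAIMS),
                         ("pull request", PULL_REQUEST_CLAIMS),
                         ("other repo", OTHER_REPO_CLAIMS)]:
        print(f"{name:13s} weak={can_assume_role(WEAK_TRUST_POLICY, claims)!s:5} "
              f"hardened={can_assume_role(HARDENED_TRUST_POLICY, claims)}")
```

Run stand-alone, the weak policy accepts all three claim sets, including the pull-request token a fork could obtain; the hardened policy accepts only the main-branch token of the one repository. The same check is worth running against every role a pipeline can assume, not just the obvious deployer.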

NHI5:2025 – Overprivileged NHI

Many NHIs are granted excessive privileges because of poor provisioning practices. According to a recent CSA report, 37% of NHI-related security incidents were caused by overprivileged identities, which underlines the urgent need for proper access controls and least-privilege practices.
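An added example, in Python and not code from the article, OWASP, CSA or Astrix, of the check behind least privilege for a workload identity: expand the actions a policy actually grants, compare them with the actions the identity has been observed calling, and emit a right-sized policy. The action catalog, the policy and the CloudTrail-style events are all constructed, and the assumption that a CloudTrail eventName equals the IAM action name does not hold in general (s3:ListBucket, for instance, is logged as ListObjects), so treat the mapping as an approximation.

```python
"""Diff granted permissions against observed usage for one NHI (added example).

Not code from the article, OWASP, CSA or Astrix. The action catalog is a tiny
constructed subset used only to expand wildcards; the policy and the CloudTrail-like
events are constructed as well. Assumes eventName == IAM action name, which holds for
the actions listed here but not in general.
"""
from fnmatch import fnmatchcase

ACTION_CATALOG = [
    "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket",
    "s3:DeleteBucket", "s3:PutBucketPolicy",
    "secretsmanager:GetSecretValue", "secretsmanager:CreateSecret",
    "secretsmanager:DeleteSecret",
    "iam:CreateUser", "iam:AttachUserPolicy", "iam:PassRole",
]

# What the deployer role was provisioned with: service-level wildcards.
GRANTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:*", "secretsmanager:GetSecretValue", "iam:*"],
        "Resource": "*",
    }],
}

# What it actually did over the observation window (constructed CloudTrail records).
USAGE_EVENTS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject"},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject"},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject"},
    {"eventSource": "secretsmanager.amazonaws.com", "eventName": "GetSecretValue"},
]


def granted_actions(policy, catalog=ACTION_CATALOG):
    """Expand Allow-statement action patterns (case-insensitive, * and ?) over the catalog."""
    granted = set()
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        patterns = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        for pattern in patterns:
            granted.update(a for a in catalog if fnmatchcase(a.lower(), pattern.lower()))
    return granted


def used_actions(events):
    """Map CloudTrail records to 'service:Action' strings."""
    return {f"{e['eventSource'].split('.')[0]}:{e['eventName']}" for e in events}


def unused_actions(policy, events, catalog=ACTION_CATALOG):
    """Permissions the identity holds but never exercised: the over-privilege surface."""
    return granted_actions(policy, catalog) - used_actions(events)


def least_privilege_policy(policy, events, catalog=ACTION_CATALOG):
    """Right-sized policy: only observed actions. Resource scoping is a separate step."""
    keep = granted_actions(policy, catalog) & used_actions(events)
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": sorted(keep), "Resource": "*"}],
    }


if __name__ == "__main__":
    for action in sorted(unused_actions(GRANTED_POLICY, USAGE_EVENTS)):
        print("never used:", action)
    print(least_privilege_policy(GRANTED_POLICY, USAGE_EVENTS))
```

On the constructed data the role holds ten actions and has used three; the seven it never exercised include iam:CreateUser and s3:DeleteBucket, which is exactly the kind of permission an attacker who steals the deployer's credentials would reach for. The generated policy still carries Resource "*"; narrowing resources is the next pass, not something usage data alone gives you.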

NHI4:2025 – Insecure Authentication Methods

Many platforms, including Microsoft 365 and Google Workspace, still support insecure authentication methods such as the implicit OAuth flow and app passwords. App passwords bypass MFA outright, and the implicit flow delivers access tokens to the browser in the URL fragment, where they are exposed. Developers are often unaware of the risks of these outdated mechanisms, which leads to their widespread use and, eventually, exploitation.

NHI3:2025 – Vulnerable Third-Party NHI

Many development pipelines rely on third-party tools and services to speed up development, extend capabilities, monitor applications, and more. These tools and services integrate directly with IDEs and code repositories using NHIs such as API keys, OAuth apps, and service accounts. Breaches at vendors such as CircleCI, Okta, and GitHub have forced customers to scramble to rotate credentials, highlighting the importance of closely monitoring and mapping these externally owned NHIs.

NHI2:2025 – Secret Leakage

Secret leakage remains a top concern and often serves as the attacker's initial access vector. Research indicates that 37% of organizations have hardcoded secrets within their applications, making them prime targets.
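As an added example (Python; not from the article, OWASP or Astrix) of the detection side of this risk, the scanner below combines format-specific patterns with an entropy test on values assigned to secret-looking names, and suppresses obvious placeholders so that sample values in docs do not drown the real findings. The sample .env content is constructed and every credential in it is fake; the patterns cover only a few token formats and the 3.5 bits-per-character threshold is a tunable assumption.

```python
"""Detect hardcoded secrets before they are committed (added example).

Not code from the article, OWASP or Astrix. Two detectors: known token formats
(prefix-based, high precision) and a generic rule for high-entropy literals assigned
to secret-looking names (catches home-grown keys, needs a placeholder filter to keep
false positives down). The 3.5 bits/char threshold is an assumption worth tuning.
"""
import math
import re

TOKEN_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
# A name containing secret/token/password/api_key, then = or :, then a quoted literal.
SECRET_ASSIGNMENT = re.compile(
    r"(?i)[A-Za-z_]*(secret|token|password|passwd|api[_-]?key)[A-Za-z0-9_]*"
    r"\s*[:=]\s*['\"]([^'\"]{16,})['\"]"
)
PLACEHOLDER_MARKERS = ("example", "changeme", "placeholder", "xxxx", "<", "${", "{{")


def shannon_entropy(value):
    """Bits per character; random base64/hex keys sit well above ordinary words."""
    if not value:
        return 0.0
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_placeholder(value):
    lowered = value.lower()
    return any(marker in lowered for marker in PLACEHOLDER_MARKERS)


def scan_line(line, entropy_threshold=3.5):
    """Return (kind, matched_value) pairs for one line of text."""
    hits = []
    for kind, pattern in TOKEN_PATTERNS.items():
        hits.extend((kind, m.group(0)) for m in pattern.finditer(line))
    for m in SECRET_ASSIGNMENT.finditer(line):
        value = m.group(2)
        if shannon_entropy(value) >= entropy_threshold and not is_placeholder(value):
            hits.append(("high_entropy_assignment", value))
    return hits


def scan_text(text):
    """Scan a file body; returns findings with 1-based line numbers."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, value in scan_line(line):
            findings.append({"line": lineno, "kind": kind, "value": value})
    return findings


# Constructed sample; every value is fake and chosen to exercise one rule each.
SAMPLE_ENV = """\
# constructed sample .env, no real credentials
AWS_ACCESS_KEY_ID=AKIAQ2B7X9C4D6E8F0G1
AWS_SECRET_ACCESS_KEY="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
DB_PASSWORD = "changeme-please-now"
SESSION_SECRET = "aaaaaaaaaaaaaaaaaaaaaaaa"
API_TOKEN: "xq7V2mN9pL4kR8sT1wY5zB3cD6fG0hJ2"
GITHUB_TOKEN=ghp_A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_ENV):
        print(f"line {f['line']}: {f['kind']} -> {f['value'][:8]}...")
```

Against the sample, line 2 (AWS key format), line 6 (random-looking token) and line 7 (GitHub token format) are flagged; the documented AWS example secret, the "changeme" password and the all-"a" session secret are not. Wire something like this into a pre-commit hook and the CI pipeline, and treat any hit as a rotation, not merely a deletion, since git history keeps the value.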


NHI1:2025 – Improper Offboarding

Ranked as the top NHI risk, improper offboarding refers to the widespread oversight of lingering NHIs that were never removed or decommissioned after an employee left, a service was retired, or a third-party relationship was terminated. In fact, over 50% of organizations have no formal process for offboarding NHIs. NHIs that are no longer needed but remain active create a broad range of attack opportunities, especially for insider threats.

A standardized framework for NHI security

The OWASP NHI Top 10 fills a critical gap by shedding light on the unique security challenges posed by NHIs. Security and development teams alike have lacked a clear, standardized view of the risks these identities pose and of how to fold them into security programs. To that end, Astrix Security has implemented the OWASP NHI Top 10 as a framework in its compliance dashboard.

The Astrix OWASP NHI Most sensible 10 Compliance Dashboard

This capability correlates the organization's security findings with the NHI Top 10 risks, helping security professionals visualize their current posture, identify gaps, and prioritize next steps.

Using the dashboard alongside the Top 10 framework lets you quickly see which areas need the most attention and track progress over time.
