The Open Web Application Security Project (OWASP) has recently launched a new Top 10 project: the Non-Human Identity (NHI) Top 10. For years, OWASP has provided security professionals and developers with essential guidance and actionable frameworks through its Top 10 projects, including the widely used API Security and Web Application Security lists.
Non-human identity security is an emerging area of interest in the cybersecurity industry. It covers the risks, and the lack of oversight, associated with API keys, service accounts, OAuth apps, SSH keys, IAM roles, secrets, and other machine credentials and workload identities.
Considering that the flagship OWASP Top 10 projects already cover a broad range of security risks developers should be aware of, one might ask whether we really need an NHI Top 10. The short answer is yes. Let's look at why, and then walk through the ten NHI risks.
Why we need the NHI Top 10
While other OWASP projects may touch on related weaknesses, such as secrets misconfiguration, NHIs and their associated risks go well beyond that. Security incidents that leverage NHIs do not just revolve around exposed secrets; they extend to excessive permissions, OAuth phishing attacks, IAM roles used for lateral movement, and more.
Important as they are, the existing OWASP Top 10 lists do not properly address the specific challenges NHIs present. As the connectivity enablers between systems, services, data, and AI agents, NHIs are pervasive across development and runtime environments, and developers interact with them at every stage of the development pipeline.
With attacks targeting NHIs growing more frequent, it became imperative to give developers a dedicated guide to the risks they face.
Understanding the OWASP Top 10 ranking criteria
Before diving into the individual risks, it is worth understanding how the Top 10 projects rank them. OWASP Top 10 projects use a standard set of parameters to determine risk severity:
- Exploitability: how easily an attacker can exploit a given weakness when the organization lacks sufficient protection.
- Impact: the potential damage the risk can inflict on business operations and systems.
- Prevalence: how common the issue is across different environments, disregarding existing protective measures.
- Detectability: how hard the weakness is to spot using standard monitoring and detection tools.
Breaking down the OWASP NHI Top 10 risks
Now to the meat. Here are the risks that earned a spot on the NHI Top 10 list, from tenth to first, and why each one matters:
NHI10:2025 – Human Use of NHI
NHIs are meant to serve automated processes, services, and applications without human intervention. During development and maintenance, however, developers or administrators may repurpose an NHI for manual operations that should be performed with their own personal credentials and appropriate privileges. This opens the door to privilege misuse, and if the abused key later turns up in an attack, it is hard to establish who was responsible for it.
NHI9:2025 – NHI Reuse
NHI reuse occurs when teams repurpose the same identity, for example a single service account, across multiple applications. Convenient as it is, this violates the principle of least privilege: compromising that one NHI exposes every service that uses it, increasing the blast radius.
NHI8:2025 – Environment Isolation
Without strict environment isolation, test NHIs can bleed into production. A real-world example is the Midnight Blizzard attack on Microsoft, in which an OAuth app used for testing was found to hold high privileges in the production environment, exposing sensitive data.
NHI7:2025 – Long-Lived Secrets
Secrets that remain valid for extended periods pose a significant risk. A notable incident involved Microsoft AI researchers inadvertently exposing an access token in a public GitHub repository; the token remained active for over two years and granted access to 38 terabytes of internal data.
NHI6:2025 – Insecure Cloud Deployment Configurations
CI/CD pipelines inherently need extensive permissions, which makes them prime targets for attackers. Misconfigurations such as hardcoded credentials, or OIDC trust configurations that accept tokens from more workflows than intended, can give an attacker unauthorized access to critical resources.
NHI5:2025 – Overprivileged NHI
Many NHIs are granted far more privileges than they need because of poor provisioning practices. According to a recent CSA report, 37% of NHI-related security incidents were caused by overprivileged identities, underlining the need for proper access controls and least-privilege provisioning.
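The two entries above meet in one place: the IAM role a pipeline assumes. The following Python is an added example, not code from the article, Astrix, or the OWASP project. It audits a role's trust policy for the over-broad GitHub Actions OIDC conditions behind NHI6 and its permissions policy for the wildcards behind NHI5, and shows a weak and a hardened version of each side by side. The policy documents, the account ID 123456789012, the repository example-org/payments-api, and the bucket name are constructed for illustration.

```python
"""Audit an AWS IAM role for an over-broad OIDC trust policy (NHI6) and
wildcard permissions (NHI5).

Added example, not code from the article, Astrix or the OWASP project. The
policy documents, account ID, repository and bucket name are constructed.
"""
from typing import Any

GITHUB_OIDC = "token.actions.githubusercontent.com"


def _as_list(value: Any) -> list:
    """IAM policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _condition_values(stmt: dict, key: str) -> list[str]:
    """Collect every StringEquals/StringLike value for one condition key."""
    values: list[str] = []
    for operator in ("StringEquals", "StringLike"):
        values += _as_list(stmt.get("Condition", {}).get(operator, {}).get(key))
    return values


def audit_trust_policy(policy: dict) -> list[str]:
    """Flag OIDC trust statements that let more than one workflow assume the role."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        actions = _as_list(stmt.get("Action"))
        if stmt.get("Effect") != "Allow" or not any(
            a in ("sts:AssumeRoleWithWebIdentity", "sts:*", "*") for a in actions
        ):
            continue
        if not _condition_values(stmt, f"{GITHUB_OIDC}:aud"):
            findings.append("trust: no aud condition (expected sts.amazonaws.com)")
        subs = _condition_values(stmt, f"{GITHUB_OIDC}:sub")
        if not subs:
            findings.append("trust: no sub condition; any GitHub workflow can assume the role")
        for sub in subs:
            # 'repo:*' matches every repository on github.com, not just yours.
            if sub == "*" or sub.startswith("repo:*"):
                findings.append(f"trust: sub pattern '{sub}' matches any repository")
            # 'repo:org/name:*' matches every branch, tag and pull request of that repo.
            elif sub.endswith(":*"):
                findings.append(f"trust: sub pattern '{sub}' is not pinned to a branch or environment")
    return findings


def audit_permissions_policy(policy: dict) -> list[str]:
    """Flag Allow statements whose actions or resources are wildcards."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        wild = [a for a in actions if a == "*" or a.endswith(":*")]
        if wild:
            findings.append(f"permissions: wildcard action(s) {wild}")
        if "*" in resources and "Condition" not in stmt:
            findings.append(f"permissions: {actions} allowed on every resource with no condition")
    return findings


def audit_role(trust_policy: dict, permissions_policy: dict) -> list[str]:
    return audit_trust_policy(trust_policy) + audit_permissions_policy(permissions_policy)


OIDC_PROVIDER = f"arn:aws:iam::123456789012:oidc-provider/{GITHUB_OIDC}"

# Weak: any repository on GitHub, on any branch, can assume this role.
WEAK_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": OIDC_PROVIDER},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringLike": {f"{GITHUB_OIDC}:sub": "repo:*"}},
    }],
}
# Hardened: only the main branch of one repository, with the expected audience.
HARDENED_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": OIDC_PROVIDER},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {
            f"{GITHUB_OIDC}:aud": "sts.amazonaws.com",
            f"{GITHUB_OIDC}:sub": "repo:example-org/payments-api:ref:refs/heads/main",
        }},
    }],
}
WEAK_PERMISSIONS = {"Version": "2012-10-17",
                    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
LEAST_PRIVILEGE_PERMISSIONS = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["s3:PutObject"],
    "Resource": "arn:aws:s3:::example-deploy-artifacts/*"}]}

if __name__ == "__main__":
    for label, trust, perms in (("weak", WEAK_TRUST, WEAK_PERMISSIONS),
                                ("hardened", HARDENED_TRUST, LEAST_PRIVILEGE_PERMISSIONS)):
        print(label, audit_role(trust, perms) or "no findings")
```

The check on the sub claim is the one that matters most in practice: a pattern such as `repo:example-org/payments-api:*` still lets a pull request workflow assume the production role, so pin the subject to a branch (`ref:refs/heads/main`) or to a protected environment.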
NHI4:2025 – Insecure Authentication Methods
Many platforms, including Microsoft 365 and Google Workspace, still support insecure authentication methods such as the implicit OAuth flow and app passwords, which bypass MFA and are susceptible to attack. Developers are often unaware of the risks these outdated mechanisms carry, which leads to their widespread use and potential exploitation.
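The implicit flow is easy to recognise in an authorization request, and the authorization code flow with PKCE is its standard replacement. The Python below is an added example, not code from the article or the OWASP project: it classifies OAuth 2.0 authorization request URLs (implicit grant, code grant without PKCE, plain rather than S256 challenge, missing state), and carries the PKCE verifier/challenge pair through both the client and the token-endpoint side. The hostnames, client ID and request URLs are constructed.

```python
"""Audit OAuth 2.0 authorization requests for the weak grants behind NHI4 and
show the PKCE exchange that replaces the implicit flow.

Added example, not code from the article or the OWASP project. The request
URLs, hostnames and client IDs are constructed for illustration.
"""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


def audit_authorize_request(url: str) -> list[str]:
    """Return findings for one authorization request; empty if it looks sound."""
    params = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    response_types = params.get("response_type", "").split()
    findings = []
    # response_type=token is the implicit grant: the access token comes back in
    # the redirect fragment, where browser history, referrers and logs can see it.
    if "token" in response_types:
        findings.append("implicit grant: access token returned in the redirect fragment")
    if "code" in response_types:
        method = params.get("code_challenge_method", "plain")  # RFC 7636 default
        if "code_challenge" not in params:
            findings.append("authorization code grant without PKCE")
        elif method != "S256":
            findings.append(f"PKCE method '{method}' exposes the verifier in the request")
    if "state" not in params:
        findings.append("no state parameter to bind the redirect to the initiating session")
    return findings


def _s256(verifier: str) -> str:
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def make_pkce_pair() -> tuple[str, str]:
    """Client side of PKCE: a random verifier and its S256 challenge (RFC 7636)."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    return verifier, _s256(verifier)


def verify_pkce(verifier: str, challenge: str) -> bool:
    """Token-endpoint side of PKCE: the presented verifier must hash to the challenge."""
    return secrets.compare_digest(_s256(verifier), challenge)


def build_code_request(authorize_url: str, client_id: str, redirect_uri: str,
                       scope: str, challenge: str, state: str) -> str:
    """Authorization code + PKCE request, the replacement for the implicit grant."""
    query = urlencode({
        "client_id": client_id, "response_type": "code", "redirect_uri": redirect_uri,
        "scope": scope, "code_challenge": challenge, "code_challenge_method": "S256",
        "state": state,
    })
    return f"{authorize_url}?{query}"


# Constructed sample: a legacy single-page app still asking for the implicit grant.
IMPLICIT_REQUEST = (
    "https://login.example.com/oauth2/authorize?client_id=legacy-spa"
    "&response_type=token&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcb&scope=mail.read"
)

if __name__ == "__main__":
    print("implicit:", audit_authorize_request(IMPLICIT_REQUEST))
    verifier, challenge = make_pkce_pair()
    hardened = build_code_request("https://login.example.com/oauth2/authorize", "legacy-spa",
                                  "https://app.example.com/cb", "mail.read", challenge,
                                  secrets.token_urlsafe(16))
    print("hardened:", audit_authorize_request(hardened) or "no findings")
    print("token endpoint accepts verifier:", verify_pkce(verifier, challenge))
```

Running the audit over an identity provider's sign-in logs, or over the redirect URIs registered for your OAuth apps, is a quick way to find the clients that still depend on the implicit grant before the provider disables it for you.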
NHI3:2025 – Vulnerable Third-Party NHI
Many development pipelines rely on third-party tools and services to speed up development, add capabilities, monitor applications, and more. These tools and services integrate directly with IDEs and code repositories using NHIs such as API keys, OAuth apps, and service accounts. Breaches involving vendors like CircleCI, Okta, and GitHub have forced customers to scramble to rotate credentials, underlining the importance of closely monitoring and mapping these externally owned NHIs.
NHI2:2025 – Secret Leakage
Secret leakage remains a top concern and frequently serves as the attacker's initial access vector. Research indicates that 37% of organizations have hardcoded secrets within their applications, making them prime targets.
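A minimal scanner for the hardcoded secrets this entry describes, added here as an example and not taken from the article or from any particular tool. It combines known-format patterns (AWS access key IDs, GitHub and Slack tokens, PEM private keys) with a Shannon entropy check on long literals assigned to secret-looking variable names. The sample source text and every value in it are constructed; the two AWS values are the placeholder keys AWS uses in its own documentation.

```python
"""Scan source text for hardcoded secrets (NHI2).

Added example, not code from the article or any specific scanner. The sample
source below and every value in it are constructed; the two AWS values are the
placeholder keys from AWS documentation, not live credentials.
"""
import math
import re
from collections import Counter

# Credentials with a known prefix and length: near-certain hits.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "slack_token": re.compile(r"\bxox[baprs]-[0-9A-Za-z-]{10,}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
# Fallback: a long quoted literal assigned to a secret-looking name.
ASSIGNMENT = re.compile(
    r"(?i)\w*(?:secret|password|passwd|token|api[_-]?key)\w*\s*[:=]\s*['\"]([^'\"]{16,})['\"]"
)


def shannon_entropy(value: str) -> float:
    """Bits per character; random keys sit well above English words or paths."""
    counts = Counter(value)
    length = len(value)
    return -sum(c / length * math.log2(c / length) for c in counts.values())


def scan_text(text: str, entropy_threshold: float = 3.5) -> list[dict]:
    """Return one finding per suspected secret, with its 1-based line number."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append({"line": lineno, "kind": kind, "match": match.group(0)})
        for match in ASSIGNMENT.finditer(line):
            value = match.group(1)
            if any(p.search(value) for p in PATTERNS.values()):
                continue  # already reported by a known-format pattern
            if shannon_entropy(value) >= entropy_threshold:
                findings.append({"line": lineno, "kind": "high_entropy_assignment", "match": value})
    return findings


# Constructed sample source. Line 6 is deliberately short and low-entropy: a
# literal scanner will not catch it, which is why secret scanning is a
# complement to, not a substitute for, keeping secrets out of code.
SAMPLE_SOURCE = """\
import boto3
# constructed sample values, not real credentials
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
GITHUB_TOKEN = "ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij"
DB_PASSWORD = "changeme"
API_KEY = "sk-live-9f8e7d6c5b4a3f2e1d0c9b8a7f6e5d4c"
PEM = "-----BEGIN RSA PRIVATE KEY-----"
"""

if __name__ == "__main__":
    for finding in scan_text(SAMPLE_SOURCE):
        print(f"line {finding['line']:2}: {finding['kind']:24} {finding['match']}")
```

Wire `scan_text` into a pre-commit hook or a CI step over the diff, and treat every hit as a credential to rotate rather than merely a line to delete: once a secret has been committed it has to be assumed copied.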
NHI1:2025 – Improper Offboarding
Ranked as the top NHI risk, improper offboarding is the widespread failure to remove or decommission NHIs after an employee leaves, a service is retired, or a third-party engagement ends. In fact, over 50% of organizations have no formal process for offboarding NHIs. NHIs that are no longer needed but remain active create a wide range of attack opportunities, especially for insider threats.
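Offboarding, long-lived secrets (NHI7) and reuse (NHI9) are all questions you can only answer from an inventory that records who owns each NHI, when its credential was issued, when it was last used, and which workloads present it. The Python below is an added example, not code from the article, Astrix, or the OWASP project: it runs those three checks over a small constructed inventory, using an HR feed of departed owners as the signal for improper offboarding. The record fields, owner names, workload names and dates are assumptions made for the example.

```python
"""Hygiene checks over an NHI inventory: credentials shared by several
workloads (NHI9), long-lived secrets (NHI7) and identities nobody offboarded
(NHI1).

Added example, not code from the article, Astrix or the OWASP project. The
inventory records, owner names, workload names and dates are constructed.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional


@dataclass
class NHI:
    name: str
    kind: str                    # api_key, service_account, oauth_app, ...
    owner: str                   # person or team accountable for it
    created: date                # when the current credential was issued
    last_used: Optional[date]    # None = never seen in audit logs
    consumers: list[str] = field(default_factory=list)  # workloads presenting this credential


def audit_inventory(nhis: list[NHI], departed_owners: set[str], today: date,
                    max_age_days: int = 90, stale_days: int = 60) -> list[tuple[str, str, str]]:
    """Return (nhi name, NHI Top 10 id, detail) for every policy violation."""
    findings = []
    for n in nhis:
        users = sorted(set(n.consumers))
        if len(users) > 1:
            findings.append((n.name, "NHI9", f"one credential shared by {users}"))
        age = (today - n.created).days
        if age > max_age_days:
            findings.append((n.name, "NHI7", f"{age} days since issue; rotation policy is {max_age_days}"))
        if n.owner in departed_owners:
            findings.append((n.name, "NHI1", f"owner {n.owner!r} has left but the credential is still active"))
        elif n.last_used is None or (today - n.last_used).days > stale_days:
            findings.append((n.name, "NHI1", f"no use in the last {stale_days} days; candidate for decommissioning"))
    return findings


TODAY = date(2025, 3, 1)  # fixed so the example is reproducible


def _days_ago(n: int) -> date:
    return TODAY - timedelta(days=n)


# Constructed inventory.
INVENTORY = [
    NHI("ci-deploy-key", "api_key", "alice", _days_ago(400), _days_ago(1), ["payments-api-ci"]),
    NHI("shared-db-svc", "service_account", "platform-team", _days_ago(30), _days_ago(2),
        ["billing", "reporting", "etl"]),
    NHI("bob-legacy-token", "api_key", "bob", _days_ago(20), _days_ago(5), ["ops-scripts"]),
    NHI("old-webhook-app", "oauth_app", "carol", _days_ago(45), None, []),
    NHI("vault-agent", "service_account", "platform-team", _days_ago(10), _days_ago(1), ["vault"]),
]
DEPARTED = {"bob"}  # from the HR feed: the only data that ties an NHI to a leaver

if __name__ == "__main__":
    for name, risk, detail in audit_inventory(INVENTORY, DEPARTED, TODAY):
        print(f"{risk:5} {name:18} {detail}")
```

The departed-owner check is the one most organizations cannot run today, because the owner field is empty: an NHI with no accountable human is the first thing an inventory should surface.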
A standardized framework for NHI security
The OWASP NHI Top 10 fills a critical gap by shedding light on the distinct security challenges NHIs pose. Security and development teams alike have lacked a clear, standardized view of the risks these identities carry and of how to bring them into their security programs. To that end, Astrix Security has implemented the OWASP NHI Top 10 as a framework in its compliance dashboard.
Figure: The Astrix OWASP NHI Top 10 Compliance Dashboard
The dashboard correlates the organization's security findings with the NHI Top 10 risks, helping security professionals visualize their current posture, identify gaps, and prioritize next steps.
Using the dashboard alongside the Top 10 framework lets you quickly see which areas need the most attention and track improvement over time.