The Open Web Application Security Project (OWASP) has recently launched a new Top 10 project: the Non-Human Identity (NHI) Top 10. For years, OWASP has provided security professionals and developers with essential guidance and actionable frameworks through its Top 10 projects, including the widely used API Security and Web Application security lists.
Non-human identity security is an emerging area of the cybersecurity industry, covering the risks and lack of oversight associated with API keys, service accounts, OAuth apps, SSH keys, IAM roles, secrets, and other machine credentials and workload identities.
Given that the flagship OWASP Top 10 projects already cover a broad range of security risks developers should focus on, one might ask: do we really need the NHI Top 10? The short answer is yes. Let's look at why, and then walk through the top 10 NHI risks.
Why we need the NHI Top 10
While other OWASP projects may touch on related vulnerabilities, such as secrets misconfiguration, NHIs and their associated risks go well beyond that. Security incidents leveraging NHIs do not just revolve around exposed secrets; they extend to excessive permissions, OAuth phishing attacks, IAM roles used for lateral movement, and more.
While important, the existing OWASP Top 10 lists do not properly address the unique challenges NHIs present. As the essential connectivity enablers between systems, services, data, and AI agents, NHIs are extremely prevalent across development and runtime environments, and developers interact with them at every stage of the development pipeline.
With the growing frequency of attacks targeting NHIs, it became critical to equip developers with a dedicated guide to the risks they face.
Understanding the OWASP Top 10 ranking criteria
Before we dive into the specific risks, it is important to understand the ranking behind the Top 10 projects. OWASP Top 10 projects follow a common set of parameters to determine risk severity:
- Exploitability: Evaluates how easily an attacker can exploit a given vulnerability if the organization lacks sufficient protection.
- Impact: Considers the potential damage the risk could inflict on business operations and systems.
- Prevalence: Assesses how common the security issue is across different environments, disregarding existing protective measures.
- Detectability: Measures how difficult the weakness is to spot using standard monitoring and detection tools.
Breaking down the OWASP NHI Top 10 risks
Now to the meat. Let's look at the risks that earned a spot on the NHI Top 10 list, in reverse order, and why each one matters:
NHI10:2025 – Human Use of NHI
NHIs are designed to drive automated processes, services, and applications without human intervention. However, during development and maintenance, developers or administrators may repurpose NHIs for manual operations that should be performed with personal human credentials carrying appropriate privileges. This can lead to privilege misuse, and if the abused secret is part of an exploit, it is hard to establish who was behind the activity, because the audit trail names a service account rather than a person.
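The attribution problem described above is the reason a detection rule for "human behind a machine identity" belongs in a SOC playbook. The following is an added example, not code from the article or from the OWASP project: it runs a simple rule over constructed, CloudTrail-like audit events and flags an NHI that logs into a console or shows up with a browser user agent. The `svc-`/`ci-`/`bot-` naming convention, the event field names, the sample events and the user agents are all assumptions made for the example.

```python
"""Added example (not from the article or OWASP): a detection rule over
constructed audit events that flags an NHI being used interactively by a
human. The event shape loosely follows CloudTrail fields but is my own;
the identity naming convention, user agents and events are assumptions."""
import json

# Assumption: machine identities in this org are named with these prefixes.
NHI_PREFIXES = ("svc-", "ci-", "bot-")
# A real SDK/CLI never presents a browser user agent; a human in a console does.
BROWSER_MARKERS = ("Mozilla/", "Chrome/", "Safari/")
# Event names that only make sense for an interactive session.
INTERACTIVE_EVENTS = {"ConsoleLogin", "SwitchRole"}

# Constructed newline-delimited JSON audit log (not real telemetry).
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"time": "2025-03-01T09:00:12Z", "user": "svc-deploy", "event": "PutObject",
     "user_agent": "aws-cli/2.15.0", "source_ip": "10.0.5.20"},
    {"time": "2025-03-01T09:14:03Z", "user": "svc-deploy", "event": "ListBuckets",
     "user_agent": "Mozilla/5.0 (Macintosh) Chrome/122.0 Safari/537.36",
     "source_ip": "203.0.113.7"},
    {"time": "2025-03-01T09:15:40Z", "user": "bot-reporter", "event": "ConsoleLogin",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0)", "source_ip": "198.51.100.4"},
    {"time": "2025-03-01T09:20:00Z", "user": "alice", "event": "ConsoleLogin",
     "user_agent": "Mozilla/5.0 (X11; Linux)", "source_ip": "198.51.100.9"},
])


def is_nhi(user: str) -> bool:
    """Classify an identity as machine or human by naming convention (assumed)."""
    return user.startswith(NHI_PREFIXES)


def detect_human_use(ndjson: str):
    """Return (time, user, source_ip, reason) for every event in which an NHI
    behaves like a person. Human identities are ignored: alice's console login
    is legitimate and must not produce an alert."""
    alerts = []
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if not is_nhi(ev["user"]):
            continue
        why = []
        if ev["event"] in INTERACTIVE_EVENTS:
            why.append(f"interactive event {ev['event']}")
        if any(marker in ev.get("user_agent", "") for marker in BROWSER_MARKERS):
            why.append("browser user agent")
        if why:
            # The source IP is what lets an investigator tie the session to a person.
            alerts.append((ev["time"], ev["user"], ev["source_ip"], "; ".join(why)))
    return alerts


if __name__ == "__main__":
    for alert in detect_human_use(SAMPLE_EVENTS):
        print(*alert, sep="  ")
```

The user-agent check is a heuristic: an attacker replaying a stolen key from a script will look like the SDK, so this rule catches convenience misuse rather than a determined intruder. Pair it with per-NHI allowlists of expected source networks to cover the latter.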
NHI9:2025 – NHI Reuse
NHI reuse occurs when teams repurpose the same service account, for example, across multiple applications. While convenient, this violates the principle of least privilege (the shared identity ends up holding the union of every consumer's permissions) and exposes every dependent service if that one NHI is compromised, increasing the blast radius.
NHI8:2025 – Environment Isolation
A lack of strict environment isolation can lead to test NHIs bleeding into production. A real-world example is the Midnight Blizzard attack on Microsoft, where an OAuth app used for testing was found to have high privileges in production, exposing sensitive data.
NHI7:2025 – Long-Lived Secrets
Secrets that remain valid for extended periods pose a significant risk: the longer a credential lives, the longer a single leak stays exploitable. A notable incident involved Microsoft AI inadvertently exposing an access token in a public GitHub repository; the token remained active for over two years and provided access to 38 terabytes of internal data.
NHI6:2025 – Insecure Cloud Deployment Configurations
CI/CD pipelines inherently require extensive permissions, making them prime targets for attackers. Misconfigurations, such as hardcoded credentials or overly permissive OIDC configurations, can lead to unauthorized access to critical resources. A common example of the latter is a cloud role trust policy that checks only the token issuer and audience but not the subject claim: because every project on a shared CI platform gets tokens from the same issuer, such a policy lets any workflow on that platform assume the role.
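To make the "overly permissive OIDC configuration" concrete, here is an added example, not code from the article or from OWASP. It models an AWS-style IAM role trust policy for GitHub Actions OIDC in three variants (audience only, organisation wildcard, and pinned to one repository and branch) and evaluates constructed token claims against each. The condition evaluator is a deliberately simplified model of IAM semantics covering only `StringEquals` and `StringLike`; the account ID, organisation and repository names and the token claims are assumptions made for the example.

```python
"""Added example (not from the OWASP NHI Top 10 or this article): a toy
evaluator for AWS-style role trust policies used with GitHub Actions OIDC.

Assumptions (mine, not the page's): only StringEquals / StringLike on the
aud and sub claims are modelled, the account id is a placeholder, and the
policies and token claims below are constructed for illustration."""
from fnmatch import fnmatchcase

ISSUER = "token.actions.githubusercontent.com"
PROVIDER_ARN = f"arn:aws:iam::123456789012:oidc-provider/{ISSUER}"  # assumed account id


def _statement(condition: dict) -> dict:
    return {"Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": PROVIDER_ARN},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": condition,
    }]}


# Weak: checks the audience only. Every GitHub repository can mint a token
# from this issuer with aud=sts.amazonaws.com, so any repo's workflow can
# assume the role.
WEAK_POLICY = _statement({"StringEquals": {f"{ISSUER}:aud": "sts.amazonaws.com"}})

# Loose: wildcard subject scoped to the organisation. Any repository in the
# org, and any ref or event (pull_request included), still matches.
LOOSE_POLICY = _statement({
    "StringEquals": {f"{ISSUER}:aud": "sts.amazonaws.com"},
    "StringLike": {f"{ISSUER}:sub": "repo:acme/*"},
})

# Corrected: subject pinned to one repository and one branch.
STRICT_POLICY = _statement({"StringEquals": {
    f"{ISSUER}:aud": "sts.amazonaws.com",
    f"{ISSUER}:sub": "repo:acme/deploy:ref:refs/heads/main",
}})


def _condition_holds(condition: dict, claims: dict) -> bool:
    """AND semantics: every operator block and every key inside it must match."""
    for operator, pairs in condition.items():
        if operator not in ("StringEquals", "StringLike"):
            raise ValueError(f"operator {operator} is not modelled in this example")
        for key, expected in pairs.items():
            actual = claims.get(key)
            if actual is None:
                return False  # a missing claim never satisfies a condition
            if operator == "StringEquals" and actual != expected:
                return False
            if operator == "StringLike" and not fnmatchcase(actual, expected):
                return False
    return True


def may_assume(policy: dict, token_claims: dict) -> bool:
    """True if a token with these claims satisfies some Allow statement.
    Claims are exposed to conditions as '<issuer>:<claim>' keys, as IAM does."""
    if token_claims.get("iss") != f"https://{ISSUER}":
        return False  # a different issuer never matches the federated principal
    keyed = {f"{ISSUER}:{name}": value for name, value in token_claims.items()}
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Principal"].get("Federated") != PROVIDER_ARN:
            continue
        if _condition_holds(stmt.get("Condition", {}), keyed):
            return True
    return False


def token(sub: str) -> dict:
    """Constructed decoded payload of a GitHub Actions OIDC token."""
    return {"iss": f"https://{ISSUER}", "aud": "sts.amazonaws.com", "sub": sub}


OWN_MAIN = token("repo:acme/deploy:ref:refs/heads/main")
OWN_PR = token("repo:acme/deploy:pull_request")
OTHER_REPO = token("repo:someone-else/anything:ref:refs/heads/main")

if __name__ == "__main__":
    for name, claims in [("own main", OWN_MAIN), ("own PR", OWN_PR), ("other repo", OTHER_REPO)]:
        print(f"{name:10s} weak={may_assume(WEAK_POLICY, claims)!s:5} "
              f"loose={may_assume(LOOSE_POLICY, claims)!s:5} "
              f"strict={may_assume(STRICT_POLICY, claims)}")
```

The loose variant is the one that tends to survive review: it looks scoped, yet it grants a production role to pull-request workflows and to any repository an org member can create.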
NHI5:2025 – Overprivileged NHI
Many NHIs are granted excessive privileges due to poor provisioning practices. According to a recent CSA report, 37% of NHI-related security incidents were attributable to overprivileged identities, highlighting the urgent need for proper access controls and least-privilege practices.
NHI4:2025 – Insecure Authentication Methods
Many platforms, including Microsoft 365 and Google Workspace, still support insecure authentication methods such as the implicit OAuth flow and app passwords, which bypass MFA and are susceptible to attack. Developers are often unaware of the security risks of these outdated mechanisms, which leads to their widespread use and potential exploitation.
NHI3:2025 – Vulnerable Third-Party NHI
Many development pipelines rely on third-party tools and services to speed up development, add capabilities, monitor applications, and more. These tools and services integrate directly with IDEs and code repositories using NHIs such as API keys, OAuth apps, and service accounts. Breaches involving vendors like CircleCI, Okta, and GitHub have forced customers to scramble to rotate credentials, highlighting the importance of tightly monitoring and mapping these externally owned NHIs.
NHI2:2025 – Secret Leakage
Secret leakage remains a top concern, often serving as the initial access vector for attackers. Research indicates that 37% of organizations have hardcoded secrets within their applications, making them prime targets.
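Hardcoded secrets are the one NHI risk that can be caught mechanically before the code leaves the developer's machine. The following is an added example, not code from the article or from OWASP: a minimal scanner of the kind that runs as a pre-commit hook or CI step, combining known credential formats with a generic "secret-looking name = quoted literal" rule graded by entropy. The detector patterns, the entropy threshold and the sample source file are constructed for the example (the AWS key values are the publicly documented example keys).

```python
"""Added example (not from the article or OWASP): a minimal hardcoded-secret
scanner. Detector patterns, thresholds and the sample source below are
constructed for illustration."""
import math
import re

# Known credential formats: a recognisable prefix makes these high-confidence hits.
KNOWN_FORMATS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}

# Generic rule: a secret-looking identifier assigned a quoted literal of 8+ chars.
GENERIC = re.compile(
    r"(?i)(password|passwd|secret|api[_-]?key|token)[A-Za-z0-9_]*\s*[=:]\s*['\"]([^'\"]{8,})['\"]"
)
ENTROPY_THRESHOLD = 3.5  # bits per character; a tunable assumption
# Literals that are URLs or templated placeholders are configuration, not credentials.
PLACEHOLDER_MARKERS = ("http://", "https://", "<", "${", "{{")

# Constructed sample file; the AWS values are AWS's documented example keys.
SAMPLE_SOURCE = """\
import os
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
GITHUB_TOKEN = os.environ["GITHUB_TOKEN"]
token_url = "https://auth.example.com/oauth/token"
db_password = "password"
backup_token = "ghp_0123456789abcdefghijABCDEFGHIJ012345"
"""


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking secrets score high, dictionary words low."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan(source: str):
    """Return (line_no, rule, confidence, literal) for each suspected secret.
    Values read from the environment are never literals and so are never reported."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        matched_known = False
        for rule, pattern in KNOWN_FORMATS.items():
            for m in pattern.finditer(line):
                findings.append((line_no, rule, "high", m.group(0)))
                matched_known = True
        if matched_known:
            continue  # do not report the same literal again under the generic rule
        m = GENERIC.search(line)
        if not m:
            continue
        literal = m.group(2)
        if any(marker in literal for marker in PLACEHOLDER_MARKERS):
            continue
        # Low-entropy literals such as "password" are still worth a look, but as
        # a weak default rather than a leaked credential.
        confidence = "medium" if shannon_entropy(literal) >= ENTROPY_THRESHOLD else "low"
        findings.append((line_no, "generic_assignment", confidence, literal))
    return findings


if __name__ == "__main__":
    for line_no, rule, confidence, literal in scan(SAMPLE_SOURCE):
        print(f"line {line_no}: {rule} ({confidence}): {literal[:12]}...")
```

Format-specific rules are cheap and precise, so keep extending `KNOWN_FORMATS` with the token prefixes your vendors use; the generic rule is where the false positives live, and the placeholder list and entropy threshold are the two knobs that control them.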
NHI1:2025 – Improper Offboarding
Ranked as the top NHI risk, improper offboarding refers to the widespread oversight of lingering NHIs that were not removed or decommissioned after an employee left, a service was retired, or a third-party engagement ended. In fact, over 50% of organizations have no formal process to offboard NHIs. NHIs that are no longer needed but remain active create a wide range of attack opportunities, especially for insider threats, because a departed owner still holds a working credential that nobody is watching.
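Both NHI7 (long-lived secrets) and NHI1 (improper offboarding) come down to the same inventory question: for every machine credential, how old is it, when was it last used, and is its owner still around? The following is an added example, not code from the article or from OWASP, that answers those questions offline over a constructed inventory. The record shape, the 90-day rotation and 30-day dormancy thresholds, and the sample entries are assumptions; in practice the `created` and `last_used` fields would come from sources such as the AWS IAM credential report or the identity provider's sign-in logs, and `owner_active` from the HR or vendor-management system.

```python
"""Added example (not from the article or OWASP): an offline audit over a
constructed NHI inventory that flags the NHI7 and NHI1 conditions, namely
credentials past their maximum age, credentials nobody has used recently,
and credentials whose owner is gone. Thresholds and records are assumptions."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

MAX_AGE_DAYS = 90   # anything older should already have been rotated (NHI7)
DORMANT_DAYS = 30   # unused this long is a decommission candidate (NHI1)


@dataclass
class NHI:
    id: str
    kind: str                  # "aws_access_key", "service_account", "oauth_app", ...
    owner: str                 # person, team or vendor accountable for it
    created: date
    last_used: Optional[date]  # None means never used
    owner_active: bool         # False once the employee, vendor or service is gone


# Constructed inventory with a fixed "today" so the results are deterministic.
TODAY = date(2025, 3, 1)
INVENTORY = [
    # 45 days old, used yesterday, owner present: clean.
    NHI("akia-ci-deploy", "aws_access_key", "ci-deploy", date(2025, 1, 15), date(2025, 2, 28), True),
    # Years old and still in daily use, but alice left the company.
    NHI("sa-billing", "service_account", "alice", date(2022, 6, 1), date(2025, 2, 27), False),
    # A test app created 120 days ago that was never used at all.
    NHI("oauth-legacy-test", "oauth_app", "platform-team", date(2024, 11, 1), None, True),
    # Vendor key, 71 days old, last used 50 days ago, contract terminated.
    NHI("vendor-monitor", "api_key", "acme-monitoring", date(2024, 12, 20), date(2025, 1, 10), False),
]


def audit(inventory, today: date):
    """Return {nhi_id: [reasons]} for every NHI that fails a check.
    One record can fail several checks; an empty dict means the inventory is clean."""
    problems = {}
    for nhi in inventory:
        reasons = []
        if (today - nhi.created).days > MAX_AGE_DAYS:
            reasons.append("long_lived")
        if nhi.last_used is None or (today - nhi.last_used).days > DORMANT_DAYS:
            reasons.append("dormant")
        if not nhi.owner_active:
            reasons.append("orphaned")
        if reasons:
            problems[nhi.id] = reasons
    return problems


if __name__ == "__main__":
    for nhi_id, reasons in audit(INVENTORY, TODAY).items():
        print(f"{nhi_id}: {', '.join(reasons)}")
```

Note that `sa-billing` is the case that inventory-by-activity misses entirely: it is used every day, so a dormancy check alone never surfaces it. Only joining the credential to its human owner reveals that nobody accountable is left, which is why the offboarding check has to be driven by HR and vendor events rather than by usage telemetry.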
A standardized framework for NHI security
The OWASP NHI Top 10 fills a critical gap by shedding light on the unique security challenges posed by NHIs. Security and development teams alike have lacked a clear, standardized view of the risks these identities pose and of how to bring them into their security programs. As NHI usage continues to expand across modern applications, projects like the OWASP NHI Top 10 become more important than ever.