Understanding OWASP's First Top 10 Non-Human Identities Security Risks

As the digital landscape evolves, non-human identities (NHIs)—such as service accounts, APIs, and machine credentials—have become critical components in automated workflows and cloud-based infrastructures. However, the growing reliance on these digital entities has expanded the attack surface for cyber threats. The OWASP NHI Top 10 aims to shed light on the most pressing security risks associated with NHIs and provides organizations with best practices for mitigating vulnerabilities to prevent potential breaches. This blog post explores the key findings of the report and offers actionable insights to enhance non-human identity management and security.

OWASP

1/20/2025 · 2 min read

The Open Worldwide Application Security Project (OWASP) has released its inaugural "Non-Human Identities (NHI) Top 10" list, highlighting the most critical security risks associated with non-human digital identities. These NHIs include service accounts, API keys, and machine credentials that authorize software entities such as applications, APIs, bots, and automated systems to access secured resources.

As organizations increasingly rely on automated systems and cloud-based infrastructure, the number of NHIs has surged, often outnumbering human users by a factor of 10 to 50. This rapid proliferation has expanded the attack surface, with credentials remaining the leading attack vector in cyber incidents, according to Verizon’s Data Breach Investigations Report.

Recent high-profile breaches, including Microsoft's Midnight Blizzard Attack (2024), the Internet Archive’s Zendesk Support Platform Hack (2024), and the Okta Support System Compromise (2023), underscore the critical importance of securing NHIs. OWASP's NHI Top 10 list aims to raise awareness of these cybersecurity risks and provide actionable guidance for mitigating vulnerabilities.

Here are some of the key risks identified in the OWASP NHI Top 10:

1. Improper Offboarding: Failure to deactivate NHI credentials after applications or services are retired can leave orphaned accounts vulnerable to unauthorized access.

Mitigation: Implement standardized offboarding processes, automate deactivation of unused credentials, and conduct regular audits of active NHIs.

2. Secret Leakage: Exposure of sensitive credentials through code repositories, configuration files, or CI/CD pipelines makes them susceptible to attacks.

Mitigation: Employ ephemeral credentials, use secret management tools, automate secret detection, and rotate keys regularly.

3. Vulnerable Third-Party NHIs: Third-party integrations requiring elevated permissions can become high-value targets for attackers.

Mitigation: Vet third-party vendors rigorously, limit permissions, monitor third-party behavior, and rotate credentials.

4. Insecure Authentication: Use of obsolete or insecure authentication methods poses significant risks.

Mitigation: Adopt modern protocols like OAuth 2.1 and OpenID Connect (OIDC) and phase out outdated authentication mechanisms.

5. Overprivileged NHIs: Granting excessive permissions to NHIs violates the principle of least privilege, increasing potential damage from compromised accounts.

Mitigation: Enforce least privilege, conduct regular permission audits, and adopt Just-in-Time (JIT) access policies.
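Three of the mitigations above (audit active NHIs, rotate keys, enforce least privilege) can be checked mechanically against an identity inventory. The following Python is an added example, not from OWASP or this post; the record fields, thresholds and the sample inventory are assumptions.

```python
"""Added example (not part of the OWASP NHI Top 10 or this post): a small
inventory audit that flags non-human identities for three listed risks.
The record schema, thresholds and sample data are assumptions."""
from datetime import datetime, timezone

NOW = datetime(2025, 1, 20, tzinfo=timezone.utc)  # fixed "now" so results are reproducible
MAX_IDLE_DAYS = 90      # assumed policy: idle longer than this -> orphan candidate
MAX_KEY_AGE_DAYS = 180  # assumed rotation policy
BROAD_PERMISSIONS = {"*", "admin", "owner"}  # assumed markers of excessive scope

# Constructed sample inventory (not real credentials or systems).
INVENTORY = [
    {"name": "ci-deploy", "owner_app_active": True, "last_used": "2025-01-18",
     "key_created": "2024-12-01", "permissions": ["deploy:write"]},
    {"name": "legacy-report-bot", "owner_app_active": False, "last_used": "2024-06-02",
     "key_created": "2023-03-10", "permissions": ["db:read"]},
    {"name": "vendor-sync", "owner_app_active": True, "last_used": "2025-01-19",
     "key_created": "2024-11-15", "permissions": ["*"]},
]

def _days_since(date_str: str) -> int:
    d = datetime.strptime(date_str, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    return (NOW - d).days

def audit_nhi(record: dict) -> list[str]:
    """Return the risk labels that apply to one identity record."""
    findings = []
    # Risk 1, Improper Offboarding: owning application retired, or credential idle too long
    if not record["owner_app_active"] or _days_since(record["last_used"]) > MAX_IDLE_DAYS:
        findings.append("improper_offboarding")
    # Risk 2 mitigation, rotate keys regularly: credential older than the rotation policy
    if _days_since(record["key_created"]) > MAX_KEY_AGE_DAYS:
        findings.append("stale_credential")
    # Risk 5, Overprivileged NHIs: wildcard or admin-level grants violate least privilege
    if BROAD_PERMISSIONS & set(record["permissions"]):
        findings.append("overprivileged")
    return findings

def audit_inventory(inventory: list[dict]) -> dict[str, list[str]]:
    """Map each NHI name to its findings; identities with no findings are omitted."""
    return {r["name"]: f for r in inventory if (f := audit_nhi(r))}

if __name__ == "__main__":
    for name, risks in audit_inventory(INVENTORY).items():
        print(f"{name}: {', '.join(risks)}")
```

In practice the inventory would be pulled from the cloud provider's or secret manager's API rather than hard-coded, and the findings fed to the offboarding and rotation workflows the mitigations describe.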

By addressing these and other risks outlined in the OWASP NHI Top 10, organizations can strengthen their security postures and better protect against threats targeting non-human digital identities.