OWSAP
Discover OWASP's NHI Top 10 framework for securing non-human identities. Learn k...
A rising and often overlooked threat demands urgent focus: **Non-Human Identities (NHIs)**. These include API keys, service accounts, OAuth apps, SSH keys, IAM roles, and other machine credentials essential for automating systems. Recognizing the urgency of securing these identities, the **Open Web Application Security Project (OWASP)** has introduced the **NHI Top 10**, a framework specifically designed to address their associated risks.
This Threatfeed provides an in-depth analysis of the OWASP NHI Top 10, exploring why it’s essential, breaking down each risk, and providing actionable best practices to secure NHIs.
## What Are Non-Human Identities (NHIs)?
NHIs represent credentials, tokens, and roles used to facilitate automated processes between systems, services, and applications. Unlike human identities, NHIs are designed to operate autonomously and are often embedded in CI/CD pipelines, cloud infrastructures, and runtime environments. Their prevalence makes them a critical connectivity enabler but also an attractive target for attackers.
### Why Are NHIs High-Risk?
NHIs often lack the oversight, monitoring, and lifecycle management applied to human identities. For instance, many organizations fail to monitor their usage effectively, leading to vulnerabilities such as outdated or unused service accounts being exploited. For example, many organizations have experienced breaches where outdated or unused service accounts were exploited, leading to unauthorized access to critical systems. This lack of oversight allows malicious actors to leverage forgotten NHIs as entry points, highlighting the importance of consistent monitoring and lifecycle management to mitigate these risks. For instance, many organizations fail to track the use of API keys or service accounts after their initial creation, leading to a lack of visibility into how these credentials are used or whether they are still required. Additionally, inadequate monitoring of NHI activity means that unusual or malicious behavior, such as unexpected access to sensitive data or systems, often goes undetected until it’s too late. They are:
- Frequently overprivileged.
- Long-lived, with credentials rarely rotated.
- Misconfigured, leading to improper access.
- Overlooked during security audits.
---
## Why Did OWASP Introduce the NHI Top 10?
OWASP’s traditional Top 10 frameworks for API and web application security address general vulnerabilities but fail to cover the unique challenges NHIs pose. NHIs operate autonomously, which means they often lack human oversight and rely heavily on proper configuration and lifecycle management. This independence creates unique risks, such as long-lived secrets, improper provisioning, and unmonitored activity. Unlike traditional vulnerabilities that target user interactions, NHIs are systemic and pervasive, potentially impacting entire systems when exploited. Unlike traditional vulnerabilities, which often focus on user input validation or web exploits, NHI risks involve systemic issues such as secret management, overprivileged identities, and insecure integrations. NHIs function autonomously, lacking the oversight typically associated with human interactions, and this autonomy can amplify the scope and impact of security breaches if not properly managed. NHIs operate autonomously across environments, making their misuse harder to detect and potentially more damaging. The **NHI Top 10** fills this gap by identifying the specific risks and providing actionable strategies for developers and security professionals.
### Key Drivers Behind NHI Top 10:
1. **Prevalence of NHIs:** NHIs are ubiquitous in modern development and runtime environments.
2. **Increasing Attacks:** Threat actors, like those in the UNC5537 attack, exploit NHIs for unauthorized access, data theft, and lateral movement.
3. **Gaps in Existing Frameworks:** Risks like excessive permissions, secret leakage, and insecure authentication methods are inadequately addressed in traditional security lists.
---
## OWASP NHI Top 10: Detailed Breakdown
### **1. Improper Offboarding (NHI1:2025)**
Improper offboarding occurs when NHIs remain active after they’re no longer needed, such as when an employee leaves, a service is retired, or a vendor’s contract ends. For example, orphaned accounts can provide an easy entry point for attackers, leading to unauthorized access and potential breaches. For example, in a well-documented case, a cloud services provider experienced a data breach when credentials tied to a decommissioned service account were exploited months after the service had been retired. Such incidents highlight the critical need for formal offboarding processes. For example, a 2022 report revealed that over 40% of organizations had orphaned credentials still providing access to critical systems, exposing them to insider threats and unauthorized access. These orphaned identities are ripe for exploitation, often by insiders or attackers who gain access to forgotten credentials.
**Key Stats:**
- Over 50% of organizations lack formal processes for decommissioning NHIs.
**Actionable Steps:**
- Implement automated lifecycle management for NHIs.
- Establish ownership and enforce periodic reviews of active identities.
- Regularly audit and decommission unused NHIs.
---
### **2. Secret Leakage (NHI2:2025)**
Hardcoded secrets within applications or repositories frequently serve as an attacker’s entry point. Once exposed, these secrets allow unauthorized access to sensitive systems.
**Real-World Example:**
A GitHub breach exposed API keys, enabling attackers to infiltrate internal systems.
**Actionable Steps:**
- Use secret management tools like HashiCorp Vault or AWS Secrets Manager.
- Automate secret rotation to minimize exposure.
- Scan code repositories for hardcoded secrets.
---
### **3. Vulnerable Third-Party NHIs (NHI3:2025)**
Many organizations rely on third-party tools and integrations that connect via NHIs, such as API keys or OAuth apps. Compromising these third-party NHIs can have a cascading effect on multiple systems.
**Real-World Incidents:**
Breaches involving CircleCI, Okta, and GitHub highlight the risks of relying on external NHIs.
**Actionable Steps:**
- Vet third-party integrations rigorously.
- Restrict third-party NHIs to specific environments and tasks.
- Monitor and map external NHI usage.
---
### **4. Insecure Authentication Methods (NHI4:2025)**
Many platforms still support outdated methods like implicit OAuth flows and app passwords, which bypass MFA. These methods persist due to backward compatibility requirements for legacy systems and ease of integration, despite posing significant security risks. These insecure methods persist primarily because they provide backward compatibility for older systems and ease of integration for legacy applications. Transitioning to newer, more secure authentication mechanisms often involves significant time, resources, and coordination, which organizations may perceive as a barrier to immediate adoption. However, this reliance on outdated methods exposes systems to increased security risks. These methods remain in use largely due to backward compatibility requirements or legacy system dependencies, where transitioning to newer protocols is often seen as costly or disruptive. However, this continued support poses significant security risks, as attackers can exploit these outdated mechanisms to gain unauthorized access. These insecure methods make NHIs susceptible to compromise.
**Actionable Steps:**
- Enforce secure authentication methods, such as PKI-based certificates or short-lived tokens.
- Disable legacy authentication mechanisms.
- Educate developers about the risks of insecure authentication.
---
### **5. Overprivileged NHIs (NHI5:2025)**
NHIs are often granted excessive permissions to “just make it work,” creating a wide attack surface. If compromised, these overprivileged accounts allow attackers to access critical resources.
**Stats:**
- 37% of NHI-related incidents stem from overprivileged identities.
**Actionable Steps:**
- Apply the principle of least privilege.
- Use role-based access control (RBAC) to limit permissions.
- Regularly audit permissions for NHIs.
---
### **6. Insecure Cloud Deployment Configurations (NHI6:2025)**
Misconfigured CI/CD pipelines or cloud deployments often expose NHIs to unauthorized access. Examples include hardcoded credentials and overly permissive OpenID Connect (OIDC) configurations.
**Actionable Steps:**
- Secure CI/CD pipelines with strict access controls.
- Use ephemeral credentials in cloud deployments.
- Audit cloud configurations regularly.
---
### **7. Long-Lived Secrets (NHI7:2025)**
Secrets with extended validity are high-risk, as attackers can exploit them long after they’ve been exposed.
**Real-World Example:**
Microsoft AI exposed an access token that remained valid for over two years, compromising 38 terabytes of data.
**Actionable Steps:**
- Use automated tools to rotate secrets frequently.
- Replace static credentials with dynamic, short-lived tokens.
---
### **8. Environment Isolation (NHI8:2025)**
A lack of strict separation between environments (e.g., test vs. production) allows NHIs to unintentionally operate across boundaries, increasing the risk of exploitation.
**Real-World Example:**
The Midnight Blizzard attack on Microsoft leveraged test NHIs with high production privileges.
**Actionable Steps:**
- Enforce strict environment isolation.
- Prohibit test NHIs from accessing production systems.
- Conduct regular reviews of environment configurations.
---
### **9. NHI Reuse (NHI9:2025)**
Reusing NHIs across multiple systems increases the blast radius if a single identity is compromised.
**Actionable Steps:**
- Create unique NHIs for each application or system.
- Monitor usage to prevent unauthorized sharing.
---
### **10. Human Use of NHIs (NHI10:2025)**
NHIs are designed for automation but are sometimes repurposed for manual operations by developers or administrators. This misuse creates accountability gaps and increases the risk of privilege abuse.
**Actionable Steps:**
- Prohibit human use of NHIs.
- Train teams on proper identity usage.
- Implement strict policies to enforce separation.
---
## Key Takeaways and Best Practices
### **Why Securing NHIs Is Crucial**
The OWASP NHI Top 10 underscores the critical role NHIs play in modern infrastructures and highlights the unique risks they pose. By directly addressing vulnerabilities such as secret leakage, overprivileged accounts, and insecure integrations, this framework provides actionable solutions tailored to the challenges of managing NHIs. It equips organizations with practical strategies to mitigate risks, streamline NHI management, and bolster overall security in an increasingly interconnected digital environment. As attackers increasingly target these identities, securing them becomes paramount.
### **Comprehensive Best Practices**
1. **Adopt the OWASP NHI Top 10 Framework:** Use it as a guide to systematically address NHI risks.
2. **Automate Credential Management:** Leverage tools for secret rotation, short-lived tokens, and passwordless authentication.
3. **Enforce Least Privilege:** Limit NHI permissions to only what is necessary.
4. **Implement Advanced Monitoring:** Track NHI usage and detect anomalies in real-time.
5. **Strengthen Environment Isolation:** Ensure test NHIs don’t bleed into production environments.
---
## Conclusion
The introduction of the OWASP NHI Top 10 marks a significant milestone in addressing the growing risks of non-human identities. By adopting this framework, organizations can systematically tackle vulnerabilities unique to NHIs, ensuring stronger security practices and reduced risk exposure. It highlights the critical need to secure NHIs, which are becoming increasingly prevalent across modern infrastructures, making the framework an indispensable tool in today’s cybersecurity landscape. By providing a structured approach to tackling vulnerabilities such as improper offboarding, secret leakage, and overprivileged accounts, this framework enables organizations to proactively mitigate risks. Adopting these guidelines ensures stronger security practices, reduces potential attack surfaces, and enhances resilience against NHI-related threats. By following the actionable steps outlined in this guide, organizations can strengthen their security posture, mitigate vulnerabilities, and reduce the likelihood of NHI-related breaches. As the use of NHIs expands in modern applications, adopting these best practices is no longer optional—it’s a necessity.
