
The Open Web Application Security Project (OWASP) has recently introduced a new Top 10 project: the Non-Human Identity (NHI) Top 10. For many years, OWASP has given security experts and developers important guidance and practical frameworks through its Top 10 projects; the web application and API security lists are widely used.
Non-human identity security is an emerging area of interest in the cyber security industry. It covers API keys, service accounts, OAuth apps, SSH keys, IAM roles, and other machine credentials and workload identities, together with the risks they carry and the lack of monitoring around them.
Given that the flagship OWASP Top 10 projects already cover a wide range of the security risks developers face, one may ask: do we really need an NHI Top 10? The short answer is yes. Let us look at the reasons by exploring the NHI Top 10 risks.
Why the NHI Top 10 is needed
Other OWASP projects may touch on related vulnerabilities, such as secret mismanagement, but the risks related to NHIs go far beyond that. Security incidents involving NHIs are not mainly about exposed secrets; they extend to excessive permissions, OAuth phishing attacks, and IAM roles abused for lateral movement.
These issues are important, but the existing OWASP Top 10 lists do not address them adequately. NHIs are ubiquitous at every stage of the development pipeline, in both development and runtime environments, because they provide the essential connectivity between systems, services, data, and AI agents.
As attacks against NHIs become more frequent, dedicated guidance on the risks developers face is essential.

Understanding the OWASP Top 10 ranking criteria
Before jumping into the actual risks, it is important to understand the ranking methodology behind the Top 10 projects. An OWASP Top 10 project rates each risk according to a standard set of parameters.
Exploitability: how easily an attacker can exploit a given vulnerability if the organization lacks sufficient protection.
Impact: the damage the risk could cause to business operations and systems.
Prevalence: how common the security issue is across different environments, ignoring existing protective measures.
Detectability: how hard the weakness is to find using standard monitoring and detection tools.
Breaking down the OWASP NHI Top 10 risks
Now for the meat: let us explore the top risks that earned a spot on the NHI Top 10 list and why they matter.
NHI10:2025 - Human Use of NHI
NHIs are designed to drive automated processes, services, and applications that run without human intervention. However, during development and maintenance, developers or administrators reuse NHIs for manual operations that should ideally be performed with personal human credentials carrying appropriate privileges. This can lead to privilege misuse, and if the abused key is part of an exploit, it is hard to establish who is responsible.
NHI9:2025 - NHI Reuse
NHI reuse occurs when a team reuses the same service account, for example, across multiple applications. It is convenient, but it can violate the principle of least privilege and expose multiple services if that NHI is compromised.
NHI8:2025 - Environment Isolation
A lack of strict isolation between environments can let test NHIs bleed into production. A real-world example is the Midnight Blizzard attack against Microsoft, in which Microsoft found that an OAuth app used for testing had high privileges in production, leading to the exposure of confidential data.
NHI7:2025 - Long-Lived Secrets
Secrets that remain valid for a long time carry serious risk. A notable case involved Microsoft AI inadvertently disclosing an access token in a public GitHub repository.
NHI6:2025 - Insecure Cloud Deployment Configurations
CI/CD pipelines inherently require broad permissions, which makes them a prime target for attackers. Misconfigurations such as hard-coded credentials and overly permissive OIDC configurations can lead to unauthorized access to critical resources and expose the organization to breaches.
NHI5:2025 - Overprivileged NHI
Many NHIs are overprivileged because of inadequate provisioning practices. According to a recent CSA report, 37% of NHI-related security incidents were caused by overprivileged identities, which underscores the urgent need for proper access control and least-privilege provisioning practices.
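The two preceding risks, overly permissive OIDC configurations in CI/CD (NHI6) and overprivileged identities (NHI5), can both be checked mechanically against the IAM documents that define a pipeline role. The following audit script is an added example written for this article; it is not code from OWASP, Astrix, or any cloud provider. It assumes an AWS-style role with a GitHub Actions OIDC trust policy and an inline permissions policy, and the account id, role name and ARNs in the sample are constructed placeholders. The trust check requires the audience to be pinned to `sts.amazonaws.com` and the `sub` condition to name a specific repository and ref or environment; the permissions check flags wildcard actions and write actions granted on every resource. `hardened_copy` produces the corrected configuration for comparison.

```python
import copy
from typing import Dict, List

# Constructed sample: an IAM role for a CI/CD deploy job, trusted via GitHub
# Actions OIDC, with an inline permissions policy. Account id, role name and
# resource ARNs are illustrative placeholders, not values from any real account.
SAMPLE_ROLE = {
    "RoleName": "ci-deploy-role",
    "AssumeRolePolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": "arn:aws:iam::111122223333:oidc-provider/token.actions.githubusercontent.com"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {"token.actions.githubusercontent.com:aud": "sts.amazonaws.com"},
                # Weak: any repository in the organization can assume the role
                "StringLike": {"token.actions.githubusercontent.com:sub": "repo:example-org/*"},
            },
        }],
    },
    "PermissionsPolicy": {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
            {"Effect": "Allow", "Action": ["ecs:UpdateService"],
             "Resource": "arn:aws:ecs:us-east-1:111122223333:service/prod/web"},
        ],
    },
}

GITHUB_AUD = "token.actions.githubusercontent.com:aud"
GITHUB_SUB = "token.actions.githubusercontent.com:sub"
READ_ONLY_VERBS = ("Get", "List", "Describe")


def _as_list(value) -> list:
    """IAM allows either a string or a list in Action, Resource and condition values."""
    return value if isinstance(value, list) else [value]


def check_oidc_trust(trust_policy: dict) -> List[str]:
    """Flag web-identity trust statements that do not pin audience and subject tightly."""
    findings = []
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action", [])):
            continue
        # Merge every condition operator into one key -> values map
        conditions: Dict[str, list] = {}
        for operator_values in stmt.get("Condition", {}).values():
            for key, values in operator_values.items():
                conditions.setdefault(key, []).extend(_as_list(values))
        if "sts.amazonaws.com" not in conditions.get(GITHUB_AUD, []):
            findings.append("trust: audience is not pinned to sts.amazonaws.com")
        subjects = conditions.get(GITHUB_SUB, [])
        if not subjects:
            findings.append("trust: no subject condition, so any GitHub repository could assume the role")
        for subject in subjects:
            # A tight subject names one repo and one ref or environment, e.g.
            # repo:example-org/app:ref:refs/heads/main or repo:example-org/app:environment:prod
            parts = subject.split(":")
            if len(parts) < 4 or "*" in parts[1] or "*" in parts[2]:
                findings.append(f"trust: overly broad subject pattern {subject!r}")
    return findings


def check_permissions(policy: dict) -> List[str]:
    """Flag wildcard actions and write actions granted on every resource."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        resources = _as_list(stmt.get("Resource", []))
        for action in _as_list(stmt.get("Action", [])):
            _service, _, verb = action.partition(":")
            if action == "*" or verb == "*":
                findings.append(f"perms: wildcard action {action!r}")
            elif "*" in resources and not verb.startswith(READ_ONLY_VERBS):
                findings.append(f"perms: write action {action!r} allowed on all resources")
    return findings


def audit_role(role: dict) -> List[str]:
    return check_oidc_trust(role["AssumeRolePolicyDocument"]) + check_permissions(role["PermissionsPolicy"])


def hardened_copy(role: dict, subject: str, actions: list, resource: str) -> dict:
    """Return a copy of the role with a pinned OIDC subject and a single scoped permissions statement."""
    fixed = copy.deepcopy(role)
    trust_stmt = fixed["AssumeRolePolicyDocument"]["Statement"][0]
    trust_stmt["Condition"]["StringLike"][GITHUB_SUB] = subject
    fixed["PermissionsPolicy"]["Statement"] = [{"Effect": "Allow", "Action": actions, "Resource": resource}]
    return fixed


if __name__ == "__main__":
    for finding in audit_role(SAMPLE_ROLE):
        print(finding)
    fixed = hardened_copy(SAMPLE_ROLE, "repo:example-org/app:ref:refs/heads/main",
                          ["s3:PutObject"], "arn:aws:s3:::example-deploy-bucket/*")
    print("after hardening:", audit_role(fixed))
```

Running the script on the sample reports the org-wide `sub` pattern and the `s3:*` grant; the hardened copy, which pins the subject to one repository and branch and grants one write action on one bucket, produces no findings. The same two checks apply to any identity provider that issues pipeline tokens, with the condition keys changed accordingly.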
NHI4:2025 - Insecure Authentication
Many platforms such as Microsoft 365 and Google Workspace support MFA but still also support insecure authentication methods, such as implicit OAuth flows and app passwords, that are susceptible to attack. Developers are often unaware of the security risks of these outdated mechanisms, leading to widespread use and potential exploitation.
NHI3:2025 - Vulnerable Third-Party NHI
Many development pipelines depend on third-party tools and services to speed up development, extend functionality, and monitor applications. These tools and services integrate directly with IDEs and code repositories using NHIs such as API keys, OAuth apps, and service accounts. Breaches at vendors such as CircleCI, Okta, and GitHub have forced customers into credential rotation and highlight the importance of carefully monitoring and mapping these externally owned identities.
NHI2:2025 - Secret Leakage
Secret leakage remains a top concern and often serves as the attacker's initial access vector. According to a survey, 37% of organizations have hard-coded secrets in their applications, making them a prime target.
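Hard-coded secrets of the kind described above are found by scanning source and configuration text before it reaches a repository. The scanner below is an added example written for this article, not a tool from OWASP or Astrix. It combines two detection strategies: format-specific patterns for credentials with a recognisable shape (the AWS access key id prefix `AKIA` and the GitHub personal access token prefix `ghp_`), and a generic rule that only fires when a secret-like variable name is assigned a long literal whose Shannon entropy exceeds a threshold, so ordinary strings and environment lookups are not reported. The sample lines are constructed; the AWS value is the placeholder key from AWS documentation, and the scanner masks every value it reports.

```python
import math
import re
from collections import Counter
from typing import Dict, List

# Constructed sample source lines. The AWS value is the placeholder key used in
# AWS documentation; the other literals are made up so the scanner has something to find.
SAMPLE_LINES = [
    "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'",
    'GITHUB_TOKEN = "ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij"',
    "api_key = 'ZmFrZS1idXQtaGlnaC1lbnRyb3B5LXZhbHVlLTEyMzQ1'",
    "api_key = os.environ['API_KEY']",
    "password = 'changeme'",
    "timeout = 30",
]

# (rule name, pattern whose group 1 is the candidate secret, minimum entropy or None).
# Format-specific rules come first; the generic rule needs a secret-like variable
# name and a sufficiently random literal so that ordinary strings are not flagged.
RULES = [
    ("aws-access-key-id", re.compile(r"\b(AKIA[0-9A-Z]{16})\b"), None),
    ("github-pat", re.compile(r"\b(ghp_[A-Za-z0-9]{36})\b"), None),
    ("generic-high-entropy",
     re.compile(r"(?i)\w*(?:secret|token|password|passwd|api[_-]?key)\w*\s*[=:]\s*['\"]([^'\"]{16,})['\"]"),
     3.5),
]


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character: random tokens score high, words and repeats score low."""
    if not value:
        return 0.0
    counts = Counter(value)
    length = len(value)
    return -sum((n / length) * math.log2(n / length) for n in counts.values())


def mask(value: str) -> str:
    """Never echo the full secret back into a log, ticket or CI output."""
    return value[:4] + "..." + "*" * 4


def scan_lines(lines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per line, using the most specific matching rule."""
    findings = []
    for number, line in enumerate(lines, start=1):
        for name, pattern, min_entropy in RULES:
            match = pattern.search(line)
            if not match:
                continue
            candidate = match.group(1)
            if min_entropy is not None and shannon_entropy(candidate) < min_entropy:
                continue
            findings.append({"line": number, "rule": name, "masked": mask(candidate)})
            break
    return findings


if __name__ == "__main__":
    for finding in scan_lines(SAMPLE_LINES):
        print(f"line {finding['line']}: {finding['rule']} {finding['masked']}")
```

On the sample, lines 1 to 3 are reported and lines 4 to 6 are not: the environment lookup contains no literal, `changeme` is too short for the generic rule, and the integer is not a string. In practice the same function is run as a pre-commit hook or a CI step over each changed file, and any finding is treated as a credential to rotate, not merely a line to delete, since the value has already left the developer's machine.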
NHI1:2025 - Improper Offboarding
Improper offboarding ranks as the top NHI risk. It refers to NHIs that are not removed or decommissioned after an employee leaves, a service is retired, or a third-party engagement ends, and that are then left without oversight. In fact, more than 50% of organizations have no formal process for offboarding NHIs. NHIs that are no longer needed but still active create a broad attack surface, especially for insider threats.
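Several of the risks above (NHI9 reuse, NHI8 environment isolation, NHI7 long-lived secrets and NHI1 improper offboarding) are properties of an identity inventory rather than of any single credential, so a periodic audit over that inventory catches them together. The script below is an added example written for this article, not an Astrix or OWASP tool. It assumes an inventory export with a creation date, last-use date, owner, consuming workloads and environments per identity, plus a list of departed owners from an HR feed; all of the sample data is constructed, and the age and staleness thresholds are illustrative choices.

```python
from datetime import date
from typing import Dict, List

# Fixed reference date so the audit is deterministic when run offline
TODAY = date(2025, 3, 1)
MAX_CREDENTIAL_AGE_DAYS = 90   # rotate anything older (NHI7); illustrative threshold
STALE_AFTER_DAYS = 60          # flag anything unused for longer (NHI1); illustrative threshold

# Constructed inventory of non-human identities, as an export from a secrets
# manager or cloud IAM might look. Names, owners and dates are made up.
INVENTORY = [
    {"id": "svc-billing-key", "type": "api_key", "owner": "alice",
     "created": date(2025, 1, 15), "last_used": date(2025, 2, 27),
     "consumers": ["billing-api"], "envs": ["prod"]},
    {"id": "ci-deploy-sa", "type": "service_account", "owner": "bob",
     "created": date(2024, 11, 1), "last_used": date(2025, 2, 28),
     "consumers": ["web", "worker", "reports"], "envs": ["staging", "prod"]},
    {"id": "legacy-etl-token", "type": "oauth_app", "owner": "carol",
     "created": date(2023, 6, 1), "last_used": date(2024, 9, 1),
     "consumers": ["etl"], "envs": ["prod"]},
]
# Constructed HR feed: people who have left but whose identities may linger
DEPARTED_OWNERS = {"carol"}


def audit_identity(nhi: dict, departed: set, today: date = TODAY) -> List[str]:
    """Apply the inventory-level NHI checks to one identity and return labelled findings."""
    findings = []
    age = (today - nhi["created"]).days
    if age > MAX_CREDENTIAL_AGE_DAYS:
        findings.append(f"NHI7 long-lived: credential is {age} days old, rotate it")
    if len(nhi["consumers"]) > 1:
        findings.append(f"NHI9 reuse: shared by {len(nhi['consumers'])} consumers {nhi['consumers']}")
    if len(nhi["envs"]) > 1:
        findings.append(f"NHI8 isolation: valid in multiple environments {nhi['envs']}")
    if nhi["owner"] in departed:
        findings.append(f"NHI1 offboarding: owner {nhi['owner']!r} has left but identity is still active")
    idle = (today - nhi["last_used"]).days
    if idle > STALE_AFTER_DAYS:
        findings.append(f"NHI1 offboarding: unused for {idle} days, decommission or justify")
    return findings


def audit_inventory(inventory: List[dict], departed: set = DEPARTED_OWNERS,
                    today: date = TODAY) -> Dict[str, List[str]]:
    """Map each identity id to its list of findings; an empty list means it passed."""
    return {nhi["id"]: audit_identity(nhi, departed, today) for nhi in inventory}


if __name__ == "__main__":
    for nhi_id, findings in audit_inventory(INVENTORY).items():
        print(nhi_id, "OK" if not findings else "")
        for finding in findings:
            print("   ", finding)
```

On the sample inventory the billing key passes, the CI service account is flagged for age, for being shared by three workloads and for spanning staging and production, and the ETL token is flagged for age, for a departed owner and for months of inactivity. Each finding carries its NHI Top 10 number so the output can be rolled up per category, which is the same mapping a compliance dashboard performs.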
A standardized framework for NHI security
The OWASP NHI Top 10 fills a significant gap by shining a light on the unique security issues NHIs bring. Security and development teams have lacked a clear, standardized view of the risks these identities pose and of how to include them in their security programs. For that reason, Astrix Security has implemented the OWASP NHI Top 10 as a compliance dashboard framework.
Astrix OWASP NHI Top 10 Compliance Dashboard
This feature maps the findings of the organization's security assessment to the NHI Top 10 risks, helping security experts visualize their current posture, identify gaps, and prioritize next steps.
Using the dashboard alongside the Top 10 framework, you can quickly see which areas need the most attention and track improvement over time.