The Open Worldwide Application Security Project’s (OWASP) released the first “Non-Human Identities (NHI) Top 10 used to provide authorization to software entities such as applications, APIs, bots, and automated systems to access secured resources.
As organizations increasingly rely on automated systems, applications, and cloud-based infrastructure, the rapid proliferation of non-human digital identities such as service accounts, API keys, and machine credentials has created an expansive and often under-addressed attack surface.
Organizations now commonly have 10 to 50 times more NHIs than their human counterparts, presenting a growing security concern.
This exponential increase in credentials has heightened the potential for security breaches, as credentials remain the leading attack vector in cyber incidents, per Verizon’s Data Breach Investigations Report.
Examples of NHIs include:
- API keys used by microservices to access database applications.
- Service accounts in backend systems connecting multiple subsystems.
- Roles assocaited with automated services to access cloud resources.
- Tokens used by bots to access protected application resources.
Why the OWASP NHI Top 10 Matters
Organizations should take note of the new OWASP list, which aims to increase awareness of NHI-related cybersecurity risks, provide actionable guidance, and offer strategies for mitigating vulnerabilities.
Recent high-profile breaches, including Microsoft’s Midnight Blizzard Attack (2024), the Internet Archive’s Zendesk Support Platform Hack (2024), and the Okta Support System Compromise (2023), underscore the critical importance of securing NHIs.
The initiative highlights a growing recognition that traditional cybersecurity measures around identity management are insufficient for modern environments, where automated entities now play a dominant role.
OWASP’s Top 10 list outlines the most prevalent NHI risks, along with associated mitigations, to help organizations prioritize improvements in their security postures.
Highlights from the OWASP NHI Top 10
1. Improper Offboarding
Organizations frequently fail to deactivate NHI credentials after applications, services, or automated workflows are retired. These orphaned accounts can become prime targets for attackers to gain unauthorized access.
Mitigation: Implement standardized NHI offboarding processes, automate deactivation of unused credentials, and conduct regular audits of active NHIs.
2. Secret Leakage
Sensitive credentials, such as API keys and tokens, are often exposed through code repositories, configuration files, or CI/CD pipelines, making them vulnerable to attacks.
Mitigation: Employ ephemeral credentials, use secret management tools, automate secret detection, and rotate keys regularly.
3. Vulnerable Third-Party NHIs
Third-party integrations, such as plugins or SaaS applications, often require elevated permissions, making them high-value targets for attackers.
- Mitigation: Vet third-party vendors rigorously, limit permissions, monitor third-party behavior, and rotate credentials.
4. Insecure Authentication
Obsolete or insecure authentication methods, such as legacy protocols or static credentials, remain a significant risk.
- Mitigation: Adopt modern protocols like OAuth 2.1 and OpenID Connect (OIDC) and phase out outdated authentication mechanisms.
5. Overprivileged NHIs
Many NHIs are granted excessive permissions, a common violation of the principle of least privilege, which increases the potential damage from a compromised account.
Mitigation: Enforce least privilege, conduct regular permission audits, and adopt Just-in-Time (JIT) access policies.
6. Insecure Cloud Deployment Configurations
Misconfigurations in CI/CD pipelines and cloud environments—such as hard-coded credentials or improperly stored secrets—are leading causes of security incidents.
Mitigation: Transition to dynamically generated tokens, secure CI/CD pipelines, and use tools like AWS Secrets Manager for credential management.
7. Long-Lived Secrets
Static credentials with excessively long expiration periods create opportunities for attackers to exploit vulnerabilities over time.
Mitigation: Rotate keys frequently, use short-lived credentials, and incorporate zero-trust principles.
8. Environment Isolation
Poor separation between development, testing, and production environments increases the risk of cascading failures in the event of a breach.
Mitigation: Enforce strict isolation policies, implement environment-specific access controls, and segregate sensitive resources.
9. NHI Reuse
Reusing credentials across multiple applications or environments results in compounded security risks if a single credential is compromised.
- Mitigation: Assign unique NHIs to each application or environment and enforce strict auditing of credential use.
10. Human Use of NHIs
Developers or administrators sometimes misuse NHIs intended for automated processes, making activity harder to monitor and increasing the likelihood of insider threats.
- Mitigation: Prohibit human use of NHIs, monitor NHI activity, and raise awareness of risks among developers and administrators.
Why Addressing NHI Risks Is a Top Priority
The report emphasizes that many security practices for NHIs are not inherently complex, but their scale in modern organizations is what makes them challenging.
The sheer volume of NHIs in environments with multiple Identity Providers (IdPs), hybrid cloud setups, and containerized workflows renders manual management nearly impossible without advanced tooling.
OWASP’s recommendations aim to address these challenges by promoting automation, adherence to security best practices, and leveraging advanced credential management platforms to monitor and secure NHI activity.
“The rapid evolution of cyber threats necessitates a proactive and structured approach to managing NHI risks,” OWASP noted in its release.
As organizations continue to adopt automation, cloud-native technologies, and SaaS applications, NHIs will outnumber human credentials even further. The OWASP NHI Top 10 offers a vital roadmap to securing these identities and minimizing risks in the increasingly digital and interconnected landscape of 2025.
For businesses, this means assessing current gaps, prioritizing corrective actions, and investing in modern identity management and security solutions. Ultimately, the ability to secure NHIs will play a crucial role in determining their resilience against cyber threats.
To learn more about the OWASP NHI Top 10 and its implementation, visit OWASP’s official website. For ongoing updates on cybersecurity trends, subscribe to resources like the Resilient Cyber Newsletter, which reaches thousands of professionals in the AppSec, AI, and supply chain security domains.
Find this News Interesting! Follow us on Google News, LinkedIn, and X to Get Instant Updates!
Also Read: