The Open Web Application Security Project (OWASP) recently published a new Top 10 project: the Non-Human Identity (NHI) Top 10. Over the years, OWASP has given security practitioners and developers essential guidance and actionable frameworks through its Top 10 projects, including the widely used lists for API and web application security.
Non-human identity security is drawing new attention across the cybersecurity industry. It covers the risks, and the lack of oversight, associated with API keys, service accounts, OAuth apps, SSH keys, IAM roles, secrets, and other machine credentials and workload identities.
Given that OWASP's flagship Top 10 projects already cover a wide range of security risks that developers should focus on, you might ask: do we really need an NHI Top 10? The short answer is yes. Let's look at why, and then walk through the ten major NHI risks.
Why we need the NHI Top 10
While other OWASP projects may touch on related weaknesses such as secrets misconfiguration, NHIs and their associated risks go far beyond that. Security incidents involving NHIs are not only about exposed secrets; they extend to over-permissioning, OAuth phishing attacks, IAM roles used for lateral movement, and much more.
Despite their importance, the existing OWASP Top 10 lists do not properly address the unique problems that arise with NHIs. As the critical connective tissue between systems, services, data and AI agents, NHIs are extremely common in development and runtime environments, and developers interact with them at every stage of development.
With attacks targeting NHIs on the rise, developers needed dedicated guidance on the specific risks they face.
Understanding the OWASP Top 10 rating criteria
Before we dive into the actual risks, it is important to understand how Top 10 projects rank them. OWASP Top 10 projects follow a standard set of parameters to determine the severity of a risk:
- Exploitability: Evaluates how easily an attacker can exploit the weakness if the organization lacks sufficient protection.
- Impact: Considers the potential damage the risk can cause to business operations and systems.
- Prevalence: Estimates how common the security issue is across different environments, without accounting for existing protective measures.
- Detectability: Measures how difficult it is to detect the weakness using standard monitoring and detection tooling.
A look at the OWASP NHI Top 10 risks
Now to the meat. Let's examine the core risks that earned a place on the NHI Top 10 list and why they matter:
NHI10:2025 – Human use of NHI
NHIs are designed to support automated processes, services and applications without human intervention. During development and maintenance, however, developers or administrators may repurpose an NHI for manual operations that should instead be performed with personal credentials carrying appropriate privileges. This can lead to privilege misuse, and if the misused key is part of an exploit, it becomes difficult to establish who is responsible.
NHI9:2025 – NHI reuse
NHI reuse occurs when a team repurposes the same NHI, for example a single service account, across multiple applications. While convenient, this violates the principle of least privilege and can expose several services if that NHI is compromised, increasing the blast radius.
NHI8:2025 – Insecure environment isolation
A lack of strict environment isolation can let test NHIs bleed into production. A real-world example is the Midnight Blizzard attack on Microsoft, where an OAuth app used for testing held high privileges in production, exposing sensitive data.
NHI7:2025 – Long-lived secrets
Secrets that remain valid for a long time are a significant danger. A notable incident involved Microsoft AI, which unintentionally exposed an access token in a public GitHub repository; the token remained active for more than two years and granted access to 38 terabytes of internal data.
NHI6:2025 – Insecure cloud deployment configuration
CI/CD pipelines inherently require extensive permissions, making them prime targets for attackers. Misconfigurations such as hard-coded credentials or over-permissive OIDC configurations can lead to unauthorized access to critical resources and expose them to breaches.
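As an added example (not from the OWASP project or the original article), here is a Python check for the over-permissive OIDC configuration just described: it audits an AWS IAM role trust policy for GitHub Actions and flags a missing audience pin or a subject condition that lets too many repositories or refs assume the role. The two trust policies, the account id and the repository names are constructed placeholders.

```python
GH_OIDC = "token.actions.githubusercontent.com"


def trust_policy(condition: dict) -> dict:
    """Constructed IAM trust policy for a GitHub Actions OIDC role (account id is a placeholder)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::123456789012:oidc-provider/{GH_OIDC}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": condition,
    }]}


# Weak setting: no audience pin, and any repository in the org may assume the role
WEAK_POLICY = trust_policy({"StringLike": {f"{GH_OIDC}:sub": "repo:example-org/*"}})
# Corrected setting: audience pinned and subject scoped to one repository and one branch
FIXED_POLICY = trust_policy({"StringEquals": {
    f"{GH_OIDC}:aud": "sts.amazonaws.com",
    f"{GH_OIDC}:sub": "repo:example-org/payments-api:ref:refs/heads/main",
}})


def audit_oidc_trust_policy(policy: dict) -> list:
    """Return findings for GitHub OIDC statements; an empty list means these checks passed."""
    findings = []
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if (stmt.get("Effect") != "Allow"
                or "sts:AssumeRoleWithWebIdentity" not in actions
                or GH_OIDC not in stmt.get("Principal", {}).get("Federated", "")):
            continue
        # Flatten every operator block (StringEquals, StringLike, ...) into key -> [values]
        flat = {}
        for kv in stmt.get("Condition", {}).values():
            for key, val in kv.items():
                flat[key] = val if isinstance(val, list) else [val]
        if flat.get(f"{GH_OIDC}:aud") != ["sts.amazonaws.com"]:
            findings.append("aud not pinned to sts.amazonaws.com")
        subs = flat.get(f"{GH_OIDC}:sub")
        if subs is None:
            findings.append("no sub condition: any GitHub repository can assume this role")
        for pattern in subs or []:
            if pattern == "*" or pattern.startswith("repo:*"):
                findings.append(f"sub {pattern!r} matches every repository")
            elif "/*" in pattern:
                findings.append(f"sub {pattern!r} matches every repository in the organization")
            elif pattern.endswith(":*"):
                findings.append(f"sub {pattern!r} matches every branch, tag, PR and environment")
    return findings
```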
NHI5:2025 – Over-privileged NHI
Many NHIs are granted excessive privileges because of poor security practice. According to a recent CSA report, 37% of NHI security incidents were caused by over-privileged identities, underscoring the urgent need for proper controls and least-privilege practices.
NHI4:2025 – Insecure authentication methods
Many platforms, such as Microsoft 365 and Google Workspace, still support insecure authentication methods such as implicit OAuth flows and passwords that bypass MFA and are susceptible to attack. Developers are often unaware of the security risks of these legacy mechanisms, leading to their widespread use and potential exploitation.
NHI3:2025 – Vulnerable third-party NHI
Many developers rely on third-party tools and services to accelerate development, extend functionality, monitor applications, and so on. These tools and services integrate directly with IDEs and code repositories using NHIs such as API keys, OAuth apps and service accounts. Breaches at vendors such as CircleCI, Okta and GitHub left customers scrambling to secure their credentials, which highlights the importance of carefully monitoring and mapping these NHIs.
NHI2:2025 – Secret leakage
Secret leakage remains a major problem, often serving as the initial vector for attackers. Studies show that 37% of organizations have hard-coded secrets in their applications, making them prime targets.
NHI1:2025 – Improper offboarding
Improper offboarding, ranked as the highest NHI risk, refers to the widespread neglect of stale NHIs that were never removed or decommissioned after an employee leaves, a service is retired, or a third-party relationship ends. In fact, more than 50% of organizations have no formal process for removing NHIs. NHIs that are no longer needed but remain active create a wide attack surface, especially for insider threats.
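As an added example covering both NHI7 (long-lived secrets) and NHI1 (improper offboarding), here is a Python audit over an NHI inventory that flags credentials with no expiry that are older than a threshold, credentials whose owner is no longer active, and credentials that have sat idle. The inventory records, their field names and the thresholds are constructed assumptions, not from any real tool or from the original article.

```python
from datetime import date

# Constructed sample inventory; field names are assumptions, not from any real tool
INVENTORY = [
    {"name": "ci-deploy-key", "kind": "ssh-key", "created": "2022-01-10",
     "last_used": "2025-01-05", "expires": None, "owner": "alice", "owner_active": True},
    {"name": "billing-svc-token", "kind": "api-key", "created": "2024-11-01",
     "last_used": "2024-11-02", "expires": None, "owner": "bob", "owner_active": False},
    {"name": "vendor-monitor-oauth", "kind": "oauth-app", "created": "2024-12-01",
     "last_used": "2025-01-08", "expires": "2025-03-01", "owner": "vendor-acme", "owner_active": True},
]


def audit_nhi_inventory(inventory, today, max_age_days=90, idle_days=60):
    """Map each NHI name to its findings; an empty list means it passed these checks."""
    findings = {}
    for nhi in inventory:
        issues = []
        age = (today - date.fromisoformat(nhi["created"])).days
        # NHI7: a credential that never expires and has outlived the rotation window
        if nhi["expires"] is None and age > max_age_days:
            issues.append(f"long-lived: {age} days old and never expires (NHI7)")
        # NHI1: the human or vendor that owned this identity is gone, but the credential is not
        if not nhi["owner_active"]:
            issues.append(f"orphaned: owner {nhi['owner']!r} is no longer active (NHI1)")
        # NHI1: unused credentials are decommissioning candidates, not something to keep around
        idle = (today - date.fromisoformat(nhi["last_used"])).days
        if idle > idle_days:
            issues.append(f"idle: unused for {idle} days, candidate for removal (NHI1)")
        findings[nhi["name"]] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit_nhi_inventory(INVENTORY, date(2025, 1, 10)).items():
        print(name, "->", issues or "ok")
```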
A standardized NHI security baseline
The OWASP NHI Top 10 fills a critical gap by shedding light on the unique security issues that NHIs create. Security teams and developers have lacked a precise, standardized view of the risks these identities carry and of how to fold them into their security programs. As NHI use continues to expand in modern applications, projects such as the OWASP NHI Top 10 become more important than ever.