January 28, 2025
Do We Really Need The OWASP NHI Top 10?

The Open Web Application Security Project has recently introduced a new Top 10 project – the Non-Human Identity (NHI) Top 10. For years, OWASP has provided security professionals and developers with essential guidance and actionable frameworks through its Top 10 projects, including the widely used API and Web Application security lists.

Non-human identity security represents an emerging interest in the cybersecurity industry, encompassing the risks and lack of oversight associated with API keys, service accounts, OAuth apps, SSH keys, IAM roles, secrets, and other machine credentials and workload identities.

Considering that the flagship OWASP Top 10 projects already cover a broad range of security risks developers should focus on, one might ask – do we really need the NHI Top 10? The short answer is – yes. Let’s see why, and explore the top 10 NHI risks.

Why we need the NHI Top 10

While other OWASP projects might touch on related vulnerabilities, such as secrets misconfiguration, NHIs and their associated risks go well beyond that. Security incidents leveraging NHIs don’t just revolve around exposed secrets; they extend to excessive permissions, OAuth phishing attacks, IAM roles used for lateral movement, and more.

While crucial, the existing OWASP Top 10 lists don’t properly address the unique challenges NHIs present. Being the critical connectivity enablers between systems, services, data, and AI agents, NHIs are extremely prevalent across development and runtime environments, and developers interact with them at every stage of the development pipeline.

With the growing frequency of attacks targeting NHIs, it became imperative to equip developers with a dedicated guide to the risks they face.

Understanding the OWASP Top 10 ranking criteria

Before we dive into the actual risks, it’s important to understand the ranking behind the Top 10 projects. OWASP Top 10 projects follow a standard set of parameters to determine risk severity:

  • Exploitability: Evaluates how easily an attacker can exploit a given vulnerability if the organization lacks sufficient protection.
  • Impact: Considers the potential damage the risk could inflict on business operations and systems.
  • Prevalence: Assesses how common the security issue is across different environments, disregarding existing protective measures.
  • Detectability: Measures the difficulty of spotting the weakness using standard monitoring and detection tools.

Breaking down the OWASP NHI Top 10 risks

Now to the meat. Let’s explore the top risks that earned a spot on the NHI Top 10 list and why they matter:

NHI10:2025 – Human Use of NHI

NHIs are designed to facilitate automated processes, services, and applications without human intervention. However, during the development and maintenance phases, developers or administrators may repurpose NHIs for manual operations that should ideally be conducted using personal human credentials with appropriate privileges. This can lead to privilege misuse, and if such a shared key is later abused in an attack, it is hard to establish who is accountable for it.

NHI9:2025 – NHI Reuse

NHI reuse occurs when teams repurpose the same NHI, for example a single service account, across multiple applications. While convenient, this violates the principle of least privilege and, if that NHI is compromised, exposes every service that depends on it – increasing the blast radius.

NHI8:2025 – Environment Isolation

A lack of strict environment isolation can lead to test NHIs bleeding into production. A real-world example is the Midnight Blizzard attack on Microsoft, where an OAuth app used for testing was found to have high privileges in production, exposing sensitive data.

NHI7:2025 – Long-Lived Secrets

Secrets that remain valid for extended periods pose a significant risk. A notable incident involved Microsoft AI inadvertently exposing an access token in a public GitHub repository, which remained active for over two years and provided access to 38 terabytes of internal data.

NHI6:2025 – Insecure Cloud Deployment Configurations

CI/CD pipelines inherently require extensive permissions, making them prime targets for attackers. Misconfigurations, such as hardcoded credentials or overly permissive OIDC configurations, can lead to unauthorized access to critical resources, exposing them to breaches.
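The "overly permissive OIDC configuration" above is easiest to see by comparing two trust policies. The following is an added example, not code from the article or from OWASP: a toy evaluator that applies a CI/CD role's trust conditions to the claims of a workload token. The issuer, audience, role and repository names are constructed placeholders, and the `repo:<owner>/<repo>:ref:<branch>` subject format is an assumption modelled on common CI providers.

```python
from fnmatch import fnmatchcase

# Constructed placeholder values; a real policy uses the CI provider's
# issuer URL and the cloud's own audience string.
ISSUER = "https://ci.example.com"
AUDIENCE = "sts.example-cloud.com"

# Trust conditions as a mapping of claim name -> required value (globs allowed).
# Weak: only issuer and audience are checked, so any workflow in any
# repository at this CI provider can assume the deployment role.
PERMISSIVE_TRUST = {"iss": ISSUER, "aud": AUDIENCE}

# Hardened: the subject pins the role to one repository and one branch.
PINNED_TRUST = {
    "iss": ISSUER,
    "aud": AUDIENCE,
    "sub": "repo:acme/payments-api:ref:refs/heads/main",
}

# Constructed sample tokens: the intended deployment workflow, a workflow
# from an unrelated repository, and a feature branch of the right repository.
SAMPLE_TOKENS = {
    "legit_main": {"iss": ISSUER, "aud": AUDIENCE,
                   "sub": "repo:acme/payments-api:ref:refs/heads/main"},
    "other_repo": {"iss": ISSUER, "aud": AUDIENCE,
                   "sub": "repo:someone-else/sandbox:ref:refs/heads/main"},
    "feature_branch": {"iss": ISSUER, "aud": AUDIENCE,
                       "sub": "repo:acme/payments-api:ref:refs/heads/feature-x"},
    "missing_sub": {"iss": ISSUER, "aud": AUDIENCE},
}


def token_matches_trust(claims: dict, trust: dict) -> bool:
    """True if every trust condition is met. A missing claim fails closed;
    condition values are matched case-sensitively, with '*' as a glob."""
    for claim, expected in trust.items():
        actual = claims.get(claim)
        if not isinstance(actual, str) or not fnmatchcase(actual, expected):
            return False
    return True


def evaluate(trust: dict) -> dict:
    """Which of the sample tokens would be allowed to assume the role."""
    return {name: token_matches_trust(tok, trust) for name, tok in SAMPLE_TOKENS.items()}


if __name__ == "__main__":
    print("permissive:", evaluate(PERMISSIVE_TRUST))  # everything is accepted
    print("pinned:    ", evaluate(PINNED_TRUST))      # only legit_main is accepted
```

A subject glob such as `repo:acme/*` would still admit every branch of every repository in the organisation, so pin the subject as narrowly as the deployment actually needs.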

NHI5:2025 – Overprivileged NHI

Many NHIs are granted excessive privileges due to poor provisioning practices. According to a recent CSA report, 37% of NHI-related security incidents were caused by overprivileged identities, highlighting the urgent need for proper access controls and least-privilege practices.

NHI4:2025 – Insecure Authentication Methods

Many platforms, such as Microsoft 365 and Google Workspace, still support insecure authentication methods such as implicit OAuth flows and app passwords, which bypass MFA and are susceptible to attacks. Developers are often unaware of the security risks of these outdated mechanisms, which leads to their widespread use and potential exploitation.

NHI3:2025 – Vulnerable Third-Party NHI

Many development pipelines rely on third-party tools and services to expedite development, enhance capabilities, monitor applications, and more. These tools and services integrate directly with IDEs and code repos using NHIs like API keys, OAuth apps, and service accounts. Breaches involving vendors like CircleCI, Okta, and GitHub have forced customers to scramble to rotate credentials, highlighting the importance of tightly monitoring and mapping these externally owned NHIs.

NHI2:2025 – Secret Leakage

Secret leakage remains a top concern, often serving as the initial access vector for attackers. Research indicates that 37% of organizations have hardcoded secrets within their applications, making them prime targets.

NHI1:2025 – Improper Offboarding

Ranked as the top NHI risk, improper offboarding refers to the prevalent oversight of lingering NHIs that were not removed or decommissioned after an employee left, a service was removed, or a third party was terminated. In fact, over 50% of organizations have no formal processes to offboard NHIs. NHIs that are no longer needed but remain active create a wide array of attack opportunities, especially for insider threats.
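The offboarding gap described here (NHI1) and the long-lived secrets of NHI7 are both found with the same inventory check. The following is an added example, not code from the article or from OWASP: it audits a constructed NHI inventory for credentials older than a rotation threshold and for identities whose owner has left, whose consuming service or third party was removed, or that have simply gone idle. The record fields, the 90-day rotation policy and the 60-day idle threshold are assumptions.

```python
from datetime import date, timedelta

AS_OF = date(2025, 1, 28)              # fixed audit date so results are deterministic
MAX_SECRET_AGE = timedelta(days=90)    # assumed rotation policy for NHI7
MAX_IDLE = timedelta(days=60)          # assumed "no longer used" threshold for NHI1

# Constructed inventory: one record per machine credential, as an NHI
# discovery tool might assemble it from IAM, secret managers and SaaS admin APIs.
INVENTORY = [
    {"id": "svc-ci-deployer", "created": date(2024, 12, 1), "last_used": date(2025, 1, 27),
     "owner": "alice", "owner_active": True, "consumer_active": True},
    {"id": "sas-blob-export", "created": date(2022, 7, 20), "last_used": date(2025, 1, 20),
     "owner": "bob", "owner_active": True, "consumer_active": True},
    {"id": "svc-legacy-etl", "created": date(2024, 11, 3), "last_used": date(2024, 11, 10),
     "owner": "carol", "owner_active": False, "consumer_active": False},
    {"id": "oauth-vendor-monitor", "created": date(2024, 12, 15), "last_used": date(2025, 1, 25),
     "owner": "dave", "owner_active": True, "consumer_active": False},
]


def audit(inventory: list, as_of: date = AS_OF) -> dict:
    """Return {nhi_id: [findings]} for every NHI that breaches a rule.
    Rules map onto the two OWASP NHI Top 10 entries discussed above."""
    findings = {}
    for nhi in inventory:
        issues = []
        if as_of - nhi["created"] > MAX_SECRET_AGE:
            issues.append("NHI7 long-lived secret: rotate")
        if not nhi["owner_active"]:
            issues.append("NHI1 owner offboarded: reassign or decommission")
        if not nhi["consumer_active"]:
            issues.append("NHI1 consuming service or vendor removed: decommission")
        if as_of - nhi["last_used"] > MAX_IDLE:
            issues.append("NHI1 idle beyond threshold: confirm need or disable")
        if issues:
            findings[nhi["id"]] = issues
    return findings


if __name__ == "__main__":
    for nhi_id, issues in audit(INVENTORY).items():
        print(nhi_id)
        for issue in issues:
            print("  -", issue)
```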

A standardized framework for NHI security

The OWASP NHI Top 10 fills a critical gap by shedding light on the unique security challenges posed by NHIs. Security and development teams alike lack a clear, standardized view of the risks these identities pose, and how to go about including them in security programs. As their usage continues to expand across modern applications, projects like the OWASP NHI Top 10 become more crucial than ever.
