Source: The Hacker News
Author: The Hacker News
URL: https://thehackernews.com/2025/01/do-we-really-need-owasp-nhi-top-10.html
ONE SENTENCE SUMMARY:
The OWASP NHI Top 10 highlights critical security risks associated with non-human identities, emphasizing their increasing importance in modern applications.
MAIN POINTS:
- The NHI Top 10 addresses unique security risks beyond the scope of existing OWASP Top 10 projects.
- Non-human identities (NHIs) include API keys, OAuth apps, IAM roles, and other machine credentials.
- NHIs enable critical system connectivity, making them prevalent across development and runtime environments.
- Ranking criteria for OWASP Top 10 risks include exploitability, impact, prevalence, and detectability.
- Improper offboarding of NHIs is the top risk, with over 50% of organizations lacking formal offboarding processes.
- Secret leakage is a leading issue, with 37% of organizations hardcoding secrets into applications.
- Overprivileged NHIs and insecure authentication methods expose systems to significant exploitation risks.
- NHI reuse and lack of environment isolation increase the blast radius of potential breaches.
- Vulnerable third-party NHIs in development pipelines present risks from integrations with external tools and services.
- Long-lived secrets and insecure cloud deployment configurations are weaknesses that attackers frequently exploit.
TAKEAWAYS:
- The NHI Top 10 addresses critical gaps in existing security frameworks for non-human identities.
- Proper NHI offboarding and least-privilege practices are essential to mitigate significant attack vectors.
- Developers must avoid insecure authentication methods and ensure strict environment isolation for NHIs.
- Organizations should prioritize secret management to prevent leakage and unauthorized access.
- Monitoring third-party NHIs and reducing overprivileged roles can minimize risks in development pipelines.