Source: The Hacker News
Author: info@thehackernews.com (The Hacker News)
URL: https://thehackernews.com/2025/01/do-we-really-need-owasp-nhi-top-10.html
ONE SENTENCE SUMMARY:

- The OWASP NHI Top 10 highlights critical security risks associated with non-human identities, emphasizing their increasing importance in modern applications.

MAIN POINTS:

- The NHI Top 10 addresses unique security risks beyond the scope of existing OWASP Top 10 projects.
- Non-human identities (NHIs) include API keys, OAuth apps, IAM roles, and other machine credentials.
- NHIs enable critical system connectivity, making them prevalent across development and runtime environments.
- Ranking criteria for OWASP Top 10 risks include exploitability, impact, prevalence, and detectability.
- Improper offboarding of NHIs is the top risk, with over 50% of organizations lacking formal offboarding processes.
- Secret leakage is a leading issue, with 37% of organizations hardcoding secrets into applications.
- Overprivileged NHIs and insecure authentication methods expose systems to significant exploitation risks.
- NHI reuse and lack of environment isolation increase the blast radius of potential breaches.
- Vulnerable third-party NHIs in development pipelines present risks from integrations with external tools and services.
- Long-lived secrets and insecure cloud deployment configurations are frequently exploited vulnerabilities.

TAKEAWAYS:

- The NHI Top 10 addresses critical gaps in existing security frameworks for non-human identities.
- Proper NHI offboarding and least-privilege practices are essential to mitigate significant attack vectors.
- Developers must avoid insecure authentication methods and ensure strict environment isolation for NHIs.
- Organizations should prioritize secret management to prevent leakage and unauthorized access.
- Monitoring third-party NHIs and reducing overprivileged roles can minimize risks in development pipelines.