Non-human identities (NHIs) are used to provide authorization to software entities such as applications, APIs, bots, and automated systems to access secured resources. Unlike human identities, NHIs are not controlled or directly owned by a human. Their identity object and authentication often work differently to human, and common human user security measures do not apply to them.
+
Examples of NHIs include:
+
+
API keys used by microservices to access database applications.
+
Service accounts in backend systems connecting multiple subsystems.
+
Roles assocaited with automated services to access cloud resources.
+
Tokens used by bots to access protected application resources.
+
+
As modern software becomes increasingly automated and interconnected, NHIs have become essential to application development.
Mismanagement of NHIs introduces significant security risks. Key issues include:
+
+
Excessive Permissions: NHIs are commonly granted very broad access to resources which leads to a widespread damage if compromised.
+
Credential Mismanagement: NHI credentials can easily be wrongly managed: leaving hardcoded keys in code, poor or no rotation policies, and usage of deprecated authentication method make NHI vulnerable to compromise.
+
Lack of Monitoring: NHIs are notoriously under-monitored, allowing malicious activity to go unnoticed.
+
+
The key issues above make it so a compromised NHIs can lead to unauthorized access, data breaches, or attacks on infrastructure. With NHIs playing critical roles in development pipelines, cloud environments, and SaaS ecosystems, securing them is essential.
In recent worlds, with the increase of prevalence in using NHIs, real-world incidents involving a compromised NHI have grown exponentially. Some of the highest profile incidents are presented below and demonstrate the risks of insecure NHIs:
+
+
Microsoft's Midnight Blizzard Breach (January 2024): A nation-state actor, Midnight Blizzard, initiated an attack against Microsoft's tenant. After gaining access to a non-production Microsoft 365 test tenant, they exploited a legacy OAuth application — an unmanaged non-human identity — with full privileges to access Microsoft's production environment. This led to unauthorized access to corporate email accounts, resulting in the exfiltration of sensitive communications and documents.
+
Okta's Support System Breach (November 2023): Okta has experienced a security breach involving a compromised service account. An employee had saved the credentials for this service account to their personal Google account after signing in on an Okta-managed device. The compromise of the employee's personal Google account allowed attackers to obtain these credentials, granting unauthorized access to Okta's customer support system. The attackers accessed files related to 134 customers, including HTTP Archive (HAR) files containing sensitive data like session tokens.
+
Internet Archive's Zendesk Support Platform Breach (October 2024): Attackers exploited unrotated access tokens tied to the Internet Archive's Zendesk support platform, leading to unauthorized access and potential data exposure. This incident highlights the importance of regularly rotating and securing non-human identity credentials to prevent unauthorized access.
The OWASP Non-Human Identity (NHI) Top 10 identifies and ranks the most critical risks associated with NHIs, providing a practical guide for developers and organizations.
We identified key risks through real-world incidents, surveys, CVE databases, and industry input. Using the collected data and based on the OWASP Risk Rating Methodology, we ranked the top 10 risks to provide a clear prioritized list.
Welcome to the OWASP Non-Human Identity (NHI) Top 10 - 2025!
This project outlines the top 10 risks associated with non-human identities (NHIs) for application developers. With NHIs becoming vital in development pipelines, understanding these risks is critical.
The list was compiled by identifying key risks organizations face with NHIs and ranking them using the OWASP Risk Rating Methodology. Data sources included real-world breaches, surveys, CVE databases, and more. For details on our process, see Ranking Criteria and Methodology and Data.
Start with the project's Introduction, and explore the OWASP Non-Human Identity Top 10 - 2025 for an overview of the risks.
Contributions are welcome! See our Contributing Guidelines to get involved and help improve the project.
"},{"location":"top-10-2025/","title":"OWASP Non-Human Identities Top 10 - 2025","text":"
TBD
"}]}
\ No newline at end of file
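Review bot: the indexed page text in this hunk ships several wording errors to readers through search snippets: "Roles assocaited with automated services" (typo for "associated"), "In recent worlds" (should be "In recent years"), "work differently to human" (should be "differently from human identities"), and "a compromised NHIs can lead" (singular/plural mismatch). Because these `"location"`/`"title"`/`"text"` records are generated from the markdown pages, fix the typos in the Introduction source and rebuild rather than editing the JSON by hand, otherwise the next build overwrites the fix. Note also that the `"top-10-2025/"` record already carries the text "TBD", so the index is being committed before the page it points at has any content.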
+{"config":{"lang":["en"],"separator":"[\\s\\-]+","pipeline":["stopWordFilter"]},"docs":[{"location":"","title":"Home","text":"
Welcome to the OWASP Non-Human Identity (NHI) Top 10 - 2025!
This project outlines the top 10 risks associated with non-human identities (NHIs) for application developers. With NHIs becoming vital in development pipelines, understanding these risks is critical.
The list was compiled by identifying key risks organizations face with NHIs and ranking them using the OWASP Risk Rating Methodology. Data sources included real-world breaches, surveys, CVE databases, and more. For details on our process, see Ranking Criteria and Methodology and Data.
Start with the project's Introduction, and explore the OWASP Non-Human Identity Top 10 - 2025 for an overview of the risks.
Contributions are welcome! See our Contributing Guidelines to get involved and help improve the project.
"},{"location":"introduction/","title":"Introduction","text":""},{"location":"introduction/#what-are-non-human-identities-nhis","title":"What Are Non-Human Identities (NHIs)?","text":"
Non-human identities (NHIs) are used to provide authorization to software entities such as applications, APIs, bots, and automated systems to access secured resources. Unlike human identities, NHIs are not controlled or directly owned by a human. Their identity object and authentication often work differently to human, and common human user security measures do not apply to them.
Examples of NHIs include:
API keys used by microservices to access database applications.
Service accounts in backend systems connecting multiple subsystems.
Roles assocaited with automated services to access cloud resources.
Tokens used by bots to access protected application resources.
As modern software becomes increasingly automated and interconnected, NHIs have become essential to application development.
"},{"location":"introduction/#the-importance-of-securing-nhis","title":"The Importance of Securing NHIs","text":"
Mismanagement of NHIs introduces significant security risks. Key issues include:
Excessive Permissions: NHIs are commonly granted very broad access to resources which leads to a widespread damage if compromised.
Credential Mismanagement: NHI credentials can easily be wrongly managed: leaving hardcoded keys in code, poor or no rotation policies, and usage of deprecated authentication method make NHI vulnerable to compromise.
Lack of Monitoring: NHIs are notoriously under-monitored, allowing malicious activity to go unnoticed.
The key issues above make it so a compromised NHIs can lead to unauthorized access, data breaches, or attacks on infrastructure. With NHIs playing critical roles in development pipelines, cloud environments, and SaaS ecosystems, securing them is essential.
"},{"location":"introduction/#examples-of-risks-and-breaches","title":"Examples of Risks and Breaches","text":"
In recent worlds, with the increase of prevalence in using NHIs, real-world incidents involving a compromised NHI have grown exponentially. Some of the highest profile incidents are presented below and demonstrate the risks of insecure NHIs:
Microsoft's Midnight Blizzard Breach (January 2024): A nation-state actor, Midnight Blizzard, initiated an attack against Microsoft's tenant. After gaining access to a non-production Microsoft 365 test tenant, they exploited a legacy OAuth application \u2014 an unmanaged non-human identity \u2014 with full privileges to access Microsoft's production environment. This led to unauthorized access to corporate email accounts, resulting in the exfiltration of sensitive communications and documents.
Okta's Support System Breach (November 2023): Okta has experienced a security breach involving a compromised service account. An employee had saved the credentials for this service account to their personal Google account after signing in on an Okta-managed device. The compromise of the employee's personal Google account allowed attackers to obtain these credentials, granting unauthorized access to Okta's customer support system. The attackers accessed files related to 134 customers, including HTTP Archive (HAR) files containing sensitive data like session tokens.
Internet Archive's Zendesk Support Platform Breach (October 2024): Attackers exploited unrotated access tokens tied to the Internet Archive's Zendesk support platform, leading to unauthorized access and potential data exposure. This incident highlights the importance of regularly rotating and securing non-human identity credentials to prevent unauthorized access.
"},{"location":"introduction/#about-the-owasp-nhi-top-10-project","title":"About the OWASP NHI Top 10 Project","text":"
The OWASP Non-Human Identity (NHI) Top 10 identifies and ranks the most critical risks associated with NHIs, providing a practical guide for developers and organizations.
"},{"location":"introduction/#why-this-project-matters","title":"Why This Project Matters","text":"
As NHIs become more prevalent, securing them has become as important as protecting human users. This project aims to:
Raise awareness of NHI-related security challenges.
Offer actionable insights for securing NHIs from their most dangerous risks.
Help developers and organizations prioritize risks and implement best practices.
"},{"location":"introduction/#how-we-built-the-list","title":"How We Built the List","text":"
We identified key risks through real-world incidents, surveys, CVE databases, and industry input. Using the collected data and based on the OWASP Risk Rating Methodology, we ranked the top 10 risks to provide a clear prioritized list.
"},{"location":"introduction/#what-developers-should-do","title":"What Developers Should Do","text":"
Developers can use this project to:
Understand the risks associated with NHIs in their applications.
Apply the recommended practices to secure NHIs and mitigate threats.
Monitor and improve their NHI security continuously.
"},{"location":"methodology-and-data/","title":"Methodology and Data","text":"
"},{"location":"top-10-2025/","title":"OWASP Non-Human Identities Top 10 - 2025","text":"
TBD
"}]}
\ No newline at end of file
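Review bot: the `"methodology-and-data/"` record has an empty `"text"` and the `"top-10-2025/"` record reads "TBD", yet both the Home and Introduction records tell readers to "see Ranking Criteria and Methodology and Data" and to "explore the OWASP Non-Human Identity Top 10 - 2025"; either land those pages before this index is published or drop the forward references until they exist. This file is the generated search index (the `"config"` block with `"separator"` and `"pipeline":["stopWordFilter"]` plus the `"docs"` array is the MkDocs search plugin's output), so committing it alongside the source means every content fix must be applied twice; consider building it in CI instead of checking it in. The same typos flagged in the previous hunk ("assocaited", "In recent worlds", "differently to human", "a compromised NHIs") recur here in the Introduction records and need the same source-level fix.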
diff --git a/index.html b/index.html
index 697ac6e..7e87757 100644
--- a/index.html
+++ b/index.html
@@ -522,23 +522,113 @@
OWASP Non-Human Identities Top 10
-
The Non-human identity (NHI) top 10 is a comprehensive list of the most pressing security risks and vulnerabilities that non-human identities present to organizations.
-Non-human identities are prevalent in usage for facilitating creation of applications by developers, and the project is aimed at helping security professionals thoroughly understand their non-human attack surface, so they can better protect and manage it. The project spans across thoroughly explaining the risks and their potential exploits, as well as providing actionable prevention practices and incident response playbooks.
This comprehensive list highlights the most critical challenges in integrating Non-Human Identities (NHIs) into the development lifecycle, ranked based on exploitability, prevalence, detectability, and impact.
+
+
What is Non-Human Identities top 10?
+
+
The Non-human identity (NHI) top 10 is a comprehensive list of the most pressing security risks and vulnerabilities that non-human identities present to organizations.
+
+
Non-human identities are prevalent in usage for facilitating creation of applications by developers, and the project is aimed at helping security professionals thoroughly understand their non-human attack surface, so they can better protect and manage it. The project spans across thoroughly explaining the risks and their potential exploits, as well as providing actionable prevention practices and incident response playbooks.
Improper offboarding refers to the inadequate deactivation or removal of non-human identities (NHIs) such as service accounts and access keys when they are no longer needed.
+Unmonitored and deprecated services may remain vulnerable, and their associated NHIs can be exploited by attackers to gain unauthorized access to sensitive systems and data.
+Read More »
Secret Leakage refers to the leakage of sensitive NHIs such as API keys, tokens, encryption keys, and certificates to unsanctioned data stores throughout the software development lifecycle
+When secrets are leaked —for instance, hard-coded into source code, stored in plain text configuration files, or sent over public chat applications —they become susceptible to exposure.
+Read More »
Third-party non-human identities (NHIs) are extensively integrated into the development workflow, both through the use of integrated development environments (IDEs) and their extensions and also through the use of 3rd party SaaS.
+If a third-party extension is compromised—whether through a security vulnerability or a malicious update—it can be exploited to steal these credentials or misuse the granted permissions.
+Read More »
Developers frequently integrate internal and external (third-party) services into their applications. These services require access to resources within these systems, necessitating authentication credentials.
+However, some authentication methods are deprecated, vulnerable to known attacks, or considered weak due to outdated security practices. Utilizing insecure or obsolete authentication mechanisms can expose organizations to significant risks.
+Read More »
During application development and maintenance, developers or administrators may assign NHIs with significantly more privileges than required for their function.
+When an over-privileged NHI is compromised — whether through vulnerabilities in the application, malware, or other security breaches — attackers can exploit the excessive permissions.
+Read More »
Continuous Integration and Continuous Deployment (CI/CD) applications enable developers to automate the process of building, testing, and deploying code to production environments.
+These integrations often require authentication with cloud services, typically achieved using static credentials or OpenID Connect (OIDC).
+Static credentials can be inadvertently exposed through code repositories, logs, or configuration files. If compromised, these credentials can provide attackers with persistent and potentially privileged access to production environments.
+While OIDC offers a more secure alternative, if the identity tokens are not properly validated or there are no strict conditions on token claims unauthorized users might exploit these weaknesses to gain access.
+Read More »
Long-lived Secrets refers to the use of sensitive NHIs such as API keys, tokens, encryption keys, and certificates with expiration dates that are too far in the future or that don’t expire at all.
+If a breached secret is long-lived, it provides attackers with access to sensitive services without any time constraints.
+Read More »
Environment isolation is a fundamental security practice in cloud application deployment, where separate environments are used for development, testing, staging, and production.
+NHIs are often utilized during the deployment process and throughout an application’s lifecycle. However, reusing the same NHIs across multiple environments—especially between testing and production—can introduce significant security vulnerabilities.
+Read More »
Reusing the same NHI across different applications, services, or components — even if they are deployed together — introduces significant security risks. If an NHI is compromised in one area, an attacker can exploit it to gain unauthorized access to other parts of the system that use the same credentials.
+Read More »
During application development and maintenance, developers or administrators may misuse NHIs for manual tasks that should be performed using individual human identities with appropriate privileges. This practice introduces significant security risks such as elevated privileges for NHIs, lack of auditing and accountability due to indistinguishable activity between humans and automation.
+Read More »
+
+
Project Road Map
-
Submission of project proposal (Now)
-
Reaching out to prominent contributors of the identity security space (Ongoing)
-
Mapping out top X risks
-
Data collection on chosen risks
+
Submission of project proposal ✓
+
Reaching out to prominent contributors of the identity security space ✓
+
Mapping out top risks ✓
+
Data collection on chosen risks ✓
A public survey co-operated with Cloud Security Alliance (CSA)
Data assessment on real-life environments and platforms
+
Public data collection of zero-day vulnerabilities
-
Aggregation of data and risk scoring
-
Final draft of the top 10 risks alongside above Documentation efforts
-
Round-table together with contributors and leaders to construct roadmap towards project review and graduation to a Lab project (~6 months after project inception)
+
Aggregation of data and risk scoring ✓
+
Final draft of the top 10 risks alongside above Documentation efforts (ongoing)
+
Round-table together with contributors and leaders to construct roadmap towards project review and graduation to a Lab project
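Review bot: punctuation in the ten new risk summaries is inconsistent and in places incomplete: the Secret Leakage lead sentence ends without a period ("...throughout the software development lifecycle"), the OIDC sentence needs a comma before its main clause ("no strict conditions on token claims, unauthorized users might exploit"), and dashes appear three different ways in adjacent blurbs ("leaked —for instance" with a space on one side, "compromised—whether" with none, "compromised — whether" with both); pick one style and apply it throughout. In the roadmap, the status convention is also mixed: finished items get "✓", the final-draft item gets "(ongoing)", the round-table item gets no marker at all, and its previous target "(~6 months after project inception)" was removed without a replacement; using one marker set (done / in progress / planned) for every item, and restating the round-table target if it still holds, would make the list self-explanatory. The newly added sub-item "Public data collection of zero-day vulnerabilities" sits under "Data collection on chosen risks ✓" next to two unchanged sub-items that carry no status, so it is unclear whether the parent's checkmark covers it.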