deploy: 6d4fc85

2025/9-nhi-reuse/index.html

@@ -800,7 +800,7 @@ <h3 id="references">References<a class="headerlink" href="#references" title="Pe
 </ul>
 <h3 id="data-points">Data Points<a class="headerlink" href="#data-points" title="Permanent link">&para;</a></h3>
 <ul>
-<li><strong>Cloud Vulnerability Database -</strong> Chronicle cross-customer bucket access</li>
+<li><strong>Cloud Vulnerability Database</strong> - Chronicle cross-customer bucket access</li>
 <li><strong>CSA NHI Report</strong> - 14% of organizations need consumer identification as the most important capability of an NHI tool. (11/16)</li>
 <li><strong>Recent Breach</strong> - .env file Breach - <a href="https://medium.com/@ronilichtman/large-scale-extortion-via-secrets-in-env-files-why-secret-vaults-just-arent-enough-9b4c568724ca">link</a></li>
 </ul>

2025/methodology-and-data/index.html

@@ -816,36 +816,68 @@ <h2 id="overview">Overview<a class="headerlink" href="#overview" title="Permanen
 <h3 id="data-sources">Data Sources<a class="headerlink" href="#data-sources" title="Permanent link">&para;</a></h3>
 <p>The following sources were identified and utilized:</p>
 <ol>
-<li><strong>Recent Breaches</strong>: A compilation of <a href="https://docs.google.com/document/d/18Bu2ixzbxWFP-OBt7ZeOojBsOQ9daqUc8jw6uETbOO0/edit?tab=t.f6ika6u9gf17#heading=h.m5vxaikeuzj1">high-profile breaches</a> from the past 3 years involving Non-Human Identity (NHI) abuse at one or more stages of the attack.</li>
-<li><strong>CVE Scores</strong>: Publicly available vulnerabilities from the <a href="https://nvd.nist.gov">NVD</a> (National Vulnerability Database) were analyzed, using CVSS severity scores as a key metric.</li>
-<li><strong>Survey Data</strong>: Surveys highlighting pressing issues in the NHI domain were compiled into data points supporting criteria ranking for each risk. These included:</li>
+<li>
+<p><strong>Recent Breaches</strong>: A compilation of <a href="https://docs.google.com/document/d/18Bu2ixzbxWFP-OBt7ZeOojBsOQ9daqUc8jw6uETbOO0/edit?tab=t.f6ika6u9gf17#heading=h.m5vxaikeuzj1">high-profile breaches</a> from the past 3 years involving Non-Human Identity (NHI) abuse at one or more stages of the attack.</p>
+</li>
+<li>
+<p><strong>CVE Scores</strong>: Publicly available vulnerabilities from the <a href="https://nvd.nist.gov">NVD</a> (National Vulnerability Database) were analyzed, using CVSS severity scores as a key metric.</p>
+</li>
+<li>
+<p><strong>Survey Data</strong>: Surveys highlighting pressing issues in the NHI domain were compiled into data points supporting criteria ranking for each risk. These included:</p>
+</li>
 <li>Datadog's State of Cloud Security (2022, <a href="https://www.datadoghq.com/state-of-cloud-security-2023/">2023</a>, and <a href="https://www.datadoghq.com/state-of-cloud-security/">2024</a>)</li>
 <li>CSA NHI Report (<a href="https://cloudsecurityalliance.org/artifacts/state-of-non-human-identity-security-survey-report">2024</a>)</li>
 <li>Verizon's Data Breach Investigations Report (DBIR, <a href="https://www.verizon.com/business/resources/reports/2024-dbir-data-breach-investigations-report.pdf">2024</a>)</li>
 </ol>
 <h2 id="methodology">Methodology<a class="headerlink" href="#methodology" title="Permanent link">&para;</a></h2>
 <h3 id="initial-drafting">Initial Drafting<a class="headerlink" href="#initial-drafting" title="Permanent link">&para;</a></h3>
-<p>The project team initially drafted 12 risks within the Non-Human Identity security domain. This process involved consultation with:
-- Prominent community figures
-- Vulnerability databases
-- Publicly available incident reports</p>
+<p>The project team initially drafted 12 risks within the Non-Human Identity security domain. This process involved consultation with:</p>
+<ul>
+<li>
+<p>Prominent community figures</p>
+</li>
+<li>
+<p>Vulnerability databases</p>
+</li>
+<li>
+<p>Publicly available incident reports</p>
+</li>
+</ul>
 <p>Only issues reported within the past three years were considered. Each identified risk was documented with a description, example attacks, and relevant references. The initial draft was shared publicly for review and feedback.</p>
 <h3 id="data-collection">Data Collection<a class="headerlink" href="#data-collection" title="Permanent link">&para;</a></h3>
 <p>In the second phase, the team began collecting and reviewing publicly available data. The collected data was matched to specific data points for each risk, ensuring comprehensive coverage.</p>
 <h3 id="criteria-and-ranking-methodology">Criteria and Ranking Methodology<a class="headerlink" href="#criteria-and-ranking-methodology" title="Permanent link">&para;</a></h3>
-<p>The team convened to discuss and finalize the ranking methodology. The following criteria were selected as the most relevant metrics:
-- <strong>Exploitability</strong>
-- <strong>Detectability</strong>
-- <strong>Prevalence</strong>
-- <strong>Technical Impact</strong></p>
+<p>The team convened to discuss and finalize the ranking methodology. The following criteria were selected as the most relevant metrics:</p>
+<ul>
+<li>
+<p><strong>Exploitability</strong></p>
+</li>
+<li>
+<p><strong>Detectability</strong></p>
+</li>
+<li>
+<p><strong>Prevalence</strong></p>
+</li>
+<li>
+<p><strong>Technical Impact</strong></p>
+</li>
+</ul>
 <p>Terminology was aligned with these criteria (see <a href="../ranking-criteria/">Ranking Criteria</a> for details).</p>
 <h3 id="risk-ranking">Risk Ranking<a class="headerlink" href="#risk-ranking" title="Permanent link">&para;</a></h3>
 <p>Each contributor was assigned specific risks to evaluate. The team ranked each risk according to the collected data points and aligned them with the chosen terminology. This work resulted in an initial draft of the OWASP NHI Top-10.</p>
 <h3 id="validation-and-finalization">Validation and Finalization<a class="headerlink" href="#validation-and-finalization" title="Permanent link">&para;</a></h3>
-<p>The draft rankings were shared publicly, and the team held review meetings to:
-- Validate consistency across risks
-- Ensure alignment with terminology
-- Confirm that scores were supported by the collected data points</p>
+<p>The draft rankings were shared publicly, and the team held review meetings to:</p>
+<ul>
+<li>
+<p>Validate consistency across risks</p>
+</li>
+<li>
+<p>Ensure alignment with terminology</p>
+</li>
+<li>
+<p>Confirm that scores were supported by the collected data points</p>
+</li>
+</ul>
 <p>In the final phase, the team assigned weights to each criterion based on its impact on risk severity. Terminology values were converted into numerical scores, and a weighted average was calculated for each risk. This process produced the <a href="https://docs.google.com/spreadsheets/d/1pAOrTpD-3tRzCUqLhfTuMkN_SbhIjC7Icvf6vqqYOOU/edit?gid=0#gid=0">final risk scores</a>.</p>
 
 

404.html

@@ -695,7 +695,7 @@ <h2>Corporate Supporters</h2>
       </ul>
     </nav>
     <p class="disclaimer">
-      OWASP, the OWASP logo, and Global AppSec are registered trademarks and AppSec Days, AppSec California, AppSec Cali, SnowFROC, and LASCON are trademarks of the OWASP Foundation, Inc. Unless otherwise specified, all content on the site is Creative Commons Attribution-ShareAlike v4.0 and provided without warranty of service or accuracy. For more information, please refer to our <a href="/www-policy/operational/general-disclaimer.html">General Disclaimer</a>. OWASP does not endorse or recommend commercial products or services, allowing our community to remain vendor neutral with the collective wisdom of the best minds in software security worldwide. Copyright 2025, OWASP Foundation, Inc.
+      OWASP, the OWASP logo, and Global AppSec are registered trademarks and AppSec Days, AppSec California, AppSec Cali, SnowFROC, OWASP Boston Application Security Conference, and LASCON are trademarks of the OWASP Foundation, Inc. Unless otherwise specified, all content on the site is Creative Commons Attribution-ShareAlike v4.0 and provided without warranty of service or accuracy. For more information, please refer to our <a href="/www-policy/operational/general-disclaimer.html">General Disclaimer</a>. OWASP does not endorse or recommend commercial products or services, allowing our community to remain vendor neutral with the collective wisdom of the best minds in software security worldwide. Copyright 2025, OWASP Foundation, Inc.
     </p>
   </section>
 </footer>

assets/sitedata/menus.json

@@ -114,8 +114,18 @@
 				{
 					"title": "OWASP SnowFROC 2025",
 					"url": "https://snowfroc.com/",
+					"opentab": "true"	
+				},
+				{
+					"title": "OWASP Boston Application Security Conference 2025",
+					"url": "https://basconf.org/",
 					"opentab": "true"				
 				},
+				{
+					"title": "OWASP AppSec Israel 2025",
+					"url": "https://appsecil.org/?utm_source=owasp-web&utm_medium=event-page&utm_campaign=none",
+					"opentab": "true"					
+				},
 				{
 					"title": "OWASP LASCON 2025",
 					"url": "https://lascon.org/",

index.html

@@ -1079,7 +1079,7 @@ <h2>Corporate Supporters</h2>
       </ul>
     </nav>
     <p class="disclaimer">
-      OWASP, the OWASP logo, and Global AppSec are registered trademarks and AppSec Days, AppSec California, AppSec Cali, SnowFROC, and LASCON are trademarks of the OWASP Foundation, Inc. Unless otherwise specified, all content on the site is Creative Commons Attribution-ShareAlike v4.0 and provided without warranty of service or accuracy. For more information, please refer to our <a href="/www-policy/operational/general-disclaimer.html">General Disclaimer</a>. OWASP does not endorse or recommend commercial products or services, allowing our community to remain vendor neutral with the collective wisdom of the best minds in software security worldwide. Copyright 2025, OWASP Foundation, Inc.
+      OWASP, the OWASP logo, and Global AppSec are registered trademarks and AppSec Days, AppSec California, AppSec Cali, SnowFROC, OWASP Boston Application Security Conference, and LASCON are trademarks of the OWASP Foundation, Inc. Unless otherwise specified, all content on the site is Creative Commons Attribution-ShareAlike v4.0 and provided without warranty of service or accuracy. For more information, please refer to our <a href="/www-policy/operational/general-disclaimer.html">General Disclaimer</a>. OWASP does not endorse or recommend commercial products or services, allowing our community to remain vendor neutral with the collective wisdom of the best minds in software security worldwide. Copyright 2025, OWASP Foundation, Inc.
     </p>
   </section>
 </footer>