Putting the OWASP "Non-Human Identities Top 10" into practice
Jan 10, 2025
As we usher in 2025, Non-Human Identities (NHIs) such as service accounts, API keys, tokens, and workload identities present a more pressing risk than ever. In an era where agentic AI, copilots, and chatbots can make decisions, communicate, and act on behalf of humans, securing these entities is top of mind for security teams.
The Open Worldwide Application Security Project (OWASP) Foundation works to improve the security of software through its community-led open-source software projects. With hundreds of chapters worldwide, tens of thousands of members, and local and global conferences, OWASP provides community-driven thought leadership and practical guidance for security teams.
This year, OWASP has published the OWASP Non-Human Identities Top 10, a report that outlines the ten most pressing risks related to NHIs, ranked on exploitability, prevalence, detectability, and technical impact.
Putting the OWASP Non-Human Identities Top 10 into practice
The project delves into each of the 10 issues to provide a summary, possible scenarios, preventative measures that organizations can take, and references and data points from past breaches.
Along with an understanding of each of these issues, it is critical to understand the steps that security teams should take to mitigate the risks.
Improper Offboarding: Failing to revoke Non-Human Identities that are no longer needed, for example after the employee who owned them leaves or the workload they served is decommissioned, leaves dormant credentials behind that an attacker can still use.
To address this, organizations first need a comprehensive inventory of all their NHIs, including the scopes associated with each one and who owns it. The inventory should also show which permissions and keys are, or are not, actually being used. With that visibility, security teams can deactivate inactive service accounts, revoke unused keys, and assign or retire identities that no longer have an owner.
Secret Leakage: This can mean committing secrets to source code, storing them in plain text, or sending them in direct messages.
The first step in addressing this vulnerability is carefully monitoring how and where each secret is being used. If a secret is leaked and ends up in the hands of a bad actor, knowing every place it is used lets security teams scope the blast radius and revoke it everywhere at once. The other aspect is maintaining strict policies around secret handling, including scanning code and configuration before it is committed, to limit leakage in the first place.
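The following is an added example, not code from the OWASP project or from this article, of the kind of pre-commit secret scan the policy above implies. It combines two detection strategies: fixed-prefix patterns for well-known key formats (the AWS access key ID and GitHub classic token formats are real; the sample values are constructed, the AWS ones being the documentation examples) and a Shannon-entropy check on anything assigned to a secret-looking variable name. Each finding carries a short SHA-256 fingerprint instead of the secret itself, so the same leaked value can be correlated across repositories without the report re-leaking it. The variable-name keywords, the 4.0 entropy threshold, and the placeholder list are assumptions you would tune for your own code base.

```python
import hashlib
import math
import re
from dataclasses import dataclass
from typing import Iterable, List

# Well-known credential formats with fixed prefixes (low false-positive rate).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}

# Generic catch-all: a secret-looking name assigned a quoted literal of 12+ chars,
# e.g.  password = "..."   api_key: '...'   SECRET_TOKEN="..."   (keywords are an assumption)
ASSIGNMENT = re.compile(
    r"""(?i)\b(?P<name>[a-z0-9_.-]*(?:secret|password|passwd|token|api[_-]?key)[a-z0-9_.-]*)\s*[:=]\s*['"](?P<value>[^'"]{12,})['"]"""
)

# Values that look like secrets syntactically but are templates or placeholders (assumed list).
PLACEHOLDERS = {"changeme", "<redacted>", "placeholder", "example"}


def shannon_entropy(s: str) -> float:
    """Bits per character. Random keys score above 4; words and repeats score lower."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str
    fingerprint: str  # sha256 prefix: correlate one secret across repos without copying it into the report
    preview: str      # first 4 chars plus mask: enough to recognise, not enough to reuse


def _finding(line_no: int, kind: str, value: str) -> Finding:
    fp = hashlib.sha256(value.encode()).hexdigest()[:12]
    return Finding(line_no, kind, fp, value[:4] + "*" * (len(value) - 4))


def scan_lines(lines: Iterable[str], entropy_threshold: float = 4.0) -> List[Finding]:
    """Scan text lines (source, config, chat export) and return redacted findings."""
    findings: List[Finding] = []
    for line_no, line in enumerate(lines, start=1):
        seen = set()
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(line):
                seen.add(m.group(0))
                findings.append(_finding(line_no, kind, m.group(0)))
        m = ASSIGNMENT.search(line)
        if not m:
            continue
        value = m.group("value")
        if value in seen or value.startswith("${") or value.lower() in PLACEHOLDERS:
            continue  # already reported, a template reference, or a known placeholder
        if shannon_entropy(value) >= entropy_threshold:
            findings.append(_finding(line_no, "high_entropy_assignment", value))
    return findings


# Constructed sample input: a config fragment as it might appear in a commit.
SAMPLE_LINES = [
    'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',                          # AWS docs sample ID
    'aws_secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"',   # AWS docs sample secret
    'GITHUB_TOKEN="ghp_0123456789abcdefghijklmnopqrstuvwxyz"',              # token-shaped, constructed
    'db_password: "Xk9#mQ2$vL7@pR4!wN8^"',                                  # random-looking, constructed
    'DB_PASSWORD="${DB_PASSWORD}"',                                         # template reference, not a secret
    'api_key = "test-test-test-test"',                                      # low entropy, ignored
    'print("connecting to database")',
]

if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LINES):
        print(f"line {f.line_no}: {f.kind} fp={f.fingerprint} value={f.preview}")
```

Wire this into a pre-commit hook or a CI step, and feed the fingerprints into the same place you track secret usage, so a hit in a repository can be matched against the identity that owns the secret and rotated there.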
Vulnerable Third-Party NHI: The supply chain and third-party access are among the most vulnerable exposure points for many organizations. An insecure company within a supply chain, or a vendor with poor security practices, directly degrades the security posture of every organization it works with, because the NHIs it holds are a path into those organizations.
Addressing supply chain vulnerabilities is extremely complex and requires a multi-layered approach to security. The first step that organizations can take is to implement regular and careful monitoring of their NHIs, data, and systems, so that if their supply chain is compromised, they know quickly. That same monitoring is what makes it possible to trace the lateral movement a bad actor could attempt from the compromised third-party access.
Insecure Authentication: Inadequate authentication practices are a known risk, especially for human users. The threat is exacerbated by the rise of NHIs that have privileged access to sensitive data.
Securing authentication is one of the better-documented problems in this list. Developers can follow current standards and industry best practices, for example preferring short-lived, standards-based tokens and workload identity over long-lived static passwords and deprecated flows, in order to protect their organizations.
Overprivileged NHI: Permissions granted to NHIs are often elevated and rarely reviewed. To avoid friction, these entities are often granted more permissions than they require. This presents a considerable risk to organizations: if compromised, an overprivileged NHI can act as a 'golden ticket' for attackers to reach sensitive data.
Regularly auditing NHI permissions is critical. Security teams should turn to tools that surface scopes associated with each NHI, and flag which are unused. This allows them to rightsize permissions and ultimately reduce the potential blast radius.
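The following is an added example, not code from the OWASP project or from this article, of the audit that the Improper Offboarding and Overprivileged NHI sections above both call for. It runs over a constructed inventory of service accounts, each with its owner, granted scopes, issued keys, and the last time each key and scope was actually exercised (the kind of data you would pull from your cloud provider's credential reports and audit logs). It reports identities with no owner, identities with no activity in the inactivity window, individual keys that are stale, and for every live identity the scopes it can safely drop. The 90-day window, the scope names, and the account names are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set


@dataclass
class Key:
    key_id: str
    last_used: Optional[datetime]  # None = issued but never used


@dataclass
class ServiceAccount:
    name: str
    owner: Optional[str]           # None = nobody claims it (orphaned)
    granted: Set[str]              # scopes/permissions attached to the identity
    keys: List[Key]
    used_scopes: Dict[str, datetime] = field(default_factory=dict)  # scope -> last exercised, per audit logs


def last_activity(sa: ServiceAccount) -> Optional[datetime]:
    """Most recent sign of life across all keys and all exercised scopes."""
    stamps = [k.last_used for k in sa.keys if k.last_used] + list(sa.used_scopes.values())
    return max(stamps) if stamps else None


def audit(inventory: List[ServiceAccount], now: datetime,
          inactive_after: timedelta = timedelta(days=90)) -> dict:
    report = {"orphaned": [], "deactivate": [], "revoke_keys": [], "rightsize": {}}
    for sa in inventory:
        if sa.owner is None:
            report["orphaned"].append(sa.name)
        activity = last_activity(sa)
        if activity is None or now - activity > inactive_after:
            report["deactivate"].append(sa.name)
            continue  # the whole identity goes; no point trimming its scopes
        for k in sa.keys:
            if k.last_used is None or now - k.last_used > inactive_after:
                report["revoke_keys"].append(k.key_id)
        unused = {s for s in sa.granted
                  if s not in sa.used_scopes or now - sa.used_scopes[s] > inactive_after}
        if unused:
            report["rightsize"][sa.name] = {"keep": sorted(sa.granted - unused),
                                            "remove": sorted(unused)}
    return report


# Constructed inventory, dated to this post. Names, scopes and timestamps are made up.
NOW = datetime(2025, 1, 10, tzinfo=timezone.utc)


def _ago(**kw) -> datetime:
    return NOW - timedelta(**kw)


INVENTORY = [
    ServiceAccount("ci-deploy", "platform-team",
                   {"repo:read", "artifacts:write", "prod:deploy", "iam:admin"},
                   [Key("k1", _ago(days=2)), Key("k2", _ago(days=200))],
                   {"repo:read": _ago(days=1), "artifacts:write": _ago(days=1), "prod:deploy": _ago(days=3)}),
    ServiceAccount("legacy-reporting", None, {"db:read"},
                   [Key("k3", _ago(days=400))], {"db:read": _ago(days=400)}),
    ServiceAccount("metrics-collector", "sre", {"metrics:write"},
                   [Key("k4", _ago(days=1))], {"metrics:write": _ago(hours=1)}),
    ServiceAccount("batch-exporter", "data", {"s3:read", "s3:write"},
                   [Key("k5", _ago(days=10)), Key("k6", None)], {"s3:read": _ago(days=10)}),
]

if __name__ == "__main__":
    for section, items in audit(INVENTORY, NOW).items():
        print(section, items)
```

The distinction between deactivating an identity and rightsizing it matters in practice: a dormant identity is removed outright, while a live one keeps only the scopes it has demonstrably exercised, which is the rightsizing step the paragraph above describes.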
Insecure Cloud Deployment Configurations: CI/CD pipelines have contributed to the proliferation of NHIs, and they also present risk when pipeline credentials are hard-coded in code repositories or configuration files.
The most impactful way to mitigate this risk is to reduce reliance on static credentials. Organizations should move toward ephemeral credentials and just-in-time access. Though this may be a longer-term vision for many organizations, it is the most reliable way to eliminate the risk, since there is no long-lived credential left to expose. In the interim, security teams should keep close tabs on the activity associated with each authenticator, so that breaches are detected early and lateral movement and ransomware-style data encryption can be limited.
Long-Lived Secrets: Static credentials for NHIs, such as API keys or service account passwords, can pose a serious risk if not updated regularly.
Automated rotation, either on a policy-defined schedule or on demand, is key to addressing the risks associated with long-lived secrets. It can limit or thwart bad actors: if a credential or key falls into the wrong hands, rotation frequency can make the difference between a damaging breach and a close call. Regular rotation and the elimination of long-lived secrets are critical to reducing the attack surface of an organization.
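The following is an added example, not code from the OWASP project or from this article, that ties together the two preceding sections: ephemeral credentials instead of static ones, and policy-driven or on-demand rotation of the key that mints them. It implements a small HMAC-signed bearer token with a short expiry (a deliberately minimal stand-in for a standard format such as JWT) on top of a versioned key ring. Scheduled rotation keeps the previous key verifying only for a grace window; on-demand rotation after a suspected leak kills the old key immediately, so even unexpired tokens signed with it stop working. The token layout, the 15-minute TTL, the 24-hour rotation policy, and the 30-minute grace window are assumptions.

```python
import base64
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


@dataclass
class SigningKey:
    kid: str
    secret: bytes
    created: datetime
    retired_at: Optional[datetime] = None  # from this instant the key no longer verifies


class KeyRing:
    """Versioned signing keys with scheduled rotation, a grace window, and emergency revocation."""

    def __init__(self, now: datetime, max_age=timedelta(hours=24), grace=timedelta(minutes=30)):
        self.max_age, self.grace = max_age, grace
        self.keys: Dict[str, SigningKey] = {}
        self.current: Optional[str] = None
        self.rotate(now)

    def rotate(self, now: datetime, grace: Optional[timedelta] = None) -> str:
        """Mint a new current key; the old one keeps verifying only until now + grace."""
        if self.current is not None:
            self.keys[self.current].retired_at = now + (self.grace if grace is None else grace)
        kid = f"v{len(self.keys) + 1}"
        self.keys[kid] = SigningKey(kid, secrets.token_bytes(32), now)
        self.current = kid
        return kid

    def enforce_policy(self, now: datetime) -> bool:
        """Scheduled rotation: rotate once the current key is older than max_age."""
        if now - self.keys[self.current].created >= self.max_age:
            self.rotate(now)
            return True
        return False

    def revoke_current(self, now: datetime) -> str:
        """On-demand rotation after a suspected leak: no grace window for the old key."""
        return self.rotate(now, grace=timedelta(0))

    def issue(self, subject: str, scopes, now: datetime, ttl=timedelta(minutes=15)) -> str:
        key = self.keys[self.current]
        payload = {"sub": subject, "scp": scopes,
                   "iat": int(now.timestamp()), "exp": int((now + ttl).timestamp())}
        body = _b64(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
        sig = hmac.new(key.secret, f"{key.kid}.{body}".encode(), hashlib.sha256).hexdigest()
        return f"{key.kid}.{body}.{sig}"

    def verify(self, token: str, now: datetime):
        """Return (payload, 'ok') or (None, reason). Signature is checked before policy."""
        parts = token.split(".")
        if len(parts) != 3:
            return None, "malformed"
        kid, body, sig = parts
        key = self.keys.get(kid)
        if key is None:
            return None, "unknown-key"
        expected = hmac.new(key.secret, f"{kid}.{body}".encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return None, "bad-signature"
        if key.retired_at is not None and now >= key.retired_at:
            return None, "retired-key"
        payload = json.loads(_unb64(body))
        if now.timestamp() >= payload["exp"]:
            return None, "expired"
        return payload, "ok"


def demo() -> dict:
    """Walk the lifecycle with constructed timestamps; returns the verify() reason at each step."""
    t0 = datetime(2025, 1, 10, 9, 0, tzinfo=timezone.utc)
    ring, out = KeyRing(t0), {}
    tok = ring.issue("ci-deploy", ["artifacts:write"], t0)                  # 15-minute token
    out["fresh"] = ring.verify(tok, t0 + timedelta(minutes=5))[1]
    out["replayed_after_ttl"] = ring.verify(tok, t0 + timedelta(minutes=20))[1]  # stolen token is already dead
    tampered = tok[:-1] + ("0" if tok[-1] != "0" else "1")
    out["tampered"] = ring.verify(tampered, t0 + timedelta(minutes=5))[1]
    # Scheduled rotation: a token signed just before rotation survives only the grace window.
    t1 = t0 + timedelta(hours=24)
    long_tok = ring.issue("ci-deploy", ["repo:read"], t1 - timedelta(minutes=5), ttl=timedelta(hours=1))
    out["rotated"] = ring.enforce_policy(t1)
    out["old_key_in_grace"] = ring.verify(long_tok, t1 + timedelta(minutes=10))[1]
    out["old_key_after_grace"] = ring.verify(long_tok, t1 + timedelta(minutes=45))[1]
    # On-demand rotation after a suspected leak: the old key dies immediately.
    t2 = t1 + timedelta(hours=1)
    leaked = ring.issue("ci-deploy", ["repo:read"], t2, ttl=timedelta(hours=1))
    ring.revoke_current(t2 + timedelta(minutes=1))
    out["after_revoke"] = ring.verify(leaked, t2 + timedelta(minutes=2))[1]
    out["unknown_kid"] = ring.verify("v9." + tok.split(".", 1)[1], t0)[1]
    return out


if __name__ == "__main__":
    for step, reason in demo().items():
        print(f"{step:>22}: {reason}")
```

Two design points worth keeping when you replace this with a real token service: the key identifier travels with the token so old and new keys can overlap during rotation without downtime, and the retirement check is separate from expiry so an emergency revocation cuts off tokens that are otherwise still valid.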
Environment Isolation: Separating the environments used for development, testing, staging, and production is what lets organizations give customers and users a smooth, stable experience. However, the same secrets or NHIs are often used across these environments, which introduces risk wherever a lower-scrutiny environment shares credentials with one that holds sensitive data.
Companies should avoid re-using NHIs across environments, and should ensure that production environments always have distinct NHIs. This keeps anything touching sensitive customer data separately safeguarded, and prevents access from spilling over from environments that receive less scrutiny.
NHI Re-use: Often, teams will reuse service accounts or other NHIs to avoid friction. Rather than following multi-step IT processes to request a new service account, many teams will repurpose an existing identity. This makes it nearly impossible for IT and security teams to determine the blast radius of an NHI, and greatly increases the lateral movement available to a threat actor who compromises it.
Introducing best practices that reduce the re-use of NHIs, and raising internal awareness about the risks of service account abuse, is key. Beyond that, security teams should adopt tooling that tracks service account usage across systems, so they can spot usage outside the expected or approved scope.
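The following is an added example, not code from the OWASP project or from this article, covering both the Environment Isolation and NHI Re-use sections above. It takes a constructed approval registry (which environments and which consuming systems each service account is approved for) and a constructed stream of authentication events that also carry a credential fingerprint, and reports: identities nobody registered, identities used in an environment or by a consumer they were never approved for, production credentials that also show up in non-production, and a single credential shared under more than one identity name. A blast_radius helper then answers the question the NHI Re-use section says is otherwise nearly impossible: everything a given credential has touched. All names and fingerprints are made up.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

Event = Tuple[str, str, str, str]  # (identity, environment, consuming system, credential fingerprint)

# Constructed approval registry: the owner's declared intent for each NHI.
REGISTRY: Dict[str, Dict[str, set]] = {
    "svc-payments":     {"env": {"prod"},           "consumers": {"payments-api"}},
    "svc-payments-dev": {"env": {"dev", "staging"}, "consumers": {"payments-api", "integration-tests"}},
    "svc-etl":          {"env": {"prod"},           "consumers": {"etl-runner"}},
}

# Constructed auth events, as you might aggregate them from cloud audit logs.
EVENTS: List[Event] = [
    ("svc-payments",     "prod",    "payments-api",      "fp-a1"),
    ("svc-payments",     "dev",     "payments-api",      "fp-a1"),   # prod identity driven from dev
    ("svc-payments-dev", "dev",     "integration-tests", "fp-b2"),
    ("svc-payments-dev", "staging", "payments-api",      "fp-b2"),   # approved: non-prod shares one NHI
    ("svc-etl",          "prod",    "etl-runner",        "fp-c3"),
    ("svc-etl",          "prod",    "adhoc-notebook",    "fp-c3"),   # repurposed by another team
    ("svc-analytics",    "dev",     "dashboards",        "fp-c3"),   # same credential, different name, never registered
]


def audit_reuse(events: List[Event], registry: Dict[str, Dict[str, set]]) -> dict:
    findings = {"unregistered": set(), "env_violation": set(), "consumer_violation": set(),
                "prod_cred_in_nonprod": set(), "cred_shared_across_identities": set()}
    envs_by_fp, ids_by_fp = defaultdict(set), defaultdict(set)
    for ident, env, consumer, fp in events:
        envs_by_fp[fp].add(env)
        ids_by_fp[fp].add(ident)
        approved = registry.get(ident)
        if approved is None:
            findings["unregistered"].add(ident)
            continue
        if env not in approved["env"]:
            findings["env_violation"].add((ident, env))
        if consumer not in approved["consumers"]:
            findings["consumer_violation"].add((ident, consumer))
    # Credential-level checks catch reuse that identity names alone would hide.
    for fp, envs in envs_by_fp.items():
        if "prod" in envs and len(envs) > 1:
            findings["prod_cred_in_nonprod"].add(fp)
    for fp, ids in ids_by_fp.items():
        if len(ids) > 1:
            findings["cred_shared_across_identities"].add((fp, tuple(sorted(ids))))
    return {k: sorted(v) for k, v in findings.items()}


def blast_radius(events: List[Event], fingerprint: str) -> List[Tuple[str, str, str]]:
    """Every (identity, environment, consumer) a credential has been observed with."""
    return sorted({(i, e, c) for i, e, c, fp in events if fp == fingerprint})


if __name__ == "__main__":
    for section, items in audit_reuse(EVENTS, REGISTRY).items():
        print(section, items)
    print("blast radius of fp-c3:", blast_radius(EVENTS, "fp-c3"))
```

The credential fingerprint (a hash of the key material, never the key itself) is the important field: two teams can each believe they have their own service account while the underlying key is the same, and only a fingerprint-level view exposes that.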
Human Use of NHI: Finally, allowing human users to log in interactively to a service account and take actions as an NHI is a serious risk. When a human acts as a non-human entity there is no individual accountability, no tracking or session recording, and often excessive visibility or access.
Monitoring NHI usage allows security teams to detect instances where humans are logging in as NHIs. Instead, developers and admins should use dedicated human identities for testing or debugging, and a check-out process with session recording for any time a human genuinely needs to access a non-human account (i.e., break-glass scenarios).
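The following is an added example, not code from the OWASP project or from this article, of the detection described above, run over constructed JSON authentication log lines. A sign-in by a service account is treated as human use when it shows signals a workload should never produce: an interactive logon, a browser user agent, password authentication, or a source address in the workstation/VPN range. A hit is then matched against a break-glass check-out register, so an approved, recorded session is labelled with the human who checked the account out and anything else is flagged as unapproved. The log field names, the service account naming, the 192.168.50.0/24 workstation range, and the check-out entries are all assumptions.

```python
import ipaddress
import json
from datetime import datetime
from typing import List, Optional, Tuple

SERVICE_ACCOUNTS = {"svc-backup", "svc-deploy"}                    # assumed NHI inventory
WORKSTATION_NETS = [ipaddress.ip_network("192.168.50.0/24")]       # assumed office/VPN range

# Constructed break-glass register: (nhi, human, window start, window end), all UTC.
CHECKOUTS = [
    ("svc-deploy", "bob", "2025-01-10T13:00:00Z", "2025-01-10T14:00:00Z"),
]

# Constructed log lines in an assumed JSON schema.
SAMPLE_LOG = [
    '{"ts":"2025-01-10T08:59:12Z","principal":"svc-backup","method":"key","interactive":false,"src_ip":"10.20.0.15","user_agent":"aws-sdk-go/1.44"}',
    '{"ts":"2025-01-10T09:14:03Z","principal":"svc-backup","method":"password","interactive":true,"src_ip":"192.168.50.23","user_agent":"Mozilla/5.0"}',
    '{"ts":"2025-01-10T13:05:41Z","principal":"svc-deploy","method":"key","interactive":true,"src_ip":"192.168.50.40","user_agent":"OpenSSH_9.4"}',
    '{"ts":"2025-01-10T13:06:00Z","principal":"alice","method":"oidc","interactive":true,"src_ip":"192.168.50.40","user_agent":"Mozilla/5.0"}',
    '{"ts":"2025-01-10T15:30:00Z","principal":"svc-deploy","method":"key","interactive":false,"src_ip":"10.20.0.80","user_agent":"gh-actions-runner/2.3"}',
]


def parse_ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def human_signals(ev: dict) -> List[str]:
    """Reasons this service-account sign-in looks like a person rather than a workload."""
    reasons = []
    if ev.get("interactive"):
        reasons.append("interactive-logon")
    if ev.get("user_agent", "").startswith("Mozilla/"):
        reasons.append("browser-user-agent")
    if ev.get("method") == "password":
        reasons.append("password-auth")
    ip = ipaddress.ip_address(ev["src_ip"])
    if any(ip in net for net in WORKSTATION_NETS):
        reasons.append("workstation-network")
    return reasons


def approved_checkout(principal: str, ts: datetime, checkouts) -> Optional[str]:
    """The human who has this NHI checked out at time ts, if anyone."""
    for nhi, human, start, end in checkouts:
        if nhi == principal and parse_ts(start) <= ts <= parse_ts(end):
            return human
    return None


def classify(log_lines: List[str], checkouts=CHECKOUTS) -> List[Tuple[str, str, str, List[str]]]:
    """(ts, principal, verdict, reasons) for every service-account sign-in; human accounts are skipped."""
    results = []
    for line in log_lines:
        ev = json.loads(line)
        if ev["principal"] not in SERVICE_ACCOUNTS:
            continue
        reasons = human_signals(ev)
        if not reasons:
            verdict = "workload"
        else:
            human = approved_checkout(ev["principal"], parse_ts(ev["ts"]), checkouts)
            verdict = f"break-glass:{human}" if human else "human-use-unapproved"
        results.append((ev["ts"], ev["principal"], verdict, reasons))
    return results


if __name__ == "__main__":
    for ts, principal, verdict, reasons in classify(SAMPLE_LOG):
        print(ts, principal, verdict, ",".join(reasons))
```

The "human-use-unapproved" verdict is the alert; the "break-glass" verdict is the paper trail that the check-out process promises, and it should be joined to the session recording for that window rather than silently accepted.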