The Open Worldwide Application Security Project (OWASP) has made a groundbreaking move by publishing its inaugural “Non-Human Identities (NHI) Top 10” list, aimed at identifying the primary security risks associated with non-human digital identities like service accounts, API keys, and machine credentials. This initiative is specifically designed to address the unique security challenges that have emerged with the increasing reliance on automated systems, applications, and cloud-based infrastructure. Highlighting the vulnerabilities and providing actionable mitigation strategies marks a significant step in enhancing cybersecurity in an era dominated by digital automation.
Understanding Non-Human Identities
As companies transition more and more into automated environments, there has been a notable surge in non-human digital identities. Typically, organizations now possess between 10 to 50 times more NHIs than human counterparts. This dramatic increase has significantly broadened the attack surface for potential cyber threats, amplifying the urgency to secure these digital identities effectively. Non-human identities include service accounts, API keys, machine credentials, and various automation tools, all of which, if compromised, can lead to severe security breaches.
OWASP’s NHI Top 10 list aims to bring attention to these escalating risks and guide organizations on how to mitigate them. High-profile breaches in recent years involving NHIs have highlighted the inadequacies of traditional cybersecurity measures, which were primarily designed for human users. As automated entities grow in complexity and scope, the need for specialized security frameworks becomes increasingly apparent. The publication serves to educate organizations on the critical importance of adapting their security strategies to protect against these new-age threats.
Primary Risks and Mitigations
The OWASP NHI Top 10 list identifies a wide array of security risks and offers detailed mitigation strategies. One of the most prominent risks is improper offboarding, where inactive NHI credentials are not deactivated in a timely manner. Often, organizations fail to update their systems to remove these credentials after the retirement of applications, services, or automated workflows. As a result, these orphaned accounts become easy targets for attackers seeking unauthorized access. Standardized and automated deactivation processes are key to mitigating this risk, alongside regular audits of active NHIs to ensure all credentials are accounted for and correctly managed.
Another critical risk highlighted in the list is secret leakage. Sensitive credentials such as API keys and tokens often get exposed through code repositories, configuration files, or Continuous Integration/Continuous Deployment (CI/CD) pipelines. This makes them highly susceptible to theft and misuse by malicious actors. To combat secret leakage, organizations should adopt the use of ephemeral credentials, employ secret management tools, and automate the detection and rotation of keys. By implementing these measures, the risk of sensitive information exposure can be significantly reduced, thereby strengthening overall security.
Third-Party and Authentication Risks
Vulnerable third-party NHIs represent a considerable risk due to the elevated permissions typically required by third-party integrations, such as plugins or Software as a Service (SaaS) applications. These elevated permissions make third-party NHIs attractive targets for attackers. As a mitigation strategy, organizations are encouraged to thoroughly vet third-party vendors, limit their permissions to the minimum necessary, and monitor third-party behaviors closely. Regularly rotating credentials for third-party NHIs can further enhance security, reducing the potential impact of any compromise.
Insecure authentication remains a persistent risk, especially with the continued use of legacy or insecure authentication methods such as static credentials and outdated protocols. Transitioning to modern authentication protocols, like OAuth 2.1 and OpenID Connect (OIDC), is essential to mitigate these risks. These newer protocols offer enhanced security features that better protect against unauthorized access attempts. Phasing out outdated mechanisms and adopting robust, contemporary authentication methods can help organizations maintain a higher level of security for their NHIs.
Overprivileged NHIs and Cloud Deployment
Overprivileged NHIs pose a severe risk, as granting NHIs excessive permissions violates the principle of least privilege. In the event of a compromise, the damage potential can be significantly increased if the compromised NHI holds more permissions than necessary. To mitigate this risk, organizations should enforce the principle of least privilege rigorously, conduct regular permission audits, and adopt Just-in-Time (JIT) access policies. These measures can help ensure that NHIs only have the access they require for their specific functions, limiting the scope of potential security breaches.
Insecure cloud deployment configurations also contribute to the overall risk of security breaches. Misconfigured CI/CD pipelines and cloud environments, resulting in hard-coded credentials and improperly stored secrets, are common causes for concern. Moving towards dynamically generated tokens, securing CI/CD pipelines, and leveraging credential management tools such as AWS Secrets Manager are essential steps in mitigating these risks. By addressing these weak points in cloud deployment configurations, organizations can better protect their NHIs from potential exploitation.
Addressing Long-Lived Secrets
Long-lived secrets, or static credentials with extended expiration periods, present another significant risk. These credentials offer attackers a prolonged window of opportunity to exploit them if they become compromised. To mitigate this risk, organizations should adopt strategies such as frequent rotation of keys, using short-lived credentials, and embracing zero-trust principles. These measures help reduce the potential duration and impact of any compromise by ensuring that credentials are regularly refreshed and less likely to be exploitable.
Environment isolation is another critical component of a robust security strategy. Weak separation between development, testing, and production environments increases the risk of cascading failures if a breach occurs. Enforcing strict isolation policies and implementing environment-specific access controls are fundamental steps to prevent cross-environment compromise. Additionally, avoiding the reuse of credentials across multiple applications or environments is imperative to minimize security risks, with unique NHIs assigned to each context for better control and monitoring.
Ensuring Proper Use
Improper use of NHIs by humans also poses significant security risks. When developers or administrators misuse NHIs designed for automated processes, it complicates activity monitoring and raises the potential for insider threats. Organizations must prohibit human use of NHIs and implement close monitoring of NHI activity. It is also essential to raise awareness among developers and administrators about the associated risks and best practices for managing NHIs. Educating staff on the correct usage and monitoring protocols can help reduce the likelihood of misuse and improve overall security posture.
Continuous Improvement
The Open Worldwide Application Security Project (OWASP) has taken a groundbreaking step by releasing its first-ever “Non-Human Identities (NHI) Top 10” list. This list aims to pinpoint the main security threats linked to non-human digital identities, such as service accounts, API keys, and machine credentials. The initiative is tailored to tackle the unique security issues that have surfaced due to the growing dependency on automated systems, applications, and cloud-based infrastructure. By identifying these vulnerabilities and offering actionable mitigation strategies, OWASP is making a substantial contribution to strengthening cybersecurity in a time dominated by digital automation. This move is crucial as it addresses the complexities and risks brought about by the increasing integration of automation and machine identities in our systems. As organizations continue to adopt these technologies, having a clear understanding of potential security pitfalls and how to counteract them becomes more critical than ever.
