Understanding OWASP’s Top 10 list of non-human identity critical risks


Mitigations

OWASP recommends specific mitigations in addition to those discussed above, including strict environment isolation for NHIs, applying the principle of least privilege, enforcing environment-specific access controls, and segregating infrastructure for sensitive resources. Again, the theme is containing systemic impact by confining it to specific environments through these controls and measures.

NHI risk No. 9: Reusing NHIs

Credential reuse is something practitioners have long cautioned against, and that caution has made its way into various compliance frameworks, best-practice guides, and more. So it is unsurprising to see it listed here as a risk factor for NHIs.

(Table image: OWASP)

As the table above mentions, tailoring granular permissions for each NHI can be complicated, so organizations may default to reusing NHIs with broad permissions. This makes them compelling targets, with widespread impact if one is compromised.

OWASP discusses how NHIs, such as service accounts, API keys, and machine credentials, are fundamental to modern applications, services, authentication, and authorization.

Suppose an organization reuses NHIs across several applications and services. In that case, the potential impact is significant: it can enable vulnerability and attack chaining, with widespread impact for the organization if one of the reused NHIs is compromised, especially if that NHI is overprivileged (NHI5) or environment isolation is lacking (NHI8).

OWASP provides examples such as reusing Kubernetes service accounts, sharing API keys between applications, and reusing cloud credentials such as AWS IAM Roles across different services and resources.

Mitigations

To mitigate these risks, OWASP recommends assigning unique NHIs to each application, service, and environment, enforcing the principle of least privilege, and auditing and reviewing the use of NHIs.

NHI risk No. 10: Human use of NHI

NHIs, such as service accounts, API tokens, workload identities, and secrets, enable programmatic access to applications and services. That said, as OWASP discusses, it isn’t uncommon for developers or users to misuse NHIs for manual tasks rather than the automated activities and workflows they were intended for.

(Image: OWASP)

This poses several risks: human activity can be mistaken for programmatic activity, which limits auditing and monitoring and can mask the actions of benign insiders, malicious insiders, and, most notably, external attackers.

OWASP cites example scenarios such as administrators using service account credentials, developers executing commands with NHIs, sharing API tokens among team members, and even attackers leveraging NHIs for persistence.

Mitigations

The final set of mitigations, for the last risk in the OWASP NHI Top 10, involves using dedicated identities, auditing and monitoring NHI activity (one we’ve seen several times), using context-aware access controls, and educating developers and administrators on the risk of human use of NHIs. These measures provide technical and cultural controls to limit the human use of NHIs and their associated risks.
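As an added example (not from the article or from OWASP), the following Python script runs two of the audit checks the NHI9 and NHI10 mitigations call for over constructed, CloudTrail-style audit events: it flags any NHI used by more than one application or environment (reuse) and any NHI activity whose client or network origin looks interactive (human use). The event fields, the workload network range, and the user-agent markers are assumptions for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample audit events in a CloudTrail-like shape (not real data).
EVENTS = [
    {"nhi": "svc-ci-runner-key", "app": "ci-runner", "env": "prod",
     "event": "GetObject", "ua": "aws-sdk-go/1.44", "ip": "10.0.1.5"},
    {"nhi": "svc-ci-runner-key", "app": "ci-runner", "env": "prod",
     "event": "PutObject", "ua": "aws-sdk-go/1.44", "ip": "10.0.1.5"},
    # Same key used by a different app in a different environment (NHI9 reuse).
    {"nhi": "svc-ci-runner-key", "app": "billing-api", "env": "dev",
     "event": "GetObject", "ua": "aws-sdk-go/1.44", "ip": "10.0.9.2"},
    # Browser user agent from outside the workload network (NHI10 human use).
    {"nhi": "svc-reporting-key", "app": "reporting", "env": "prod",
     "event": "ListBuckets", "ua": "Mozilla/5.0 (console)", "ip": "203.0.113.8"},
    {"nhi": "svc-reporting-key", "app": "reporting", "env": "prod",
     "event": "ListBuckets", "ua": "aws-sdk-python/1.34", "ip": "10.0.2.7"},
]

WORKLOAD_NETWORKS = [ip_network("10.0.0.0/8")]  # assumed: where automation runs
HUMAN_UA_MARKERS = ("Mozilla/", "console")        # assumed heuristic markers


def find_reused_nhis(events):
    """NHI9: map each NHI seen in more than one app or env to its (app, env) pairs."""
    usage = defaultdict(set)
    for e in events:
        usage[e["nhi"]].add((e["app"], e["env"]))
    return {nhi: sorted(pairs) for nhi, pairs in usage.items()
            if len({a for a, _ in pairs}) > 1 or len({v for _, v in pairs}) > 1}


def find_human_use(events):
    """NHI10: return events whose client or network origin looks interactive."""
    findings = []
    for e in events:
        reasons = []
        if any(m in e["ua"] for m in HUMAN_UA_MARKERS):
            reasons.append("interactive user agent")
        if e["event"] == "ConsoleLogin":
            reasons.append("console login")
        if not any(ip_address(e["ip"]) in net for net in WORKLOAD_NETWORKS):
            reasons.append("source outside workload networks")
        if reasons:
            findings.append({"nhi": e["nhi"], "event": e["event"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for nhi, pairs in find_reused_nhis(EVENTS).items():
        print(f"[NHI9] {nhi} reused across {pairs}")
    for f in find_human_use(EVENTS):
        print(f"[NHI10] {f['nhi']} {f['event']}: {', '.join(f['reasons'])}")
```

In practice the same two functions would be fed from a SIEM export or CloudTrail query, with the network ranges and agent markers tuned to the organization's own automation.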
