OWASP Non-Human Identities Top 10
We’re thrilled to introduce the OWASP Non-Human Identities Top 10 for 2025!
This comprehensive list highlights the most critical challenges in integrating Non-Human Identities (NHIs) into the development lifecycle, ranked based on exploitability, prevalence, detectability, and impact.
What is Non-Human Identities top 10?
The Non-human identity (NHI) top 10 is a comprehensive list of the most pressing security risks and vulnerabilities that non-human identities present to organizations.
Non-human identities are prevalent in usage for facilitating creation of applications by developers, and the project is aimed at helping security professionals thoroughly understand their non-human attack surface, so they can better protect and manage it. The project spans across thoroughly explaining the risks and their potential exploits, as well as providing actionable prevention practices and incident response playbooks.
NHI Top 10 - 2025 - A sneak peak
Improper offboarding refers to the inadequate deactivation or removal of non-human identities (NHIs) such as service accounts and access keys when they are no longer needed. Unmonitored and deprecated services may remain vulnerable, and their associated NHIs can be exploited by attackers to gain unauthorized access to sensitive systems and data. Read More »
Secret Leakage refers to the leakage of sensitive NHIs such as API keys, tokens, encryption keys, and certificates to unsanctioned data stores throughout the software development lifecycle When secrets are leaked —for instance, hard-coded into source code, stored in plain text configuration files, or sent over public chat applications —they become susceptible to exposure. Read More »
Third-party non-human identities (NHIs) are extensively integrated into the development workflow, both through the use of integrated development environments (IDEs) and their extensions and also through the use of 3rd party SaaS. If a third-party extension is compromised—whether through a security vulnerability or a malicious update—it can be exploited to steal these credentials or misuse the granted permissions. Read More »
Developers frequently integrate internal and external (third-party) services into their applications. These services require access to resources within these systems, necessitating authentication credentials. However, some authentication methods are deprecated, vulnerable to known attacks, or considered weak due to outdated security practices. Utilizing insecure or obsolete authentication mechanisms can expose organizations to significant risks. Read More »
During application development and maintenance, developers or administrators may assign NHIs with significantly more privileges than required for their function. When an over-privileged NHI is compromised — whether through vulnerabilities in the application, malware, or other security breaches — attackers can exploit the excessive permissions. Read More »
Continuous Integration and Continuous Deployment (CI/CD) applications enable developers to automate the process of building, testing, and deploying code to production environments. These integrations often require authentication with cloud services, typically achieved using static credentials or OpenID Connect (OIDC). Static credentials can be inadvertently exposed through code repositories, logs, or configuration files. If compromised, these credentials can provide attackers with persistent and potentially privileged access to production environments. While OIDC offers a more secure alternative, if the identity tokens are not properly validated or there are no strict conditions on token claims unauthorized users might exploit these weaknesses to gain access. Read More »
Long-lived Secrets refers to the use of sensitive NHIs such as API keys, tokens, encryption keys, and certificates with expiration dates that are too far in the future or that don’t expire at all. If a breached secret is long-lived, it provides attackers with access to sensitive services without any time constraints. Read More »
Environment isolation is a fundamental security practice in cloud application deployment, where separate environments are used for development, testing, staging, and production. NHIs are often utilized during the deployment process and throughout an application’s lifecycle. However, reusing the same NHIs across multiple environments—especially between testing and production—can introduce significant security vulnerabilities. Read More »
Reusing the same NHI across different applications, services, or components — even if they are deployed together — introduces significant security risks. If an NHI is compromised in one area, an attacker can exploit it to gain unauthorized access to other parts of the system that use the same credentials. Read More »
During application development and maintenance, developers or administrators may misuse NHIs for manual tasks that should be performed using individual human identities with appropriate privileges. This practice introduces significant security risks such as elevated privileges for NHIs, lack of auditing and accountability due to indistinguishable activity between humans and automation. Read More »
Project Road Map
- Submission of project proposal ✓
- Reaching out to prominent contributors of the identity security space ✓
- Mapping out top risks ✓
- Data collection on chosen risks ✓
- A public survey co-operated with Cloud Security Alliance (CSA)
- Data assessment on real-life environments and platforms
- Public data collection of zero-day vulnerabilities
- Aggregation of data and risk scoring ✓
- Final draft of the top 10 risks alongside above Documentation efforts (ongoing)
- Round-table together with contributors and leaders to construct roadmap towards project review and graduation to a Lab project
How to contribute
Involvement in the development and promotion of OWASP Non-Human Identities Top 10 is actively encouraged! You do not have to be a security expert in order to contribute.
Here are some ways you can help:
- We are looking for organizations and individuals that will provide vulnerability prevalence data
- Translate the top 10 to non-English languages
- Review, critique and suggest improvements to the Top 10 list
- Star the GitHub Project
- Contribute real world examples to categories in the Top 10 list
- Add your Success Story - tell us and the world how you’re using the Top 10 list
Individuals and organizations that provide a significant contribution to the project will be listed on the acknowledgments page.
How to reach out:
- Give us feedback / suggestions / report bugs on GitHub
- Join our email group
- Contact the project leads
- Talk to us on Slack (#non-human-identities-top-10)
Got an idea?
Got any ideas on how to make this project better? These guidelines will help with how to get involved:
- Join the conversation on email or Slack to find collaborators or see if others have a similar interest.
- Search the project’s GitHub issues for related proposals. Found one? Join it!
- If you haven’t found a relevant issue, create one! Clearly specify why your proposal is important and which changes are proposed. Advertise your proposal to others to find collaborators.
Getting Started with your first Pull Request
A Pull Request (PR) can be created by following these steps.
Remember to:
- Fork the repository.
- Create an initial draft implementing your proposal and submit it for review as a PR. Don’t let perfect be the enemy of good.
- Advertise your proposal to others and ask for reviews.
- Once your PR is merged, continue to submit PRs to fine-tune and improve on previous versions.
- Congrats and thank you!
Contributors
Individuals that provided a significant contribution to the project:
| Name | Affiliation | Contact |
|---|---|---|
| Roni Lichtman | Torch Security | Twitter LinkedIn |
| Tal Skverer | Astrix Security | |
| Or Cohen | - | |
| Idan Basre | - | |
| Amir Benvenisti | - | |
| Dor Dali | Cyolo | |
| Jack Schofield | Snyk |