OWASP Top 10 Non-Human Identities Risks - 2025

NHI1:2025 Improper Offboarding
Improper offboarding refers to the inadequate deactivation or removal of non-human identities (NHIs) such as service accounts and access keys when they are no longer needed. Unmonitored and deprecated services may remain vulnerable, and their associated NHIs can be exploited by attackers to gain unauthorized access to sensitive systems and data.
NHI2:2025 Secret Leakage
Secret Leakage refers to the leakage of sensitive NHIs such as API keys, tokens, encryption keys, and certificates to unsanctioned data stores throughout the software development lifecycle. When secrets are leaked — for instance, hard-coded into source code, stored in plain text configuration files, or sent over public chat applications — they become susceptible to exposure.
NHI3:2025 Vulnerable Third-Party NHI
Third-party non-human identities (NHIs) are extensively integrated into the development workflow, both through integrated development environments (IDEs) and their extensions and through third-party SaaS. If a third-party extension is compromised—whether through a security vulnerability or a malicious update—it can be exploited to steal these credentials or misuse the granted permissions.
NHI4:2025 Insecure Authentication
Developers frequently integrate internal and external (third-party) services into their applications. These services require access to resources within these systems, necessitating authentication credentials. However, some authentication methods are deprecated, vulnerable to known attacks, or considered weak due to outdated security practices. Utilizing insecure or obsolete authentication mechanisms can expose organizations to significant risks.
NHI5:2025 Overprivileged NHI
During application development and maintenance, developers or administrators may assign NHIs significantly more privileges than their function requires. When an over-privileged NHI is compromised — whether through vulnerabilities in the application, malware, or other security breaches — attackers can exploit the excessive permissions.
NHI6:2025 Insecure Cloud Deployment Configurations
Continuous Integration and Continuous Deployment (CI/CD) applications enable developers to automate the process of building, testing, and deploying code to production environments. These integrations often require authentication with cloud services, typically achieved using static credentials or OpenID Connect (OIDC). Static credentials can be inadvertently exposed through code repositories, logs, or configuration files. If compromised, these credentials can provide attackers with persistent and potentially privileged access to production environments. While OIDC offers a more secure alternative, if the identity tokens are not properly validated, or if there are no strict conditions on token claims, unauthorized users might exploit these weaknesses to gain access.
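As an added example (not part of the OWASP list), the following Python shows the claim checks NHI6 calls for: a weak policy that only pins the token audience beside a strict one that also pins the issuer and the subject (repository and branch). The claim values and token contents are constructed, and the token's signature is assumed to have been verified already by a JWT library.

```python
# Added example: enforcing strict conditions on OIDC token claims before a
# CI/CD job may assume a cloud role. Signature verification is assumed done
# elsewhere; only the claim conditions themselves are shown.
import fnmatch
import time

# Constructed claims, modelled on what a CI provider's OIDC token carries.
TOKEN_FROM_MAIN = {
    "iss": "https://ci.example-provider.test",          # hypothetical issuer
    "aud": "sts.example-cloud",                         # hypothetical audience
    "sub": "repo:example-org/payments:ref:refs/heads/main",
    "exp": 4102444800,  # far-future expiry so the sample stays valid offline
}
# Same audience, but minted for a different repository / a pull-request run.
TOKEN_FROM_OTHER_REPO = dict(TOKEN_FROM_MAIN, sub="repo:other-org/payments:ref:refs/heads/main")
TOKEN_FROM_PR = dict(TOKEN_FROM_MAIN, sub="repo:example-org/payments:pull_request")

# Weak policy: checks only the audience, so any workflow anywhere that
# requests this audience is trusted (the NHI6 weakness).
WEAK_POLICY = {"aud": "sts.example-cloud"}

# Strict policy: pins issuer and audience and restricts 'sub' to one
# repository and branch. Values are matched as glob patterns, so a
# deliberately broader condition such as "repo:example-org/*" is possible.
STRICT_POLICY = {
    "iss": "https://ci.example-provider.test",
    "aud": "sts.example-cloud",
    "sub": "repo:example-org/payments:ref:refs/heads/main",
}


def claims_allowed(claims, policy, now=None):
    """Return True only if the token is unexpired and every policy condition matches."""
    now = time.time() if now is None else now
    exp = claims.get("exp")
    # A token without a bounded lifetime is never accepted (cf. NHI7).
    if not isinstance(exp, (int, float)) or exp <= now:
        return False
    for claim, pattern in policy.items():
        value = claims.get(claim)
        if not isinstance(value, str) or not fnmatch.fnmatchcase(value, pattern):
            return False
    return True
```

With the weak policy, the token minted for the other repository is accepted; the strict policy rejects it, the pull-request token, and any expired token.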
NHI7:2025 Long-Lived Secrets
Long-lived Secrets refers to the use of sensitive NHIs such as API keys, tokens, encryption keys, and certificates with expiration dates that are too far in the future or that don’t expire at all. If a breached secret is long-lived, it provides attackers with access to sensitive services without any time constraints.
NHI8:2025 Environment Isolation
Environment isolation is a fundamental security practice in cloud application deployment, where separate environments are used for development, testing, staging, and production. NHIs are often utilized during the deployment process and throughout an application's lifecycle. However, reusing the same NHIs across multiple environments—especially between testing and production—can introduce significant security vulnerabilities.
NHI9:2025 NHI Reuse
Reusing the same NHI across different applications, services, or components — even if they are deployed together — introduces significant security risks. If an NHI is compromised in one area, an attacker can exploit it to gain unauthorized access to other parts of the system that use the same credentials.
NHI10:2025 Human Use of NHI
During application development and maintenance, developers or administrators may misuse NHIs for manual tasks that should be performed using individual human identities with appropriate privileges. This practice introduces significant security risks, such as elevated privileges for NHIs and a lack of auditing and accountability, because human and automated activity become indistinguishable.