OWASP NHI Top 10 – Secret Leakage
Overview
Secret Leakage refers to the unintentional exposure of sensitive credentials—such as API keys, tokens, and database passwords—that authenticate non-human identities (NHIs). These secrets often end up in unsecured environments, where they can be exploited for unauthorized access, data theft, or lateral movement.
What Is Secret Leakage?
Within the OWASP NHI Top 10 framework, Secret Leakage ranks as one of the most common and severe vulnerabilities. Secrets are widely used for machine-to-machine communication across development, testing, and production environments. When hardcoded into codebases, logged in plaintext, or shared over unprotected channels, they become high-value targets for attackers.
Because these secrets often authorize access to critical systems—especially those tied to service accounts or machine credentials—their exposure can lead to significant operational and reputational damage.
How Does Secret Leakage Happen?
- Hardcoding credentials in source code or configuration files
- Committing secrets to public repositories
- Storing secrets in unsecured environment variables or chat platforms
- Logging secrets during error handling or debugging
The challenge lies in the widespread proliferation of secrets and the difficulty of consistently monitoring all potential leakage points.
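As an added illustration (not code from Astrix or the OWASP project), the following Python scanner flags the leakage patterns listed above in source, config, or log lines and doubles as a logging filter that masks secrets before a handler writes them. The credential patterns, entropy threshold, and sample lines are constructed assumptions, not an exhaustive rule set.

```python
import logging
import math
import re

# Generic "name = value" assignments whose name suggests a credential.
ASSIGNMENT = re.compile(
    r"(?i)\b(api[_-]?key|secret|token|password|passwd)\b\s*[:=]\s*['\"]?([^'\"\s,]{8,})"
)
# Fixed-format tokens with a known prefix (AWS access key ID, GitHub PAT).
FIXED = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("github_pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
]

def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking credentials score high."""
    counts = [s.count(c) for c in set(s)]
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts)

def find_secrets(line: str, min_entropy: float = 3.0) -> list:
    """Return (kind, value) pairs for probable secrets in one line."""
    hits = []
    for kind, pattern in FIXED:
        hits += [(kind, m.group(0)) for m in pattern.finditer(line)]
    seen = {value for _, value in hits}
    for m in ASSIGNMENT.finditer(line):
        value = m.group(2)
        # The entropy cut drops placeholders such as password = "changeme".
        if value not in seen and shannon_entropy(value) >= min_entropy:
            hits.append((m.group(1).lower(), value))
    return hits

def redact(line: str) -> str:
    """Mask each detected secret, keeping a short prefix for correlation."""
    for _, value in find_secrets(line):
        line = line.replace(value, value[:4] + "****")
    return line

class SecretRedactingFilter(logging.Filter):
    """Scrub secrets from log records before a handler writes them."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()  # message is already fully formatted
        return True

if __name__ == "__main__":
    # Constructed sample line, as might appear in a committed config file.
    print(redact('api_key: 9f8e7d6c5b4a3f2e1d0c9b8a7f6e5d4c'))
```

Attach the filter with `logger.addFilter(SecretRedactingFilter())` so error-handling and debug output (the fourth vector above) never carries a raw credential; run `find_secrets` over files in a pre-commit hook to catch the first two vectors before a push.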
Why Does Secret Leakage Matter?
Leaked secrets are often all that’s needed for an attacker to impersonate a trusted system. This grants them immediate access to sensitive resources, often bypassing traditional perimeter defenses. According to the CSA NHI Report, 31% of NHI-related security incidents were tied to poor secrets management—underscoring how central sound secrets management is to governing NHIs.
Recent breaches—like the Microsoft SAS token exposure and the Uber data leak—illustrate how improperly managed secrets can result in significant data loss and business disruption.
Astrix’s Solution for Secret Leakage
Astrix delivers automated, real-time protection against secret leakage:
- Protect Secrets with policy-based controls that scan environments and block risky exposures
- Detect Suspicious Non-Human Activity tied to exposed or misused credentials
- Remediate Automatically by revoking or rotating secrets, supported by integrations with secret managers and ITSM tools
- Manage the Lifecycle of secrets so they are versioned, rotated, and revoked when no longer in use
Combined with robust visibility into NHI usage, Astrix closes blind spots and enforces consistent, scalable protection across the secrets lifecycle.
Stop secret sprawl before it leads to breach. Explore how Astrix helps you prevent secret leakage and lock down credentials across your entire NHI ecosystem.
Learn more about the OWASP NHI Top 10 framework in Astrix’s introduction to the standard → Introducing the OWASP NHI Top 10.