Introducing the OWASP NHI Top 10: Standardizing Non-Human Identity Security
The non-human identity market has significantly matured in the past couple of years. While NHIs like service accounts, API keys, and OAuth apps are not new, the realization that managing and securing them has to be a priority is somewhat recent.
Even so, many security teams lack a clear, standardized view of the risks these identities pose and of how to fold them into an existing security program. To address this gap, OWASP has launched the OWASP Non-Human Identities Top 10, a community-driven framework led by a collective of industry experts from leading cybersecurity companies, including Astrix Security.
Below, we dive into why this project is critical, what the Top 10 risks are, and how you can use it as a framework to build a resilient NHI security strategy.
Live Panel on Jan 23, 2025: Introducing the OWASP Top 10 with Project Leaders
What are the OWASP Top 10 projects?
The OWASP Top 10 lists have long been a cornerstone of application security. Each one identifies the most critical risks in its domain (web applications, APIs, and more), and security professionals and development teams worldwide rely on them to prioritize mitigations and structure their security programs.
The new NHI Top 10 follows this tradition, providing a clear roadmap for addressing the most critical security implications of non-human identities.
Why we initiated the OWASP NHI Top 10 project
Automation, connectivity, AI adoption, and cloud adoption all rapidly increase the number of non-human identities in corporate and engineering environments, making them a prominent and favored attack vector for cybercriminals. OAuth apps, service accounts, secrets, AI agents, and automated processes are often overprivileged, under-monitored, or poorly managed, and each of those conditions poses substantial risk.
By standardizing these issues into an NHI Top 10, we aim to ensure that organizations worldwide speak a common language and follow a standard set of guidelines for securing and managing non-human identities.
A quick look at the NHI Top 10
To give you the juice you came for, here is the NHI Top 10; each entry is described in full on the OWASP project website:
- NHI1:2025 – Improper Offboarding
- NHI2:2025 – Secret Leakage
- NHI3:2025 – Vulnerable Third-Party NHI
- NHI4:2025 – Insecure Authentication
- NHI5:2025 – Overprivileged NHI
- NHI6:2025 – Insecure Cloud Deployment Configurations
- NHI7:2025 – Long-Lived Secrets
- NHI8:2025 – Environment Isolation
- NHI9:2025 – NHI Reuse
- NHI10:2025 – Human Use of NHI
How we ranked the top 10
The OWASP NHI Top 10 list was ranked based on the standard parameters of the OWASP Top 10 project:
- Exploitability: assumes the organization already has the specific weakness in place and that a potential attacker possesses the necessary skills and information to exploit it.
- Impact: evaluates the worst-case scenario by considering the most significant damage the risk could inflict on systems and operations.
- Prevalence: assesses how frequently the security weakness appears across different environments, without taking any existing protective measures into account.
- Detectability: looks at how difficult it would be for an organization to spot the weakness, assuming that standard monitoring and detection capabilities are in use.
The contributors – security experts from Astrix Security, Palo Alto, Torch Security, Snyk, and Orca – reviewed real-world breach data, analyzed industry trends and reports, and drew on their collective experiences to rank each risk according to the above criteria.
How to use the OWASP NHI Top 10
To integrate the NHI Top 10 into your security approach, start by building an inventory of your non-human identities and mapping your existing processes and findings to the ten identified risks.
To simplify this, we built a compliance dashboard within the Astrix platform that correlates the organization's security findings with the NHI Top 10 risks. This helps you visualize your current posture, identify gaps, and prioritize next steps.
Using the dashboard alongside the Top 10 framework lets you quickly see which areas need the most attention and track improvement over time.
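As an added illustration of what "mapping findings to the Top 10" looks like in practice (example code written for this page, not part of the OWASP project or the Astrix platform), the script below audits a small constructed inventory of service accounts, API keys, and OAuth apps and tags each identity with the NHI Top 10 IDs it trips. The rule thresholds (a 90-day maximum secret age, a set of "admin-like" permission strings, a `secret_fingerprint` field used to spot the same credential shared across identities) are assumptions chosen for the example, not numbers or fields defined by OWASP; NHI2, NHI3, NHI4, and NHI6 are not covered because they need signals (leak scanning, vendor posture, auth protocol details, cloud config) that a flat inventory does not carry.

```python
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Fixed "now" so the example is deterministic and runs offline.
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)
MAX_SECRET_AGE = timedelta(days=90)           # assumed rotation policy, not an OWASP figure
ADMIN_PERMISSIONS = {"*", "iam:*", "owner"}   # assumed "too broad" permission markers


@dataclass
class NHI:
    name: str
    kind: str                        # service_account | api_key | oauth_app
    owner: str                       # responsible human or team
    owner_active: bool               # False once the owning human/team is gone
    secret_created: datetime
    secret_fingerprint: str          # e.g. a hash prefix of the secret; lets us spot reuse
    environments: set[str] = field(default_factory=set)
    permissions: set[str] = field(default_factory=set)
    interactive_login: bool = False  # credential observed in a human/interactive session


def audit_one(nhi: NHI, now: datetime = NOW) -> list[str]:
    """Findings for a single identity; each entry is an OWASP NHI Top 10 ID."""
    findings: list[str] = []
    if not nhi.owner_active:
        findings.append("NHI1:2025")   # Improper Offboarding: orphaned identity still active
    if nhi.permissions & ADMIN_PERMISSIONS:
        findings.append("NHI5:2025")   # Overprivileged NHI
    if now - nhi.secret_created > MAX_SECRET_AGE:
        findings.append("NHI7:2025")   # Long-Lived Secrets: never rotated within policy
    if "prod" in nhi.environments and len(nhi.environments) > 1:
        findings.append("NHI8:2025")   # Environment Isolation: one credential spans prod and non-prod
    if nhi.interactive_login:
        findings.append("NHI10:2025")  # Human Use of NHI
    return findings


def audit_inventory(inventory: list[NHI], now: datetime = NOW) -> dict[str, list[str]]:
    """Per-identity findings, plus NHI9 (reuse), which needs the whole inventory."""
    results = {nhi.name: audit_one(nhi, now) for nhi in inventory}
    by_fingerprint: dict[str, list[str]] = {}
    for nhi in inventory:
        by_fingerprint.setdefault(nhi.secret_fingerprint, []).append(nhi.name)
    for names in by_fingerprint.values():
        if len(names) > 1:             # the same secret backs several identities/services
            for name in names:
                results[name].append("NHI9:2025")   # NHI Reuse
    return results


def posture_summary(results: dict[str, list[str]]) -> dict[str, int]:
    """Number of affected identities per Top 10 category (a minimal 'dashboard' view)."""
    counter = Counter(risk for findings in results.values() for risk in set(findings))
    return dict(sorted(counter.items()))


# Constructed sample inventory for the example; none of this is real data.
SAMPLE_INVENTORY = [
    NHI("ci-deploy-sa", "service_account", "alice", owner_active=False,
        secret_created=NOW - timedelta(days=400), secret_fingerprint="fp-aaaa",
        environments={"prod", "staging"}, permissions={"iam:*"}),
    NHI("billing-api-key", "api_key", "finance-team", owner_active=True,
        secret_created=NOW - timedelta(days=30), secret_fingerprint="fp-aaaa",
        environments={"prod"}, permissions={"billing:read"}),
    NHI("slack-notifier", "oauth_app", "platform-team", owner_active=True,
        secret_created=NOW - timedelta(days=10), secret_fingerprint="fp-cccc",
        environments={"dev"}, permissions={"chat:write"}, interactive_login=True),
]

if __name__ == "__main__":
    results = audit_inventory(SAMPLE_INVENTORY)
    for name, findings in results.items():
        print(f"{name}: {findings or 'no findings'}")
    print(posture_summary(results))
```

The point of the split between `audit_one` and `audit_inventory` is that some Top 10 items are properties of a single identity (offboarding, privilege, secret age) while others, such as reuse, only show up when you look across the whole inventory; a real program feeds the same two layers from IdP, cloud IAM, and secret-scanner exports rather than from a hard-coded list.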
What’s next: Live panel
Join us for a live panel on January 23, 2025 to unpack the OWASP NHI Top 10 in more detail. This virtual event is a chance to ask questions, learn more about each risk, and get insights into the ranking process. Register here.
We look forward to sharing more about this project and hearing your experiences. In the meantime, explore the OWASP NHI Top 10 project repo at https://owasp.org/www-project-non-human-identities-top-10/2025/.