NHI Forum
Read full article here: https://www.unosecur.com/blog/owasp-top-10-for-non-human-identities-nhi-why-securing-machine-identities-is-now-mission-critical/?utm_source=nhimg
Modern infrastructure no longer runs on human users. It runs on machines. API keys, cloud roles, OAuth applications, workload identities, service accounts, bots, and autonomous agents silently authenticate billions of times per day across CI/CD pipelines, microservices, cloud workloads, and SaaS ecosystems. These Non-Human Identities (NHIs) now outnumber human identities by more than 45:1 in large enterprises, creating an invisible security perimeter that most organizations still cannot see, measure, or control.
While enterprises have matured human identity security through MFA, SSO, passwordless access, and UEBA, the machine identity layer remains largely unmanaged. Compromised keys, forgotten service accounts, overprivileged OAuth apps, and hardcoded secrets have repeatedly led to large-scale cloud breaches.
The OWASP NHI Top 10 (2025 Initial Edition) was created to confront this strategic blind spot. It is the first vendor-neutral global standard dedicated to machine identity security and highlights real-world incidents where insecure NHIs triggered data loss, supply-chain compromise, or massive lateral cloud access.
At Unosecur, identity has always been the control plane of the cloud. The OWASP NHI Top 10 reinforces a reality we observe daily: automation has outpaced identity governance, and securing human users alone no longer protects the enterprise.
Why NHIs Matter More Than Ever
Three industry shifts explain why NHI security has become a core cybersecurity priority:
- Machines Now Hold the Most Privilege
  Service accounts and automation workloads routinely possess admin-level access, often without MFA, token binding, session control, or behavioral context.
- Automation Without Visibility Prevents Governance
  Most security teams cannot answer basic questions:
  - How many machine identities exist?
  - What do they access?
  - Who owns them?
  - When were they last rotated?
  Without visibility, automation becomes blind, and governance becomes impossible.
- Attacks on NHIs Are Faster and Harder to Detect
  A leaked API key gives an attacker instant authenticated access. Machine traffic blends into normal automation events, resulting in:
  - No login anomalies
  - No MFA failures
  - No user behavioral alerts
  This is why machine-identity-based attacks dominate the cloud breach landscape.
The OWASP Top 10 for NHIs (2025)
Below is a breakdown of each risk category, each paired with a real-world incident.
| Rank | Risk Name | Summary | Real Incident |
|------|-----------|---------|---------------|
| NHI1 | Improper Offboarding | Abandoned API keys, legacy service accounts, and orphaned OAuth apps remain active and allow long-term covert access. | Microsoft Midnight Blizzard (2024) — compromise began with an unused test account. |
| NHI2 | Secret Leakage | Credentials stored in Git repos, CI logs, containers, mobile apps, or telemetry give attackers direct system impersonation. | Tata Motors (2025) — hardcoded secrets exposed 70 TB of records. |
| NHI3 | Vulnerable Third-Party NHIs | SaaS and vendor automations introduce machine identities outside enterprise governance. | Sisense (2024) — compromise of vendor access led to a multi-org breach. |
| NHI4 | Insecure Authentication | Static API keys, weak OAuth flows, and non-expiring SAS tokens enable trivial replay. | Azure SAS Token Exposure (2023). |
| NHI5 | Overprivileged NHIs | Broad privileges given to automation widen the blast radius when compromised. | CircleCI (2023) — overprivileged OAuth token exfiltration. |
| NHI6 | Insecure Cloud Deployment | Misconfigured OIDC trust, static CI credentials, and permissive IAM roles expose pipelines. | GitHub OIDC → AWS (2024) — repo ambiguity allowed privilege assumption. |
| NHI7 | Long-Lived Secrets | Year-old tokens enable persistent access with no behavioral anomaly detection. | Snowflake (2024) — stale API keys enabled dataset theft. |
| NHI8 | Environment Isolation Failures | One identity reused across dev and prod collapses separation of duties. | Azure Managed Identity (2024) — cross-environment exposure. |
| NHI9 | Identity Reuse | The same service account across multiple systems prevents rotation and attribution. | Google Chronicle (2023) — multi-tenant access via shared backend identity. |
| NHI10 | Human Use of NHIs | Developers manually use machine credentials, bypassing authentication controls and audit trails. | CircleCI (2023) — manual use of automation token enabled impersonation. |
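The four visibility questions in "Why NHIs Matter" (how many, what access, who owns, last rotated) and the NHI1, NHI5, NHI7, NHI8 and NHI9 rows of the table above all reduce to checks over an identity inventory. The script below is an added example, not code from the article or from Unosecur: it runs those checks over a constructed inventory. The record fields (`owner`, `environments`, `systems`, `permissions`, `last_rotated`, `last_used`), the 90-day stale and 365-day rotation thresholds, and the sample identities are all assumptions standing in for what a discovery tool would collect.

```python
"""Audit a machine-identity inventory against OWASP NHI Top 10 categories.

Added example: this is not code from the article or from Unosecur. The
inventory records, field names and thresholds below are constructed
assumptions standing in for what a discovery tool would collect.
"""
from datetime import date

# Policy thresholds (assumptions; tune to your own rotation and offboarding rules)
STALE_DAYS = 90        # not used for this long -> offboarding candidate (NHI1)
ROTATION_DAYS = 365    # credential older than this -> long-lived secret (NHI7)
ADMIN_MARKERS = ("*", "admin", "owner")   # permission strings treated as full privilege (NHI5)
AUDIT_DATE = date(2025, 12, 1)            # constructed audit date

# Constructed sample inventory: one clean identity and two problematic ones
SAMPLE_INVENTORY = [
    {"name": "ci-deployer", "type": "service_account", "owner": "platform-team",
     "environments": ["prod"], "systems": ["aws"],
     "permissions": ["s3:PutObject", "ecs:UpdateService"],
     "last_rotated": date(2025, 9, 1), "last_used": date(2025, 11, 20)},
    {"name": "legacy-test-bot", "type": "service_account", "owner": None,
     "environments": ["prod"], "systems": ["entra-id"], "permissions": ["*"],
     "last_rotated": date(2023, 1, 10), "last_used": date(2025, 2, 1)},
    {"name": "shared-db-key", "type": "api_key", "owner": "data-team",
     "environments": ["dev", "prod"], "systems": ["snowflake", "airflow", "looker"],
     "permissions": ["db:read"],
     "last_rotated": date(2024, 6, 15), "last_used": date(2025, 11, 28)},
]


def days_since(when, today):
    """Whole days between a recorded date and the audit date."""
    return (today - when).days


def is_overprivileged(permissions):
    """True when any permission is a wildcard or an admin-style grant."""
    return any(p.lower() in ADMIN_MARKERS or p.endswith(":*") for p in permissions)


def audit_inventory(inventory, today):
    """Map OWASP NHI category -> names of identities that trip that check."""
    findings = {"NHI1": [], "NHI5": [], "NHI7": [], "NHI8": [], "NHI9": []}
    for nhi in inventory:
        name = nhi["name"]
        # NHI1 Improper Offboarding: nobody accountable, or dormant past the stale window
        if nhi["owner"] is None or days_since(nhi["last_used"], today) > STALE_DAYS:
            findings["NHI1"].append(name)
        # NHI5 Overprivileged NHIs: wildcard or admin-style grants
        if is_overprivileged(nhi["permissions"]):
            findings["NHI5"].append(name)
        # NHI7 Long-Lived Secrets: credential material past its rotation deadline
        if days_since(nhi["last_rotated"], today) > ROTATION_DAYS:
            findings["NHI7"].append(name)
        # NHI8 Environment Isolation Failures: one identity spanning prod and non-prod
        envs = set(nhi["environments"])
        if "prod" in envs and envs != {"prod"}:
            findings["NHI8"].append(name)
        # NHI9 Identity Reuse: one identity attached to several systems
        if len(set(nhi["systems"])) > 1:
            findings["NHI9"].append(name)
    return findings


def inventory_summary(inventory, today):
    """Answer the four visibility questions: how many, what access, who owns, last rotated."""
    return {
        "count": len(inventory),
        "systems_accessed": sorted({s for nhi in inventory for s in nhi["systems"]}),
        "unowned": [nhi["name"] for nhi in inventory if nhi["owner"] is None],
        "oldest_rotation_days": max(days_since(nhi["last_rotated"], today) for nhi in inventory),
    }


if __name__ == "__main__":
    print(inventory_summary(SAMPLE_INVENTORY, AUDIT_DATE))
    for category, names in audit_inventory(SAMPLE_INVENTORY, AUDIT_DATE).items():
        print(category, names or "no findings")
```

Each check is deliberately simple so that the output is explainable to the team that owns the identity; the value comes from running it continuously over a complete inventory rather than from the heuristics themselves. Note that `shared-db-key` trips three categories at once (NHI7, NHI8, NHI9), which is the usual pattern: one convenient credential accumulates several of the Top 10 risks.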
Structural Challenges Exposed by OWASP NHI
The Top 10 reveals deeper systemic gaps:
- Lack of full NHI discovery and inventory
- Fragmented storage across vaults, IAMs, GitHub, and CI/CD
- Blind trust chains between workloads and SaaS
- Human engineering shortcuts (long-lived tokens, shared accounts)
- Identity, not the network, as the true perimeter
Machine-identity security is now a board-level topic because these risks scale silently.
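The NHI6 row of the table (misconfigured OIDC trust in the GitHub OIDC → AWS case) and the "blind trust chains between workloads and SaaS" bullet above both come down to what a cloud role's trust policy actually accepts. The following is an added example, not code from the article or from Unosecur. It assumes the GitHub Actions to AWS federation named in the table and places a trust policy with the weak pattern (no audience condition and a wildcard subject) beside a hardened one, with a checker that flags the weak conditions. The claim names `token.actions.githubusercontent.com:sub` and `:aud` and the audience value `sts.amazonaws.com` are the documented ones for that federation; the account ID, organization and repository names are placeholders.

```python
"""Flag weak conditions in an AWS IAM role trust policy used for GitHub Actions OIDC.

Added example, not code from the article or from Unosecur. The two policies
below are constructed; the checks encode documented hardening practice for
this federation: pin the token audience to sts.amazonaws.com and scope the
subject claim to a specific owner/repository plus a ref or environment.
"""
import json

GITHUB_ISSUER = "token.actions.githubusercontent.com"
SUB_KEY = f"{GITHUB_ISSUER}:sub"
AUD_KEY = f"{GITHUB_ISSUER}:aud"
EXPECTED_AUD = "sts.amazonaws.com"
# Placeholder account ID; replace with your own
PROVIDER_ARN = f"arn:aws:iam::000000000000:oidc-provider/{GITHUB_ISSUER}"

WEAK_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": PROVIDER_ARN},
        "Action": "sts:AssumeRoleWithWebIdentity",
        # No audience check, and the subject matches a workflow in ANY GitHub repository
        "Condition": {"StringLike": {SUB_KEY: "repo:*"}},
    }],
})

HARDENED_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": PROVIDER_ARN},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {AUD_KEY: EXPECTED_AUD},
            # Placeholder org/repo: only the main branch of one repository may assume the role
            "StringLike": {SUB_KEY: "repo:example-org/example-app:ref:refs/heads/main"},
        },
    }],
})


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _conditions(statement):
    """Flatten a Condition block into (operator, key, [values]) tuples."""
    return [(op, key.lower(), _as_list(val))
            for op, keyvals in statement.get("Condition", {}).items()
            for key, val in keyvals.items()]


def _check_subject(sub):
    """Problems with one subject pattern, assuming GitHub's repo:OWNER/REPO:<ref|environment>:... form."""
    parts = sub.split(":")
    if parts[0] != "repo" or len(parts) < 2 or "*" in parts[1].split("/")[0]:
        return [f"subject {sub!r} does not pin a repository owner"]
    problems = []
    owner_repo = parts[1]
    if "/" not in owner_repo or "*" in owner_repo.split("/", 1)[1]:
        problems.append(f"subject {sub!r} allows any repository under the owner")
    if len(parts) < 3 or parts[2] == "*":
        problems.append(f"subject {sub!r} has no ref or environment constraint (any branch or pull request)")
    return problems


def check_trust_policy(policy_json):
    """Return human-readable findings; an empty list means no weak pattern was found."""
    policy = json.loads(policy_json)
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in _as_list(st.get("Action", [])):
            continue
        conds = _conditions(st)
        aud_vals = [v for _, k, vals in conds if k == AUD_KEY for v in vals]
        sub_vals = [v for _, k, vals in conds if k == SUB_KEY for v in vals]
        if not aud_vals:
            findings.append(f"statement {i}: no {AUD_KEY} condition; tokens minted for any audience are accepted")
        elif aud_vals != [EXPECTED_AUD]:
            findings.append(f"statement {i}: audience should be exactly {EXPECTED_AUD}, got {aud_vals}")
        if not sub_vals:
            findings.append(f"statement {i}: no {SUB_KEY} condition; any GitHub repository can assume the role")
        findings.extend(f"statement {i}: {p}" for sub in sub_vals for p in _check_subject(sub))
    return findings


if __name__ == "__main__":
    print("weak:", check_trust_policy(WEAK_TRUST_POLICY))
    print("hardened:", check_trust_policy(HARDENED_TRUST_POLICY))
```

Because the checker works on the policy document alone, it can run in a pull-request check on the infrastructure-as-code that defines the role, before any trust policy reaches the account; the same subject-scoping logic applies to other workload-identity federations once the issuer-specific claim names are swapped in.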
How Unosecur Operationalizes the OWASP NHI Framework
| Challenge | How Unosecur Solves It |
|-----------|------------------------|
| Lack of NHI visibility | Automated multi-cloud and SaaS NHI discovery and attribution |
| Orphaned identities | Lifecycle governance, auto-offboarding, expiry enforcement |
| Credential compromise | ITDR for machine impersonation and session anomaly detection |
| CI/CD risks | Shift-left NHI policy enforcement during build and deployment |
| OWASP compliance | Continuous scoring, drift alerts, and audit-ready reporting |
Unosecur treats NHIs as first-class citizens of the identity plane, combining:
- Identity discovery
- Access governance
- Secrets posture management
- ITDR for machine identities
- AI-driven risk prioritization
Conclusion: The Enterprise Perimeter Is Now Identity — and Most of It Is Machine
Machine identities are the backbone of automation, CI/CD, SaaS integration, and agentic AI systems. They authenticate more frequently, hold more privilege, and move more data than human users — yet continue to be the most undersecured layer in the cloud stack.
The OWASP NHI Top 10 is a wake-up call for the industry.
The organizations that will withstand the next generation of cyberattacks are those that treat every identity — human and non-human — as a high-value attack surface.
With full visibility, automated governance, and identity-centric threat detection across cloud and SaaS environments, Unosecur enables enterprises to secure every machine identity everywhere — at scale, by design, and without slowing innovation.
Because the perimeter is no longer a place.
The perimeter is identity. And most of those identities are machines.