OWASP Non-Human Identities Top 10 - 2025

Explore the most critical security risks for non-human identities. Understanding these risks is crucial for maintaining a robust security posture in modern IT environments.

NHI1:2025

Improper Offboarding

Inadequate deactivation or removal of non-human identities when no longer needed.

Key Mitigation:

Implement automated offboarding processes for non-human identities
Regularly audit and review all active non-human identities

References:

Learn More about Improper Offboarding

NHI2:2025

Secret Leakage

Unintended exposure of sensitive non-human identity credentials to unauthorized parties.

Key Mitigation:

Use secret management tools to securely store and manage secrets
Implement automated secret scanning in CI/CD pipelines

References:

Learn More about Secret Leakage

NHI3:2025

Excessive Permissions

Non-human identities are granted more permissions than necessary for their intended functions.

Key Mitigation:

Implement the principle of least privilege for all non-human identities
Regularly review and audit permissions

References:

Learn More about Excessive Permissions

NHI4:2025

Inadequate Rotation

Failure to regularly update or rotate credentials for non-human identities.

Key Mitigation:

Implement automated credential rotation processes
Use short-lived tokens or certificates where possible

References:

Learn More about Inadequate Rotation

NHI5:2025

Insecure Communication

Non-human identities communicate over insecure channels or without proper encryption.

Key Mitigation:

Enforce encryption for all non-human identity communications
Implement proper certificate validation and pinning

References:

Learn More about Insecure Communication

NHI6:2025

Lack of Monitoring and Auditing

Insufficient monitoring and auditing of non-human identity activities and access patterns.

Key Mitigation:

Implement comprehensive logging for all non-human identity activities
Set up real-time alerting for suspicious activities or access patterns

References:

Learn More about Lack of Monitoring and Auditing

NHI7:2025

Improper Access Control

Inadequate or misconfigured access controls for non-human identities.

Key Mitigation:

Implement the principle of least privilege for all non-human identities
Use role-based access control (RBAC) and attribute-based access control (ABAC)

References:

Learn More about Improper Access Control

NHI8:2025

Insufficient Identity Governance

Lack of proper governance and lifecycle management for non-human identities.

Key Mitigation:

Implement a comprehensive identity governance and administration (IGA) solution
Establish clear policies and procedures for non-human identity lifecycle management

References:

Learn More about Insufficient Identity Governance

NHI9:2025

Vulnerable Dependencies

Use of outdated or vulnerable dependencies in systems utilizing non-human identities.

Key Mitigation:

Regularly update and patch all software dependencies
Implement automated vulnerability scanning in the development pipeline

References:

Learn More about Vulnerable Dependencies

NHI10:2025

Inadequate Disaster Recovery

Insufficient planning for recovery and continuity of non-human identities in disaster scenarios.

Key Mitigation:

Implement robust backup and recovery procedures for all non-human identity management systems
Regularly test disaster recovery plans

References:

Learn More about Inadequate Disaster Recovery