Full Report
The Open Web Application Security Project has recently introduced a new Top 10 project - the Non-Human Identity (NHI) Top 10. For years, OWASP has provided security professionals and developers with essential guidance and actionable frameworks through its Top 10 projects, including the widely used API and Web Application security lists. Non-human identity security represents an emerging
Analysis Summary
# Best Practices: OWASP Non-Human Identity (NHI) Top 10 Security
## Overview
These practices address the emerging security risks associated with Non-Human Identities (NHIs), which include machine credentials like API keys, service accounts, OAuth apps, SSH keys, and IAM roles. The OWASP NHI Top 10 provides a dedicated framework to manage the unique security challenges and lack of oversight surrounding these automated identities, which are critical connectivity enablers but often hold excessive permissions.
## Key Recommendations
### Immediate Actions
1. **Inventory and Discovery:** Immediately begin an aggressive inventory collection of all Non-Human Identities across the entire IT estate (including cloud environments, CI/CD pipelines, and applications). Prioritize mapping credentials used for externally-owned systems (e.g., vendors, CI/CD tools).
2. **Review Top Risk Mitigation (NHI1, NHI2):** Conduct an immediate high-level review of processes related to the top two risks: identify and immediately disable/rotate any NHIs suspected of being unused or improperly offboarded (NHI1). Scan source code repositories and configuration files for hardcoded secrets (NHI2) and remediate any found instances via immediate rotation or secure secret management integration.
### Short-term Improvements (1-3 months)
1. **Implement NHI Offboarding Policy (NHI1):** Formalize and enforce an auditable process for decommissioning NHIs immediately upon service termination, third-party removal, or employee departure. This process must involve verification that the identity is no longer referenced anywhere in the environment.
2. **Enforce Principle of Least Privilege (NHI9):** Audit all existing NHIs to identify instances of reuse across multiple, unrelated applications or services. Begin projects to isolate and create unique credentials (service accounts, keys) for each distinct application or workload requiring access.
3. **Restrict Human Use (NHI10):** Enforce controls and monitoring to prevent the manual use of NHI credentials (API keys, service accounts) by developers or administrators for tasks that should use personal, appropriately privileged human accounts.
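The three short-term items above (offboarding, NHI1; reuse, NHI9; human use, NHI10) are all questions that can be asked of an NHI inventory once it exists. The following is an added example, not code from the original page or from OWASP: a small audit over constructed inventory records that flags identities whose owner was offboarded or that have gone unused past a threshold (NHI1), credentials presented by more than one workload (NHI9), and credentials seen in interactive human sessions (NHI10). The record fields (`owner_status`, `consumers`, `last_used`, `interactive_use`) are assumptions about what a discovery process would collect; the 90-day staleness window is likewise an assumed policy value.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple


@dataclass(frozen=True)
class NHIRecord:
    name: str
    owner: str                      # team, application or vendor accountable for it
    owner_status: str               # "active" or "offboarded" (assumed field)
    consumers: Tuple[str, ...]      # workloads observed presenting this credential
    last_used: Optional[datetime]   # None = never observed in use
    interactive_use: bool           # presented from a human console/shell session


@dataclass(frozen=True)
class Issue:
    name: str
    risk: str       # OWASP NHI Top 10 entry
    action: str     # remediation the owner is expected to carry out


def audit_inventory(records, now, stale_after=timedelta(days=90)):
    """Return one Issue per (record, risk) that fails the offboarding, reuse or human-use check."""
    issues = []
    for r in records:
        unused = r.last_used is None or now - r.last_used > stale_after
        if r.owner_status == "offboarded" or unused:
            issues.append(Issue(r.name, "NHI1", "disable now; delete once no reference to it remains"))
        if len(set(r.consumers)) > 1:
            issues.append(Issue(r.name, "NHI9", "issue one credential per consumer, then retire the shared one"))
        if r.interactive_use:
            issues.append(Issue(r.name, "NHI10", "block interactive use; move the operator to a personal account"))
    return issues


# Constructed sample inventory (not real identities); NOW is fixed so results are reproducible.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_INVENTORY = [
    NHIRecord("svc-billing-db", "billing", "active", ("billing",), NOW - timedelta(days=2), False),
    NHIRecord("svc-legacy-export", "reporting", "active", ("reporting",), NOW - timedelta(days=200), False),
    NHIRecord("vendor-acme-webhook-key", "acme-corp", "offboarded", ("acme-integration",), NOW - timedelta(days=5), False),
    NHIRecord("shared-deploy-key", "platform", "active", ("ci-runner", "web-frontend", "data-pipeline"), NOW - timedelta(days=1), False),
    NHIRecord("svc-analytics", "analytics", "active", ("analytics",), NOW - timedelta(hours=1), True),
    NHIRecord("svc-never-used", "onboarding", "active", (), None, False),
]


def run_audit():
    return audit_inventory(SAMPLE_INVENTORY, NOW)


if __name__ == "__main__":
    for issue in run_audit():
        print(f"{issue.name}: {issue.risk}: {issue.action}")
```

Only `svc-billing-db` passes every check; the vendor key is flagged even though it was used five days ago, because an offboarded owner is the NHI1 condition regardless of recency.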
### Long-term Strategy (3+ months)
1. **Establish Centralized Credential Lifecycle Management:** Implement a centralized vault or secrets management solution for managing, accessing, and automatically rotating *all* NHI secrets (API keys, database credentials, etc.), ensuring they are never hardcoded.
2. **Integrate NHI Security into DevSecOps:** Incorporate automated scanning tools into the CI/CD pipeline to consistently check for exposed credentials (NHI2) and over-privileged service role configurations **before** deployment.
3. **Develop NHI Monitoring and Anomaly Detection:** Deploy continuous monitoring solutions capable of detecting anomalous behavior associated with service accounts and other NHIs (e.g., excessive API calls, access patterns deviating from historical norms) to detect lateral movement or compromise.
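The secret-scanning step called for under Immediate Actions (NHI2) and the pre-deployment scanning gate in the long-term strategy are the same check run at two points. The block below is an added example, not code from the original page or from any scanner the page names: a minimal signature-plus-entropy scanner over a constructed configuration file, with a boolean wrapper suitable as a CI gate. The three signatures and the placeholder list are illustrative assumptions (a production scanner carries many more), the AWS key shown is the AWS documentation example value rather than a live credential, and findings are redacted so the scanner never copies a secret into pipeline logs.

```python
import math
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    snippet: str  # redacted; the full secret must never reach CI output


# Illustrative signatures only (assumption: a real scanner ships far more).
RULES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_assignment": re.compile(
        r"(?i)\b(password|passwd|secret|api[_-]?key|token)\b\s*[=:]\s*['\"]([^'\"]{8,})['\"]"
    ),
}

# Values that look like secrets but are templates or placeholders, not leaks.
PLACEHOLDER = re.compile(r"(?i)^(\$\{[^}]*\}|<[^>]*>|changeme|x{3,}|example|dummy|\*{3,})$")


def shannon_entropy(value: str) -> float:
    """Bits per character: random-looking secrets score high, dictionary words score low."""
    counts = Counter(value)
    n = len(value)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def redact(match_text: str) -> str:
    """Keep a short prefix for triage and hide the rest."""
    return match_text[:4] + "..." + f"[{len(match_text)} chars]"


def scan_text(text: str, min_entropy: float = 3.0) -> list:
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES.items():
            m = pattern.search(line)
            if not m:
                continue
            if rule == "generic_assignment":
                value = m.group(2)
                # Templated values and low-entropy words are the usual false positives.
                if PLACEHOLDER.match(value) or shannon_entropy(value) < min_entropy:
                    continue
            findings.append(Finding(line_no, rule, redact(m.group(0))))
    return findings


def has_leaks(text: str) -> bool:
    """Boolean form for a CI gate: fail the pipeline when this returns True."""
    return bool(scan_text(text))


# Constructed sample file; the access key is the AWS documentation example, not a real credential.
SAMPLE_CONFIG = """\
# app.properties (constructed sample checked into a repository)
db.host=db.internal.example
db.password="S3cr3t-Pa55w0rd!"
aws.access_key_id=AKIAIOSFODNN7EXAMPLE
api_key = "${API_KEY}"
feature.flag.token="changeme"
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_CONFIG):
        print(f"line {f.line_no}: {f.rule}: {f.snippet}")
    raise SystemExit(1 if has_leaks(SAMPLE_CONFIG) else 0)
```

Running it on the sample reports the database password, the access key ID and the private-key header while passing over the `${API_KEY}` template and the `changeme` placeholder; the non-zero exit status is what a pipeline step would key on to block the merge.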
## Implementation Guidance
### For Small Organizations
- **Focus on Tooling:** Prioritize adopting one robust secrets management tool (if budgets allow) to replace manual hardcoding across all projects.
- **Manual Inventory:** Use cloud provider native tools (e.g., IAM access advisor reports) and simple scripts to build the initial NHI inventory manually, focusing first on high-risk public cloud assets.
- **Adopt Best Practices Early:** Enforce per-application service accounts from the start for any new development project to prevent NHI reuse (NHI9).
### For Medium Organizations
- **Cross-Functional Policy:** Establish required cross-functional sign-off (Security, DevOps, Engineering) before provisioning any new production-level NHI.
- **Automated Scanning Integration:** Fully integrate secret scanning tools into source code repositories and require remediation before merging code into the main branch.
- **Phased Offboarding Rollout:** Pilot the formal NHI offboarding process (NHI discovery, quarantine, deletion) within one major business unit before a full organizational rollout.
### For Large Enterprises
- **Standardized Identity Plane:** Treat NHIs as first-class citizens within the central Identity and Access Management (IAM) framework, requiring standardized provisioning/de-provisioning workflows similar to human users.
- **Vendor Credential Audits:** Implement quarterly audits specifically tracking keys and tokens granted to third-party vendors (Vendor-Owned NHIs), validating the necessity and scope of their permissions.
- **Advanced Behavioral Analysis:** Deploy security information and event management (SIEM) correlation rules specifically designed to detect the unusual activity patterns associated with compromised NHIs, distinguishing expected workload traffic from potential lateral movement.
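Both the long-term monitoring item (anomalous service-account behaviour, NHI3-style compromise and lateral movement) and the SIEM correlation rules above rest on the same idea: learn what each NHI normally does, then alert on departures. The block below is an added example, not code from the original page or from any SIEM product: it builds a per-principal baseline (actions, source IPs, calls per hour) from a constructed week of service-account traffic and then flags a never-seen action, a never-seen source address, and an hourly call volume above a multiple of the historical peak. Event fields, action names and the 3x volume factor are assumptions chosen for the demonstration.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Event:
    ts: datetime
    principal: str   # the NHI (service account / role) that made the call
    action: str
    src_ip: str


@dataclass(frozen=True)
class Alert:
    principal: str
    rule: str        # new_action | new_source | volume_spike | unknown_principal
    detail: str


def hour_of(ts):
    return ts.replace(minute=0, second=0, microsecond=0)


def build_baseline(events):
    """Per principal: actions seen, source IPs seen, and call counts per hour of history."""
    baseline = defaultdict(lambda: {"actions": set(), "sources": set(), "hourly": Counter()})
    for e in events:
        b = baseline[e.principal]
        b["actions"].add(e.action)
        b["sources"].add(e.src_ip)
        b["hourly"][hour_of(e.ts)] += 1
    return dict(baseline)


def detect(baseline, events, volume_factor=3.0):
    """Compare a new window of events against the baseline; returns deduplicated alerts."""
    alerts = set()  # frozen dataclass, so thousands of identical hits collapse to one alert
    hourly = Counter((e.principal, hour_of(e.ts)) for e in events)
    for e in events:
        b = baseline.get(e.principal)
        if b is None:
            alerts.add(Alert(e.principal, "unknown_principal", "no history for this identity"))
            continue
        if e.action not in b["actions"]:
            alerts.add(Alert(e.principal, "new_action", e.action))
        if e.src_ip not in b["sources"]:
            alerts.add(Alert(e.principal, "new_source", e.src_ip))
    for (principal, hour), n in hourly.items():
        b = baseline.get(principal)
        if b is None:
            continue
        threshold = volume_factor * max(b["hourly"].values())  # assumed rule: 3x historical peak
        if n > threshold:
            alerts.add(Alert(principal, "volume_spike",
                             f"{n} calls in hour {hour.isoformat()} (threshold {threshold:.0f})"))
    return sorted(alerts, key=lambda a: (a.principal, a.rule, a.detail))


def make_events(start, hours, per_hour, principal, action, src_ip):
    """Constructed traffic: per_hour(h) calls in hour h, one second apart."""
    return [Event(start + timedelta(hours=h, seconds=i), principal, action, src_ip)
            for h in range(hours) for i in range(per_hour(h))]


START = datetime(2024, 6, 1, tzinfo=timezone.utc)
EVAL = START + timedelta(days=7)


def run_demo():
    # Seven days of steady reads (40-60 per hour) from the workload's own subnet.
    history = make_events(START, 7 * 24, lambda h: 40 + (h % 3) * 10,
                          "svc-billing", "s3:GetObject", "10.0.1.5")
    # Evaluation window: one normal hour, then an hour with a burst plus a new action from a new address.
    window = (make_events(EVAL, 1, lambda h: 50, "svc-billing", "s3:GetObject", "10.0.1.5")
              + make_events(EVAL + timedelta(hours=1), 1, lambda h: 400, "svc-billing", "s3:GetObject", "10.0.1.5")
              + make_events(EVAL + timedelta(hours=1), 1, lambda h: 100, "svc-billing", "sts:AssumeRole", "203.0.113.9"))
    return detect(build_baseline(history), window)


if __name__ == "__main__":
    for a in run_demo():
        print(f"{a.principal}: {a.rule}: {a.detail}")
```

The first evaluation hour produces nothing, which is the point of baselining: the alert set is driven by departures from this identity's own history rather than by fixed thresholds applied to every account. In a SIEM the three rules map naturally to separate correlation searches keyed on the principal.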
## Configuration Examples
*The provided context does not contain specific technical configuration examples (e.g., policy syntax, specific tool settings). The focus is primarily on risk identification and procedural best practices.*
**Placeholder for future specifics:** *When addressing NHI2 (Secret Leakage), configuration best practices would involve disabling default credentials upon service initiation and enforcing use of ephemeral credentials via roles/instance profiles over long-lived secrets.*
## Compliance Alignment
- **OWASP Top 10:** Directly addresses emerging risks highlighted by the NHI Top 10 framework.
- **Principle of Least Privilege:** Critical for achieving compliance targets related to access control specified in standards like **NIST SP 800-53** (the AC, Access Control, control family) and **ISO 27001** (A.9 Access Control).
- **Secrets Management:** Aligns with recommended controls in frameworks like **CIS Controls** (Control 2: Inventory and Control of Assets, Control 4: Secure Configuration of Assets).
## Common Pitfalls to Avoid
- **Treating NHIs as Low Priority:** Avoid viewing service accounts or API keys as less critical than user credentials. They often have persistent, high-privilege access.
- **Relying Solely on Key Rotation:** Rotating secrets on a schedule without knowing *which application* owns the key or *whether* the key is still necessary leaves improperly offboarded identities in place (NHI1).
- **Using the Same Key Everywhere:** Failing to keep credentials separate per workload (NHI Reuse, NHI9) guarantees that one compromised credential grants access to multiple unrelated systems.
- **Ignoring Vendor Access:** Allowing external vendors access via persistent keys or roles without rigorous, short-term credential lifecycles.
## Resources
- OWASP Non-Human Identities Top 10 Project Site (Search for the official OWASP NHI Top 10 documentation).
- Guides on implementing robust secrets management solutions (e.g., Vault, AWS Secrets Manager, Azure Key Vault documentation).
- NIST Special Publication 800-53 controls related to Access Control (AC).