OWASP Non-Human Identities Top 10
18 comments · February 4, 2025
chillax
A better link would be the dedicated site for it; it also contains an introduction which describes what NHIs are: https://owasp.org/www-project-non-human-identities-top-10/20...
dang
Ok, we've changed to that from https://owasp.org/www-project-non-human-identities-top-10/. Thanks!
xg15
They are using some fancy wording, but this just seems to be about regular service accounts (i.e. "bots") when they are mixed with user accounts in a SoA setting. No AI needed.
killerpopiller
AI is not mentioned. Besides, service accounts are not bots.
The collection provides a structured approach to self-audit the security practice regarding non-human identities. The recent CCC showcased a breach of a VW connected car repository based on the exploitation of those NHIs.
benatkin
I agree. A bot is a program or an application that provides some sort of functionality that appears automated or autonomous in some way. A service account could be the primary identity of a bot, but that doesn't make it a bot.
ALLTaken
I am confused with the wording. Is there an official description of Non-Human Identities?
I only know service accounts, which pose a similar threat. Both AI and humans can use service accounts and API keys to pose the same threats.
But it's ultimately known and wide-spread as service accounts from what I know. Is non-human identity referring to a special case or attack vector?
chillax
Here is how OWASP defines it:
> Non-human identities (NHIs) are used to provide authorization to software entities such as applications, APIs, bots, and automated systems to access secured resources. Unlike human identities, NHIs are not controlled or directly owned by a human. Their identity object and authentication often work differently to humans, and common human user security measures do not apply to them.
https://owasp.org/www-project-non-human-identities-top-10/20...
ale42
I think it's just a fancy description for service accounts, but possibly extended to any kind of access that is used for machine-to-machine interaction rather than for users; I guess tokens used by IoT devices to access an API would also count as NHI. I guess that "Non-Human" doesn't imply any AI around (nor other animals or extraterrestrials, although I guess nobody thought that...).
xarope
they kind of mention various examples throughout, e.g.:
- such as service accounts and access keys
- such as API keys, tokens, encryption keys, and certificates
- typically achieved using static credentials or OpenID Connect (OIDC)
- sensitive NHIs such as API keys, tokens, encryption keys, and certificates
LoganDark
Hah, turns out they're talking about stuff like access tokens, not otherkin!
CodeCompost
Sorry but can anybody explain what Non-Human Identities are?
Ekaros
I think OWASP itself has a pretty good explanation in their introduction chapter:
https://owasp.org/www-project-non-human-identities-top-10/20...
aetherspawn
Based on the title and the first few paragraphs, I expected this to be about risk of datacenter security breaches by Bears, and the like.
rzzzt
Mice and ants are listed as some of the greater enemies of the datacenter according to a pest control company's website. I guess bees would cause some inconvenience too.
magicalhippo
Full title is "OWASP Non-Human Identities Top 10".
This comprehensive list highlights the most critical challenges in integrating Non-Human Identities (NHIs) into the development lifecycle, ranked based on exploitability, prevalence, detectability, and impact.
OhNoNotAgain_99
This focuses mostly on internal security (i.e. after the attacker already has a foothold inside) versus the classic OWASP ones, which are for external front-facing applications.