Hacker News: OWASP Non-Human Identities Top

Source URL: https://owasp.org/www-project-non-human-identities-top-10/
Source: Hacker News
Title: OWASP Non-Human Identities Top

AI Summary and Description: Yes

Summary: The text discusses the challenges and security risks associated with Non-Human Identities (NHIs) in software development. It outlines the NHIs top 10 list, which includes critical vulnerabilities and risks that organizations face with NHIs, emphasizing actionable preventive measures and incident response practices. The content is particularly relevant for security professionals in AI, cloud, and infrastructure, given the increasing reliance on automated identities in cloud applications.

Detailed Description: The text provides a detailed overview of the NHIs Top 10 list, which highlights the most pressing security challenges related to non-human identities within organizations. Here are the major points:

– **Definition of Non-Human Identities (NHIs)**: NHIs are the service accounts, API keys, tokens, certificates and similar credentials that applications, pipelines and other automated processes use to authenticate to each other and to cloud services. Because no person is behind them, they are rarely protected by MFA, are easy to copy, and are often forgotten, which gives them a risk profile distinct from human accounts.

– **Top 10 Security Risks** (listed in the project's order, NHI1 through NHI10):
  – **Improper Offboarding (NHI1)**: Service accounts and keys that are not deactivated when their owner leaves or their workload is retired remain valid and give attackers, or former staff, a quiet path in.
  – **Secret Leakage (NHI2)**: Secrets hard-coded in source, committed to repositories, baked into images or kept in unprotected storage are routinely discovered and used directly by attackers.
  – **Vulnerable Third-Party NHIs (NHI3)**: NHIs granted to external tools and SaaS integrations inherit that vendor's security posture; a compromised vendor means a compromised credential inside your environment.
  – **Insecure Authentication (NHI4)**: Deprecated or weak authentication methods, such as legacy protocols or implicit flows, expose NHIs to interception and replay.
  – **Over-Privileged NHIs (NHI5)**: Permissions far beyond what the workload needs turn a single compromised credential into broad access.
  – **Insecure Cloud Deployment Configurations (NHI6)**: CI/CD pipelines that reach cloud providers with static credentials, or with OIDC federation whose trust policy does not validate the token's issuer, audience and subject, can hand an attacker privileged cloud access.
  – **Long-Lived Secrets (NHI7)**: Secrets that never expire stay usable indefinitely once leaked, widening the attacker's window from hours to years.
  – **Environment Isolation (NHI8)**: Reusing one NHI across development, test and production lets a compromise of the least protected environment reach the most sensitive one.
  – **NHI Reuse (NHI9)**: Sharing the same NHI across several applications or components means a compromise of any one of them exposes all the others.
  – **Human Use of NHIs (NHI10)**: People using service-account credentials for manual work, such as console logins or ad-hoc scripts, sever the link between an action and an accountable person and undermine audit trails.
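
Several of the items above can be checked mechanically against an NHI inventory. The following is an added example written for this summary, not code from the OWASP project: it audits a constructed inventory for improper offboarding (NHI1), wildcard permissions (NHI5), secrets past a rotation window (NHI7), identities spanning environments (NHI8) and reuse across applications or shared secret material (NHI9). The record layout, the fixed clock, the thresholds and the sample identities are assumptions.

```python
"""Added example (not code from the OWASP NHI Top 10 project): audit a constructed
NHI inventory for improper offboarding (NHI1), over-privileged NHIs (NHI5),
long-lived secrets (NHI7), environment isolation breaches (NHI8) and NHI reuse
(NHI9).  The record layout, thresholds and sample identities are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set

# Fixed clock so the audit is reproducible offline (assumed value).
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
MAX_SECRET_AGE = timedelta(days=90)   # rotate anything older than this
MAX_IDLE = timedelta(days=60)         # unused this long -> candidate for offboarding


@dataclass
class NHI:
    name: str
    credential_id: str            # fingerprint of the secret, never the secret itself
    owner_active: bool            # human or service that owns this identity still exists
    created: datetime             # when the current secret was issued
    last_used: Optional[datetime]
    environments: Set[str]        # e.g. {"dev"}, {"prod"}
    applications: Set[str]        # workloads that present this identity
    actions: Set[str]             # IAM-style permissions granted


def audit(inventory: List[NHI]) -> Dict[str, List[str]]:
    """Return {nhi_name: [finding, ...]} for every NHI with at least one finding."""
    findings: Dict[str, List[str]] = {}
    # Group identities by credential fingerprint to spot shared secret material.
    by_credential: Dict[str, List[str]] = {}
    for n in inventory:
        by_credential.setdefault(n.credential_id, []).append(n.name)

    for n in inventory:
        f: List[str] = []
        # NHI1 improper offboarding: owner is gone, or the identity is dormant.
        if not n.owner_active:
            f.append("NHI1: owner no longer active but identity was never offboarded")
        if n.last_used is None or NOW - n.last_used > MAX_IDLE:
            f.append(f"NHI1: not used in the last {MAX_IDLE.days} days")
        # NHI5 over-privileged: wildcard actions grant far more than the workload needs.
        wildcards = sorted(a for a in n.actions if a == "*" or a.endswith(":*"))
        if wildcards:
            f.append(f"NHI5: wildcard permissions {wildcards}")
        # NHI7 long-lived secrets: the current secret has outlived the rotation window.
        if NOW - n.created > MAX_SECRET_AGE:
            f.append(f"NHI7: secret is {(NOW - n.created).days} days old (limit {MAX_SECRET_AGE.days})")
        # NHI8 environment isolation: one identity must not bridge dev/test and prod.
        if len(n.environments) > 1:
            f.append(f"NHI8: identity spans environments {sorted(n.environments)}")
        # NHI9 reuse: one identity serving several apps, or one secret behind several identities.
        if len(n.applications) > 1:
            f.append(f"NHI9: identity shared by applications {sorted(n.applications)}")
        others = [m for m in by_credential[n.credential_id] if m != n.name]
        if others:
            f.append(f"NHI9: same credential material as {others}")
        if f:
            findings[n.name] = f
    return findings


# Constructed sample inventory (not real identities).
SAMPLE_INVENTORY = [
    NHI("billing-worker", "fp-1a2b", True, NOW - timedelta(days=30), NOW - timedelta(days=1),
        {"prod"}, {"billing"}, {"s3:GetObject", "sqs:ReceiveMessage"}),
    NHI("legacy-etl", "fp-3c4d", False, NOW - timedelta(days=400), NOW - timedelta(days=200),
        {"prod"}, {"etl"}, {"*"}),
    NHI("shared-deploy-key", "fp-5e6f", True, NOW - timedelta(days=10), NOW - timedelta(days=1),
        {"dev", "prod"}, {"web", "api"}, {"ecr:*"}),
    NHI("api-gateway", "fp-5e6f", True, NOW - timedelta(days=10), NOW - timedelta(days=2),
        {"prod"}, {"api"}, {"execute-api:Invoke"}),
]

if __name__ == "__main__":
    for name, items in audit(SAMPLE_INVENTORY).items():
        print(name)
        for item in items:
            print("  -", item)
```

The `billing-worker` entry is the clean baseline; `legacy-etl` shows how one forgotten identity usually fails several items at once, and the two identities sharing fingerprint `fp-5e6f` show that reuse is only visible when the inventory records a fingerprint of the secret rather than just the identity name. Secret leakage (NHI2) and third-party NHIs (NHI3) need data from outside the inventory (repository scans, vendor integrations) and are not covered here.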

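The CI/CD item (NHI6) deserves a concrete illustration because the failure is subtle: federation with a workload identity provider removes the static secret, but a trust policy that accepts the provider's tokens without pinning the audience and subject claims accepts tokens from every tenant of that provider. The following is an added example, not code from the OWASP project: it shows an AWS IAM role trust policy for GitHub Actions OIDC in its weak form (no `Condition`, so any GitHub repository's workflow can assume the role) beside a hardened form that pins `aud` and `sub`, plus a checker that flags the weak patterns. The account ID `123456789012`, the repository `example-org/example-repo` and the checker's rules are placeholders and assumptions.

```python
"""Added example (not code from the OWASP NHI Top 10 project): detect the NHI6
misconfiguration of an AWS IAM role trust policy that federates with GitHub
Actions OIDC but does not validate the token's audience and subject claims.
The account ID 123456789012 and repository example-org/example-repo are placeholders."""
import json
from typing import Any, Dict, List

GITHUB_OIDC = "token.actions.githubusercontent.com"

# Weak: no Condition block, so a workflow token from ANY GitHub repository is accepted.
WEAK_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::123456789012:oidc-provider/{GITHUB_OIDC}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
    }],
})

# Hardened: pin the audience and the exact repository and branch that may assume the role.
HARDENED_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::123456789012:oidc-provider/{GITHUB_OIDC}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {
                f"{GITHUB_OIDC}:aud": "sts.amazonaws.com",
                f"{GITHUB_OIDC}:sub": "repo:example-org/example-repo:ref:refs/heads/main",
            }
        },
    }],
})


def _as_list(v: Any) -> List[Any]:
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    return [] if v is None else (v if isinstance(v, list) else [v])


def _condition_values(cond: Dict[str, Dict[str, Any]], key: str) -> List[str]:
    """Collect every value bound to `key` across all condition operators."""
    out: List[str] = []
    for kv in cond.values():
        out.extend(_as_list(kv.get(key)))
    return out


def check_github_oidc_trust(policy_json: str) -> List[str]:
    """Return a list of problems; an empty list means aud and sub are pinned."""
    policy = json.loads(policy_json)
    issues: List[str] = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action")):
            continue
        principals = _as_list(stmt.get("Principal", {}).get("Federated"))
        if not any(GITHUB_OIDC in p for p in principals):
            continue  # only the GitHub OIDC provider is checked in this example
        cond = stmt.get("Condition", {})
        if _condition_values(cond, f"{GITHUB_OIDC}:aud") != ["sts.amazonaws.com"]:
            issues.append(f"statement {i}: aud is not pinned to sts.amazonaws.com")
        subs = _condition_values(cond, f"{GITHUB_OIDC}:sub")
        if not subs:
            issues.append(f"statement {i}: no sub condition; any GitHub repository can assume this role")
        for sub in subs:
            # GitHub subject format: repo:<org>/<repo>:<ref|environment|pull_request...>
            parts = sub.split(":")
            repo = parts[1] if len(parts) > 1 else ""
            if parts[0] != "repo" or "/" not in repo or "*" in repo or "?" in repo:
                issues.append(f"statement {i}: sub '{sub}' does not pin a single repository")
            elif parts[2:] == ["*"]:
                issues.append(f"statement {i}: sub '{sub}' allows any branch, tag, PR or environment")
    return issues


if __name__ == "__main__":
    print("weak:", check_github_oidc_trust(WEAK_TRUST_POLICY))
    print("hardened:", check_github_oidc_trust(HARDENED_TRUST_POLICY))
```

The checker treats `repo:<org>/<repo>:*` as a warning rather than a failure: it confines the role to one repository but still lets any branch or pull request assume it, which matters when untrusted contributors can open PRs. It does not verify that a wildcard subject is paired with `StringLike` rather than `StringEquals`; a policy with `StringEquals` and a `*` in the value simply never matches, which is a different mistake.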
– **Call to Action for Contribution**: The text encourages individuals and organizations to participate in refining the NHIs Top 10 list by providing data, translations, suggestions, and real-world examples.

This comprehensive overview of NHIs’ associated risks is essential for security professionals, as it provides both insights into common vulnerabilities and a path to improving secure practices in the development lifecycle. Understanding and mitigating these risks can significantly enhance an organization’s overall security posture within increasingly automated environments.