
OWASP Non-Human Identities Top 10

157 points, by raskelll, 4 months ago

14 comments

octonaut, 4 months ago

TIL that OWASP has a bunch of Top 10 projects other than application security. Some others I found:

- Top 10 for LLMs - https://owasp.org/www-project-top-10-for-large-language-model-applications/

- Top 10 for OT - https://ot.owasp.org/

- Top 10 for Smart Contracts - https://owasp.org/www-project-smart-contract-top-10/

- Top 10 for Open Source Software - https://owasp.org/www-project-open-source-software-top-10/
chillax, 4 months ago

A better link would be the dedicated site for it, which also contains an introduction that describes what NHI are: https://owasp.org/www-project-non-human-identities-top-10/2025/
LoganDark, 4 months ago

Hah, turns out they're talking about stuff like access tokens, not otherkin!
2d8a875f-39a2-4, 4 months ago

I especially enjoyed NHI10:2025 Human Use of NHI.

Time to stop all that pesky human use. Switch off the servers too, just to be sure.
mirages, 4 months ago

This focuses more on internal security (i.e. after the attacker already has a foothold inside) versus the classic OWASP lists, which are for external, front-facing applications.
xg15, 4 months ago

They are using some fancy wording, but this just seems to be about regular service accounts (i.e. "bots") when they are mixed with user accounts in a SoA setting. No AI needed.
antithesis-nl, 4 months ago

I would *love* to hear about any useful work around leak/abuse-resistance improvements of service accounts and API keys (i.e. the 'NHI' referenced here -- awkward terminology!). Passkeys are a great solution when some kind of end-user interactivity is feasible, and AWS Secrets Manager is supposedly very good if you're entirely on that platform, but for self-hosting, the options seem limited (and things like Hashicorp Vault still don't *fully* solve the problem)?

I recently refactored a moderately complicated system to remove the need for periodic distribution of updated network access credentials, and the best I could come up with were X509 client certificates, which (even if in this case it was a big improvement over the existing state of affairs) feel archaic...
authnopuz, 4 months ago

Another good source of NHI definitions, concepts, and threats: https://nhimg.org/the-ultimate-guide-to-non-human-identities
belter, 4 months ago

It's already wise to establish a shared authentication word or phrase with family and colleagues, because AI can now convincingly mimic a person's face, voice, gestures, even their gait during video calls or phone conversations. A bot won't know the secret passcode when you ask for it.

Within the next 20-25 years, you may need that same safeguard in face-to-face meetings, since Replicants will be lifelike enough to fool anyone.

Voight-Kampff Test: https://youtu.be/IbBfONITYNg
batmansmk, 4 months ago

Identities are very hard to manage and secure overall. Audits are super long, tedious.

Adding more dimensions into reviews that aren't properly done right now will be extremely tricky.
zingababba, 4 months ago

Wtf? We have been calling these workload identities for years.
CodeCompost, 4 months ago

Sorry, but can anybody explain what Non-Human Identities are?
aetherspawn, 4 months ago

Based on the title and the first few paragraphs, I expected this to be about the risk of datacenter security breaches by Bears, and the like.
magicalhippo, 4 months ago

Full title is "OWASP Non-Human Identities Top 10".

*This comprehensive list highlights the most critical challenges in integrating Non-Human Identities (NHIs) into the development lifecycle, ranked based on exploitability, prevalence, detectability, and impact.*