deploy: 9ca8d0a
TalAstrix committed Jan 6, 2025
1 parent d1f9c2e commit 26aa8e4
Showing 9 changed files with 41 additions and 30 deletions.
2 changes: 1 addition & 1 deletion 2025/2-secret-leakage/index.html
Expand Up @@ -806,7 +806,7 @@ <h2 id="references">References<a class="headerlink" href="#references" title="Pe
</ul>
<h2 id="data-points">Data points<a class="headerlink" href="#data-points" title="Permanent link">&para;</a></h2>
<ul>
<li><a href="https://s3.amazonaws.com/content-production.cloudsecurityalliance/22j8ue25fxvafdnirpgoqtdv7l1u?response-content-disposition=inline%3B%20filename%3D%22The%20State%20of%20Non-Human%20Identity%20Security%2020240917.pdf%22%3B%20filename%2A%3DUTF-8%27%27The%2520State%2520of%2520Non-Human%2520Identity%2520Security%252020240917.pdf&amp;response-content-type=application%2Fpdf&amp;X-Amz-Algorithm=AWS4-HMAC-SHA256&amp;X-Amz-Credential=AKIAS6XDIRHKHO4F5SU4%2F20241211%2Fus-east-1%2Fs3%2Faws4_request&amp;X-Amz-Date=20241211T163927Z&amp;X-Amz-Expires=300&amp;X-Amz-SignedHeaders=host&amp;X-Amz-Signature=394370ac74a7a3f24385341bdee52ca01958c4859595f1f9969ffefdaa6d6f2f">CSA NHI Report</a></li>
<li><a href="https://cloudsecurityalliance.org/artifacts/state-of-non-human-identity-security-survey-report">CSA NHI Report</a></li>
<li>31% of times poor secrets management was the cause for NHI-related security incidents. (6/10)</li>
<li>21% of organizations put service accounts as most challenging to manage. (6/16)</li>
<li>26% of organizations need management of secrets lifecycle as the most important capability of an NHI tool. (1/16)</li>
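Review bot: the href this hunk drops was a pre-signed S3 URL (X-Amz-Expires=300 with X-Amz-Date=20241211T163927Z, and an X-Amz-Credential access key id embedded in the query string), so it stopped resolving minutes after it was generated and it published a key id in the page source of a page about secret leakage; the canonical https://cloudsecurityalliance.org/artifacts/state-of-non-human-identity-security-survey-report link is the right replacement. The identical pre-signed URL is still carried by 2025/3-vulnerable-third-party-nhi/index.html further down in this same commit and needs the same swap; since this file is generated site output, the fix belongs in the source behind 9ca8d0a.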
12 changes: 9 additions & 3 deletions 2025/3-vulnerable-third-party-nhi/index.html
Expand Up @@ -793,20 +793,26 @@ <h2 id="references">References<a class="headerlink" href="#references" title="Pe
</ul>
<h2 id="data-points">Data points<a class="headerlink" href="#data-points" title="Permanent link">&para;</a></h2>
<ul>
<li><a href="(https://www.datadoghq.com/state-of-cloud-security/)">Datadog State of the Cloud 2024</a></li>
<li><a href="(https://www.datadoghq.com/state-of-cloud-security/)">Datadog State of the Cloud 2024</a><ul>
<li>10% third party integration to AWS are overprivileged.</li>
<li>2% third party integration to AWS are vulnerable to confused deputy vulnerability.</li>
<li>Initial access to 365 is made through malicious 3d-party OAuth apps.</li>
<li><a href="https://s3.amazonaws.com/content-production.cloudsecurityalliance/22j8ue25fxvafdnirpgoqtdv7l1u?response-content-disposition=inline%3B%20filename%3D%22The%20State%20of%20Non-Human%20Identity%20Security%2020240917.pdf%22%3B%20filename%2A%3DUTF-8%27%27The%2520State%2520of%2520Non-Human%2520Identity%2520Security%252020240917.pdf&amp;response-content-type=application%2Fpdf&amp;X-Amz-Algorithm=AWS4-HMAC-SHA256&amp;X-Amz-Credential=AKIAS6XDIRHKHO4F5SU4%2F20241211%2Fus-east-1%2Fs3%2Faws4_request&amp;X-Amz-Date=20241211T163927Z&amp;X-Amz-Expires=300&amp;X-Amz-SignedHeaders=host&amp;X-Amz-Signature=394370ac74a7a3f24385341bdee52ca01958c4859595f1f9969ffefdaa6d6f2f">CSA NHI Report</a></li>
</ul>
</li>
<li><a href="https://s3.amazonaws.com/content-production.cloudsecurityalliance/22j8ue25fxvafdnirpgoqtdv7l1u?response-content-disposition=inline%3B%20filename%3D%22The%20State%20of%20Non-Human%20Identity%20Security%2020240917.pdf%22%3B%20filename%2A%3DUTF-8%27%27The%2520State%2520of%2520Non-Human%2520Identity%2520Security%252020240917.pdf&amp;response-content-type=application%2Fpdf&amp;X-Amz-Algorithm=AWS4-HMAC-SHA256&amp;X-Amz-Credential=AKIAS6XDIRHKHO4F5SU4%2F20241211%2Fus-east-1%2Fs3%2Faws4_request&amp;X-Amz-Date=20241211T163927Z&amp;X-Amz-Expires=300&amp;X-Amz-SignedHeaders=host&amp;X-Amz-Signature=394370ac74a7a3f24385341bdee52ca01958c4859595f1f9969ffefdaa6d6f2f">CSA NHI Report</a><ul>
<li>38% answers put supply chain attacks as one of the top 3 most concerning NHI threats. (2/10)</li>
<li>16% answers put malicious suppliers as one of the top 3 most concerning NHI threats. (9/10)</li>
<li>29% of times compromised external integrations were the cause for NHI-related security incidents. (7/10)</li>
<li>21% of organizations put managing requests for third-party tools and services as most challenging to manage. (10/16)</li>
<li>26% of organizations need visibility into third-party vendors as the most important capability of an NHI tool. (1/16)</li>
<li>38% of organizations reported limited to no visibility into third-party vendors.</li>
<li>Recent Breaches</li>
</ul>
</li>
<li>Recent Breaches<ul>
<li>Sisense Breach - <a href="https://medium.com/@ronilichtman/making-sense-out-of-the-sisense-hack-f61a3d9b80a7">link</a></li>
</ul>
</li>
</ul>



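Review bot: two link defects survive in the added lines of this hunk. The Datadog entry keeps the URL wrapped in literal parentheses, `href="(https://www.datadoghq.com/state-of-cloud-security/)"`, which a browser resolves as a relative path under the page rather than as the external site, and the CSA entry keeps the pre-signed S3 URL (X-Amz-Expires=300, dated 20241211) that 2025/2-secret-leakage/index.html replaces with https://cloudsecurityalliance.org/artifacts/state-of-non-human-identity-security-survey-report in this same commit. Both should be corrected in the source behind 9ca8d0a, since this file is generated output. Wording nits in the retained bullets: "3d-party" should read "third-party", and "third party integration to AWS are" should read "third-party integrations with AWS are".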
12 changes: 9 additions & 3 deletions 2025/5-overprivileged-nhi/index.html
Expand Up @@ -790,19 +790,25 @@ <h2 id="references">References<a class="headerlink" href="#references" title="Pe
</ul>
<h2 id="data-points">Data points<a class="headerlink" href="#data-points" title="Permanent link">&para;</a></h2>
<ul>
<li><a href="https://www.datadoghq.com/state-of-cloud-security/">Datadog State of the Cloud 2024</a></li>
<li><a href="https://www.datadoghq.com/state-of-cloud-security/">Datadog State of the Cloud 2024</a><ul>
<li>17.6% have excessive data access, such as listing and accessing data from all S3 buckets in the account</li>
<li>10% of clusters have a dangerous node role that has full administrator access, allows for privilege escalation, has overly permissive data access (e.g., all S3 buckets), or allows for lateral movement across all workloads in the account</li>
<li>Over one in three Google Cloud VMs (33%) have sensitive permissions to a project</li>
<li><a href="https://s3.amazonaws.com/content-production.cloudsecurityalliance/22j8ue25fxvafdnirpgoqtdv7l1u?response-content-disposition=inline%3B%20filename%3D%22The%20State%20of%20Non-Human%20Identity%20Security%2020240917.pdf%22%3B%20filename%2A%3DUTF-8%27%27The%2520State%2520of%2520Non-Human%2520Identity%2520Security%252020240917.pdf&amp;response-content-type=application%2Fpdf&amp;X-Amz-Algorithm=AWS4-HMAC-SHA256&amp;X-Amz-Credential=AKIAS6XDIRHKHO4F5SU4%2F20241211%2Fus-east-1%2Fs3%2Faws4_request&amp;X-Amz-Date=20241211T163927Z&amp;X-Amz-Expires=300&amp;X-Amz-SignedHeaders=host&amp;X-Amz-Signature=394370ac74a7a3f24385341bdee52ca01958c4859595f1f9969ffefdaa6d6f2f">CSA NHI Report</a> </li>
</ul>
</li>
<li><a href="https://cloudsecurityalliance.org/artifacts/state-of-non-human-identity-security-survey-report">CSA NHI Report</a> <ul>
<li>33% answers put over-privileged accounts as one of the top 3 most concerning NHI threats (3/10)</li>
<li>37% of times over-privileged identities were the cause for NHI-related security incidents (2/10)</li>
<li>22% of organizations need managing permissions as the most important capability of an NHI tool (5/16)</li>
<li>26% of organizations believe that over 50% of their service accounts are over-privileged</li>
<li><a href="https://orca.security/wp-content/uploads/2022/09/2022-State-of-Public-Cloud-Security-Report.pdf">Orca Security State of the Cloud Security report 2022</a></li>
</ul>
</li>
<li><a href="https://orca.security/wp-content/uploads/2022/09/2022-State-of-Public-Cloud-Security-Report.pdf">Orca Security State of the Cloud Security report 2022</a><ul>
<li>44% of environments have at least one privileged identity access management (IAM) role.</li>
<li>23% have at least one EC2 Instance with Administrator IAM role.</li>
</ul>
</li>
</ul>



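Review bot: wording nit in the retained Orca bullet, "at least one privileged identity access management (IAM) role" should read "at least one privileged Identity and Access Management (IAM) role". Otherwise the nesting matches the 3-vulnerable-third-party-nhi and 7-long-lived-secrets hunks, and this page, unlike the third-party page, already points at the canonical CSA artifact URL instead of the expired pre-signed S3 link.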
12 changes: 9 additions & 3 deletions 2025/7-long-lived-secrets/index.html
Expand Up @@ -780,17 +780,23 @@ <h2 id="references">References<a class="headerlink" href="#references" title="Pe
</ul>
<h2 id="data-points">Data points<a class="headerlink" href="#data-points" title="Permanent link">&para;</a></h2>
<ul>
<li><a href="https://www.datadoghq.com/state-of-cloud-security/">Datadog State of the Cloud 2024</a></li>
<li><a href="https://www.datadoghq.com/state-of-cloud-security/">Datadog State of the Cloud 2024</a><ul>
<li>46% of AWS orgs users use long-lived console credentials</li>
<li>60% of keys across cloud providers have age &gt; 1 year</li>
<li><a href="https://s3.amazonaws.com/content-production.cloudsecurityalliance/22j8ue25fxvafdnirpgoqtdv7l1u?response-content-disposition=inline%3B%20filename%3D%22The%20State%20of%20Non-Human%20Identity%20Security%2020240917.pdf%22%3B%20filename%2A%3DUTF-8%27%27The%2520State%2520of%2520Non-Human%2520Identity%2520Security%252020240917.pdf&amp;response-content-type=application%2Fpdf&amp;X-Amz-Algorithm=AWS4-HMAC-SHA256&amp;X-Amz-Credential=AKIAS6XDIRHKHO4F5SU4%2F20241211%2Fus-east-1%2Fs3%2Faws4_request&amp;X-Amz-Date=20241211T163927Z&amp;X-Amz-Expires=300&amp;X-Amz-SignedHeaders=host&amp;X-Amz-Signature=394370ac74a7a3f24385341bdee52ca01958c4859595f1f9969ffefdaa6d6f2f">CSA NHI Report</a> </li>
</ul>
</li>
<li><a href="hhttps://cloudsecurityalliance.org/artifacts/state-of-non-human-identity-security-survey-report">CSA NHI Report</a> <ul>
<li>45% of times lack of credential rotation were the cause for NHI-related security incidents (1/10)</li>
<li>26% of organizations need management of secrets lifecycle as the most important capability of an NHI tool (1/16)</li>
<li>51% of organizations have no formal process to offboard or revoke long-lived API keys</li>
<li><a href="https://orca.security/wp-content/uploads/2022/09/2022-State-of-Public-Cloud-Security-Report.pdf">Orca Security State of the Cloud Security report 2022</a></li>
</ul>
</li>
<li><a href="https://orca.security/wp-content/uploads/2022/09/2022-State-of-Public-Cloud-Security-Report.pdf">Orca Security State of the Cloud Security report 2022</a><ul>
<li>80% of organizations have KMS rotation disabled</li>
<li>79% of organizations have at least one access key older than 90 days</li>
</ul>
</li>
</ul>



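Review bot: the new CSA href in this hunk is broken by a doubled scheme, `href="hhttps://cloudsecurityalliance.org/artifacts/state-of-non-human-identity-security-survey-report"`; with no recognised scheme the browser treats it as a relative path under /2025/7-long-lived-secrets/, so the link returns a 404. Fix it to `https://` in the source behind 9ca8d0a (this file is generated output); the same link in 2025/2-secret-leakage/index.html and 2025/5-overprivileged-nhi/index.html is spelled correctly in this commit and can be copied.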
2 changes: 1 addition & 1 deletion 2025/search/search_index.json
Binary file modified 2025/sitemap.xml.gz
2 changes: 1 addition & 1 deletion 404.html
Expand Up @@ -695,7 +695,7 @@ <h2>Corporate Supporters</h2>
</ul>
</nav>
<p class="disclaimer">
OWASP, the OWASP logo, and Global AppSec are registered trademarks and AppSec Days, AppSec California, AppSec Cali, SnowFROC, and LASCON are trademarks of the OWASP Foundation, Inc. Unless otherwise specified, all content on the site is Creative Commons Attribution-ShareAlike v4.0 and provided without warranty of service or accuracy. For more information, please refer to our <a href="/www-policy/operational/general-disclaimer.html">General Disclaimer</a>. OWASP does not endorse or recommend commercial products or services, allowing our community to remain vendor neutral with the collective wisdom of the best minds in software security worldwide. Copyright 2024, OWASP Foundation, Inc.
OWASP, the OWASP logo, and Global AppSec are registered trademarks and AppSec Days, AppSec California, AppSec Cali, SnowFROC, and LASCON are trademarks of the OWASP Foundation, Inc. Unless otherwise specified, all content on the site is Creative Commons Attribution-ShareAlike v4.0 and provided without warranty of service or accuracy. For more information, please refer to our <a href="/www-policy/operational/general-disclaimer.html">General Disclaimer</a>. OWASP does not endorse or recommend commercial products or services, allowing our community to remain vendor neutral with the collective wisdom of the best minds in software security worldwide. Copyright 2025, OWASP Foundation, Inc.
</p>
</section>
</footer>
24 changes: 6 additions & 18 deletions index.html
Expand Up @@ -617,23 +617,6 @@ <h2 id="nhi-top-10---2025----a-sneak-peak">NHI Top 10 - 2025 - A sneak peak</h2

<p>During application development and maintenance, developers or administrators may misuse NHIs for manual tasks that should be performed using individual human identities with appropriate privileges. This practice introduces significant security risks such as elevated privileges for NHIs, lack of auditing and accountability due to indistinguishable activity between humans and automation.
<a href="/www-project-non-human-identities-top-10/2025/10-human-use-of-nhi/">Read More »</a></p>

<h2 id="project-road-map">Project Road Map</h2>
<ol>
<li>Submission of project proposal ✓</li>
<li>Reaching out to prominent contributors of the identity security space ✓</li>
<li>Mapping out top risks ✓</li>
<li>Data collection on chosen risks ✓
<ul>
<li>A public survey co-operated with Cloud Security Alliance (CSA)</li>
<li>Data assessment on real-life environments and platforms</li>
<li>Public data collection of zero-day vulnerabilities</li>
</ul>
</li>
<li>Aggregation of data and risk scoring ✓</li>
<li>Final draft of the top 10 risks alongside above Documentation efforts ✓</li>
<li>Round-table together with contributors and leaders to construct roadmap towards project review and graduation to a Lab project. (ongoing)</li>
</ol>

</section>

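Review bot: the Project Road Map section is deleted outright here with no replacement visible anywhere in this diff, so the site loses the record that steps 1 to 6 are complete and that the round-table towards Lab-project graduation is still ongoing. If the roadmap moved to its own tab page (the way the contributors table lives in tab_contributors.html), that page should appear in this deploy; if the removal is intentional, the source commit 9ca8d0a should say so, since the generated message "deploy: 9ca8d0a" gives no rationale.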
Expand Down Expand Up @@ -781,6 +764,11 @@ <h2 id="contributors">Contributors</h2>
<td>Orca Security</td>
<td><a href="https://www.linkedin.com/in/bar-kaduri">LinkedIn</a></td>
</tr>
<tr>
<td>Yonatan Yosef</td>
<td>Orca Security</td>
<td><a href="https://www.linkedin.com/in/yonatan-yosef-93a028188/">LinkedIn</a></td>
</tr>
</tbody>
</table>

Expand Down Expand Up @@ -1091,7 +1079,7 @@ <h2>Corporate Supporters</h2>
</ul>
</nav>
<p class="disclaimer">
OWASP, the OWASP logo, and Global AppSec are registered trademarks and AppSec Days, AppSec California, AppSec Cali, SnowFROC, and LASCON are trademarks of the OWASP Foundation, Inc. Unless otherwise specified, all content on the site is Creative Commons Attribution-ShareAlike v4.0 and provided without warranty of service or accuracy. For more information, please refer to our <a href="/www-policy/operational/general-disclaimer.html">General Disclaimer</a>. OWASP does not endorse or recommend commercial products or services, allowing our community to remain vendor neutral with the collective wisdom of the best minds in software security worldwide. Copyright 2024, OWASP Foundation, Inc.
OWASP, the OWASP logo, and Global AppSec are registered trademarks and AppSec Days, AppSec California, AppSec Cali, SnowFROC, and LASCON are trademarks of the OWASP Foundation, Inc. Unless otherwise specified, all content on the site is Creative Commons Attribution-ShareAlike v4.0 and provided without warranty of service or accuracy. For more information, please refer to our <a href="/www-policy/operational/general-disclaimer.html">General Disclaimer</a>. OWASP does not endorse or recommend commercial products or services, allowing our community to remain vendor neutral with the collective wisdom of the best minds in software security worldwide. Copyright 2025, OWASP Foundation, Inc.
</p>
</section>
</footer>
5 changes: 5 additions & 0 deletions tab_contributors.html
Expand Up @@ -61,5 +61,10 @@ <h2 id="contributors">Contributors</h2>
<td>Orca Security</td>
<td><a href="https://www.linkedin.com/in/bar-kaduri">LinkedIn</a></td>
</tr>
<tr>
<td>Yonatan Yosef</td>
<td>Orca Security</td>
<td><a href="https://www.linkedin.com/in/yonatan-yosef-93a028188/">LinkedIn</a></td>
</tr>
</tbody>
</table>

0 comments on commit 26aa8e4