Securing non-human identities: automated revocation, OAuth, and scoped permissions
Blog post from Cloudflare
Agents speed up application development, but these environments must be secured against both mistakes and malicious activity. The Open Web Application Security Project (OWASP) highlights risks such as credential leaks and user impersonation in agentic AI systems; if realized, these risks can cause significant damage, including denial of service or data leaks.

Securing these environments means managing the lifecycle of non-human identities, such as agents and scripts: protecting credentials, ensuring visibility through OAuth, and applying granular role-based access control (RBAC). Cloudflare introduces updates covering each of these: scannable tokens for credential protection, OAuth improvements for managing third-party access, and resource-scoped RBAC for precise permission allocation.

Through partnerships such as GitHub's Secret Scanning program, Cloudflare enhances its ability to detect leaked tokens and prevent unauthorized use. Resource-level permissions and new roles allow finer control over access, adhering to the principle of least privilege. Together, these measures aim to ensure that only necessary permissions are granted, minimizing potential risks in an increasingly autonomous digital environment.