Application development infrastructure is full of significant security risks, with research by Legit Security finding high or critical risks in the developer environments of every company it examined.
The security company's report into the state of application risk found flaws in applications but also the "software factories" that make them. The report is based on data from its own platform, looking at a range of organizations from large to small, across various industries.
Legit said application security is no longer simply about spotting flaws in source code, noting that the attack surface for applications has grown and diversified.
"With software development that is faster, more automated, more dynamic, and highly reliant on third parties, new opportunities to introduce risk abound."
According to the report, 89% of companies have pipeline misconfiguration issues and 46% are using AI models in source code in a risky way. Notably, security teams are actually unaware where AI is in use, making the booming technology an emerging threat for application security.
"Our research uncovered great risks everywhere throughout the development process," said Liav Caspi, Legit CTO and co-founder.
"These results highlight that teams are overlooking risks in their development environments and CI/CD pipelines, and are inviting the next supply chain attack by neglecting critical security hygiene."
Leaking secrets
The report found that all organizations on its platform had three or more application risks, but only two-thirds had public repositories with two or more risks. Those included exposed information that should have been secret, like cloud keys, GitHub personal access tokens, and even personal information such as credit card numbers.
Such data was often found in source code that could be accessed by any user with access to a repository, such as an external supplier or anyone if it was made public.
But a third of that information was actually outside source code and found in documentation and collaboration tools like Confluence or in ticketing systems.
RELATED WHITEPAPER
Legit advised companies not to hard-code "secrets" into source code by using a password manager or environment variable.
"To prevent exposed secrets, focus first on SaaS services keys (e.g., AWS access keys), since if code is leaked, credentials to SaaS services are immediately usable if they are valid, whereas internal credentials require attackers to also have network connectivity," the report added.
Another challenge is giving too much access: the report found 85% of development teams are over-permissioned, while 23% of repositories across organisations have external suppliers or collaborators with admin privileges in places they shouldn't.
The wrong tools
The study also found that most companies use inefficient application security scanning, with 78% using duplicate software composition analysis scanners that would produce the exact same results, and 39% having duplicate static application security testing scanners.
Legit pinned this on developers working in different parts of the business using free versions of scanners, noting that would be exacerbated by mergers and acquisitions.
"To make an analogy, it’s as if they are preparing delicious, innovative dishes, in a kitchen with rusty, dirty, malfunctioning equipment," Caspi added.
"Most security teams today don’t have the visibility or the context they need to identify risk outside of source code or to effectively triage AppSec findings."
-
Healthcare organizations are turning a blind eye to phishing attacksNews A survey reveals that most attacks go unreported, putting patient data at risk
-
Datatonic expands global services with Syntio acquisitionNews The move marks a “key step” in Datatonic’s efforts to expand its global reach and service capabilities
-
Simplifying Password Management eBook -
Living off the Land eBook -
The Public Sector's Guide to Privilege and Password Management -
Zero Standing Privilege: Automating Cybersecurity Without Disrupting Productivitywhitepaper
-
‘We are now a full-fledged powerhouse’: Two years on from its Series B round, Hack the Box targets further growth with AI-powered cyber training programs and new market opportunitiesNews Hack the Box has grown significantly in the last two years, and it shows no signs of slowing down
-
Cyber attacks against UK firms dropped by 10% last year, but experts say don't get complacentNews More than four-in-ten UK businesses were hit by a cyber attack last year, marking a decrease on the year prior – but security experts have warned enterprises to still remain vigilant.
-
Law enforcement needs to fight fire with fire on AI threatsNews UK law enforcement agencies have been urged to employ a more proactive approach to AI-related cyber crime as threats posed by the technology accelerate.
-
Have I Been Pwned owner Troy Hunt’s mailing list compromised in phishing attackTroy Hunt, the security blogger behind data-breach site Have I Been Pwned, has fallen victim to a phishing attack targeting his email subscriber list.
