Application development infrastructure is full of significant security risks, with research by Legit Security finding high or critical risks in the developer environments of every company it examined.
The security company's report into the state of application risk found flaws in applications but also the "software factories" that make them. The report is based on data from its own platform, looking at a range of organizations from large to small, across various industries.
Legit said application security is no longer simply about spotting flaws in source code, noting that the attack surface for applications has grown and diversified.
"With software development that is faster, more automated, more dynamic, and highly reliant on third parties, new opportunities to introduce risk abound."
According to the report, 89% of companies have pipeline misconfiguration issues and 46% are using AI models in source code in a risky way. Notably, security teams are actually unaware where AI is in use, making the booming technology an emerging threat for application security.
"Our research uncovered great risks everywhere throughout the development process," said Liav Caspi, Legit CTO and co-founder.
"These results highlight that teams are overlooking risks in their development environments and CI/CD pipelines, and are inviting the next supply chain attack by neglecting critical security hygiene."
Leaking secrets
The report found that all organizations on its platform had three or more application risks, but only two-thirds had public repositories with two or more risks. Those included exposed information that should have been secret, like cloud keys, GitHub personal access tokens, and even personal information such as credit card numbers.
Such data was often found in source code that could be accessed by any user with access to a repository, such as an external supplier or anyone if it was made public.
But a third of that information was actually outside source code and found in documentation and collaboration tools like Confluence or in ticketing systems.
RELATED WHITEPAPER
Legit advised companies not to hard-code "secrets" into source code by using a password manager or environment variable.
"To prevent exposed secrets, focus first on SaaS services keys (e.g., AWS access keys), since if code is leaked, credentials to SaaS services are immediately usable if they are valid, whereas internal credentials require attackers to also have network connectivity," the report added.
Another challenge is giving too much access: the report found 85% of development teams are over-permissioned, while 23% of repositories across organisations have external suppliers or collaborators with admin privileges in places they shouldn't.
The wrong tools
The study also found that most companies use inefficient application security scanning, with 78% using duplicate software composition analysis scanners that would produce the exact same results, and 39% having duplicate static application security testing scanners.
Legit pinned this on developers working in different parts of the business using free versions of scanners, noting that would be exacerbated by mergers and acquisitions.
"To make an analogy, it’s as if they are preparing delicious, innovative dishes, in a kitchen with rusty, dirty, malfunctioning equipment," Caspi added.
"Most security teams today don’t have the visibility or the context they need to identify risk outside of source code or to effectively triage AppSec findings."
-
Security experts issue warning over the rise of 'gray bot' AI web scrapersNews While not malicious, the bots can overwhelm web applications in a way similar to bad actors
-
Does speech recognition have a future in business tech?Once a simple tool for dictation, speech recognition is being revolutionized by AI to improve customer experiences and drive inclusivity in the workforce
-
Law enforcement needs to fight fire with fire on AI threatsNews UK law enforcement agencies have been urged to employ a more proactive approach to AI-related cyber crime as threats posed by the technology accelerate.
-
Have I Been Pwned owner Troy Hunt’s mailing list compromised in phishing attackTroy Hunt, the security blogger behind data-breach site Have I Been Pwned, has fallen victim to a phishing attack targeting his email subscriber list.
-
300 days under the radar: How Volt Typhoon eluded detection in the US electric grid for nearly a yearAnalysis Lengthy OT lifespans give attackers time to penetrate networks underpinning critical infrastructure and plan future disruption
-
Cybersecurity teams face unparalleled pressure, but they’re stepping up to the plateNews While cybersecurity teams are contending with rising workloads and chronic staffing issues, new research shows practitioners are still charging ahead and meeting targets.
-
There’s a new ransomware player on the scene: the ‘BlackLock’ group has become one of the most prolific operators in the cyber crime industry – and researchers warn it’s only going to get worse for potential victimsNews Security experts have warned the BlackLock group could become the most active ransomware operator in 2025
-
Unlock profitability with Cove Data ProtectionWhitepaper Agile risk management starts with a common language
-
Ransomware missteps that can cost youWhitepaper Agile risk management starts with a common language
-
The big book of selling data protectionWhitepaper Agile risk management starts with a common language
