Developers can't get a handle on application security risks
A Legit Security report found critical risks across every company it looked at


Application development infrastructure is full of significant security risks, with research by Legit Security finding high or critical risks in the developer environments of every company it examined.
The security company's report into the state of application risk found flaws in applications but also the "software factories" that make them. The report is based on data from its own platform, looking at a range of organizations from large to small, across various industries.
Legit said application security is no longer simply about spotting flaws in source code, noting that the attack surface for applications has grown and diversified.
"With software development that is faster, more automated, more dynamic, and highly reliant on third parties, new opportunities to introduce risk abound."
According to the report, 89% of companies have pipeline misconfiguration issues and 46% are using AI models in source code in a risky way. Notably, security teams are often unaware of where AI is in use at all, making the booming technology an emerging threat for application security.
"Our research uncovered great risks everywhere throughout the development process," said Liav Caspi, Legit CTO and co-founder.
"These results highlight that teams are overlooking risks in their development environments and CI/CD pipelines, and are inviting the next supply chain attack by neglecting critical security hygiene."
Leaking secrets
The report found that all organizations on its platform had three or more application risks, and that two-thirds had public repositories carrying two or more risks. Those risks included exposed information that should have been secret, such as cloud keys and GitHub personal access tokens, and even personal data such as credit card numbers.
Such data was often found in source code readable by any user with access to the repository, such as an external supplier, or by anyone at all if the repository was public.
But a third of that information was actually outside source code and found in documentation and collaboration tools like Confluence or in ticketing systems.
Legit advised companies not to hard-code "secrets" into source code, and instead to keep them in a password manager or supply them through environment variables.
"To prevent exposed secrets, focus first on SaaS services keys (e.g., AWS access keys), since if code is leaked, credentials to SaaS services are immediately usable if they are valid, whereas internal credentials require attackers to also have network connectivity," the report added.
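The two findings above, that secrets turn up in documentation and ticketing systems as well as in source, and that SaaS service keys should be triaged first, can be turned into a small scan. The following is an added example written for this article, not code from Legit Security or its platform: the patterns, the `src/` convention for "source code" and the sample files are all constructed for the demo, and the key and card values are the publicly documented test values (the AWS docs' example key and the 4111... Visa test number), not real credentials.

```python
"""Added example: a minimal secret scanner that prioritises SaaS keys and
covers text outside source code. Patterns are illustrative; production
scanners (gitleaks, trufflehog, etc.) carry far more and are better tuned."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed patterns for the three secret types the report names.
AWS_KEY_RE = re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")        # AWS access key ID
GITHUB_PAT_RE = re.compile(r"\bghp_[A-Za-z0-9]{36}\b")          # classic GitHub PAT
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")                  # candidate card PAN

# Assumption for the demo: anything under src/ is "source code"; everything
# else (Confluence pages, Jira tickets) is the documentation/collaboration
# material the report says holds a third of exposed secrets.
SOURCE_PREFIXES = ("src/",)


@dataclass
class Finding:
    kind: str
    location: str
    priority: int   # 1 = SaaS key usable immediately if leaked; 2 = everything else
    excerpt: str    # masked, so the scan report itself never re-leaks the secret


def mask(value: str) -> str:
    """Keep only the first and last four characters of a matched secret."""
    return value[:4] + "..." + value[-4:] if len(value) > 8 else "***"


def luhn_ok(number: str) -> bool:
    """Luhn checksum, used to drop digit runs that are not real card numbers."""
    digits = [int(c) for c in number if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_text(text: str, location: str) -> list[Finding]:
    found: list[Finding] = []
    for m in AWS_KEY_RE.finditer(text):
        found.append(Finding("aws_access_key", location, 1, mask(m.group(0))))
    for m in GITHUB_PAT_RE.finditer(text):
        found.append(Finding("github_pat", location, 1, mask(m.group(0))))
    for m in CARD_RE.finditer(text):
        raw = re.sub(r"\D", "", m.group(0))
        if luhn_ok(raw):        # Luhn filter removes most ID/reference numbers
            found.append(Finding("card_number", location, 2, mask(raw)))
    return found


def scan_corpus(corpus: dict[str, str]) -> list[Finding]:
    """Scan every document and order the result SaaS keys first."""
    findings: list[Finding] = []
    for location, text in corpus.items():
        findings.extend(scan_text(text, location))
    return sorted(findings, key=lambda f: (f.priority, f.location))


def outside_source(findings: list[Finding]) -> list[Finding]:
    """Findings that live in docs or tickets rather than in the code base."""
    return [f for f in findings if not f.location.startswith(SOURCE_PREFIXES)]


# Constructed sample corpus: two source files, one wiki page, one ticket.
SAMPLE_CORPUS = {
    "src/app/config.py": 'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\nDEBUG = True\n',
    "src/ci/deploy.sh": "curl -H 'Authorization: token ghp_0123456789abcdefghijklmnopqrstuvwxyz' "
                        "https://api.github.com/repos/example/app/deployments\n",
    "confluence/Runbooks/Payments.md": "Test card on file: 4111 1111 1111 1111 (exp 12/29)\n",
    "jira/PAY-1234.txt": "Customer ref 1234 5678 9012 3456, no PAN in this ticket.\n",
}

if __name__ == "__main__":
    for f in scan_corpus(SAMPLE_CORPUS):
        print(f"P{f.priority} {f.kind:15} {f.location:32} {f.excerpt}")
    print(f"{len(outside_source(scan_corpus(SAMPLE_CORPUS)))} finding(s) outside source code")
```

Run as-is, it reports the AWS key and GitHub token (priority 1) before the card number found in the Confluence runbook, and drops the Jira reference number because it fails the Luhn check. The masked `excerpt` is deliberate: a scanner that writes full secrets into its own output just moves the leak into the SIEM or ticket queue.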
Another challenge is granting too much access: the report found 85% of development teams are over-permissioned, while 23% of repositories across organizations have external suppliers or collaborators holding admin privileges where they should not.
The wrong tools
The study also found that most companies use inefficient application security scanning, with 78% using duplicate software composition analysis scanners that would produce the exact same results, and 39% having duplicate static application security testing scanners.
Legit pinned this on developers in different parts of the business adopting free versions of scanners independently, noting that this would be exacerbated by mergers and acquisitions.
"To make an analogy, it’s as if they are preparing delicious, innovative dishes, in a kitchen with rusty, dirty, malfunctioning equipment," Caspi added.
"Most security teams today don’t have the visibility or the context they need to identify risk outside of source code or to effectively triage AppSec findings."
Freelance journalist Nicole Kobie first started writing for ITPro in 2007, with bylines in New Scientist, Wired, PC Pro and many more.
Nicole is the author of a book about the history of technology, The Long History of the Future.