Application development infrastructure is full of significant security risks, with research by Legit Security finding high or critical risks in the developer environments of every company it examined.
The security company's report into the state of application risk found flaws in applications but also the "software factories" that make them. The report is based on data from its own platform, looking at a range of organizations from large to small, across various industries.
Legit said application security is no longer simply about spotting flaws in source code, noting that the attack surface for applications has grown and diversified.
"With software development that is faster, more automated, more dynamic, and highly reliant on third parties, new opportunities to introduce risk abound."
According to the report, 89% of companies have pipeline misconfiguration issues and 46% are using AI models in source code in a risky way. Notably, security teams are actually unaware where AI is in use, making the booming technology an emerging threat for application security.
"Our research uncovered great risks everywhere throughout the development process," said Liav Caspi, Legit CTO and co-founder.
"These results highlight that teams are overlooking risks in their development environments and CI/CD pipelines, and are inviting the next supply chain attack by neglecting critical security hygiene."
Leaking secrets
The report found that all organizations on its platform had three or more application risks, but only two-thirds had public repositories with two or more risks. Those included exposed information that should have been secret, like cloud keys, GitHub personal access tokens, and even personal information such as credit card numbers.
Such data was often found in source code that could be accessed by any user with access to a repository, such as an external supplier or anyone if it was made public.
But a third of that information was actually outside source code and found in documentation and collaboration tools like Confluence or in ticketing systems.
Legit advised companies not to hard-code "secrets" into source code by using a password manager or environment variable.
"To prevent exposed secrets, focus first on SaaS services keys (e.g., AWS access keys), since if code is leaked, credentials to SaaS services are immediately usable if they are valid, whereas internal credentials require attackers to also have network connectivity," the report added.
Another challenge is giving too much access: the report found 85% of development teams are over-permissioned, while 23% of repositories across organisations have external suppliers or collaborators with admin privileges in places they shouldn't.
The wrong tools
The study also found that most companies use inefficient application security scanning, with 78% using duplicate software composition analysis scanners that would produce the exact same results, and 39% having duplicate static application security testing scanners.
Legit pinned this on developers working in different parts of the business using free versions of scanners, noting that would be exacerbated by mergers and acquisitions.
"To make an analogy, it’s as if they are preparing delicious, innovative dishes, in a kitchen with rusty, dirty, malfunctioning equipment," Caspi added.
"Most security teams today don’t have the visibility or the context they need to identify risk outside of source code or to effectively triage AppSec findings."
