Legit Security's 2025 Application Risk Report Highlights Alarming Security Gaps Across Organizations

Understanding the 2025 State of Application Risk Report



On January 23, 2025, Legit Security unveiled its latest research report, titled The 2025 State of Application Risk: An ASPM View of the Security of Software Factories. This report underscores an alarming trend in application security: 100% of organizations have identified high or critical risks in their development environments.

Key Findings



The findings reveal that the vulnerabilities associated with code represent only the surface of the issue. Much deeper, within development pipelines, build servers, libraries, tools, and processes, lie even greater risks. This highlights a profound challenge that organizations face today, making it increasingly difficult for security teams to adequately safeguard their applications without the right tools and data.

Inefficient Application Security Scanning


The report notes that scanning for application security vulnerabilities is highly inefficient. A staggering 78% of organizations run duplicate Software Composition Analysis (SCA) scanners, while 39% run duplicate Static Application Security Testing (SAST) scanners. Overlapping scanners report the same findings twice, often with different severities and fix recommendations, which produces contradictory remediation advice and further complicates the security landscape.

Secrets Exposure as a Pervasive Issue


Legit Security's research identified a worrying trend regarding the exposure of secrets. All surveyed organizations reported high or critical secrets exposed within their code. Alarmingly, 36% of these secrets are located outside of the source code—a critical oversight that could have severe repercussions if left unaddressed.
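The "outside of the source code" point is worth making concrete: secrets that a source-only scanner never sees sit in CI workflow files, Dockerfiles, build scripts and environment files. The following is an added example, not code from the report or from Legit Security: a small scanner run over a constructed in-memory "repository" (the file paths and the credential-looking values are made up; the AWS key is the documentation example key) that tags each hit with where in the software factory it was found and reports the share of hits outside source files. It combines two checks a practitioner would use in practice, a format-specific pattern for known key shapes and a keyword pattern gated by a Shannon-entropy threshold so that placeholders such as "changeme" and references such as "${{ secrets.X }}" are not reported.

```python
import math
import re
from collections import Counter

# Constructed sample repository (path -> contents). Every file and value here
# is made up for this example; none comes from the report or a real project.
SAMPLE_FILES = {
    "src/app.py": 'DB_URL = os.environ["DB_URL"]\n',                 # clean: reads from env
    "src/config.py": 'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n',  # AWS docs example key
    ".github/workflows/deploy.yml": (
        "env:\n"
        "  GH_TOKEN: ${{ secrets.GH_TOKEN }}\n"                        # reference, not a literal
        "  NPM_TOKEN: npm_Qx7pL2mR9vK4tW8nJ3hB6yF1dZ5cA0sE\n"          # hard-coded literal
    ),
    "Dockerfile": "ENV STRIPE_API_KEY=sk_live_xK9mQ2vL7nR4tB8wJ3hF6yD1\n",
    "scripts/build.sh": 'export ARTIFACTORY_PASSWORD="p@ssw0rd123"\n',
    ".env.production": "JWT_SECRET=8f3kPq2LmZ7vRt9WxB4nH6yJ1dC5sA0e\n",
    "docs/setup.md": "Set DB_PASSWORD=changeme before the first run.\n",  # placeholder
}

# Detection rules. The first is format-specific (AWS access key IDs always
# start with AKIA + 16 uppercase alphanumerics); the second is a keyword rule
# whose captured value (group 2) is gated by an entropy check below.
PATTERNS = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("generic-credential", re.compile(
        r"(?i)(secret|password|token|api[_-]?key)\s*[:=]\s*['\"]?([^'\"\s]{8,})")),
]
MIN_ENTROPY = 3.0  # bits per character; below this a value is treated as a placeholder

SOURCE_SUFFIXES = (".py", ".js", ".ts", ".go", ".java", ".rb", ".cs")


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def classify_location(path):
    """Map a repository path to the part of the software factory it belongs to."""
    name = path.rsplit("/", 1)[-1]
    if path.startswith(".github/workflows/") or name in (".gitlab-ci.yml", "Jenkinsfile"):
        return "ci-config"
    if name == "Dockerfile" or name.endswith(".dockerfile"):
        return "container-build"
    if name.endswith(".sh"):
        return "build-script"
    if name.startswith(".env"):
        return "env-file"
    if name.endswith(SOURCE_SUFFIXES):
        return "source"
    return "docs-or-other"


def scan(files):
    """Return one finding per line that holds a literal credential-looking value."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            for kind, pattern in PATTERNS:
                m = pattern.search(line)
                if not m:
                    continue
                value = m.group(m.lastindex or 0)
                # Keyword hits on low-entropy values are placeholders, not secrets.
                if kind == "generic-credential" and shannon_entropy(value) < MIN_ENTROPY:
                    continue
                findings.append({
                    "path": path,
                    "line": lineno,
                    "kind": kind,
                    "location": classify_location(path),
                    "redacted": value[:4] + "***",  # never log the full value
                })
                break  # one finding per line is enough
    return findings


def summarize(findings):
    """Count findings and the share that live outside source files."""
    total = len(findings)
    outside = sum(1 for f in findings if f["location"] != "source")
    return {"total": total, "outside_source": outside,
            "share_outside": outside / total if total else 0.0}


if __name__ == "__main__":
    results = scan(SAMPLE_FILES)
    for f in results:
        print(f"{f['location']:16} {f['path']}:{f['line']}  {f['kind']}  {f['redacted']}")
    print(summarize(results))
```

On this constructed input, only one of the five hits is in a source file; the other four are in the workflow, the Dockerfile, the build script and the environment file, which is exactly the population a source-only scan misses. The workflow line that references a CI secret and the documentation placeholder produce no finding.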

Emergence of GenAI Risks


The growing use of AI models inside applications poses a new challenge. Approximately 46% of organizations that use AI models in their source code are doing so in a risky manner. Pulling in low-reputation Large Language Models (LLMs) can introduce malicious code or expose the organization to data exfiltration, a new frontier in application security threats.

Rampant Misconfigurations


Misconfigurations are an ongoing concern, affecting 89% of organizations. These issues are potential pathways to breaches, as in the 2021 Codecov incident, where an error in Codecov's Docker image creation process exposed a credential that let attackers modify its Bash Uploader script.

Developer Permissions and Toxic Combinations


Another significant risk identified is the violation of least-privilege permissions, found in 85% of organizations. Permission sprawl gives an attacker who compromises one developer account a wide reach, as in the 2022 LastPass breach, which began with compromised developer credentials and access to the company's development environment.

Moreover, toxic risk combinations abound, such as developers using GenAI without proper human oversight or the presence of secrets in repositories shared with external collaborators.

A Call for Enhanced Security Practices


Liav Caspi, CTO and co-founder of Legit Security, remarked on the report's findings, stating, "Our research uncovered great risks everywhere throughout the development process." He emphasizes that organizations must not overlook the vulnerabilities inherent in their development environments and CI/CD pipelines, citing that neglecting these can lead to severe supply chain attacks. In a culinary analogy, he compares this situation to preparing innovative dishes in a kitchen equipped with malfunctioning tools.

The implications of the report are profound, as it not only highlights the increasing complexity of security risks but also provides organizations with insights necessary to address them holistically. Legit Security aims to empower enterprises to protect their development environments end-to-end by accurately identifying and managing these various risks embedded within the software factory.

Conclusion


The findings of Legit Security’s report serve as a wake-up call for organizations to prioritize application security in their development practices. Stakeholders who download and analyze the full report can gain deeper insights into protecting their software production and mitigating these risks effectively.
