23 Jan, 2025

Legit Security Releases 2025 State of Application Risk Report, Revealing 100% of Organizations Have High or Critical Risks in Their Development Environments

Security leader's new research highlights where the greatest application risks live and how organizations can prioritize their application security efforts

BOSTON, Jan. 23, 2025 -- Legit Security, the definitive application security posture management (ASPM) leader providing end-to-end visibility and protection across the entire software factory, today announced its latest research report, The 2025 State of Application Risk: An ASPM View of the Security of Software Factories. The report found significant risk in both applications and the factories that produce them, with many organizations challenged by inefficient AppSec testing, plus a lack of visibility into secrets exposure, AI risks, SDLC misconfigurations, and software supply chain security.

The 2025 State of Application Risk report, based on data from the Legit platform, reveals that, as software development has evolved, vulnerabilities in code are now only the tip of the iceberg, with risks in development pipelines, build servers, libraries, tools, and processes lurking beneath. The research also highlights that all application risk is not created equal, and with the right context, teams can better identify the highest risk areas that deserve their focus, such as toxic combinations that compound security issues.

Leveraging its powerful ASPM and visibility capabilities, Legit Security delivers data in this report that highlights the previous year's risk findings and uncovers where application security risk lives in the modern development environment.

The report's key findings include:

  • There is significant risk throughout the application development infrastructure and processes, with 100% of organizations found to have high or critical risks in their development environments.
  • Application security scanning is inefficient, with 78% of organizations having duplicate SCA scanners and 39% with duplicate SAST scanners that can result in the same vulnerability findings and equivalent or contradictory remediation advice.
  • Secrets exposure is pervasive, with 100% of organizations having high or critical secrets exposed in their code, and 36% of secrets found outside of source code.
  • GenAI is an emerging threat, with 46% of organizations using AI models in source code in a risky way, such as low-reputation LLMs, which could contain malicious code or payloads or exfiltrate data sent to them.
  • Misconfigurations are rampant, with 89% of organizations having pipeline misconfiguration issues that could lead to breaches like the one Codecov suffered.
  • Developer permissions sprawl is a significant issue, with 85% of organizations showing least-privilege violations that could lead to an attack like the one LastPass recently experienced.
  • Toxic combinations of risk – such as developers using GenAI without human code review enforced through branch protection, or secrets in repositories with external collaborators – are prevalent, and highlight where security teams should focus their energy.

"Our research uncovered great risks everywhere throughout the development process," said Liav Caspi, Legit CTO and co-founder. "These results highlight that teams are overlooking risks in their development environments and CI/CD pipelines, and are inviting the next supply chain attack by neglecting critical security hygiene. To make an analogy, it's as if they are preparing delicious, innovative dishes, in a kitchen with rusty, dirty, malfunctioning equipment. Most security teams today don't have the visibility or the context they need to identify risk outside of source code or to effectively triage AppSec findings."

From GenAI code to overly permissioned developers to secrets exposed in Jira tickets, organizations must protect their development environments from end-to-end. Legit Security's report provides organizations with the insights they need to understand the risks embedded and enmeshed across the software factory, well beyond vulnerabilities in code, and steps they can take to reduce this risk.

To download the full report, visit https://info.legitsecurity.com/state-of-application-risk.

Methodology
The Legit research team analyzed the data uncovered by the Legit Application Security Posture Management (ASPM) platform over the past 18 months. The data represents various industries and company sizes – from organizations with fewer than 100 developers to those with thousands. Enterprises had code repositories from hundreds to tens of thousands.

About Legit Security
Legit is a new way to manage your application security posture for security, product, and compliance teams. With Legit, enterprises get a cleaner, easier way to manage and scale application security and address risks from code to cloud. Built for the modern SDLC, Legit tackles the most challenging problems facing security teams, including GenAI usage, proliferation of secrets, and an uncontrolled dev environment. Fast to implement and easy to use, Legit lets security teams protect their software factory from end to end, gives developers guardrails that let them do their best work safely, and delivers metrics that prove the security program's success. This new approach means teams can control risk across the business – and prove it.

