Understanding the Risks: Legit Security's Deep Dive on App Safety
Legit Security Unveils Comprehensive Application Risk Insights
Legit Security, a leader in application security posture management (ASPM), has released a compelling research report that sheds light on application risks faced by organizations today. This insightful document is a must-read for security professionals seeking to understand the current landscape of application security.
Key Findings from the 2025 State of Application Risk Report
The report, dubbed The 2025 State of Application Risk, provides a comprehensive look at where vulnerabilities exist in both applications and the software factories that produce them. With data sourced from its advanced platform, Legit Security identified significant risks that may be lurking beneath the surface of software development processes.
Widespread Risk Across the Board
One of the most alarming findings is that 100% of surveyed organizations experienced high or critical risks in their development environments. This pervasive risk indicates a serious challenge within the application development lifecycle, which organizations must address immediately.
Duplication in Application Security Scanning
The report highlighted that application security scanning is particularly inefficient. A staggering 78% of organizations were found to be using duplicate Software Composition Analysis (SCA) scanners, while 39% utilized overlapping Static Application Security Testing (SAST) scanners. This redundancy can lead to the same vulnerabilities being reported multiple times, creating confusion and inefficiency in remediation efforts.
The Threat of Secrets Exposure
Secrets exposure remains a critical issue, with every organization surveyed indicating they have high or critical secrets leaking into their codebases. Notably, 36% of these secrets were discovered outside of the source code itself, which raises additional concerns regarding security measures in place.
Emerging Risks from AI Models
The report also brought attention to the emergence of GenAI as a troubling risk factor. Specifically, 46% of organizations admitted to using AI models in risky ways, which included low-reputation large language models (LLMs) capable of harboring malicious code or inadvertently leaking sensitive information.
Addressing Pipeline Misconfigurations
Misconfigured development pipelines are another significant risk factor, as 89% of organizations reported issues that could lead to serious breaches. This finding underscores the importance of strict configuration management to avoid vulnerabilities similar to those seen in high-profile supply chain attacks.
Developer Permissions and Risks
Moreover, the report showed a concerning trend of least-privilege violations among developers. In fact, 85% of organizations exhibited permission issues that could facilitate severe attacks, similar to those seen in recent high-profile security incidents.
Focus on Toxic Combinations
The research revealed toxic combinations of risks that need immediate attention. For instance, security teams should be aware when developers use GenAI without sufficient human oversight, or when secrets are held in repositories with external collaborators. These situations present compounded security challenges that must be prioritized.
Conclusion: Enhancing Security Awareness
Liav Caspi, CTO and co-founder of Legit Security, expressed concern over the findings, emphasizing the importance of visibility into development environments and CI/CD pipelines. He noted that neglecting these aspects invites the potential for future supply chain attacks.
The insights provided in this report are not just critical for understanding current risks; they offer guidance on the importance of maintaining secure practices across all aspects of software development. From managing GenAI to mitigating secrets exposure, organizations must enhance their security protocols to safeguard their development processes.
Frequently Asked Questions
What is the main focus of the 2025 State of Application Risk report?
The report focuses on identifying significant risks faced by organizations in their application development environments and providing guidance to improve security posture.
Why is application security scanning considered inefficient?
Application security scanning is deemed inefficient due to the prevalence of duplicate scanners used by organizations, resulting in redundant and sometimes contradictory reports.
How significant is the issue of secrets exposure?
Secrets exposure is a critical security concern, with every organization surveyed indicating high-level secrets in their code, underscoring a need for improved detection and management.
What role does GenAI play in application security risks?
GenAI poses emerging risks as many organizations leverage AI models in ways that might be unsafe, potentially introducing vulnerabilities into their applications.
How can organizations mitigate the identified risks?
Organizations can mitigate risks by implementing rigorous configuration management, conducting regular security audits, and ensuring proper oversight of AI usage and developer permissions.