Use the data and analysis in this report to prioritize your 2025 AppSec efforts.
We're happy to announce the publication of our 2025 State of Application Risk report. Based on anonymized data collected through our platform over the past 18 months, this report offers a clear picture of where application security risk lives in the modern development environment.
Further, it offers guidance on avoiding the kind of risk in your development environment that leads to headline-making supply chain attacks.
Because our platform discovers and visualizes all aspects of both applications and the software factory producing those assets, plus all security controls and gaps, Legit is in a unique position to offer this detailed look at common areas of AppSec posture risk.
Application Risk Beyond Source Code
One thing made abundantly clear by recent breaches, and by this research report, is that application security is no longer solely about vulnerabilities in source code.
With software development that is faster, more automated, more dynamic, and highly reliant on third parties, new opportunities to introduce risk abound. From vulnerabilities in applications to misconfigured build servers, exposed secrets in Jira tickets, and more, the attack surface has grown and diversified.
And recent breaches, such as those at Codecov, LastPass, Sisense, and Kaseya, reflect the widening surface that attackers are targeting.
2025 Application Risk Highlights
Below we share highlights of the risks uncovered in this report.
AppSec testing inefficiencies
The extent of the risk we uncovered in this report results in part from an inefficient and ineffective process for assessing risk.
We found that a significant number of organizations have duplicate AppSec scanners producing duplicate results. As shown in the figure below, a whopping 78% have duplicate SCA scanners; 39% have duplicate SAST scanners.
When one scanner is telling the team that a finding isn't worth remediating, and another scanner is giving them details on how to remediate it, confusion, and likely inaction, ensue.
Secrets exposure
Secrets are extremely pervasive in software development environments, and their exposure is one of the most common risks unearthed by the Legit platform.
Not surprisingly (but disconcerting), we found exposed secrets in 100% of organizations. The numbers drop to 53% for exposed secrets in public assets, and 35% for exposed secrets deployed to the cloud, but they're still alarming numbers (see figure below).
We regularly find exposed secrets in source code, which can be accessed by anyone with access to the repository.
But increasingly, we're finding exposed secrets in many other places as well, like YAML files, build logs, containers, bash scripts, artifacts, Jira, Confluence, Slack, and more. In fact, 36% of the secrets we found were outside source code.
GenAI risk
GenAI has recently emerged as an additional risk we uncover. Although it gives developers an easier way to produce code at scale, it also adds risk.
We often find that security teams first don't know where AI is in use, and then find out it's used in a location that isn't configured securely (see figure below). For example, a developer is using AI and generating code in a repository that doesn't have a code review step.
This could, for instance, allow licensed code to enter the product, exposing the organization to legal or copyright issues.
We also often detect low-reputation LLMs in use, which could contain malicious code or payloads, or exfiltrate data sent to them.
Misconfigurations
A pipeline misconfiguration is one in a pipeline platform such as Jenkins, GitHub Actions, etc.
When we first start working with an enterprise, we often find misconfigured build servers in their environment. This is a common problem, but also one that creates significant vulnerabilities.
The figure below highlights our findings on pipeline misconfigurations. 89% had pipeline misconfiguration issues, with 64% of those in active development. Also noteworthy: 25% have the toxic combination of external collaborators in repos with pipeline misconfigurations.
Permissions sprawl
Mishandled developer permissions are a pervasive issue. When we first start working with enterprises, we almost always find overly and/or incorrectly permissioned development teams.
Our data shows that most organizations (85%) do not have least privilege set up properly, meaning developers have unnecessary access that could needlessly give an attacker extra access if those credentials are compromised.
On the good news front, the percentages are much lower for those with least-privilege issues in public assets (25%).
Still, one-quarter have the toxic combination of external collaborators in a repo with least-privilege issues, and 23% have the toxic combination of external collaborators with admin privileges in pipelines with critical and high misconfigurations (see figure below).
Toxic combinations
A "toxic combination" refers to the ability to tie different types of risks together in a way that creates an attack path or an elevated combined risk.
We often find toxic combinations of risk when we first start working with an enterprise. Our ability to identify these areas of heightened risk helps teams prioritize where to start the remediation process.
Our analysis for this report revealed a number of prevalent toxic combinations, including the following:
- 53% of organizations have exposed secrets in at least one repo with external collaborators
- On average, 30% of repos per organization contain secrets and also have branch protection issues
- 25% of organizations have external collaborators in repos with pipeline misconfigurations
- 57% of organizations have external collaborators in repos with branch protection issues
- 35% of organizations have external collaborators in repos with software supply chain issues
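As an added example (not code from Legit Security or the report), here is how per-repo findings can be correlated into toxic combinations like those listed above, then rolled up into org-level percentages and a remediation queue; the repo records, finding categories and combination names are constructed.

```python
from collections import defaultdict

# Constructed sample data: (org, repo, finding categories present on that repo).
SAMPLE_REPOS = [
    ("acme", "web", {"exposed_secret", "external_collaborator"}),
    ("acme", "api", {"exposed_secret", "branch_protection_gap"}),
    ("acme", "infra", {"pipeline_misconfig"}),
    ("beta", "core", {"external_collaborator", "pipeline_misconfig",
                      "branch_protection_gap"}),
    ("beta", "docs", set()),
    ("gamma", "svc", {"exposed_secret", "external_collaborator"}),
]

# A toxic combination is a set of findings whose co-occurrence on one repo
# creates an attack path (e.g. an outside party can reach a live secret).
# Names are constructed; the pairings mirror the report's list.
TOXIC_COMBINATIONS = {
    "secrets_with_external_collaborators":
        {"exposed_secret", "external_collaborator"},
    "secrets_with_branch_protection_gap":
        {"exposed_secret", "branch_protection_gap"},
    "external_collaborators_with_pipeline_misconfig":
        {"external_collaborator", "pipeline_misconfig"},
    "external_collaborators_with_branch_protection_gap":
        {"external_collaborator", "branch_protection_gap"},
}

def repo_toxic_combinations(findings):
    """Names of the toxic combinations present on a single repo."""
    return sorted(n for n, req in TOXIC_COMBINATIONS.items() if req <= findings)

def org_prevalence(repos):
    """Percent of orgs with at least one repo showing each combination."""
    orgs = {org for org, _, _ in repos}
    hit = defaultdict(set)
    for org, _, findings in repos:
        for name in repo_toxic_combinations(findings):
            hit[name].add(org)
    return {n: round(100 * len(hit[n]) / len(orgs)) for n in TOXIC_COMBINATIONS}

def mean_repo_share(repos, name):
    """Average, across orgs, of the share of an org's repos showing `name`."""
    per_org = defaultdict(lambda: [0, 0])  # org -> [affected, total]
    for org, _, findings in repos:
        per_org[org][1] += 1
        per_org[org][0] += name in repo_toxic_combinations(findings)
    return round(100 * sum(a / t for a, t in per_org.values()) / len(per_org))

def prioritized(repos):
    """Repos with any toxic combination, worst first, as a remediation queue."""
    scored = [(len(repo_toxic_combinations(f)), org, repo) for org, repo, f in repos]
    return [(o, r) for n, o, r in sorted(scored, key=lambda t: (-t[0], t[1], t[2])) if n]
```

The org-level and per-repo-share metrics differ on purpose: the former matches the "X% of organizations" lines, the latter the "on average, X% of repos per organization" line.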
Get all the data and analysis
Download The 2025 State of Application Risk report to learn:
- Where secrets are most often exposed, and how to reduce the risk
- The most common toxic combinations increasing enterprises' application risk
- What types of SDLC misconfigurations are most common, which are the most dangerous, and how to avoid them
- The most common AppSec testing inefficiencies
- How GenAI is introducing risk in the development environment, and how to use it more securely
Start here to learn where the greatest application risks now lie, and to prioritize your own application security efforts.
*** This is a Security Bloggers Network syndicated blog from Legit Security Blog authored by Suzanne Ciccone. Read the original post at: https://www.legitsecurity.com/weblog/announcing-2025-state-of-application-risk-report