Developers can't get a handle on application security risks
A Legit Security report found critical risks across every company it looked at


Application development infrastructure is full of significant security risks, with research by Legit Security finding high or critical risks in the developer environments of every company it examined.
The security company's report into the state of application risk found flaws not only in applications but also in the "software factories" that make them. The report is based on data from its own platform, looking at a range of organizations from large to small, across various industries.
Legit said application security is no longer simply about spotting flaws in source code, noting that the attack surface for applications has grown and diversified.
"With software development that is faster, more automated, more dynamic, and highly reliant on third parties, new opportunities to introduce risk abound."
According to the report, 89% of companies have pipeline misconfiguration issues and 46% are using AI models in source code in a risky way. Notably, security teams are unaware of where AI is in use, making the booming technology an emerging threat for application security.
"Our research uncovered great risks everywhere throughout the development process," said Liav Caspi, Legit CTO and co-founder.
"These results highlight that teams are overlooking risks in their development environments and CI/CD pipelines, and are inviting the next supply chain attack by neglecting critical security hygiene."
Leaking secrets
The report found that all organizations on its platform had three or more application risks, but only two-thirds had public repositories with two or more risks. Those included exposed information that should have been secret, like cloud keys, GitHub personal access tokens, and even personal information such as credit card numbers.
Such data was often found in source code that could be accessed by any user with access to a repository, such as an external supplier, or by anyone at all if the repository was public.
But a third of that information was actually outside source code and found in documentation and collaboration tools like Confluence or in ticketing systems.
Legit advised companies not to hard-code "secrets" into source code, and to use a password manager or environment variables instead.
"To prevent exposed secrets, focus first on SaaS services keys (e.g., AWS access keys), since if code is leaked, credentials to SaaS services are immediately usable if they are valid, whereas internal credentials require attackers to also have network connectivity," the report added.
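The two pieces of advice above, a scan that surfaces hard-coded secrets and ranks SaaS keys ahead of internal credentials, and the environment-variable alternative to hard-coding, as an added example that is not from the report or from Legit's platform. The patterns, the `EXAMPLE_AWS_ACCESS_KEY_ID` variable name and the sample config are constructed for illustration; the AWS key is the documentation example value, not a live credential.

```python
import os
import re
from typing import Dict, List, Tuple

# Hypothetical subset of what a production secret scanner would check.
# AWS access key IDs start with "AKIA"; classic GitHub personal access
# tokens start with "ghp_"; the last pattern catches a plain password literal.
PATTERNS: Dict[str, Tuple[str, str]] = {
    "aws_access_key": (r"\bAKIA[0-9A-Z]{16}\b", "saas"),
    "github_pat": (r"\bghp_[A-Za-z0-9]{36}\b", "saas"),
    "internal_password": (r"(?i)\bpassword\s*=\s*['\"][^'\"]+['\"]", "internal"),
}


def scan(text: str) -> List[dict]:
    """Return findings tagged with secret type, class and line number."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, (pattern, cls) in PATTERNS.items():
            if re.search(pattern, line):
                findings.append({"type": name, "class": cls, "line": lineno})
    # SaaS keys first: usable immediately if the code leaks, whereas an
    # internal credential also needs network access to be exploited.
    findings.sort(key=lambda f: (f["class"] != "saas", f["line"]))
    return findings


def get_api_key() -> str:
    """Hardened form: read the key from the environment, never from source."""
    key = os.environ.get("EXAMPLE_AWS_ACCESS_KEY_ID")  # assumed variable name
    if not key:
        raise RuntimeError("EXAMPLE_AWS_ACCESS_KEY_ID is not set")
    return key


# Constructed sample config with secrets hard-coded the wrong way.
SAMPLE_CONFIG = """\
db_host = "db.internal.example"
password = "hunter2"
# AWS documentation example key, not a real credential
aws_key = "AKIAIOSFODNN7EXAMPLE"
gh_token = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_CONFIG):
        print(f"line {finding['line']}: {finding['type']} ({finding['class']})")
```

Run as a pre-commit hook over staged files, the ordering puts the findings that matter most at the top of the developer's output.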
Another challenge is giving too much access: the report found 85% of development teams are over-permissioned, while 23% of repositories across organisations have external suppliers or collaborators with admin privileges in places they shouldn't.
The wrong tools
The study also found that most companies use inefficient application security scanning, with 78% using duplicate software composition analysis scanners that would produce the exact same results, and 39% having duplicate static application security testing scanners.
Legit pinned this on developers working in different parts of the business using free versions of scanners, noting that this would be exacerbated by mergers and acquisitions.
"To make an analogy, it’s as if they are preparing delicious, innovative dishes, in a kitchen with rusty, dirty, malfunctioning equipment," Caspi added.
"Most security teams today don’t have the visibility or the context they need to identify risk outside of source code or to effectively triage AppSec findings."
Freelance journalist Nicole Kobie first started writing for ITPro in 2007, with bylines in New Scientist, Wired, PC Pro and many more.
Nicole is the author of a book about the history of technology, The Long History of the Future.