
CyCognito report reveals growing threats to software supply chain

CyCognito today announced the publication of its second annual State of External Exposure Management 2024 report, providing key insights into threats to external assets and the software supply chain.

Gartner reports that 60 percent of organizations work with more than 1,000 third parties, many of which supply misconfigured or vulnerable hardware and software, leaving customers at risk. Well-known vulnerabilities such as those in MOVEit Transfer, Apache Log4j, and Polyfill highlight these risks—concerns that are further underscored by a CyCognito report showing that an increasing share of vulnerabilities comes from third-party software.

To create this report, CyCognito’s research team collected and analyzed over 39 million anonymized and normalized data points from a global customer base of small, medium, and large (Fortune 500) companies. Key findings include:

  • Web servers dominate serious issues: Web server environments, including platforms like Apache, NGINX, Microsoft IIS, and Google Web Server, hosted one in three (34%) of all major issues across the resources studied. They accounted for more major issues than the other 54 environments combined (out of 60 environments studied).
  • TLS and HTTPS protocol vulnerabilities are widespread: 15% of all major attack surface issues occur on platforms using TLS or HTTPS. TLS issues are relevant to all data delivered over the network, but web applications are particularly exposed; unencrypted web applications are currently #2 in the OWASP Top 10.
  • Insufficient WAF protection for web interfaces handling personal data: Only half of the surveyed web interfaces that process personally identifiable information (PII) were protected by a WAF.
  • Non-HTTPS, non-WAF interfaces expose personal data: Even though HTTPS is celebrating its 30th birthday this year, nearly one in three (31%) surveyed web interfaces have not implemented it. More than 60% of those interfaces that expose PII also do not have a WAF.

To download the full report, click this link.