Legit Security Releases 2025 State of Application Risk Report

Legit Security

Security leader’s new research highlights where the greatest application risks live and how organizations can prioritize their application security efforts

Legit Security, the definitive application security posture management (ASPM) leader providing end-to-end visibility and protection across the entire software factory, today announced its latest research report, The 2025 State of Application Risk: An ASPM View of the Security of Software Factories. The report found significant risk in both applications and the factories that produce them, with many organizations challenged by inefficient AppSec testing, plus a lack of visibility into secrets exposure, AI risks, SDLC misconfigurations, and software supply chain security.

The 2025 State of Application Risk report, based on data from the Legit platform, reveals that, as software development has evolved, vulnerabilities in code are now only the tip of the iceberg, with risks in development pipelines, build servers, libraries, tools, and processes lurking beneath. The research also highlights that all application risk is not created equal, and with the right context, teams can better identify the highest risk areas that deserve their focus, such as toxic combinations that compound security issues.

Leveraging its powerful ASPM and visibility capabilities, Legit Security delivers data in this report that highlights the previous year’s risk findings and uncovers where application security risk lives in the modern development environment.

The report’s key findings include:

  • There is significant risk throughout the application development infrastructure and processes, with 100% of organizations found to have high or critical risks in their development environments.
  • Application security scanning is inefficient, with 78% of organizations having duplicate SCA scanners and 39% with duplicate SAST scanners that can result in the same vulnerability findings and equivalent or contradictory remediation advice.
  • Secrets exposure is pervasive, with 100% of organizations having high or critical secrets exposed in their code, and 36% of secrets found outside of source code.
  • GenAI is an emerging threat, with 46% of organizations using AI models in source code in a risky way, such as low-reputation LLMs, which could contain malicious code or payloads or exfiltrate data sent to them.
  • Misconfigurations are rampant, with 89% of organizations having pipeline misconfiguration issues that could lead to breaches like the one CodeCov suffered.
  • Developer permissions sprawl is a significant issue, with 85% of organizations showing least-privilege violations that could lead to an attack like the one LastPass recently experienced.
  • Toxic combinations of risk – such as developers using GenAI without human code review enforced through branch protection, or secrets in repositories with external collaborators – are prevalent, and highlight where security teams should focus their energy.

“Our research uncovered great risks everywhere throughout the development process,” said Liav Caspi, Legit CTO and co-founder. “These results highlight that teams are overlooking risks in their development environments and CI/CD pipelines, and are inviting the next supply chain attack by neglecting critical security hygiene. To make an analogy, it’s as if they are preparing delicious, innovative dishes, in a kitchen with rusty, dirty, malfunctioning equipment. Most security teams today don’t have the visibility or the context they need to identify risk outside of source code or to effectively triage AppSec findings.”

From GenAI code to overly permissioned developers to secrets exposed in Jira tickets, organizations must protect their development environments from end-to-end. Legit Security’s report provides organizations with the insights they need to understand the risks embedded and enmeshed across the software factory, well beyond vulnerabilities in code, and steps they can take to reduce this risk.

PR Newswire
