- CyCognito Report Shows Risks Posed by Supply Chain Vulnerabilities
- Third-party products are putting companies at risk with undetected vulnerabilities
- Web servers, cryptographic protocols and web interfaces suffer the most
Critical vulnerabilities often go undetected in many digital systems, exposing businesses to significant security risks, new research claims.
As organizations increasingly rely on third-party software and complex supply chains, cyber threats are no longer limited solely to internal assets, with many of the most dangerous vulnerabilities coming from external sources.
CyCognito's 2024 State of External Exposure Management Report provides an analysis of the risks facing organizations today, particularly around web servers, cryptographic protocols, and PII management web interfaces.
Supply chain risk remains a growing concern
Third-party vendors play a crucial role in many companies' operations, providing essential hardware and software. However, their participation can introduce significant risks, particularly regarding misconfigurations and vulnerabilities throughout the supply chain.
Many of the most serious recent incidents, such as the MOVEit Transfer flaw, Apache Log4j (Log4Shell), and the Polyfill.io supply-chain compromise, originated in third-party software rather than in code the affected organizations wrote themselves.
Web servers are consistently among the most vulnerable assets in an organization's IT infrastructure. CyCognito's findings reveal that web server environments account for one in three (34%) of all serious issues on assets surveyed. Platforms like Apache, NGINX, Microsoft IIS, and Google Web Server are at the center of these concerns, harboring more serious problems than 54 other environments combined.
Beyond web servers, weaknesses in cryptographic protocols such as TLS (Transport Layer Security) and the HTTPS services built on it also raise concerns. The report indicates that 15% of all serious attack surface issues affect platforms that use TLS or HTTPS. Web applications with missing or weak encryption are at particular risk; cryptographic failures rank #2 (A02:2021) on the OWASP Top 10 list of web application security risks.
The CyCognito report also highlighted inadequate Web Application Firewall (WAF) coverage, especially for web interfaces that handle personally identifiable information (PII).
The report shows that only half of surveyed web interfaces that process PII were protected by a WAF, leaving sensitive information vulnerable to attacks. Even more concerning is the fact that 60% of interfaces that expose PII also lack WAF protection.
Unfortunately, outdated approaches to vulnerability management often leave assets exposed, amplifying risks. Organizations must take a more proactive and comprehensive approach to managing external exposures.