The report shows the threat of supply chain vulnerabilities from third-party products
- The CyCognito report shows the risks of supply chain vulnerabilities
- Third-party products put businesses at risk with undetected vulnerabilities
- Web servers, cryptographic protocols and web interfaces are the most affected asset types
Critical vulnerabilities often go unnoticed in many digital systems, exposing companies to significant security risks, new research shows.
As organizations become increasingly dependent on third-party software and complex supply chains, cyber threats are no longer limited to internal assets, as many of the most dangerous vulnerabilities come from external sources.
The 2024 State of External Exposure Management report from CyCognito provides an analysis of the risks organizations face today, specifically around web servers, cryptographic protocols, and web interfaces that process personally identifiable information (PII).
Supply chain risk remains a growing problem
Third-party vendors play a crucial role in the operations of many companies, providing essential hardware and software. However, their involvement can pose significant risks, especially in terms of misconfigurations and vulnerabilities throughout the supply chain.
Many of the most serious vulnerabilities of recent years, such as the MOVEit Transfer flaw, Apache Log4j, and Polyfill, were linked to third-party software.
Web servers are consistently among the most vulnerable assets in an organization’s IT infrastructure. CyCognito’s findings show that web server environments are responsible for one in three (34%) of all serious issues on the assets surveyed. Platforms such as Apache, NGINX, Microsoft IIS, and Google Web Server are at the center of these concerns, hosting more severe issues than 54 other environments combined.
In addition to web servers, vulnerabilities in cryptographic protocols such as TLS (Transport Layer Security) and HTTPS are also a concern. The report indicates that 15% of all serious attack surface issues affect platforms that use TLS or HTTPS. Web applications without proper encryption are especially at risk; cryptographic failures rank #2 on the OWASP Top 10 list of security risks.
CyCognito’s report also highlighted the inadequacy of Web Application Firewall (WAF) protections, especially for web interfaces that interact with personally identifiable information (PII).
The report found that only half of surveyed web interfaces that handle PII were protected by a WAF, leaving sensitive information vulnerable to attack. Even more concerning is the fact that 60% of interfaces that expose PII also lack WAF protection.
Unfortunately, outdated approaches to vulnerability management often leave assets exposed, increasing risk. Organizations must take a more proactive and comprehensive approach to managing external exposure.