- CyCognito report shows the risks posed by supply chain vulnerabilities
- Third-party products are putting businesses at risk with undetected vulnerabilities
- Web servers, cryptographic protocols, and web interfaces suffer the most
Critical vulnerabilities often go unnoticed in many digital systems, exposing businesses to significant security risks, new research has claimed.
With organizations increasingly reliant on third-party software and complex supply chains, cyber threats are no longer confined to internal assets alone, as many of the most dangerous vulnerabilities come from external sources.
The 2024 State of External Exposure Management Report from CyCognito provides an analysis of the risks organizations face today, particularly around web servers, cryptographic protocols, and PII-handling web interfaces.
Supply chain risk remains a growing concern
Third-party vendors play a crucial role in the operations of many companies, providing essential hardware and software. However, their involvement may introduce significant risks, particularly concerning misconfigurations and vulnerabilities in the entire supply chain.
Many of the most severe vulnerabilities like MOVEit Transfer flaw, Apache Log4J, and Polyfill were revealed to have links to third-party software.
Web servers are consistently among the most vulnerable assets in an organization’s IT infrastructure. CyCognito’s findings reveal web server environments account for one in three (34%) of all severe issues across surveyed assets. Platforms such as Apache, NGINX, Microsoft IIS, and Google Web Server are at the center of these concerns, hosting more severe issues than 54 other environments combined.
Beyond web servers, vulnerabilities in cryptographic protocols like TLS (Transport Layer Security) and HTTPS are also driving concern. The report indicates that 15% of all severe issues on the attack surface affect platforms using TLS or HTTPS protocols. Web applications that lack proper encryption are especially at risk, ranking #2 on the OWASP Top 10 list of security risks.
CyCognito’s report also hightlighted the insufficiency of Web Application Firewall (WAF) protections, especially for web interfaces handling personally identifiable information (PII).
The report shows only half of surveyed web interfaces that process PII were protected by a WAF, leaving sensitive information vulnerable to attacks. Even more concerning is the fact that 60% of the interfaces that expose PII also lack WAF protection.
Unfortunately, outdated approaches to vulnerability management often leaves assets exposed, amplifying the risks. Organizations must adopt a more proactive and comprehensive approach to managing external exposures.