CyCognito today announced the release of its second annual “State of External Exposure Management 2024,” providing critical insights into the threats targeting external assets and the software supply chain.
Gartner reports that 60 percent of organizations work with over 1,000 third parties, many of which supply misconfigured or vulnerable hardware and software, putting customers at risk. High-profile vulnerabilities like MOVEit Transfer, Apache Log4J, and Polyfill underscore these risks—a concern further emphasized by CyCognito’s report revealing that many vulnerabilities increasingly stem from third-party software.
To create this report, CyCognito’s research team aggregated and analyzed over 39 million anonymized and normalized data points from its global customer base of small, medium, and large Fortune 500 companies. Key findings:
- Web Servers Dominate Severe Issues: Web server environments, including platforms like Apache, NGINX, Microsoft IIS, and Google Web Server, were the host of one in three (34%) of all severe issues across surveyed assets. They accounted for more severe issues than 54 other environments combined (out of 60 total environments surveyed).
- Impact of TLS and HTTPS Protocol Vulnerabilities: 15% of all severe issues on the attack surface affect platforms using TLS or HTTPS protocols. TLS issues are significant for all network-delivered data, but web apps especially so; web apps lacking encryption are currently ranked #2 of the OWASP Top 10.
- Insufficient WAF Protection for PII-Handling Web Interfaces: Only half of surveyed web interfaces that handle personally identifiable information (PII) were protected by a WAF.
- Web Interfaces Lacking HTTPS and WAF Leave PII Exposed: Despite HTTPS celebrating its 30th birthday this year, almost one in three (31%) of surveyed web interfaces failed to implement it. More than 60% of these interfaces that expose PII also lack a WAF.
To download the full report, please visit this link.