Report shows the threat of supply chain vulnerabilities from third-party products
Some of the most notable vulnerabilities have links to third-party software
- CyCognito report shows the risks posed by supply chain vulnerabilities
- Third-party products are putting businesses at risk with undetected vulnerabilities
- Web servers, cryptographic protocols, and web interfaces suffer the most
Critical vulnerabilities often go unnoticed in many digital systems, exposing businesses to significant security risks, new research has claimed.
With organizations increasingly reliant on third-party software and complex supply chains, cyber threats are no longer confined to internal assets alone, as many of the most dangerous vulnerabilities come from external sources.
The 2024 State of External Exposure Management Report from CyCognito provides an analysis of the risks organizations face today, particularly around web servers, cryptographic protocols, and PII-handling web interfaces.
Supply chain risk remains a growing concern
Third-party vendors play a crucial role in the operations of many companies, providing essential hardware and software. However, their involvement may introduce significant risks, particularly concerning misconfigurations and vulnerabilities in the entire supply chain.
Many of the most severe vulnerabilities like MOVEit Transfer flaw, Apache Log4J, and Polyfill were revealed to have links to third-party software.
Web servers are consistently among the most vulnerable assets in an organization’s IT infrastructure. CyCognito’s findings reveal web server environments account for one in three (34%) of all severe issues across surveyed assets. Platforms such as Apache, NGINX, Microsoft IIS, and Google Web Server are at the center of these concerns, hosting more severe issues than 54 other environments combined.
Beyond web servers, vulnerabilities in cryptographic protocols like TLS (Transport Layer Security) and HTTPS are also driving concern. The report indicates that 15% of all severe issues on the attack surface affect platforms using TLS or HTTPS protocols. Web applications that lack proper encryption are especially at risk, ranking #2 on the OWASP Top 10 list of security risks.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
CyCognito's report also hightlighted the insufficiency of Web Application Firewall (WAF) protections, especially for web interfaces handling personally identifiable information (PII).
The report shows only half of surveyed web interfaces that process PII were protected by a WAF, leaving sensitive information vulnerable to attacks. Even more concerning is the fact that 60% of the interfaces that expose PII also lack WAF protection.
Unfortunately, outdated approaches to vulnerability management often leaves assets exposed, amplifying the risks. Organizations must adopt a more proactive and comprehensive approach to managing external exposures.
You might also like
- These are the best antivirus solutions around today
- Take a look at the best endpoint protection
- It's official — FBI, CISA, and NSA reveal the most exploited vulnerabilities
Efosa has been writing about technology for over 7 years, initially driven by curiosity but now fueled by a strong passion for the field. He holds both a Master's and a PhD in sciences, which provided him with a solid foundation in analytical thinking. Efosa developed a keen interest in technology policy, specifically exploring the intersection of privacy, security, and politics. His research delves into how technological advancements influence regulatory frameworks and societal norms, particularly concerning data protection and cybersecurity. Upon joining TechRadar Pro, in addition to privacy and technology policy, he is also focused on B2B security products. Efosa can be contacted at this email: udinmwenefosa@gmail.com