Findings reveal escalating risks in the software supply chain, highlighting vulnerabilities in web servers, cryptographic protocols, and web interfaces that handle PII

• In today’s digital world, all organizations are at risk. Vulnerabilities in supply chains and third-party software are prime targets for attackers. Understanding your most vulnerable assets is critical. But it’s not just about identifying risks—it’s about prioritizing them effectively.

• The 2024 State of External Exposure Management Report from CyCognito provides an in-depth look at the most common critical exposures and how outdated prioritization can leave your most vulnerable assets unprotected.

CyCognito recently announced the release of its second annual "State of External Exposure Management 2024," providing critical insights into the threats targeting external assets and the software supply chain.

Gartner reports that 60 percent of organizations work with over 1,000 third parties, many of which supply misconfigured or vulnerable hardware and software, putting customers at risk. High-profile vulnerabilities like MOVEit Transfer, Apache Log4J, and Polyfill underscore these risks—a concern further emphasized by CyCognito's report revealing that many vulnerabilities increasingly stem from third-party software.

To create this report, CyCognito's research team aggregated and analyzed over 39 million anonymized and normalized data points from its global customer base of small, medium, and large Fortune 500 companies. Key findings:

• Web Servers Dominate Severe Issues: Web server environments, including platforms like Apache, NGINX, Microsoft IIS, and Google Web Server, were the host of one in three (34%) of all severe issues across surveyed assets. They accounted for more severe issues than 54 other environments combined (out of 60 total environments surveyed).

• Impact of TLS and HTTPS Protocol Vulnerabilities: 15% of all severe issues on the attack surface affect platforms using TLS or HTTPS protocols. TLS issues are significant for all network-delivered data, but web apps especially so; web apps lacking encryption are currently ranked #2 of the OWASP Top 10.

• Insufficient WAF Protection for PII-Handling Web Interfaces: Only half of surveyed web interfaces that handle personally identifiable information (PII) were protected by a WAF.

• Web Interfaces Lacking HTTPS and WAF Leave PII Exposed: Despite HTTPS celebrating its 30th birthday this year, almost one in three (31%) of surveyed web interfaces failed to implement it. More than 60% of these interfaces that expose PII also lack a WAF.

About CyCognito

CyCognito gartner-5-steps-in-cycly-of-continous-threat-exposure-management

CyCognito solves one of the most fundamental business problems in cybersecurity: seeing how attackers view your organization, where they are most likely to break in, what systems and assets are at risk and how you can eliminate the exposure.

Founded by national intelligence agency veterans, CyCognito has a deep understanding of how attackers exploit blind spots and a path of least resistance. Based in Palo Alto, CyCognito serves a number of large enterprises and Fortune 500 organizations, including Colgate-Palmolive, Tesco and many others.