Organizations vulnerable to software supply chain attacks

According to Gartner, 60 percent of organizations work with over 1,000 third parties, and a new report shows many of these supply misconfigured or vulnerable hardware and software, putting customers at risk.

The study from CyCognito finds that web server environments, including platforms like Apache, NGINX, Microsoft IIS, and Google Web Server, hosted 34 percent of all severe issues across surveyed assets. That is more severe issues than the other 54 environments combined (out of 60 environments surveyed).

Over half of eCommerce-related assets store or collect personally identifiable information (PII), and 26 percent of PII assets are not protected by a web application firewall (WAF). In addition, only half of the surveyed web interfaces that handle PII are protected by a WAF.

Only 20 percent of eCommerce assets ask for cookie consent, potentially putting them in violation of the European Union's General Data Protection Regulation (GDPR).

Looking at the period between July 2023 and June 2024, the survey finds that the majority (64 percent) of the average attack surface is made up of domains. About a fifth of all assets (20 percent) are IP addresses, 14 percent are web interfaces, and just two percent are certificates.

Part of the problem is that the world isn't standing still: organizations' attack surfaces changed by 4.5 percent each month over the study period. Change at that rate can lead to unchecked or unnoticed growth in the attack surface.

The report's authors conclude, "Managing the ceaseless fluctuation of the modern external attack surface remains a challenge for organizations. In this report, we’ve identified traits that can signal that assets are under- or unprotected and demonstrated the tangible benefits of going beyond CVSS and EPSS when it comes to prioritizing your teams’ work. Organizations must go beyond simply indexing their assets and engage in true exposure management practices by identifying, testing, and prioritizing the remediation of high value assets."
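The prioritization idea in that conclusion, ranking by asset context rather than by CVSS and EPSS alone, can be illustrated in code. The following is an added example and is not code from the CyCognito report or from BetaNews; the scoring weights, the `Asset` fields, and the sample assets are constructed for illustration and reflect the traits the article names (PII handling, WAF coverage, eCommerce exposure). Note that the asset with the highest CVSS and EPSS does not come out on top once its context is taken into account.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class Asset:
    """One externally exposed asset with its worst known issue and its context."""
    name: str
    cvss: float          # CVSS base score of the worst known issue, 0-10
    epss: float          # EPSS exploit-prediction probability, 0-1
    handles_pii: bool    # stores or collects personally identifiable information
    waf_protected: bool  # sits behind a web application firewall
    ecommerce: bool      # part of an eCommerce flow


def exposure_score(asset: Asset) -> float:
    """Blend vulnerability severity and likelihood with asset context.

    Hypothetical weighting (assumption, not the report's method):
    - base = half CVSS (scaled to 0-1) + half EPSS
    - multipliers for PII handling, for PII without a WAF, and for eCommerce
    """
    base = (asset.cvss / 10.0) * 0.5 + asset.epss * 0.5
    multiplier = 1.0
    if asset.handles_pii:
        multiplier += 0.5
    if asset.handles_pii and not asset.waf_protected:
        multiplier += 0.5
    if asset.ecommerce:
        multiplier += 0.25
    return base * multiplier


def prioritize(assets: List[Asset]) -> List[Asset]:
    """Return assets ordered from most to least exposed."""
    return sorted(assets, key=exposure_score, reverse=True)


def unprotected_pii(assets: List[Asset]) -> List[str]:
    """Names of PII-handling assets that lack WAF coverage (a trait the report flags)."""
    return [a.name for a in assets if a.handles_pii and not a.waf_protected]


# Constructed sample inventory (not real assets).
SAMPLE_ASSETS = [
    Asset("shop-checkout", cvss=8.0, epss=0.4, handles_pii=True, waf_protected=False, ecommerce=True),
    Asset("marketing-site", cvss=9.8, epss=0.6, handles_pii=False, waf_protected=True, ecommerce=False),
    Asset("account-portal", cvss=6.0, epss=0.1, handles_pii=True, waf_protected=True, ecommerce=False),
]


if __name__ == "__main__":
    for a in prioritize(SAMPLE_ASSETS):
        print(f"{a.name:16s} score={exposure_score(a):.3f}")
    print("PII assets without a WAF:", unprotected_pii(SAMPLE_ASSETS))
```

The marketing site carries the most severe CVE by CVSS and EPSS, yet the checkout asset, which handles PII with no WAF in front of it, ranks first; that is the "beyond CVSS and EPSS" effect the report describes, expressed as a simple, auditable rule.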

You can get the full report from the CyCognito site.

Image credit: Acnalesky/Dreamstime.com


© 1998-2024 BetaNews, Inc. All Rights Reserved.