A comprehensive study by Legit Security has uncovered alarming vulnerabilities in enterprise software development environments, with 100% of organizations harboring high or critical security risks. The 2025 State of Application Risk report, analyzing data from the past 18 months, highlights how traditional application security approaches fail to address modern threats.
Key Security Vulnerabilities:
Secrets exposure emerged as a pervasive issue, with all organizations having highly or critically exposed secrets, and 36% of secrets found outside source code in tickets, logs and artifacts. The research revealed that GenAI poses an emerging threat, with 46% of organizations using AI models in source code in potentially risky ways, including low-reputation language models that could contain malicious code.
Pipeline misconfigurations affect 89% of organizations, while 85% show least-privilege violations that could enable attackers to gain broader system access. The study found that 78% of organizations have duplicate Software Composition Analysis (SCA) scanners, and 39% have duplicate Static Application Security Testing (SAST) scanners, leading to redundant or contradictory security findings.
Development team permissions present significant risks, with 85% of organizations having stale collaborators – inactive accounts retaining active permissions. More concerning, 23% of repositories allow external collaborators with admin privileges to access pipelines with critical misconfigurations.
Essential Security Recommendations:
- Implement comprehensive secrets management:
  - Avoid committing secrets to Git repositories
  - Use password managers and environment variables
  - Encrypt necessary repository secrets
  - Prevent secrets sharing via messaging services
- Strengthen AI security controls:
  - Monitor AI usage across development environments
  - Conduct AI-specific threat modeling
  - Evaluate security when selecting AI models
- Enhance access management:
  - Implement role-based access control
  - Enforce least-privilege principles
  - Automate permissions management
  - Conduct regular permission audits
- Improve pipeline security:
  - Create standardized, secure pipelines
  - Implement continuous configuration monitoring
  - Establish secure-by-design defaults
  - Validate security controls regularly
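As an added example (not from the report or from Legit Security's tooling), the following Python scanner applies the report's "secrets outside source code" lens to constructed source, ticket and build-log artifacts: it matches a few common secret shapes, skips low-entropy placeholders such as "changeme", and records only redacted values so the findings themselves do not become a new leak. The detector patterns, artifact names and sample values are all constructed for illustration.

```python
import math
import re
from collections import Counter

# Constructed detector heuristics (not Legit Security's scanner): a known key
# prefix, PEM private-key headers, and generic "name = value" assignments.
PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
    "assignment": re.compile(
        r"(?i)(password|passwd|secret|api[_-]?key|token)\w*\s*[=:]\s*['\"]?([^\s'\"]{8,})"),
}
MIN_ENTROPY = 3.0  # bits per character; filters placeholders such as "changeme"

def shannon_entropy(s):
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def redact(value):
    # Findings carry only a redacted form so the report itself does not leak the secret.
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "***"

def scan(artifact, name, text):
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(line):
                value = m.group(2) if kind == "assignment" else m.group(0)
                if kind == "assignment" and shannon_entropy(value) < MIN_ENTROPY:
                    continue  # low-entropy value: almost certainly a placeholder
                findings.append({"artifact": artifact, "name": name, "line": lineno,
                                 "kind": kind, "redacted": redact(value)})
    return findings

def scan_all(samples):
    return [f for artifact, name, text in samples for f in scan(artifact, name, text)]

def exposure_summary(findings):
    # Mirrors the report's split between secrets in source and secrets found elsewhere.
    by_type = Counter(f["artifact"] for f in findings)
    outside = sum(v for k, v in by_type.items() if k != "source")
    return {"total": len(findings), "by_type": dict(by_type), "outside_source": outside}

# Constructed sample artifacts; AKIAIOSFODNN7EXAMPLE is the AWS documentation example key.
SAMPLES = [
    ("source", "app/config.py", 'DB_PASSWORD = "changeme"\nAWS_KEY = "AKIAIOSFODNN7EXAMPLE"\n'),
    ("ticket", "TICKET-1234", "Deploy failing. I tested with token=tkn_9f8a7b6c5d4e3f2a1b0c9d8e7f6a5b4c\n"),
    ("log", "ci-build-77.log", "[INFO] auth ok\n[DEBUG] api_key: sk-live-Q7xP2mK9vL4nR8tW\n"),
]
```

Running scan_all(SAMPLES) yields three findings, one each in source, a ticket and a build log, so exposure_summary reports two of the three secrets outside source code, the class of exposure the report says conventional code-only scanning misses.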
The report emphasizes that while these risks are serious, organizations can significantly reduce their exposure through improved visibility, stronger developer-security collaboration and consistent application of security best practices. As software development evolves rapidly, security teams must adapt their approaches to protect the entire software factory, not just the code itself.
Legit Security’s findings underscore the critical need for organizations to modernize their application security posture management (ASPM) strategies to address the expanding attack surface in modern software development environments.