Archive for Legit Security

Legit Security Brings Business Context to AppSec Issues Prioritization and Remediation 

Posted in Commentary with tags on February 25, 2025 by itnerd

Legit Security, the definitive application security posture management (ASPM) leader providing end-to-end visibility and protection across the entire software factory, today announced the launch of Legit context. By providing full context around both the application and the development environment, Legit’s ASPM platform empowers CISOs and their teams to find, fix, and prevent the application vulnerabilities driving the greatest business risk.

The release of Legit context follows on the January 2025 release of root cause remediation, which enables customers to take one practical remediation step to address multiple AppSec issues.

Connecting the Dots to Drive Prioritization Based on True Business Impact

Developers and security teams spend significant time attempting to triage and fix vulnerabilities, but often lack insights into their business impact and exploitability. For instance, is a vulnerability a major problem simply because it has a high CVSS score, or are there additional factors, such as Internet exposure, presence of sensitive data, GenAI use, or external services, impacting risk? In other cases, issues can breach compliance or be part of mission-critical APIs. Organizations often miss true business-critical risk, and spend time escalating the wrong risk, which increases the strain on development teams, is costly, and slows down innovation.

Legit context provides organizations with the full picture by building an application catalog with context, such as use of sensitive data (e.g., PII, PHI), APIs, Internet exposure, GenAI use, compliance implications, and the overall role of the application for the business. As a result, security and development teams gain the insights they need to confidently prioritize – and deprioritize – remediation efforts. And all insights are delivered automatically by our AI-native, deep code-to-cloud analysis.

Key features and benefits include:

  • Auto context detection: Analyze the context of an application to determine the overall business impact 
  • Deep code-to-cloud scanning: Understand the full picture by bringing together hard-to-connect data points, such as Internet exposure, API exposure, cloud deployment, handling of sensitive data, use of AI/LLMs, and revenue and business impact of the application
  • Application bill-of-materials: Generate a complete and continuously updating inventory of APIs, data stores, external services, AI models, services, and more application components that drive security impact. Export and manage them in a centralized tool and enrich existing CMDBs and application catalogs 
  • Vulnerability risk scoring and prioritization: Focus on vulnerabilities with the greatest business impact, and access all data to customize workflows and prioritization decisions 

In addition to the new context capabilities, Legit also announced:

  • Application API discovery: Benefit from a central place to see and manage all APIs and identify any changes that may create application risk. Legit can identify all APIs used by an application, plus analyze security issues such as authentication and authorization, Internet exposure, and additional controls

With Legit’s new capabilities, organizations gain a complete view of application risk, the context to both prioritize and remediate, and the ability to orchestrate DevSecOps processes to prevent issues in the future. For more information, visit the Legit blog.

New 2025 State of Application Risk Report: 100% of Organizations Have High Risks in Development Environments

Posted in Commentary with tags on January 23, 2025 by itnerd

Legit Security, the definitive application security posture management (ASPM) leader providing end-to-end visibility and protection across the entire software factory, today announced its latest research report, The 2025 State of Application Risk: An ASPM View of the Security of Software Factories. The report found significant risk in both applications and the factories that produce them, with many organizations challenged by inefficient AppSec testing, plus a lack of visibility into secrets exposure, AI risks, SDLC misconfigurations, and software supply chain security.

The 2025 State of Application Risk report, based on data from the Legit platform, reveals that, as software development has evolved, vulnerabilities in code are now only the tip of the iceberg, with risks in development pipelines, build servers, libraries, tools, and processes lurking beneath. The research also highlights that not all application risk is created equal, and with the right context, teams can better identify the highest-risk areas that deserve their focus, such as toxic combinations that compound security issues.

Leveraging its powerful ASPM and visibility capabilities, Legit Security delivers data in this report that highlights the previous year’s risk findings and uncovers where application security risk lives in the modern development environment.  

The report’s key findings include:

  • There is significant risk throughout the application development infrastructure and processes, with 100% of organizations found to have high or critical risks in their development environments. 
  • Application security scanning is inefficient, with 78% of organizations having duplicate SCA scanners and 39% with duplicate SAST scanners that can result in the same vulnerability findings and equivalent or contradictory remediation advice.
  • Secrets exposure is pervasive, with 100% of organizations having high or critical secrets exposed in their code, and 36% of secrets found outside of source code.
  • GenAI is an emerging threat, with 46% of organizations using AI models in source code in a risky way, such as low-reputation LLMs, which could contain malicious code or payloads or exfiltrate data sent to them.
  • Misconfigurations are rampant, with 89% of organizations having pipeline misconfiguration issues that could lead to breaches like the one Codecov suffered.
  • Developer permissions sprawl is a significant issue, with 85% of organizations showing least-privilege violations that could lead to an attack like the one LastPass recently experienced.
  • Toxic combinations of risk – such as developers using GenAI without human code review enforced through branch protection, or secrets in repositories with external collaborators – are prevalent, and highlight where security teams should focus their energy.

From GenAI code to overly permissioned developers to secrets exposed in Jira tickets, organizations must protect their development environments from end-to-end. Legit Security’s report provides organizations with the insights they need to understand the risks embedded and enmeshed across the software factory, well beyond vulnerabilities in code, and steps they can take to reduce this risk. 

To download the full report, visit https://info.legitsecurity.com/state-of-application-risk.

Legit Security Enhances Secrets Detection & Prevention with a Single, Integrated View of All Secrets Findings and Recovery Actions Across the SDLC

Posted in Commentary with tags on December 19, 2024 by itnerd

Legit Security, the definitive application security posture management (ASPM) leader providing end-to-end visibility and protection across the entire software factory, today announced enhancements to its secrets scanning product. Available as either a stand-alone product or as part of a broader ASPM platform, Legit released a new secrets dashboard for an integrated view of all findings and recovery actions taken to remediate secrets. In addition, Legit released new discovery and remediation capabilities for secrets found within developers’ personal GitHub repositories.

Secrets – from API keys and tokens to credentials and PII – play a vital role in application development. However, the high value of secrets makes them a prime target for attackers and creates risk across the organization, from security operations to cloud and platform engineering. Legit’s new capabilities greatly improve the ability to mitigate risk and reduce the attack surface associated with secrets.

The explosive growth in non-human identities (NHIs), which need credentials to manage authentication and authorization, has increased the prevalence of secrets. While security teams typically focus on secrets in source code, they are increasingly emerging in ticket systems, artifact registries, and other systems, such as Confluence, Jira, and Slack. Organizations are challenged with protecting secrets from exposure while enabling developers to build services that rely on them. This challenge is further exacerbated by compliance requirements, such as HIPAA, PCI DSS and GDPR, that direct organizations to secure secrets.

Legit’s enhancements are the latest in the company’s track record of delivering innovative capabilities to secure the modern software factory. With the earlier release of its AI-powered capabilities to detect and protect secrets across the software development pipeline, Legit was the first to apply AI/ML to significantly reduce noise associated with secrets scanning.

Legit’s new secrets dashboard gives teams: 

  • Centralized visualization: Provides the most complete view of all secrets detection and prevention activities across the enterprise to prioritize remediation and ensure guardrails are in place. 
  • Secrets analytics: Prioritizes secrets remediation based on factors such as severity, source, repo/product, and user.
  • Secrets prevention: Provides insights into potential new secrets that have been prevented based on an organization’s policies and established guardrails, and identifies developers actively using preventative measures. 
  • Secrets growth and remediation trends: Insights into new secrets, issues resolution, and backlog trends, so that organizations can measure the effectiveness of AppSec programs in preventing and remediating secrets. 

Legit’s new ability to discover secrets in personal GitHub repositories gives teams:

  • Secrets discovery: Identifies and monitors secrets within a developer’s personal GitHub and the organization’s account, ensuring that developers do not expose secrets.
  • Personal repository discovery: Identifies and builds an inventory of all personal repositories owned by an organization’s developers for a comprehensive list of assets used by developers.
  • Consolidated triage and remediation: Integrates findings from business and personal accounts into the Legit platform to provide a single view of the risk associated with secrets, regardless of where they reside.

With Legit’s new and enhanced capabilities, organizations gain critical insights into the enterprise’s secrets posture to understand risk and remediation trends over time. They are also provided with the broadest coverage to strengthen their security posture and protect their development environment from end to end.

Legit offers a free trial of its secrets detection and prevention solution. To register, visit https://info.legitsecurity.com/secrets-detection-and-prevention-free-trial.

Legit Security Adds New, Adaptive ‘Legit Posture Score’ 

Posted in Commentary with tags on October 3, 2024 by itnerd

Legit Security, the definitive application security posture management (ASPM) leader providing end-to-end visibility and protection across the entire software factory, today launched its new “Legit Posture Score,” delivering a dynamic, comprehensive, and fully transparent ASPM rating system. Now security teams can proactively measure and manage their AppSec posture instantly with a holistic score that eliminates security scanning silos and continuously assesses all associated risks, policies, and controls across today’s sprawling software development lifecycle (SDLC).

Security leaders today struggle simply to see, let alone act or improve on, their application security postures. They’re left with piles of security findings and unpatched vulnerabilities from disconnected application security testing (AST) tools, and no efficient way to prioritize or act on the issues that get surfaced. According to a 2024 ESG Research survey, 42% of security professionals believe that measuring and improving AppSec program efficacy is their toughest challenge today. And with increasingly complex and distributed software factories, mounting supply chain regulations, and agile development teams who continue to prioritize code builds over security checks — the prospect of manually tracking an organization’s application security posture gets less feasible by the day.

Now with the new Legit Posture Score, no longer are AppSec teams stuck piecing together slices of visibility from disparate security scanners and veiled, proprietary scores. The Legit Posture Score sets a new, universal, and fully transparent application security scoring standard for security teams to measure, operationalize, and accelerate AppSec maturity throughout the SDLC. It accounts for thousands of ASPM factors, consolidating broad CI/CD pipeline context from code to cloud, including asset criticality, security scanning findings, vulnerability severity, and more, all while dynamically mapping the mitigating controls and requirements from best-practice industry standards and regulatory frameworks into one holistic ASPM score. 

The new Legit Posture Score empowers AppSec teams to identify posture gaps and trends at a glance, benchmark performance, and drive continuous improvement throughout their software development environments. With a holistic posture score accounting for a wide spectrum of cybersecurity, regulatory, and operational risks, AppSec teams now intuitively—and automatically—view, prioritize, and remediate the issues most impactful to the business, first.

Key features of the new Legit Posture Score:

  • Real-time AppSec posture assessment from code to cloud: The new Legit Posture Score evaluates every aspect of an organization’s application security posture, from the development pipeline to the repository level. This top-down approach allows for detailed understanding of AppSec risks to answer the same critical question asked at every level of the organization: Is my software being developed securely?
  • Transparent, explainable framework — no veiled or proprietary scoring: The scoring methodology for the Legit Posture Score is completely transparent. With detailed documentation and full visibility into every variable and calculation, AppSec teams can set priorities and take action with confidence in a score they believe in and can make their own.
  • Dynamic, customizable model: Security teams can easily adjust the scoring model according to their specific security goals. They can associate new and existing controls to the intricate requirements of any number of industry standards and regulatory frameworks (e.g., FedRAMP, SOC 2 Type II, etc.), ensuring that the Legit Posture Score always remains in tight alignment with their strategic security goals and obligations.
  • Intuitive, actionable insights: The Legit Posture Score is designed for all developers and security pros to quickly and intuitively glean insights, triage issues, and prioritize fixes with surgical precision throughout their SDLC. With modern dashboards and intuitive, drill-down navigation, AppSec leaders can seamlessly benchmark and compare posture performance by any number of predefined applications, asset groups, pipelines, or organizational segments.
  • Broad inclusion of cross-industry best practices and standards: The Legit Posture Score incorporates application security best practices and requirements from the most important regulations and industry frameworks on the market today (including NIST SSDF, SLSA, OSSF S2C2F, ISO 27001, and more), setting a new vision for what a secure, efficient software factory looks like today.

This new feature further enhances the Legit ASPM platform, providing security and development teams with the ability to measure, compare, and improve their application security posture over time, ensuring their software factories and applications in development are being built with the highest security standards in mind.

To learn more about Legit Security and its market-leading ASPM platform, please visit www.legitsecurity.com.

Publicly Available GenAI Exploitable By Anyone With Internet Access

Posted in Commentary with tags on August 28, 2024 by itnerd

Legit Security has published new research on AI platforms for security issues and potential data leakage with actual vulnerabilities as part of the investigation, with examples encountered in the wild where such attacks were possible.

Naphtali Deutsch, formerly of Israeli Military Intelligence Unit 8200 and a Security Researcher at Legit, discusses the risks surrounding publicly accessible AI services, exploitable by anyone with Internet access, homing in on two types: vector databases and LLM tools.

Publicly exposed vector databases: Legit’s analysis of unprotected vector databases found that thirty servers contained corporate or private data, including company email conversations, customer PII, product serial numbers, financial records, resumes, and contact information. Three vector databases from two of the most popular platforms, belonging to companies in engineering services, fashion, and the industrial equipment sector, contained documents, media summaries, customer details, and purchase information.

Legit scanned the data on these servers and found dozens of secrets (passwords, API keys), including OpenAI and Pinecone (vector database SaaS) API keys, GitHub access tokens, and URLs with database passwords. It also found all the configurations and LLM prompts of these applications, which can help exploit prompt vulnerabilities down the road. 

You can read the research here.

New Research: Current Development Trends Significantly Challenging Application Security Modernization

Posted in Commentary with tags on August 16, 2024 by itnerd

Legit Security has released a report on development trends driving the modernization of AppSec programs and pressing challenges to underscore the need to modernize AppSec practices to support growth and mitigate risks.

The report shows that application teams face difficulties with the speed and volume of releases, and prioritizing remediation, highlighting the importance of a modernized approach and alignment with development and DevOps teams for improved collaboration. 

Most organizations reported difficulties fixing vulnerabilities after applications were deployed, reinforcing the significance of incorporating security processes and tools in the build process and challenges concerning developers’ methods, such as unsecured secrets, pipeline tools, containers, and source code repositories. 

Key findings include: 

  • 60% use Infrastructure as Code (IaC) templates to simplify cloud infrastructure provisioning and quickly deploy software applications; 67% are experiencing increasing misconfigurations.
  • The top challenge for AppSec teams supporting cloud-native dev processes is understanding and managing risk associated with GenAI (45%).
  • 59% release new builds multiple times per week or more; the challenges created by faster development cycles are prioritizing remediation, a lack of visibility and control, and software released without security testing.
  • Most organizations use (64%) or plan to use (21%) GenAI or chatbots for code development; 83% of organizations are concerned about visibility into and discovery of developers’ GenAI usage.
  • AI or GenAI (36%) is seen as the element of the cloud-native application stack most susceptible to compromise and of most concern.
  • Only 39% of organizations report that their security teams have visibility for specific applications, reinforcing the necessity for visibility into security testing in development.

You can read the report here. There’s also a blog entry regarding this here.

New State of GitHub Actions Security: Researchers Expose Most Workflows Risky, Insecure, Exploitable

Posted in Commentary with tags on July 16, 2024 by itnerd

Legit Security has published its new State of GitHub Actions Security report, which unveils an especially concerning security posture and reveals that most workflows are insecure, overly privileged, and have risky dependencies.

Legit’s researchers explore multiple aspects of GitHub Actions security, including vulnerabilities found in GitHub Actions workflows, protection of the building blocks of GitHub Actions workflows, and security of custom GitHub Actions. Most of the custom Actions in the marketplace are not verified, are maintained by one developer, and have low security scores based on the OpenSSF Scorecard.

The report’s key findings include:

  • Researchers uncovered interpolation of untrusted input in more than 7,000 workflows, execution of untrusted code in over 2,500 workflows, and use of untrustworthy artifacts in 3,000-plus workflows.
  • Legit examined triggers, jobs, steps, runners, and permissions, uncovering significant risks: 98.4% of references do not follow the best practice of dependency pinning; 86% of workflows do not limit token permissions. 
  • Of the 19,113 custom GitHub Actions in the marketplace, only 913 were created by verified GitHub users; 18% had vulnerable dependencies; 762 are archived and do not receive regular updates; the average OSSF security score was 4.23 out of 10; and a single developer maintains most. 

You can view the report here.
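The three weaknesses the findings above count (unrestricted token permissions, unpinned action references, untrusted input interpolated into run steps) can be checked mechanically. The scanner below is an added example written for this page, not code from the Legit report; the workflow it scans is constructed, and the 40-hex commit SHA in it is a placeholder rather than a real commit.

```python
import re
from dataclasses import dataclass

# Expression contexts an outside contributor controls: PR/issue titles and
# bodies, review and comment bodies, and the PR head branch name. Expanding
# one of them inside a `run:` script lets attacker-chosen text reach the shell.
UNTRUSTED_CONTEXT = re.compile(
    r"\$\{\{\s*github\.(?:event\.(?:issue|pull_request|comment|review|"
    r"review_comment|discussion)\.[\w.]+|head_ref)\s*\}\}"
)
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
RUN_LINE = re.compile(r"^\s*-?\s*run:\s*(.*)$")
SHA_PIN = re.compile(r"@[0-9a-f]{40}$")   # reference pinned to a full commit SHA


@dataclass
class Finding:
    rule: str
    line: int       # 1-based workflow line; 0 means the whole file
    detail: str


def scan_workflow(text: str) -> list[Finding]:
    """Flag the three weaknesses the report counts: unrestricted GITHUB_TOKEN,
    unpinned action references, and untrusted input in shell steps."""
    findings: list[Finding] = []
    lines = text.splitlines()

    # 1. Token permissions: without a `permissions:` block at workflow or job
    #    level the GITHUB_TOKEN keeps the repository's default grants.
    if not any(re.match(r"^\s*permissions:", ln) for ln in lines):
        findings.append(Finding("unrestricted-token", 0,
                                "no permissions: block limits GITHUB_TOKEN"))

    run_indent = None   # indent of the `run:` key while inside its block scalar
    for lineno, line in enumerate(lines, 1):
        indent = len(line) - len(line.lstrip(" "))
        in_run_block = run_indent is not None and (not line.strip() or indent > run_indent)
        if not in_run_block:
            run_indent = None

        # 2. Dependency pinning: `@v4` or `@main` is a mutable pointer, so the
        #    code it resolves to can change after the workflow was reviewed.
        m = USES_LINE.match(line)
        if m:
            ref = m.group(1)
            if not ref.startswith(("./", "docker://")) and not SHA_PIN.search(ref):
                findings.append(Finding("unpinned-action", lineno, ref))
            continue

        # 3. Untrusted input interpolated into `run:` (inline or block scalar).
        r = RUN_LINE.match(line)
        if r and r.group(1).strip() in ("|", "|-", ">", ">-"):
            run_indent = indent
        if (r or in_run_block) and UNTRUSTED_CONTEXT.search(line):
            findings.append(Finding("untrusted-input", lineno, line.strip()))
    return findings


# Constructed workflow for the demo; the 40-hex SHA is a placeholder, not a
# real commit. The last step shows the safe pattern: pass the value through
# an environment variable instead of expanding it into the script text.
SAMPLE_WORKFLOW = """\
name: ci
on:
  pull_request_target:
    types: [opened]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
      - name: Echo title (unsafe, attacker-controlled text reaches the shell)
        run: |
          echo "PR title: ${{ github.event.pull_request.title }}"
      - name: Echo title (safe, value passed via an environment variable)
        env:
          TITLE: ${{ github.event.pull_request.title }}
        run: echo "PR title: $TITLE"
"""


if __name__ == "__main__":
    for f in scan_workflow(SAMPLE_WORKFLOW):
        print(f"line {f.line:>2}  {f.rule:<18} {f.detail}")
```

The env-variable step is not flagged because the expression is expanded into an environment value, not into the shell script itself.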

Legit Security Releases Industry’s First Software Compliance and Attestation Trust Center

Posted in Commentary with tags on April 30, 2024 by itnerd

Legit Security, the leading platform for enabling companies to manage their application security posture across the complete developer environment, today announced extended software compliance, audit, and attestation support with the release of the industry’s first software compliance and attestation trust center.

Legit enables customers to build a repeatable and scalable software security compliance program by automating manual processes and producing the required evidence to prove compliance. By leveraging multiple frameworks, including SLSA, PCI DSS, SOC2, and ISO 27001, Legit quickly assesses the state of a software security program to identify gaps that create risk.

In addition, Legit now supports new requirements for the CISA Secure Software Development Attestation Form. CISA offers an essential set of guidelines to ensure software is secure; attestation provides a means for vendors to confirm that software was developed with these standards in mind.

Legit’s compliance and attestation trust center features include:

  • Out-of-the-box controls and automated validation: Legit is pre-built with suggested controls for many key frameworks and standards to immediately provide a gap analysis that can be customized to an organization’s needs.
  • Customizations to enable precise compliance reporting: Legit’s product unit and custom query capabilities allow customers to define products, lines of businesses and apps, and specific controls and policies required for compliance; Legit automatically validates and alerts on any areas that are out of compliance.
  • Capture evidence and reduce exposure: Legit captures the required data and lets users export it, using compliance frameworks to determine status when attesting to CISA or other security frameworks.
  • Continuous compliance and faster remediation: Legit simplifies audits and attestations, enabling organizations to upload evidence supporting requirements, validate compliance status, and automate workflows and ownership.
  • New dashboard and reporting capabilities: Legit allows customers to seamlessly drill into multiple frameworks with expanded reporting capabilities to determine security gaps and demonstrate compliance status.

Legit’s software compliance and attestation capabilities are available now to new and existing customers. For more information, visit www.legitsecurity.com.

New Dependency Confusion Vulnerability Discovered In Archived Apache Project

Posted in Commentary with tags on April 22, 2024 by itnerd

Legit Security has disclosed that its research team recently discovered a dependency confusion vulnerability (also known as dependency hijacking or a substitution attack) in an archived Apache project, underscoring the urgent need to consider third-party projects and dependencies as potential weak links in software development, especially archived open-source projects that may not receive regular updates or security patches.

Legit’s researchers found the misconfiguration in the archived Apache Cordova App Harness open-source project and explored how it could be exploited in the wild. Their analysis shows that an attacker could execute arbitrary code on the host machine where the vulnerable application is deployed, using the privileges granted to the application, so that exploitation can result in remote code execution within the production environment.

Legit explores the implications of this attack, provides the disclosure timeline, spotlights the importance of proper configuration for package managers, and delivers recommendations. 

You can read this disclosure here.
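The disclosure stresses proper package manager configuration. As an added example that is not part of the Legit disclosure (which does not say which package manager the project used), the check below takes an npm-style registry configuration and manifest, both constructed, and reports internal package names that this configuration would fetch from the public registry, which is the gap a dependency confusion attack relies on.

```python
import json

# Constructed sample inputs, not taken from the Legit disclosure.
NPMRC = """\
# default registry for everything not matched by a scope rule
registry=https://registry.npmjs.org/
# only names under this scope are guaranteed to come from the private registry
@acme:registry=https://npm.internal.example/
"""
PACKAGE_JSON = json.dumps({
    "name": "sample-app",
    "dependencies": {
        "@acme/auth-utils": "^1.2.0",    # scoped: resolved privately
        "acme-build-helper": "^2.0.0",   # internal but unscoped: public registry wins
        "lodash": "^4.17.21",            # genuinely public
    },
})
# Names the organisation publishes only internally (assumed inventory).
INTERNAL_PACKAGES = {"@acme/auth-utils", "acme-build-helper"}
PUBLIC_REGISTRIES = {"https://registry.npmjs.org/"}


def parse_npmrc(text: str) -> tuple[str, dict[str, str]]:
    """Return (default registry, {scope: registry}) from .npmrc key=value lines."""
    default = "https://registry.npmjs.org/"      # npm's built-in default
    scoped: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key == "registry":
            default = value
        elif key.startswith("@") and key.endswith(":registry"):
            scoped[key[: -len(":registry")]] = value
    return default, scoped


def registry_for(name: str, default: str, scoped: dict[str, str]) -> str:
    """npm uses the scope's registry when one is configured, else the default."""
    if name.startswith("@"):
        return scoped.get(name.split("/", 1)[0], default)
    return default


def find_confusable(package_json: str, npmrc: str, internal: set[str],
                    public: set[str] = PUBLIC_REGISTRIES) -> list[tuple[str, str, str]]:
    """Internal package names this configuration would resolve from a public
    registry. A same-named public package with a higher version matching the
    range (e.g. 2.9.0 for ^2.0.0) would be installed in place of the internal one."""
    default, scoped = parse_npmrc(npmrc)
    manifest = json.loads(package_json)
    deps: dict[str, str] = {}
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        deps.update(manifest.get(section, {}))
    return [(name, spec, registry_for(name, default, scoped))
            for name, spec in sorted(deps.items())
            if name in internal and registry_for(name, default, scoped) in public]


if __name__ == "__main__":
    for name, spec, reg in find_confusable(PACKAGE_JSON, NPMRC, INTERNAL_PACKAGES):
        print(f"{name} {spec}: would resolve from {reg}")
```

Moving every internal package under a scope mapped to the private registry, or pointing the default registry at a private proxy, empties the result.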

Legit Security Now Offered Through GuidePoint Security

Posted in Commentary with tags on April 17, 2024 by itnerd

Legit Security, the leading platform for enabling companies to manage their application security posture across the complete developer environment, today announced a strategic reseller partnership with GuidePoint Security, the leading cybersecurity solution provider that empowers organizations to make smarter decisions and minimize risk.

As organizations build scalable application security programs, they face many challenges, including enforcing consistent policies across disparate product and application teams and demonstrating compliance with various regulations and security frameworks. GuidePoint Security’s expertise and services, paired with Legit’s platform, will enable joint customers to strengthen their application security posture without slowing the innovation critical to their bottom line.

Legit’s platform enables security teams, including CISOs, product security leaders, and security architects, to gain comprehensive visibility into risks across the development pipeline from the infrastructure to the application layer. With a crystal-clear view of the development lifecycle, customers ensure the code deployed is secure and compliant. Legit’s capabilities that help companies manage their application security posture include:

  • SDLC Visibility & Security: Gain a complete view of your software factory, including development assets and security controls; discover unknown assets and activities, such as developers’ use of GenAI code.
  • Software Supply Chain Security: Automatically discover, analyze, and secure your software supply chain; maintain a continuous inventory of SDLC assets; and produce current software bills of materials (SBOMs).
  • Compliance: Align with regulatory requirements and map application security to frameworks such as CISA SSDF, SLSA, FedRAMP and ISO 27001; leverage findings to support internal and external audit requirements.
  • Application Vulnerability Management: Consolidate findings from multiple AppSec tools and make sense of these results – supported by contextual understanding of the developer environment – to effectively prioritize remediation.
  • Secrets Detection & Remediation: An AI-powered solution that enables secrets discovery beyond source code, Legit enables organizations to detect, remediate, and prevent secrets exposure across the software development pipeline.