2025 App Risk Report: 100% Firms Expose Secrets, Urgent Need for Enhanced Security
January 23, 2025

For organizations seeking detailed analysis and strategies to mitigate application security risks, downloading the full report is highly encouraged.
The 2025 State of Application Risk report reveals critical insights into application security risks observed over the past 18 months, emphasizing the urgent need for enhanced AppSec efforts in the coming year.
Application security now extends well beyond vulnerabilities in source code, as highlighted by recent high-profile breaches involving companies like Codecov, LastPass, and Kaseya.
A staggering 89% of organizations are grappling with pipeline misconfiguration issues, with 64% of these problems occurring in active development environments.
The report highlights a concerning trend of permissions sprawl: 85% of organizations fail to implement least-privilege access effectively, which widens the damage an attacker can do if credentials are compromised.
Alarmingly, 100% of organizations reported having exposed secrets in their environments, with 53% of these secrets found in public assets and 35% in cloud deployments.
Secrets are not only prevalent in source code but are also commonly found in YAML files, build logs, containers, and collaboration tools like Jira and Slack; 36% of secrets were located outside the source code.
The report identifies 'toxic combinations' of risks, such as the 53% of organizations with exposed secrets in repositories involving external collaborators, underscoring areas that require prioritization for remediation.
Significant inefficiencies in application security testing are uncovered, with 78% of organizations utilizing duplicate Software Composition Analysis (SCA) scanners and 39% employing duplicate Static Application Security Testing (SAST) scanners.
The introduction of generative AI (GenAI) presents new risks, particularly where developers use AI tools without secure configurations, potentially leading to legal complications from integrating licensed code.
Source
Security Boulevard • Jan 22, 2025
Announcing the 2025 State of Application Risk Report