Analysis Identifies Web Servers as Weakest Cybersecurity Link
2024-09-18 21:00:55 Author: securityboulevard.com


An analysis of more than 39 million anonymized and normalized data points published today by Cycognito, a provider of platforms for discovering and testing attack surfaces, finds web servers accounted for more than a third (34%) of all the severe issues discovered.

These platforms account for more severe issues than 54 other platforms combined, the report noted.

Additionally, only 15% of all severe issues involved platforms using TLS or HTTPS protocols. Only half of the surveyed web interfaces that handle personally identifiable information (PII) were protected by a web application firewall (WAF). Just under a third (31%) of surveyed web interfaces also lack HTTPS for encrypting data in transit, and more than 60% of the interfaces that expose PII also lacked a WAF, according to the report.

Cycognito CEO Rob Gurzeev said the report makes it clear that much work remains to be done on mastering cybersecurity fundamentals. In many cases, organizations are focused on the wrong cybersecurity issues, he noted.

For example, while cybercriminals may be able to specifically target vulnerabilities in a software supply chain, it is a lot easier for them to compromise the underlying infrastructure. In many cases, cybercriminals are not even targeting software supply chains. Instead, they are looking to compromise web servers that, when breached, just happen to provide them with access to the application environment deployed on them. It is only when they discover what that application environment is that they expand the scope of their attack, said Gurzeev.


The challenge is that not enough testing is being done to detect those attacks. A previous survey conducted by Cycognito found that while 60% of organizations update web applications at least once a week, three-quarters (75%) test their web applications monthly or less. The number of web applications in their environment was too large for adequate testing, with nearly 75% leaving more than 40% of the attack surface untested.

More than one-third (35%) also noted their organization experiences a significant security event involving a web application at least once a week, with more than a quarter (26%) saying they experience a major incident involving a web application once a week. Many of those applications are simply misconfigured in a way that, for example, makes it possible for cybercriminals to launch a relatively trivial SQL injection attack, noted Gurzeev.

In addition, more than half of respondents (53%) indicated difficulties remediating vulnerabilities uncovered by web application testing. More than half (54%) also said they struggle to remediate vulnerabilities even after their web application security tests have revealed them. More than a quarter (28%) strongly agree that they are not able to readily operationalize vulnerability test findings.

The simple truth is the number of applications and platforms being deployed far exceeds the current ability of organizations to adequately protect them. More troubling still, the DevSecOps processes that organizations should be employing to automate the remediation of web applications are generally still immature. In many cases, it’s not so much a question of whether a platform will be breached, but rather when.

Each organization will, of course, need to determine its overall risk appetite. However, with each new unprotected web interface added to an IT environment, the odds that there will be a cybersecurity incident appear only to increase.

Source: https://securityboulevard.com/2024/09/analysis-identifies-web-servers-as-weakest-cybersecurity-link/