Orchid Security, the company bringing clarity to the complexity of enterprise identity security, released its inaugural State of Identity Security 2025 report. Orchid’s analysis shows nearly half of enterprise applications violate basic credential-handling guidance, 44% undermine centralized IdP policies and 40% fall short of widely accepted identity-control standards. These shortcomings expose organizations to heightened audit findings, compliance penalties and breach risk.

Complementing traditional industry research based on post-incident findings, the report presents a proactive analysis of the state of identity controls. Unlike assessments of external exposures, Orchid analyzes authentication flows and authorization practices embedded deep within enterprise applications. These insights span financial services, healthcare, manufacturing, retail, energy and other sectors – offering the first large-scale view into unseen and often overlooked identity practices, and in doing so, exposing hidden vulnerabilities and compliance gaps.

Orchid will showcase these findings and its Identity-First Security platform at Identiverse 2025, taking place June 3-6 in Las Vegas.


The report’s findings come at a critical time for the industry. The recently released 2025 Verizon Data Breach Investigations Report confirms that stolen credentials are once again the most common initial access method leading to breaches. Similarly, CrowdStrike’s Threat Report observes that “every breach starts with initial access, and identity-based attacks are among the most effective entry methods.” As threat actors focus on “logging in” via stolen credentials rather than “hacking in,” understanding and eliminating identity security gaps becomes a top priority for CISOs and identity providers.

Key findings from Orchid’s research:

  1. Clear-text credentials found in nearly 50% of applications
    Given that no code is impenetrable and that weaknesses, as well as their exploitation, are a fact of life, masking or encrypting credentials – ideally in an identity store, but certainly when coded into applications – is a security imperative. In nearly half of the binary-level assessments conducted, Orchid’s LLM-powered analysis uncovered clear-text credentials. These were typically associated with alternative access flows, often for non-human accounts, but they also present an easy target for threat actors seeking entry or lateral movement.
  2. 44% of applications bypass Identity Providers (IdP)
    While IdPs are very common within enterprises and a valuable tool for centralizing secure authentication practices, in 44% of cases at least one authentication path offered by the application did not use an IdP. This is often due to application-level constraints, particularly around integrating with third-party or legacy systems. While understandable, especially in support of external access scenarios, these siloed authentication paths create significant operational challenges. Because they sit outside the centralized IAM framework, these non-standard directories are frequently excluded from routine joiner, mover and leaver (JML) processes. As a result, they can become outdated and unmanaged, and ultimately represent a growing blind spot that increases an organization’s exposure to identity-related cyber risk.
  3. ~40% of apps lack identity control basics
    Basic best practices for maintaining identity security include monitoring and even rate-limiting login attempts, locking accounts after a certain number of failed attempts, enforcing password complexity, configuring token lifetimes and more. Unfortunately, each of these was found to be missing roughly 40% of the time. Most application developers are valued for their creativity, as it spurs innovation, but that spirit can make the consistent implementation of standards across applications a challenge.


“These identity security gaps are by no means a reflection on today’s identity and access management teams,” said Roy Katmor, CEO and co-founder of Orchid Security. “The reality is, with the average enterprise relying on more than 1,200 applications – some developed and deployed globally, others introduced by regional offices or specific lines of business – it is a huge challenge to simply know all of the apps in use, let alone to fully understand not only the standard audited identity flows, but also all feasible authentication pathways and authorization attributes within each application. That complexity is only compounded by the fact that, until now, the process has been largely manual.”

Orchid’s recommendations for reducing identity risk

Orchid Security notes that there are a variety of common tools and methods that enterprises can use to assess their environments for identity security exposures, including:

  • Static Application Security Testing (SAST): Code analysis during the development phases can easily be configured to look for hard-coded credentials, including those stored in clear text. Applications developed without a SAST tool should also be subject to code reviews looking for these practices as part of the release process.
  • Architecture reviews: The use of identity providers (IdPs) should be a standard design requirement, enforced during design reviews.
  • Monitoring tools: Basic log monitoring and Security Information and Event Management (SIEM) products will show you whether basic identity security hygiene is in place.
  • Penetration testing: Identity is the most common way in for threat actors, as well as for those emulating them during security assessments. Testing for common identity weaknesses should therefore be included.
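Finding 3 and the monitoring recommendation above both come down to one question a defender can answer from logs: when an account racks up failed logins, does the application actually lock it or throttle the attempts? The Python script below is an added illustration, not code from Orchid's report or platform; it runs that check over a constructed sample of authentication log lines, and the log format, event names, failure threshold and time window are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample auth log (not real data); assumed format: "<ISO ts> app=<name> user=<id> event=<login_ok|login_fail|lockout>"
SAMPLE_LOG = """\
2025-05-01T09:00:00 app=payroll user=alice event=login_fail
2025-05-01T09:00:03 app=payroll user=alice event=login_fail
2025-05-01T09:00:06 app=payroll user=alice event=login_fail
2025-05-01T09:00:09 app=payroll user=alice event=login_fail
2025-05-01T09:00:12 app=payroll user=alice event=login_fail
2025-05-01T09:00:15 app=payroll user=alice event=login_ok
2025-05-01T09:10:00 app=crm user=bob event=login_fail
2025-05-01T09:10:02 app=crm user=bob event=login_fail
2025-05-01T09:10:04 app=crm user=bob event=login_fail
2025-05-01T09:10:06 app=crm user=bob event=login_fail
2025-05-01T09:10:08 app=crm user=bob event=login_fail
2025-05-01T09:10:09 app=crm user=bob event=lockout
"""
LINE_RE = re.compile(r"^(\S+) app=(\S+) user=(\S+) event=(\S+)$")

def parse_log(text):
    events = []  # (timestamp, app, user, event); malformed lines are skipped
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, app, user, event = m.groups()
            events.append((datetime.fromisoformat(ts), app, user, event))
    return events

def find_missing_lockouts(events, threshold=5, window_seconds=300):
    """Return {(app, user): failures} for accounts that reached `threshold`
    failed logins inside the window with no lockout emitted by the app."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(list)  # (app, user) -> timestamps of recent failures
    findings = {}
    for ts, app, user, event in sorted(events, key=lambda e: e[0]):
        key = (app, user)
        if event == "login_fail":
            recent[key] = [t for t in recent[key] if ts - t <= window] + [ts]
        elif event == "lockout":
            recent[key] = []  # the control fired; nothing to report
        elif event == "login_ok":
            if len(recent[key]) >= threshold:  # burst ended in success, never locked
                findings[key] = len(recent[key])
            recent[key] = []
    for key, stamps in recent.items():  # bursts with no lockout and no success yet
        if len(stamps) >= threshold:
            findings[key] = len(stamps)
    return findings
```

On the sample, the payroll app lets alice through after five straight failures with no lockout and is flagged, while the CRM app locks bob on the fifth failure and is not.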

“Organizations can no longer afford to overlook identity as a central element of their security posture,” said Katmor. “Even without automated tools such as Orchid Security in place, there are practical steps teams can take, from manual code reviews to architecture and monitoring enhancements. Identity remains the most common attack vector, and proactive, layered assessment is key to reducing exposure.”



Source: globenewswire