Datadog's State of DevSecOps 2025 Report Finds Only 18% of Critical Vulnerabilities Are Truly Worth Prioritizing
Datadog (NASDAQ: DDOG) has released its State of DevSecOps 2025 report, revealing that only 18% of critical vulnerabilities actually require urgent attention when runtime context is considered alongside CVSS scores. The study highlights significant security challenges in Java applications, with 44% containing known-exploited vulnerabilities compared to just 2% in other programming languages.
The report found that Java applications take longer to patch, averaging 62 days for library fixes, versus 46 days for .NET and 19 days for JavaScript-based applications. Additional findings include ongoing software supply chain attacks through malicious PyPI and npm libraries, a slight improvement in credential management with long-lived credential usage dropping from 63% to 58%, and challenges with outdated dependencies across all programming languages.
- Improved security assessment methodology through runtime context analysis
- Reduction in long-lived credential usage from 63% to 58%
- 44% of Java applications contain known-exploited vulnerabilities
- Slow patching times for Java applications (62 days average)
- Widespread presence of malicious PyPI and npm libraries in software supply chain
- Dependencies across all programming languages months behind latest major updates
The report also found that exploitable vulnerabilities are especially prevalent in Java applications
New York, New York--(Newsfile Corp. - April 23, 2025) - Datadog, Inc. (NASDAQ: DDOG), the monitoring and security platform for cloud applications, today released its new report, the State of DevSecOps 2025, which found that only a fraction of critical vulnerabilities are truly worth prioritizing.
To better understand the severity of a vulnerability, Datadog developed a prioritization algorithm that factored in runtime context to its Common Vulnerability Scoring System (CVSS) base score. Adding in runtime context provided factors about a vulnerability—for example, whether the vulnerability was running in a production environment, or if the application in which the vulnerability was found was exposed to the internet—that CVSS did not take into account. This helped to reduce noise and identify the issues that are most urgent. After runtime context was applied, Datadog found that only
"The State of DevSecOps 2025 report found that security engineers are wasting a lot of time on vulnerabilities that aren't necessarily all that severe," said Andrew Krug, Head of Security Advocacy at Datadog. "The massive amount of noise security teams have to deal with is a major issue because it distracts from prioritizing the really critical vulnerabilities. If defenders are able to spend less time triaging issues, they can reduce their organizations' attack surface all the faster. Focusing on easily exploitable vulnerabilities that are running in production environments for publicly exposed applications will yield the greatest real-world improvements in security posture."
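The runtime-context prioritization described above, as an added illustrative example (not Datadog's algorithm, whose weights the release does not publish): the CVSS base rating sets the ceiling, and the runtime facts the report names, production deployment, internet exposure and known exploitation, decide whether a finding keeps that rating. The tier rules, field names and sample findings are assumptions constructed for this example.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    vuln_id: str            # placeholder identifier, not a real advisory
    cvss_base: float        # CVSS base score, 0.0 - 10.0
    in_production: bool     # is the affected service running in production?
    internet_exposed: bool  # is the affected application reachable from the internet?
    known_exploited: bool   # is the vulnerability known to be exploited in the wild?

LEVELS = ["none", "low", "medium", "high", "critical"]

def cvss_severity(score: float) -> str:
    """Map a CVSS v3 base score to its qualitative rating."""
    if score >= 9.0: return "critical"
    if score >= 7.0: return "high"
    if score >= 4.0: return "medium"
    return "low" if score > 0.0 else "none"

def runtime_priority(f: Finding) -> str:
    """Assumed scheme: runtime context can only lower the CVSS rating.
    Not in production -> drop two levels; in production but neither exposed
    nor known-exploited -> drop one level; exposed or exploited -> keep it."""
    idx = LEVELS.index(cvss_severity(f.cvss_base))
    if idx == 0:
        return "none"
    if not f.in_production:
        idx -= 2
    elif not (f.internet_exposed or f.known_exploited):
        idx -= 1
    return LEVELS[max(idx, 1)]  # a real vulnerability never drops below "low"

def triage(findings: list[Finding]) -> dict[str, str]:
    return {f.vuln_id: runtime_priority(f) for f in findings}

def urgent_share(findings: list[Finding]) -> float:
    """Fraction of CVSS-critical findings that stay critical once runtime context is applied."""
    crit = [f for f in findings if cvss_severity(f.cvss_base) == "critical"]
    return sum(runtime_priority(f) == "critical" for f in crit) / len(crit) if crit else 0.0

SAMPLE = [  # constructed findings, not data from the report
    Finding("VULN-0001", 9.8, True, True, False),   # prod + internet-facing: stays critical
    Finding("VULN-0002", 9.8, True, False, False),  # prod, internal only: high
    Finding("VULN-0003", 9.1, False, True, False),  # staging only: medium
    Finding("VULN-0004", 9.6, True, False, True),   # prod + known exploited: stays critical
    Finding("VULN-0005", 7.5, True, True, False),   # high stays high
    Finding("VULN-0006", 5.3, False, False, False), # medium, not in prod: low
]

if __name__ == "__main__":
    for vid, tier in triage(SAMPLE).items():
        print(f"{vid}: {tier}")
    print(f"CVSS-critical findings still urgent: {urgent_share(SAMPLE):.0%}")
```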
Another key finding from the report was that vulnerabilities are particularly prevalent among Java services, with
In addition to being more likely to contain high-impact vulnerabilities, Java applications are also patched more slowly than those from other programming ecosystems. The report found that applications from the Java-based Apache Maven ecosystem took 62 days on average for library fixes, compared to 46 days for those in the .NET-based ecosystem and 19 days for applications built using npm packages, which are JavaScript-based.
Other key findings from the report include:
- Attackers continue to target the software supply chain: Datadog's report identified thousands of malicious PyPI and npm libraries—some of these packages were malicious by nature and attempted to mimic a legitimate package (for instance, passports-js mimicking the legitimate passport library), a technique known as typosquatting. Others were active takeovers of popular, legitimate dependencies (such as Ultralytics, Solana web3.js, and lottie-player). These techniques are used both by state-sponsored actors and cybercriminals.
- Credential management is improving, but slowly: One of the most common causes of data breaches is long-lived credentials. Last year, 63% of organizations used a form of long-lived credential at least once to authenticate GitHub Actions pipelines. This year, that number dropped to 58%, a positive sign that organizations are slowly improving their credential management processes.
- Outdated libraries are a challenge for all developers: Across all programming languages, dependencies are months behind their latest major update. And those that are less frequently deployed are more likely to be using out-of-date libraries—dependencies in services that are deployed less than once a month are 47% more outdated than those deployed daily. This is an issue for developers as outdated libraries can increase the likelihood that a dependency contains unpatched, exploitable vulnerabilities.
For the report, Datadog analyzed tens of thousands of applications and container images within thousands of cloud environments in order to assess the types of risks defenders need to be aware of and what practices they can adopt to improve their security posture.
Datadog's State of DevSecOps 2025 is available now. For the full results, please visit: https://www.datadoghq.com/state-of-devsecops/. To learn how Datadog helps companies secure their cloud environments, visit: https://www.datadoghq.com/product/cloud-security-management/.
About Datadog
Datadog is the observability and security platform for cloud applications. Our SaaS platform integrates and automates infrastructure monitoring, application performance monitoring, log management, user experience monitoring, cloud security and many other capabilities to provide unified, real-time observability and security for our customers' entire technology stack. Datadog is used by organizations of all sizes and across a wide range of industries to enable digital transformation and cloud migration, drive collaboration among development, operations, security and business teams, accelerate time to market for applications, reduce time to problem resolution, secure applications and infrastructure, understand user behavior and track key business metrics.
Forward-Looking Statements
This press release may include certain "forward-looking statements" within the meaning of Section 27A of the Securities Act of 1933, as amended, or the Securities Act, and Section 21E of the Securities Exchange Act of 1934, as amended including statements on the benefits of new products and features. These forward-looking statements reflect our current views about our plans, intentions, expectations, strategies and prospects, which are based on the information currently available to us and on assumptions we have made. Actual results may differ materially from those described in the forward-looking statements and are subject to a variety of assumptions, uncertainties, risks and factors that are beyond our control, including those risks detailed under the caption "Risk Factors" and elsewhere in our Securities and Exchange Commission filings and reports, including the Annual Report on Form 10-K filed with the Securities and Exchange Commission on February 20, 2025, as well as future filings and reports by us. Except as required by law, we undertake no duty or obligation to update any forward-looking statements contained in this release as a result of new information, future events, changes in expectations or otherwise.
Contact
Dan Haggerty
press@datadoghq.com
To view the source version of this press release, please visit https://www.newsfilecorp.com/release/249413