
A new report from Datadog finds that 87 percent of organizations have at least one known exploitable vulnerability in their deployed services.
In addition, 42 percent of services rely on libraries that are no longer actively maintained. Services using end-of-life language versions face exploitable vulnerabilities in 50 percent of cases, compared to 31 percent for services on supported versions.
Only 50 percent of organizations adopt new library versions within 24 hours of release, increasing the risk of installing malicious or compromised software. A mere four percent of organizations say they pin all public GitHub Actions to a specific version using commit hashes, leaving CI/CD pipelines vulnerable to silent code changes.
“The way software is built has fundamentally changed, but security practices haven’t kept up,” says Andrew Krug, head of security advocacy at Datadog. “DevSecOps teams are caught between moving too slowly and moving too fast. Go slow, and outdated software accumulates known vulnerabilities. Go fast, and automation can introduce unvetted code. The real challenge, though, isn’t speed — it’s clarity. As environments grow more complex, AI-assisted workflows help ensure top priorities get attention first.”
While vulnerability alerts continue to rise, the report also finds that most do not represent immediate business risk. Only 18 percent of vulnerabilities labeled ‘critical’ remain critical once runtime context is applied.
“When almost everything is labeled ‘critical’, nothing is,” Krug adds. “Teams get paged for noise while threats that pose real risk slip through. Without context, prioritization becomes harder — leading to burnout, slower response times and accumulated risk. Teams need better visibility into what actually requires action.”
The full State of DevSecOps Report is available from the Datadog site.
