
Latest news with #StateofDevSecOps2025

Only 18% Of Critical Vulnerabilities Truly Worth Prioritising According To Datadog Report

Scoop

24-04-2025

  • Scoop

Press Release – Datadog

Datadog today released its new report, the State of DevSecOps 2025, which found that only a fraction of critical vulnerabilities are truly worth prioritising. The report also found that exploitable vulnerabilities are especially prevalent in Java applications.

To better understand the severity of a vulnerability, Datadog developed a prioritisation algorithm that factored runtime context into its Common Vulnerability Scoring System (CVSS) base score. Adding runtime context provided factors about a vulnerability—for example, whether the vulnerability was running in a production environment, or whether the application in which it was found was exposed to the internet—that CVSS did not take into account. This helped to reduce noise and identify the issues that are most urgent. After runtime context was applied, Datadog found that only 18% of vulnerabilities with a critical CVSS score—less than one in five—were still considered critical.

'The State of DevSecOps 2025 report found that security engineers are wasting a lot of time on vulnerabilities that aren't necessarily all that severe,' said Andrew Krug, Head of Security Advocacy at Datadog. 'The massive amount of noise security teams have to deal with is a major issue because it distracts from prioritising the really critical vulnerabilities. If defenders are able to spend less time triaging issues, they can reduce their organisations' attack surface all the faster. Focusing on easily exploitable vulnerabilities that are running in production environments for publicly exposed applications will yield the greatest real-world improvements in security posture.'

Another key finding from the report was that vulnerabilities are particularly prevalent among Java services, with 44% of applications containing a known-exploited vulnerability. The average share of applications with a known-exploited vulnerability among the other languages in the report—Go, Python, .NET, PHP, Ruby and JavaScript—was only 2%. In addition to being more likely to contain high-impact vulnerabilities, Java applications are also patched more slowly than those from other programming ecosystems. The report found that applications from the Java-based Apache Maven ecosystem took 62 days on average for library fixes, compared to 46 days for those in the .NET-based ecosystem and 19 days for applications built using npm packages, which are JavaScript-based.

Other key findings from the report include:

  • Attackers continue to target the software supply chain: Datadog's report identified thousands of malicious PyPI and npm libraries. Some of these packages were malicious by nature and attempted to mimic a legitimate package (for instance, passports-js mimicking the legitimate passport library), a technique known as typosquatting. Others were active takeovers of popular, legitimate dependencies (such as Ultralytics, Solana and lottie-player). These techniques are used both by state-sponsored actors and cybercriminals.
  • Credential management is improving, but slowly: One of the most common causes of data breaches is long-lived credentials. Last year, 63% of organisations used a form of long-lived credential at least once to authenticate GitHub Actions pipelines. This year, that number dropped to 58%, a positive sign that organisations are slowly improving their credential management processes.
  • Outdated libraries are a challenge for all developers: Across all programming languages, dependencies are months behind their latest major update. Those that are deployed less frequently are more likely to be using out-of-date libraries: dependencies in services that are deployed less than once a month are 47% more outdated than those deployed daily. This is an issue for developers, as outdated libraries increase the likelihood that a dependency contains unpatched, exploitable vulnerabilities.

For the report, Datadog analysed tens of thousands of applications and container images within thousands of cloud environments in order to assess the types of risks defenders need to be aware of and what practices they can adopt to improve their security posture.


Datadog acquires Metaplane to boost AI & data observability

Techday NZ

24-04-2025

  • Business
  • Techday NZ

Datadog has published findings from its latest State of DevSecOps report and revealed the acquisition of data observability firm Metaplane.

The State of DevSecOps 2025 report details that Datadog developed a vulnerability prioritisation algorithm incorporating runtime context—measuring factors such as whether a vulnerability is present in a production environment or exposed to the internet. This additional context filtered out issues of less immediate concern, resulting in only 18% of vulnerabilities with a critical Common Vulnerability Scoring System (CVSS) rating being classified as truly critical.

Andrew Krug, Head of Security Advocacy at Datadog, commented: "The State of DevSecOps 2025 report found that security engineers are wasting a lot of time on vulnerabilities that aren't necessarily all that severe. The massive amount of noise security teams have to deal with is a major issue because it distracts from prioritising the really critical vulnerabilities. If defenders are able to spend less time triaging issues, they can reduce their organisations' attack surface all the faster. Focusing on easily exploitable vulnerabilities that are running in production environments for publicly exposed applications will yield the greatest real-world improvements in security posture."

One significant insight from the report is that Java applications have an especially high prevalence of known-exploited vulnerabilities, with 44% of Java services affected. In contrast, applications built with Go, Python, .NET, PHP, Ruby, and JavaScript collectively averaged only 2% of applications with such vulnerabilities. On patching speed, the report observed that Java-based Apache Maven ecosystems took an average of 62 days to implement library fixes, compared with 46 days for .NET-based ecosystems and 19 days for JavaScript-based npm packages.

The report also highlights ongoing risks to the software supply chain. The analysis identified thousands of malicious libraries on PyPI and npm, with some employing typosquatting such as 'passports-js' mimicking the legitimate 'passport' library. Other threats included active takeovers of popular dependencies, as seen with Ultralytics, Solana and lottie-player. Both state-sponsored and criminal actors were found exploiting these supply chain vulnerabilities.

The research notes a slow improvement in credential management. In the previous year, 63% of organisations used long-lived credentials at least once to authenticate GitHub Actions pipelines. This year's figure dropped to 58%.

Outdated libraries also remain an industry challenge. Dependencies across all programming languages lag months behind their most recent major updates. Services deployed less than once a month were observed to have dependencies 47% more outdated than those in services updated daily, contributing to greater potential exposure to unpatched vulnerabilities.

Datadog's report was compiled through the analysis of tens of thousands of applications and container images distributed across thousands of cloud environments to assess contemporary risk factors and security practices.

Separately, Datadog announced its acquisition of Metaplane, a platform specialising in end-to-end data observability using machine learning-powered monitoring and column-level lineage. With businesses increasingly turning to AI and adopting platforms including Snowflake and Databricks, Datadog stated the integration of Metaplane technologies will speed its move from cloud observability into full data observability. This is expected to enhance its set of data-centric monitoring tools, such as Data Jobs Monitoring and Data Streams Monitoring.

Michael Whetten, VP of Product at Datadog, stated: "Observability is no longer just for developers and IT teams; it's now an essential part of data teams' day-to-day responsibilities as they manage increasingly complex and business-critical workflows. This complexity will become even more pronounced as more businesses deploy AI applications. By unifying observability across applications and data, Datadog will help organisations build reliable AI systems."

Kevin Hu, co-founder and CEO of Metaplane, said: "Our mission at Metaplane is to help companies ensure trust in the data that powers their business. Joining forces with Datadog enables us to bring data observability to tens of thousands more companies, while bringing data teams and software teams closer together."

Following the acquisition, Metaplane will continue to support both existing and new customers as part of the Metaplane by Datadog offering.
