www.infosecurity-magazine.com 2/26/2026, 2:29:44 PM

Datadog finds exploitable production flaws in 87% of firms

Eighty-seven percent of organisations have at least one exploitable software vulnerability in production, affecting 40% of all services, according to a new report from Datadog. The State of DevSecOps Report, based on telemetry from tens of thousands of applications and additional datasets, notes that vulnerabilities are most common in Java services (59%), followed by .NET (47%) and Rust (40%).

Only 18% of critical dependency vulnerabilities stay critical after the severity score is adjusted according to runtime and CVE context, Datadog claimed. Downgrading is most common in .NET environments, where 98% of .NET dependency vulnerabilities are downgraded from critical once context is considered.

The analysis emphasises that context (whether the vulnerability is in production, whether the affected service is under active attack, the availability of an exploit, and the likelihood of exploitation) drives prioritisation, Krug argued, and that security practices have not kept pace with modern software development. The report also discusses how promptly dependencies are updated: the median software dependency is now 278 days out of date, 63 days more than last year’s figure.

Article by CyberSIXT