- Only 18% of CVSS-critical vulnerabilities still require urgent attention once runtime context is considered.
- Java applications face the most significant security challenges, with 44% containing known-exploited vulnerabilities.
- The use of long-lived credentials in GitHub Actions pipelines has decreased from 63% to 58%, a modest improvement in credential management.
Datadog (DDOG) has unveiled its State of DevSecOps 2025 report, finding that only 18% of vulnerabilities with a critical CVSS score remain truly critical once runtime context (how and where the vulnerable code actually runs) is taken into account. Prioritizing on that basis lets security engineers focus on the vulnerabilities that need immediate action, cutting unnecessary remediation work without weakening the overall security posture.
Java applications stand out as particularly exposed: 44% contain at least one known-exploited vulnerability, against about 2% across other programming languages such as Go, Python and .NET. Java is also the slowest to remediate, with patching taking an average of 62 days, compared with 46 days for .NET and 19 days for JavaScript-based applications.
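To make the two headline numbers concrete, here is an added Python triage script that applies a runtime-context rule to a small inventory of findings and then computes the same two figures the report quotes: the share of CVSS-critical findings that survive as urgent, and the per-language share of services carrying a known-exploited vulnerability. This is example code, not Datadog's code or the report's scoring method; the triage rules, the 9.0 threshold, the field names and the sample findings are all assumptions constructed for the illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One vulnerable dependency observed in one service (field names are assumptions)."""
    id: str                  # placeholder finding id, not a real CVE identifier
    service: str             # the application/service that ships the dependency
    package: str
    language: str
    cvss: float              # published base score; 9.0+ is the CVSS v3 "Critical" band
    in_production: bool      # the service runs in a production environment
    internet_exposed: bool   # the service accepts traffic from the internet
    loaded_at_runtime: bool  # the vulnerable library is actually loaded by the process
    known_exploited: bool    # listed in a known-exploited-vulnerabilities catalog


def is_cvss_critical(f: Finding) -> bool:
    return f.cvss >= 9.0


def triage(f: Finding) -> str:
    """Return "urgent", "scheduled" or "backlog" for a finding.

    Illustrative rules, not Datadog's scoring: a finding stays urgent only when
    it is reachable (production + internet-exposed) and exploitation is already
    observed in the wild; everything else is demoted one or two tiers.
    """
    if not f.loaded_at_runtime:
        # Dead dependency: runtime-load evidence is a demotion signal, not a reason
        # to ignore the finding; the package is still fixed with the next routine upgrade.
        return "backlog"
    reachable = f.in_production and f.internet_exposed
    if f.known_exploited and reachable:
        return "urgent"
    if f.known_exploited or (is_cvss_critical(f) and reachable):
        return "scheduled"
    return "backlog"


def remaining_critical_fraction(findings) -> float:
    """Share of CVSS-critical findings that survive triage as urgent."""
    critical = [f for f in findings if is_cvss_critical(f)]
    if not critical:
        return 0.0
    return sum(1 for f in critical if triage(f) == "urgent") / len(critical)


def known_exploited_service_rate(findings) -> dict:
    """Per language: fraction of services with at least one known-exploited finding."""
    services = defaultdict(set)
    affected = defaultdict(set)
    for f in findings:
        services[f.language].add(f.service)
        if f.known_exploited:
            affected[f.language].add(f.service)
    return {lang: len(affected[lang]) / len(svcs) for lang, svcs in services.items()}


# Constructed sample inventory for the example; services, packages and scores are made up.
SAMPLE = [
    Finding("F-1", "billing-api",  "lib-a", "java",   9.8, True,  True,  True,  True),
    Finding("F-2", "batch-worker", "lib-b", "java",   9.1, True,  False, True,  False),
    Finding("F-3", "staging-svc",  "lib-c", "java",   9.4, False, False, True,  True),
    Finding("F-4", "ml-service",   "lib-d", "python", 9.0, True,  True,  False, False),
    Finding("F-5", "edge-proxy",   "lib-e", "go",     7.5, True,  True,  True,  False),
    Finding("F-6", "ml-service",   "lib-f", "python", 9.6, True,  True,  True,  False),
]

if __name__ == "__main__":
    for f in SAMPLE:
        print(f"{f.id} {f.language:<7} cvss={f.cvss:<4} -> {triage(f)}")
    print(f"critical findings still urgent: {remaining_critical_fraction(SAMPLE):.0%}")
    for lang, rate in sorted(known_exploited_service_rate(SAMPLE).items()):
        print(f"{lang}: {rate:.0%} of services carry a known-exploited vulnerability")
```

On the constructed sample, five findings are CVSS-critical but only one is urgent (20%), and two of the three Java services carry a known-exploited vulnerability. The point to take from the design is that the demotion signals (not loaded, not in production, not internet-exposed, no evidence of exploitation) are cheap to collect from runtime telemetry and a public exploited-vulnerabilities catalog, and that "backlog" still means fix, just on the normal upgrade cadence.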
The report also highlights continuing software supply chain threats, with thousands of malicious PyPI and npm packages identified over the year. Credential management, by contrast, shows a slight improvement: the use of long-lived credentials in GitHub Actions pipelines dropped to 58% from 63% the previous year.
Finally, the report notes that dependencies in every language surveyed are typically months behind their latest major release, which raises the likelihood that known vulnerabilities remain unpatched in production.