Web Applications Face Pressing Security Risks, According to Datadog’s State of DevSecOps Report
Web applications today are confronted with a multitude of security threats, as highlighted in the recently released Datadog State of DevSecOps 2025 report. This report outlines various vulnerabilities, primarily known-exploitable weaknesses, supply chain attacks, and insecurities stemming from identity configurations in Continuous Integration/Continuous Deployment (CI/CD) pipelines. These vulnerabilities represent a substantial risk to organizations aiming to secure their digital environments.
Alarming Vulnerability Rates in Java Services
Findings from the report indicate that approximately 15% of web services are susceptible to known-exploited vulnerabilities, which translates to nearly one-third of organizations surveyed having at least one affected service. The prevalence of these vulnerabilities is particularly alarming in Java services, where an astonishing 44% of applications have at least one known-exploited vulnerability. The contrast with other ecosystems is stark: across Go, Python, .NET, PHP, Ruby, and JavaScript, the average rate is merely 2%.
Deep diving into Java services reveals that around 14% still harbor at least one high-impact vulnerability, specifically those related to critical threats such as remote code execution (RCE) issues. Some notorious examples include vulnerabilities like Log4Shell and Spring4Shell, both of which have proven to be attractive targets for cybercriminals. The report further shows that Java applications not only contain these vulnerabilities at a higher rate but also exhibit slower patching times compared to other programming ecosystems. For instance, library fixes for Java-based applications within the Apache Maven ecosystem averaged a lengthy 62 days, contrasting sharply with 46 days for .NET applications and just 19 days for JavaScript-based npm packages.
A Surge in Untargeted Malicious Requests
Moreover, the report sheds light on the nature of attacks targeting organizations. A significant 88% of surveyed organizations reported receiving untargeted malicious HTTP requests. These requests often probe for sensitive files or API routes, looking for gaps in security measures. Knowing what to prioritize therefore becomes ever more crucial in determining how organizations respond to these threats.
Datadog has developed a prioritization algorithm designed to improve vulnerability assessment. By layering runtime context on top of the Common Vulnerability Scoring System (CVSS) base score, the report significantly enhances the understanding of each vulnerability’s impact. This additional context evaluates whether the vulnerable code is actually running in a production environment and whether the application is publicly exposed, factors that CVSS base scores traditionally overlook. Ultimately, applying runtime context showed that only 18% of vulnerabilities classified as critical by CVSS retain that critical status after a thorough assessment, marking a crucial shift in how organizations should prioritize their security measures.
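The following Python script is an added illustration of the mechanism described above and is not Datadog's algorithm or code from the report. It takes a CVSS base score and two runtime facts (is the vulnerable library loaded by a running production service, and is that service reachable from the internet) plus a known-exploited flag, and recomputes a priority score. The adjustment weights, the finding identifiers and the sample findings are all constructed assumptions chosen to show why most CVSS-critical findings can drop out of the critical bucket once context is applied.

```python
"""Vulnerability prioritization with runtime context (added example).

Not Datadog's actual algorithm: the weights below are assumptions that
show the mechanism (CVSS base score adjusted by whether the vulnerable
code runs in production and whether the service is publicly exposed).
Finding ids and scores in SAMPLE are constructed placeholders.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    finding_id: str        # placeholder identifier, not a real CVE
    cvss_base: float       # CVSS v3 base score, 0.0-10.0
    in_production: bool    # vulnerable library loaded by a running production service
    publicly_exposed: bool  # service accepts traffic from the internet
    known_exploited: bool  # listed as exploited in the wild


def severity(score: float) -> str:
    """CVSS v3 qualitative rating for a 0-10 score."""
    if score == 0.0:
        return "none"
    if score < 4.0:
        return "low"
    if score < 7.0:
        return "medium"
    if score < 9.0:
        return "high"
    return "critical"


def runtime_score(f: Finding) -> float:
    """Adjust the CVSS base score with runtime context (weights are assumptions)."""
    score = f.cvss_base
    if not f.in_production:
        score -= 4.0   # code is present in a dependency but never executed
    if not f.publicly_exposed:
        score -= 2.0   # reachable only from inside the network
    if f.known_exploited:
        score += 1.0   # actively exploited: rank above otherwise-equal findings
    return round(max(0.0, min(10.0, score)), 1)


def prioritize(findings):
    """(finding, base severity, runtime severity) sorted by runtime score, highest first."""
    ranked = sorted(findings, key=runtime_score, reverse=True)
    return [(f, severity(f.cvss_base), severity(runtime_score(f))) for f in ranked]


def still_critical_fraction(findings) -> float:
    """Share of CVSS-critical findings that remain critical after runtime adjustment."""
    crit = [f for f in findings if severity(f.cvss_base) == "critical"]
    if not crit:
        return 0.0
    return sum(severity(runtime_score(f)) == "critical" for f in crit) / len(crit)


# Constructed sample findings; ids are placeholders, not real CVEs.
SAMPLE = [
    Finding("example-1", 9.8, True, True, True),     # exposed, running, exploited
    Finding("example-2", 9.8, True, False, False),   # running, internal only
    Finding("example-3", 9.8, False, False, False),  # in a dependency that never runs
    Finding("example-4", 7.5, True, True, True),     # lower base score, but exposed and exploited
]

if __name__ == "__main__":
    for f, base, rt in prioritize(SAMPLE):
        print(f"{f.finding_id}: CVSS {base:<8} -> runtime {rt:<8} ({runtime_score(f)})")
    print(f"CVSS-critical findings still critical: {still_critical_fraction(SAMPLE):.0%}")
```

With the sample above, three findings share a 9.8 base score but only the one that is running, exposed and exploited stays critical; the 7.5 finding that is exposed and actively exploited ranks above both of the other 9.8s, which is the reordering that runtime context is meant to produce.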
Ongoing Supply Chain Vulnerabilities
The report also emphasizes the continued focus of attackers on software supply chains. Researchers were able to identify thousands of malicious libraries across package managers like PyPI and npm. Many of these libraries employed malicious strategies such as typosquatting, wherein a malicious package masquerades as a legitimate package, or active takeovers of well-known dependencies like Ultralytics, Solana web3.js, and lottie-player. Both state-sponsored actors and cybercriminals use these tactics for their nefarious purposes, exacerbating the already fraught landscape of digital security.
A critical factor in the prevalence of breaches stems from the use of long-lived credentials. A year ago, 63% of organizations acknowledged utilizing some form of long-lived credentials for authenticating GitHub Actions pipelines. The current year has shown a positive trend, with this figure declining to 58%, indicating a gradual improvement in organizations’ approach to credential management.
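As an added example (not from the report or Datadog), the script below audits GitHub Actions workflow definitions for the long-lived-credential pattern the paragraph describes: repository secrets holding static cloud access keys being passed into a job. A job is instead treated as using short-lived OIDC credentials when it requests `id-token: write` and calls an action that exchanges that token (the real `role-to-assume` input of `aws-actions/configure-aws-credentials`, or `workload_identity_provider` for `google-github-actions/auth`). The workflow is a constructed sample already parsed into a dict (the shape `yaml.safe_load` produces), and the secret-name patterns are a heuristic assumption, not a complete policy.

```python
"""Heuristic audit of GitHub Actions workflows for long-lived cloud credentials.

Added example, not the report's or Datadog's code. The workflow below is a
constructed sample (dict shape of yaml.safe_load); the detection rules are
simple heuristics: a step is flagged when it feeds a repository secret whose
name looks like a static credential into an action, environment or shell
command, and a job counts as OIDC-based when it has `id-token: write` and a
step that exchanges the token for cloud credentials.
"""
import re

# Secret names that usually hold static, long-lived credentials (assumption).
STATIC_NAME = re.compile(r"(ACCESS_KEY|SECRET_KEY|SERVICE_ACCOUNT|CLIENT_SECRET|PASSWORD)", re.I)
# ${{ secrets.NAME }} expression syntax used by GitHub Actions.
SECRET_REF = re.compile(r"\$\{\{\s*secrets\.([A-Za-z0-9_]+)\s*\}\}")
# Inputs of real OIDC-exchange actions (AWS and GCP respectively).
EXCHANGE_INPUTS = ("role-to-assume", "workload_identity_provider")


def _values(obj):
    """Yield every string value nested anywhere in dicts/lists."""
    if isinstance(obj, dict):
        for v in obj.values():
            yield from _values(v)
    elif isinstance(obj, list):
        for v in obj:
            yield from _values(v)
    elif isinstance(obj, str):
        yield obj


def static_secrets(step):
    """Names of secrets referenced by a step that look like long-lived credentials."""
    scope = {k: step[k] for k in ("with", "env", "run") if k in step}
    found = set()
    for value in _values(scope):
        for name in SECRET_REF.findall(value):
            if STATIC_NAME.search(name):
                found.add(name)
    return sorted(found)


def _id_token_write(perms):
    return isinstance(perms, dict) and perms.get("id-token") == "write"


def uses_oidc(workflow, job):
    """True when the job may mint an OIDC token and a step exchanges it for credentials.

    Job-level `permissions` replace workflow-level ones entirely, so the
    workflow block only counts when the job declares none.
    """
    if "permissions" in job:
        allowed = _id_token_write(job["permissions"])
    else:
        allowed = _id_token_write(workflow.get("permissions"))
    exchanges = any(
        any(key in (s.get("with") or {}) for key in EXCHANGE_INPUTS)
        for s in job.get("steps", [])
    )
    return allowed and exchanges


def audit(workflow):
    """Return {job_id: {"static_secrets": [...], "oidc": bool}} for one workflow."""
    report = {}
    for job_id, job in workflow.get("jobs", {}).items():
        secrets = sorted({n for s in job.get("steps", []) for n in static_secrets(s)})
        report[job_id] = {"static_secrets": secrets, "oidc": uses_oidc(workflow, job)}
    return report


def long_lived_jobs(workflow):
    """Job ids that pass static credential secrets and have no OIDC exchange."""
    return [j for j, r in audit(workflow).items() if r["static_secrets"] and not r["oidc"]]


# Constructed sample: one job uses a static access-key pair, one uses OIDC.
# The account id, role and bucket names are placeholders.
SAMPLE_WORKFLOW = {
    "name": "deploy",
    "on": {"push": {"branches": ["main"]}},
    "jobs": {
        "deploy-legacy": {
            "runs-on": "ubuntu-latest",
            "steps": [
                {"uses": "actions/checkout@v4"},
                {"uses": "aws-actions/configure-aws-credentials@v4",
                 "with": {"aws-access-key-id": "${{ secrets.AWS_ACCESS_KEY_ID }}",
                          "aws-secret-access-key": "${{ secrets.AWS_SECRET_ACCESS_KEY }}",
                          "aws-region": "us-east-1"}},
                {"run": "aws s3 sync ./build s3://example-bucket"},
            ],
        },
        "deploy-oidc": {
            "runs-on": "ubuntu-latest",
            "permissions": {"id-token": "write", "contents": "read"},
            "steps": [
                {"uses": "actions/checkout@v4"},
                {"uses": "aws-actions/configure-aws-credentials@v4",
                 "with": {"role-to-assume": "arn:aws:iam::000000000000:role/example-deploy",
                          "aws-region": "us-east-1"}},
                {"run": "aws s3 sync ./build s3://example-bucket"},
            ],
        },
    },
}

if __name__ == "__main__":
    for job_id, result in audit(SAMPLE_WORKFLOW).items():
        print(job_id, result)
    print("jobs relying on long-lived credentials:", long_lived_jobs(SAMPLE_WORKFLOW))
```

Run against real repositories, the same functions work on the output of `yaml.safe_load` for each file under `.github/workflows/`; the `deploy-oidc` job shows the remediation shape (no static secret at all, a job-scoped `id-token: write` permission, and a role assumption that yields credentials valid only for that run).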
The report also highlights that dependencies across all programming languages are lagging significantly behind their latest updates. Particularly in services that are infrequently deployed, the chance of using outdated libraries rises dramatically. In fact, services deployed less often than once a month are 47% more likely to employ outdated dependencies compared to those deployed daily. Using these outdated libraries heightens the risk of unpatched and exploitable vulnerabilities, creating additional security challenges for developers.
The Importance of Streamlined Security
Andrew Krug, Head of Security Advocacy at Datadog, provided insight into the issues at hand, emphasizing that security teams often find themselves preoccupied with vulnerabilities that aren’t particularly severe. This excess of "noise" in vulnerability management can detract from the urgency of addressing truly critical vulnerabilities. Krug indicated that by refining the focus on easily exploitable vulnerabilities present in production environments, organizations can achieve significant enhancements in their security postures.
In conclusion, as web applications continue to evolve, organizations must stay vigilant against these persistent threats. The Datadog report serves as a clarion call for enhanced security practices, prioritization strategies, and improved credential management to navigate the complex landscape of modern cybersecurity risks.