Java services hit hardest by third-party vulnerabilities, report says

State of DevSecOps report finds 90% of Java services susceptible to vulnerabilities in third-party libraries.


Java services are the most-impacted by third-party vulnerabilities, according to the “State of DevSecOps 2024” report just released by cloud security provider Datadog.

Released on April 17, the report found that 90% of Java services were susceptible to one or more critical or high-severity vulnerabilities introduced by a third-party library. The average for other languages was 47%.

Datadog’s report analyzed tens of thousands of applications and container images and thousands of cloud environments to assess application security. Following Java in the vulnerabilities assessment were JavaScript, at roughly 70%; Python, at 62%; .NET, at 50%; PHP, at 35%; and Go (golang) and Ruby, both at about 32%.

Java services also were the most likely to be vulnerable to real-world exploits with documented use by attackers. Measured against the known-exploited-vulnerabilities list maintained by the US Cybersecurity and Infrastructure Security Agency, 55% of Java services were affected, as opposed to 7% of those built using other languages.

Additional findings from the report include:

  • At least 38% of organizations leveraging Amazon Web Services (AWS) had deployed workloads or completed sensitive actions manually through the AWS console in a production environment within a 14-day period, meaning they were relying on risky click operations instead of automation.
  • 63% of organizations continue to rely on long-lived credentials—one of the most common causes of data breaches—in CI/CD pipelines, even in cases where short-lived ones would be more practical and secure.
  • Only a small portion of identified vulnerabilities were worth prioritizing.
  • Adoption of infrastructure as code was high, but varied across cloud providers.
  • The vast majority of attacks performed by automated security scanners were harmless and only generated noise for defenders.
  • Lightweight container images lead to fewer vulnerabilities.

Datadog said its findings demonstrate that modern devops practices go hand in hand with strong security measures. Security itself helps drive operational excellence, the company said. But security is only realistic when practitioners are given enough context and prioritization to focus on what matters.

Copyright © 2024 IDG Communications, Inc.