NEW YORK — Datadog, Inc. (NASDAQ: DDOG), the monitoring and security platform for cloud applications, today released its 2023 State of Application Security Report. To better understand the current vulnerabilities and threats targeting DevOps organizations, researchers evaluated real-world data from thousands of Datadog customers. According to the report, only three percent of critical vulnerabilities are truly high risk and worth prioritizing.
The emergence of widespread vulnerabilities and the importance of rapidly discovering vulnerable applications means the onus is on DevOps teams to stay ahead of threats while maintaining release velocity and ensuring efficient use of security budgets. All vulnerabilities rated critical by the Common Vulnerability Scoring System (CVSS) get prioritized for fixes by application and security teams. However, according to Datadog’s 2023 State of Application Security Report, only three percent of vulnerabilities rated as critical by the CVSS are actually worth prioritizing.
The research report compared the standard CVSS severity score with a modified severity score that accounts for runtime context. This approach considers evidence of suspicious traffic, as well as internet-exposed or sensitive environments. As a result, ninety seven percent of vulnerabilities labeled as critical by CVSS could be downgraded and assigned a lower severity score.
“In today’s macroeconomic environment, it is more important than ever to optimize costs wherever possible. For security teams, that means there is increased pressure to find and fix the vulnerabilities that will most impact the business,” said Emilio Escobar, Chief Information Security Officer at Datadog. “The findings in the State of Application Security Report show that there is a clear path to maximizing the efficiency of security budgets this year by prioritizing the three percent of vulnerabilities that are actually critical and will have the greatest impact on the organization’s security posture.”
Other findings from the report include:
- One out of every ten attacks targeted non-production environments.
- Seven out of ten attacks failed to succeed because they targeted the wrong programming language, operating systems or vulnerabilities.
- Java services have the most critical vulnerabilities while Python services have the fewest.
The 2023 State of Application Security Report is available now. Read the full report here: https://www.datadoghq.com/state-of-application-security.
Datadog is the observability and security platform for cloud applications. Our SaaS platform integrates and automates infrastructure monitoring, application performance monitoring, log management, real-user monitoring, and many other capabilities to provide unified, real-time observability and security for our customers’ entire technology stack. Datadog is used by organizations of all sizes and across a wide range of industries to enable digital transformation and cloud migration, drive collaboration among development, operations, security and business teams, accelerate time to market for applications, reduce time to problem resolution, secure applications and infrastructure, understand user behavior, and track key business metrics.
This press release may include certain “forward-looking statements” within the meaning of Section 27A of the Securities Act of 1933, as amended, or the Securities Act, and Section 21E of the Securities Exchange Act of 1934, as amended including statements on the benefits of new products and features. These forward-looking statements reflect our current views about our plans, intentions, expectations, strategies and prospects, which are based on the information currently available to us and on assumptions we have made. Actual results may differ materially from those described in the forward-looking statements and are subject to a variety of assumptions, uncertainties, risks and factors that are beyond our control, including those risks detailed under the caption “Risk Factors” and elsewhere in our Securities and Exchange Commission filings and reports, including the Annual Report on Form 10-K filed with the Securities and Exchange Commission on February 24, 2023, as well as future filings and reports by us. Except as required by law, we undertake no duty or obligation to update any forward-looking statements contained in this release as a result of new information, future events, changes in expectations or otherwise.