Ensuring that DevOps teams and operations remain secure is critical to keeping organizations running. Datadog released its 2023 State of Application Security Report analyzing the current vulnerabilities and threats targeting DevOps organizations. According to the report, three percent of critical vulnerabilities are truly high risk and worth prioritizing.
The emergence of widespread vulnerabilities and the importance of rapidly discovering vulnerable applications means the onus is on DevOps teams to stay ahead of threats while maintaining release velocity and ensuring efficient use of security budgets.
The research compared the standard CVSS severity score with a modified severity score that accounts for runtime context. This approach considers evidence of suspicious traffic, as well as internet-exposed or sensitive environments. As a result, 97% of vulnerabilities labeled as critical by CVSS could be downgraded and assigned a lower severity score.
Looking at data over a two-week period, the report saw that 74% of attacks would not succeed, based on runtime context. These attacks targeted endpoints that were not present in the services (66%), tried to exploit vulnerabilities related to databases not used by those systems (31%) or targeted languages that were not used in the application (three percent).
Other findings from the report include:
- One out of every 10 attacks targeted non-production environments.
- Seven out of 10 attacks failed to succeed because they targeted the wrong programming language, operating systems or vulnerabilities.
- Over the last year, five percent of organizations had at least one exploitable SQL injection vulnerability.