The study discovered that 97% of security flaws classified as “critical” could actually be downgraded in importance.
The 2023 State of Application Security Report was made public by Datadog, Inc., a platform for monitoring and security for cloud applications. Researchers examined actual data from thousands of Datadog customers to gain a better understanding of the threats and vulnerabilities currently affecting DevOps organisations. Only 3% of critical vulnerabilities, according to the report, are actually high-risk and deserving of prioritisation.
The burden of staying ahead of threats while maintaining release velocity and making efficient use of security budgets falls on DevOps teams due to the emergence of widespread vulnerabilities and the significance of quickly discovering vulnerable applications. Application and security teams prioritise the fixes for any vulnerabilities classified as critical by the Common Vulnerability Scoring System (CVSS). However, only 3% of CVSS critical vulnerabilities are actually worth prioritising, according to Datadog’s 2023 State of Application Security Report.
A modified severity score that takes runtime context into account was compared to the standard CVSS severity score in the research report. This method takes into account environments that are sensitive or exposed to the internet as well as evidence of suspicious traffic. As a result, 97% of vulnerabilities flagged by CVSS as critical may be downgraded and given a lower severity score.
“Cost optimisation wherever possible is crucial in the macroeconomic environment of today. According to Emilio Escobar, Chief Information Security Officer at Datadog, “this means there is increased pressure on security teams to find and fix the vulnerabilities that will most impact the business.” By giving priority to the 3% of vulnerabilities that are actually critical and will have the biggest effects on the organization’s security posture, the State of Application Security Report’s findings demonstrate a clear path to maximising the effectiveness of security budgets this year.
Other findings from the report include:
- One out of every ten attacks targeted non-production environments.
- Seven out of ten attacks failed to succeed because they targeted the wrong programming language, operating systems or vulnerabilities.
- Java services have the most critical vulnerabilities while Python services have the fewest.
English
Afrikaans
Shqip
አማርኛ
العربية
Հայերեն
Azərbaycan dili
Euskara
Беларуская мова
বাংলা
Bosanski
Български
Català
Cebuano
Chichewa
简体中文
繁體中文
Corsu
Hrvatski
Čeština
Dansk
Nederlands
Esperanto
Eesti
Filipino
Suomi
Français
Frysk
Galego
ქართული
Deutsch
Ελληνικά
ગુજરાતી
Kreyol ayisyen
Harshen Hausa
Ōlelo Hawaiʻi
עִבְרִית
हिन्दी
Hmong
Magyar
Íslenska
Igbo
Bahasa Indonesia
Gaeilge
Italiano
日本語
Basa Jawa
ಕನ್ನಡ
Қазақ тілі
ភាសាខ្មែរ
한국어
كوردی
Кыргызча
ພາສາລາວ
Latin
Latviešu valoda
Lietuvių kalba
Lëtzebuergesch
Македонски јазик
Malagasy
Bahasa Melayu
മലയാളം
Maltese
Te Reo Māori
मराठी
Монгол
ဗမာစာ
नेपाली
Norsk bokmål
پښتو
فارسی
Polski
Português
ਪੰਜਾਬੀ
Română
Русский
Samoan
Gàidhlig
Српски језик
Sesotho
Shona
سنڌي
සිංහල
Slovenčina
Slovenščina
Afsoomaali
Español
Basa Sunda
Kiswahili
Svenska
Тоҷикӣ
தமிழ்
తెలుగు
ไทย
Türkçe
Українська
اردو
O‘zbekcha
Tiếng Việt
Cymraeg
isiXhosa
יידיש
Yorùbá
Zulu