
Only 18% Of Critical Vulnerabilities Truly Worth Prioritising According To Datadog Report
To better understand the severity of a vulnerability, Datadog developed a prioritisation algorithm that factors runtime context into the Common Vulnerability Scoring System (CVSS) base score. Runtime context supplies facts about a vulnerability that CVSS does not take into account—for example, whether the vulnerable code is running in a production environment, or whether the application in which it was found is exposed to the internet. This reduces noise and surfaces the issues that are most urgent. After runtime context was applied, Datadog found that only 18% of vulnerabilities with a critical CVSS score—fewer than one in five—were still considered critical.
'The State of DevSecOps 2025 report found that security engineers are wasting a lot of time on vulnerabilities that aren't necessarily all that severe,' said Andrew Krug, Head of Security Advocacy at Datadog. 'The massive amount of noise security teams have to deal with is a major issue because it distracts from prioritising the really critical vulnerabilities. If defenders are able to spend less time triaging issues, they can reduce their organisations' attack surface all the faster. Focusing on easily exploitable vulnerabilities that are running in production environments for publicly exposed applications will yield the greatest real-world improvements in security posture.'
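The following Python sketch is an added illustration of the runtime-context approach described above; it is example code written for this page, not Datadog's algorithm (the report does not publish its weighting). It starts from a CVSS base score and down-ranks findings that are not running in production or are not internet-exposed, while keeping findings with evidence of real-world exploitation near the top. The weights, the Finding fields, the placeholder vulnerability ids and the sample inventory are all assumptions constructed for the example; the severity thresholds are the standard CVSS v3 bands.

```python
from dataclasses import dataclass
from typing import Iterable, List

# Standard CVSS v3.x qualitative bands
CRITICAL_THRESHOLD = 9.0
HIGH_THRESHOLD = 7.0
MEDIUM_THRESHOLD = 4.0


@dataclass(frozen=True)
class Finding:
    """One scanner finding plus the runtime context that CVSS alone lacks."""
    vuln_id: str            # placeholder ids below; not real CVE numbers
    service: str
    cvss_base: float        # CVSS base score as reported by the scanner
    in_production: bool     # does the vulnerable code run in a production environment?
    internet_exposed: bool  # is the application reachable from the internet?
    known_exploited: bool   # listed as exploited in the wild (e.g. a KEV-style catalogue)


def severity_label(score: float) -> str:
    """Map a numeric score onto the CVSS qualitative bands."""
    if score >= CRITICAL_THRESHOLD:
        return "critical"
    if score >= HIGH_THRESHOLD:
        return "high"
    if score >= MEDIUM_THRESHOLD:
        return "medium"
    return "low"


def contextual_score(f: Finding) -> float:
    """Adjust the CVSS base score with runtime context.

    The penalties and bonus are assumed, illustrative weights (not Datadog's).
    """
    score = f.cvss_base
    if not f.in_production:      # code that never runs in production cannot be hit there
        score -= 3.0
    if not f.internet_exposed:   # no direct network path from the internet
        score -= 2.0
    if f.known_exploited:        # evidence of real-world exploitation keeps it urgent
        score += 1.0
    return round(max(0.0, min(10.0, score)), 1)


def prioritise(findings: Iterable[Finding]) -> List[Finding]:
    """Return the findings that stay 'critical' after context, most urgent first."""
    kept = [f for f in findings if severity_label(contextual_score(f)) == "critical"]
    return sorted(kept, key=lambda f: (contextual_score(f), f.known_exploited), reverse=True)


def critical_retention_rate(findings: Iterable[Finding]) -> float:
    """Share of CVSS-critical findings that remain critical once context is applied."""
    base_critical = [f for f in findings if severity_label(f.cvss_base) == "critical"]
    if not base_critical:
        return 0.0
    return len(prioritise(base_critical)) / len(base_critical)


# Constructed sample inventory: ids, services and flags are made up for this example.
SAMPLE_FINDINGS = [
    Finding("VULN-0001", "checkout-api",    9.8, True,  True,  True),
    Finding("VULN-0002", "batch-billing",   9.8, True,  False, False),
    Finding("VULN-0003", "staging-web",     9.8, False, True,  False),
    Finding("VULN-0004", "login-portal",    9.1, True,  True,  False),
    Finding("VULN-0005", "dev-sandbox",     9.8, False, False, False),
    Finding("VULN-0006", "public-cdn-edge", 7.5, True,  True,  True),
]

if __name__ == "__main__":
    for f in SAMPLE_FINDINGS:
        adjusted = contextual_score(f)
        print(f"{f.vuln_id:10} {f.service:16} base={f.cvss_base:4} "
              f"context={adjusted:4} -> {severity_label(adjusted)}")
    print("still critical:", [f.vuln_id for f in prioritise(SAMPLE_FINDINGS)])
    print(f"retention rate: {critical_retention_rate(SAMPLE_FINDINGS):.0%}")
```

Running it prints each finding's adjusted score and the share of CVSS-critical findings that survive triage. In the constructed sample, only two of the five CVSS-critical findings remain critical, and the CVSS "high" finding that is in production, internet-exposed and known-exploited ends up scored above several CVSS "critical" ones that are not. The shape of the check is the point, not these particular numbers: any real weighting has to be tuned against the organisation's own exposure and exploitation data.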
Another key finding from the report was that vulnerabilities are particularly prevalent in Java services: 44% of Java applications contain a known-exploited vulnerability. Among the other ecosystems in the report—Go, Python, .NET, PHP, Ruby and JavaScript—the average share of applications with a known-exploited vulnerability was only 2%.
In addition to being more likely to contain high-impact vulnerabilities, Java applications are also patched more slowly than those from other programming ecosystems. The report found that applications in the Java-based Apache Maven ecosystem took 62 days on average to apply library fixes, compared with 46 days for those in the .NET ecosystem and 19 days for applications built on npm packages, which are JavaScript-based.
Other key findings from the report include:
Attackers continue to target the software supply chain: Datadog's report identified thousands of malicious PyPI and npm libraries—some of these packages were malicious by nature and attempted to mimic a legitimate package (for instance, passports-js mimicking the legitimate passport library), a technique known as typosquatting. Others were active takeovers of popular, legitimate dependencies (such as Ultralytics, Solana web3.js, and lottie-player). These techniques are used both by state-sponsored actors and cybercriminals.
Credential management is improving, but slowly: One of the most common causes of data breaches is long-lived credentials. Last year, 63% of organisations used a form of long-lived credential at least once to authenticate GitHub Actions pipelines. This year, that number dropped to 58%, a positive sign that organisations are slowly improving their credential management processes.
Outdated libraries are a challenge for all developers: Across all programming languages, dependencies are months behind their latest major update. And those that are less frequently deployed are more likely to be using out-of-date libraries—dependencies in services that are deployed less than once a month are 47% more outdated than those deployed daily. This is an issue for developers as outdated libraries can increase the likelihood that a dependency contains unpatched, exploitable vulnerabilities.
For the report, Datadog analysed tens of thousands of applications and container images within thousands of cloud environments in order to assess the types of risks defenders need to be aware of and what practices they can adopt to improve their security posture.



Techday NZ
27-06-2025
Java Independence is now a board-level priority - Driving cost savings, cloud efficiency and strategic agility
Chances are every time you stream content, buy something online or check your bank balance, you're interacting with Java-based systems. Java powers mission-critical systems across industries. Netflix runs its entire streaming infrastructure on Java-based microservices, processing millions of concurrent viewers. Global payment networks validate credit card transactions in milliseconds across hundreds of countries using Java applications. While the Java community has expanded to over 10 million developers worldwide, enterprises face mounting cost pressures from multiple directions. For the enterprises powering these essential services, 2025 represents a critical decision point: continue paying escalating costs for Oracle Java, potentially impacting profit margins or customer pricing as well as the potential for future price hikes, or seek alternatives. Java independence gives businesses control, choice, and confidence in how they build and run Java applications. Azul's recent 2025 State of Java Survey & Report reveals an enterprise Java ecosystem in transition, driven by mounting cost concerns, market preference for open-source solutions, and ongoing uncertainty around Oracle's licensing policies. This watershed moment stems from Oracle's shift to employee-based pricing in January 2023, which fundamentally disrupted enterprise Java strategy. Oracle's licensing practices have significantly increased Java-related expenditures, with the company generating billions annually from Java licensing and support. This shift isn't just about cost savings, it's about mitigating risk and enhancing agility. Java independence has become a board-level priority in an era where digital transformation drives market leadership. 
The Oracle Java challenge
The new Oracle pricing model detaches Java costs from actual usage, creating an unsustainable scenario: a 10,000-employee company running a handful of Java applications pays the same as a similarly sized organisation running thousands of Java-based services. For global businesses, this represents both a financial challenge and a strategic imperative to maintain competitive advantage. Our research reveals that two-thirds of organisations found Oracle's licensing model more expensive than alternatives, and an overwhelming majority reported successful migrations away from Oracle Java. With 25% of companies citing audit risk as a key migration driver, the urgency to transition has become a business priority rather than just an IT concern.
The OpenJDK success story
The success of OpenJDK adoption has shattered Oracle Java migration concerns. The data tells a compelling story: 84% of companies found the transition easier than expected or as planned, with three-quarters completing migrations within 12 months. This rapid timeline reflects both the maturity of available solutions and the robust support ecosystem around OpenJDK migrations. OpenJDK distributions have emerged as preferred alternatives to Oracle Java. These enterprise-ready solutions match Oracle Java SE's core capabilities while offering enhanced support and performance options. Successful migration hinges on three key components:
Organisational momentum - Technical expertise, discovery and inventory tools, and project planning assistance from a commercial OpenJDK provider can significantly help secure and maintain executive support, ultimately contributing to a successful transition.
Comprehensive Java mapping - Identifying all Java deployments across an organisation is essential. With 83% of organisations requiring commercially supported Java in production, this mapping phase is critical.
Governance and compliance - Maintaining independence from Oracle Java licensing requires robust governance. Success means partnering with OpenJDK providers offering comprehensive protection, from IP safeguards to indemnification.
The immediate financial benefits are substantial — most organisations report a 50-70% reduction in Oracle Java-related costs. Perhaps even more compelling, additional value lies in regaining control over Java technology strategy.
Cloud cost optimisation
Organisations are grappling with rapidly escalating cloud infrastructure costs, as annual global cloud spending is nearing a trillion dollars and continues to grow at double-digit rates. Our research reveals that 71% of organisations overpay for cloud compute capacity, highlighting an opportunity to reduce costs while improving application performance. Companies that select non-Oracle optimised Java platforms can save 20%+ on cloud computing costs. This is because high-performance Java runtimes deliver more stable Java applications and infrastructure while consuming fewer computing resources, creating compelling advantages beyond just licensing considerations.
Powering AI innovation with Java
Emerging technology demands amplify the need for change, particularly in AI and cloud computing. Half of the surveyed companies from our State of Java report already build AI functionality using Java — from financial institutions developing fraud detection systems to retailers leveraging machine learning for customer personalisation and inventory management. As computational demands grow, organisations require Java platforms that can deliver both performance and efficiency. These advanced workloads highlight the need for solutions that provide more scalable and stable applications while consuming fewer computing resources, enabling AI initiatives to be deployed successfully without excessive infrastructure investments.
Oracle Java independence is not just a technical evolution — it's a strategic imperative that gives organisations the freedom to innovate, control costs, and build their technology future on their own terms.


Techday NZ
26-06-2025
Salesforce unveils Agentforce 3 to accelerate enterprise AI adoption
Salesforce has released Agentforce 3, an upgrade to its enterprise AI agent platform designed to address key challenges faced by organisations scaling artificial intelligence implementation. The latest version introduces features that enhance visibility and control for enterprise users, moving AI agents from experimental use to full-scale deployment. More than 100 prebuilt actions, expanded interoperability options, and a centralised suite of tools for managing hybrid workforces are among the major enhancements.
Agentforce Command Centre
Agentforce 3 introduces the Command Centre, marketed as the first real-time observability suite specifically for hybrid workforces. It provides business leaders with a unified interface to monitor performance metrics across both AI agents and human team members. This monitoring is integrated into business key performance indicators (KPIs), aimed at supporting data-driven management and optimisation of workflow processes. The Command Centre includes dashboards detailing agent adoption, feedback, success rates, costs, and specific topic performance, enabling teams to analyse usage trends and identify areas for improvement. The system records all agent activity in a session-tracing data model leveraging Data Cloud and is compatible with monitoring tools such as Datadog, Splunk, and Wayfound through the OpenTelemetry standard. Teams and supervisors can also receive live analytics on latency, escalation frequency, and error rates with real-time alerts for anomalies, enabling prompt interventions to maintain service levels. For contact centres, agent activity can be monitored in real time, permitting quick performance escalations.
Interoperability and Prebuilt Integrations
Agentforce 3 expands interoperability with native support for open standards like Model Context Protocol (MCP) and Agent-to-Agent Protocol (A2A). The platform also integrates with more than 30 partners, including services such as Stripe, Box, Atlassian, AWS, Cisco, Google Cloud, IBM, Notion, PayPal, Teradata, and WRITER via its expanded AgentExchange. Built-in interoperability is intended to allow AI agents not only to communicate with one another, but with broader enterprise applications, creating a more connected digital workplace.
Deployment and Usability
The update aims to reduce deployment times, with over 100 new prebuilt industry actions and flexible pricing designed to enable companies to deploy agents within days rather than months. The new architecture underlying Agentforce 3 promises improvements in accuracy, latency, resiliency, and model control, the latter of which addresses the requirements of regulated industries. Agentforce Studio is a central space for building, testing, and optimising agents with the assistance of real-time analytics. It provides tools to simulate agent behaviour at scale and generate topics or test cases using natural language, with the goal of assisting teams in developing and deploying agents more efficiently.
Customer Adoption
Several organisations have already adopted Agentforce, including New Zealand-based companies such as Fisher & Paykel, Urban Rest, and Farm Focus, which cite benefits including task automation, enhanced customer engagement, and the ability for staff to focus on complex, people-centred work. According to Salesforce, Engine, Grupo Globo, PepsiCo, UChicago Medicine, and 1-800Accountant have reported measurable improvements: Engine reduced its average customer case handling time by 15%, 1-800Accountant autonomously resolved 70% of administrative chat engagements during the peak tax season, and Grupo Globo saw a 22% increase in subscriber retention.
Adam Evans, Executive Vice President and General Manager of Salesforce AI, commented on the platform's development trajectory: "With Agentforce, we've unified agents, data, apps, and metadata to create a digital labour platform, helping thousands of companies realise the promise of agentic AI today." Evans added: "Over the past several months we've listened deeply to our customers and continued our rapid pace of technology innovation. The result is Agentforce 3, a major leap forward for our platform that brings greater intelligence, higher performance, and more trust and accountability to every Agentforce deployment. Agentforce 3 will redefine how humans and AI agents work together — driving breakthrough levels of productivity, efficiency, and business transformation."
Ryan Teeples, Chief Technology Officer at 1-800Accountant, described their experience with the system: "Agentforce autonomously resolved 70% of 1-800Accountant's administrative chat engagements during the peak this past tax season, an incredible lift during one of our busiest periods. But that early success was just the beginning. We've established a strong deployment foundation and weekly are focused on launching new agentic experiences and AI automations through Agentforce's newest capabilities. With a high level of observability, we can see what's working, optimize in real time, and scale support with confidence."
AI Agent Adoption Trends
Salesforce cited a soon-to-be-released Slack Workflow Index showing a 233% increase in AI agent usage in six months, with 8,000 customers signing up for Agentforce deployment during the same period. The platform is presented as a response to enterprise demands for improved governance, tooling, and observability in large-scale AI agent operations.
Agentforce 3 is now available globally, with tools and integrations focused on supporting enterprise clients as they expand AI adoption within their organisations.


Scoop
25-06-2025
Datadog Strengthens APJ Strategy With New Senior Leadership Announcement
Industry veteran Adrian Towsey to further drive the company's regional expansion as rising technology spend heightens demand for observability, security and generative AI.
Datadog, Inc. (NASDAQ: DDOG), the monitoring and security platform for cloud applications, has appointed Adrian Towsey as Vice President of Commercial Sales for Asia Pacific and Japan (APJ), including India. Towsey is an industry veteran who joins Datadog with more than 25 years of sales and consulting experience in the commercial sector. The newly created role will see him leverage his deep knowledge of the APJ market and cloud software to help customers overcome increasing technological complexities, and optimise their investments in observability, security and generative AI.
Commenting on his appointment, Towsey said, 'After learning about Datadog from industry peers, I quickly discovered the company combines the best of both worlds: a comprehensive platform that enables customers to observe, secure and act on their cloud migrations, security and AI projects, plus a unique culture present across all teams.'
Prior to joining Datadog, Towsey spent 12 years in local and regional leadership positions at Salesforce. This was preceded by senior stints at telecommunications services providers, including Vodafone and Telstra. Towsey will report to Bill Kohut, Senior Vice President of Global Sales at Datadog, who said, 'Adrian's extensive experience in cloud software and regional go-to-market models will be instrumental in expanding our footprint across the diverse APJ commercial space. Working alongside our midmarket and enterprise teams, his understanding of the unique needs of our customers and partners in this region puts Datadog in an even stronger position to convert on expansion opportunities.'
Towsey's appointment coincides with a surge in technology spend across APJ, which has spurred heightened demand for granular monitoring, analytics and security capabilities for cloud applications, data and infrastructure. Datadog continues to add technical, sales and marketing roles in A/NZ, ASEAN, India, Japan and Korea to support these requirements. Datadog also recently appointed Yadi Narayana as Chief Technology Officer for APJ, and will soon launch its first Australian data centre instance to support the data sovereignty and residency requirements of customers and partners.
About Datadog
Datadog is the observability and security platform for cloud applications. Our SaaS platform integrates and automates infrastructure monitoring, application performance monitoring, log management, user experience monitoring, cloud security and many other capabilities to provide unified, real-time observability and security for our customers' entire technology stack. Datadog is used by organizations of all sizes and across a wide range of industries to enable digital transformation and cloud migration, drive collaboration among development, operations, security and business teams, accelerate time to market for applications, reduce time to problem resolution, secure applications and infrastructure, understand user behavior and track key business metrics.
Forward-Looking Statements
This press release may include certain 'forward-looking statements' within the meaning of Section 27A of the Securities Act of 1933, as amended, or the Securities Act, and Section 21E of the Securities Exchange Act of 1934, as amended, including statements on the benefits of new products and features. These forward-looking statements reflect our current views about our plans, intentions, expectations, strategies and prospects, which are based on the information currently available to us and on assumptions we have made. Actual results may differ materially from those described in the forward-looking statements and are subject to a variety of assumptions, uncertainties, risks and factors that are beyond our control, including those risks detailed under the caption 'Risk Factors' and elsewhere in our Securities and Exchange Commission filings and reports, including the Quarterly Report on Form 10-Q filed with the Securities and Exchange Commission on May 7, 2025, as well as future filings and reports by us. Except as required by law, we undertake no duty or obligation to update any forward-looking statements contained in this release as a result of new information, future events, changes in expectations or otherwise.