Surging third-party risks create software vulnerability headaches for developer teams
Security risk is increasing across the software delivery lifecycle as development relies more heavily on third-party components
The overwhelming majority of organizations are running software with known, exploitable vulnerabilities, as security risk increases across the software delivery lifecycle.
Datadog's 2026 State of DevSecOps report indicates that 87% of organizations have at least one known exploitable vulnerability in deployed services - a problem that's most visible in Java services, at 59%, with .NET at 47% and Rust at 40%.
More than four in ten (42%) services rely on libraries that are no longer actively maintained. Notably, the median dependency is 278 days behind the latest major version, compared with 215 days behind last year.
Java and Ruby dependencies fared worst, at 492 days and 357 days behind, respectively.
Services using end-of-life language versions face exploitable vulnerabilities in 50% of cases, Datadog noted, compared with 31% for supported versions.
Half of organizations adopt new library versions within 24 hours of release. That might look like good hygiene, but the report cautions that it is not always a benefit.
"When factoring in supply chain compromises, updating to a new version within a day of release can have a negative impact on the overall security of an application due to the potential to unknowingly install malicious software," the researchers warned.
Meanwhile, only 4% of organizations pin all public GitHub Actions to a specific version using commit hashes, leaving CI/CD pipelines vulnerable to silent code changes.
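The pinning point above is easy to check mechanically. As an added example (not code from the Datadog report or from ITPro), the script below walks a GitHub Actions workflow and flags every step whose `uses:` reference is a mutable tag or branch rather than a full commit SHA; the sample workflow and the SHA in it are constructed placeholders.

```python
import re

# Full 40-hex commit SHA: the only ref form that cannot be moved after the fact.
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
# Matches a step's `uses:` key (optionally quoted) inside a YAML list item.
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")

def classify_ref(uses: str) -> str:
    """Classify a `uses:` value: 'local' for ./path actions, 'docker' for
    docker:// images, 'pinned' when the ref is a full commit SHA, otherwise
    'mutable' (a tag or branch the action owner can repoint at new code)."""
    if uses.startswith("./"):
        return "local"
    if uses.startswith("docker://"):
        return "docker"
    if "@" not in uses:
        return "mutable"          # no ref at all resolves to the default branch
    _, ref = uses.rsplit("@", 1)
    return "pinned" if FULL_SHA.fullmatch(ref) else "mutable"

def audit_workflow(text: str):
    """Return (line_no, uses_value, classification) for every step in a workflow."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_LINE.match(line)
        if m:
            findings.append((n, m.group(1), classify_ref(m.group(1))))
    return findings

def unpinned(text: str):
    """Only the public actions that float on a mutable tag or branch."""
    return [(n, u) for n, u, c in audit_workflow(text) if c == "mutable"]

# Constructed sample workflow (not from the report): one step pinned to a
# placeholder SHA with the conventional version comment, two floating on refs.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.1.1
      - uses: actions/setup-node@v4
      - uses: some-org/lint-action@main
      - uses: ./.github/actions/local-step
      - run: npm test
"""

if __name__ == "__main__":
    for n, u in unpinned(SAMPLE_WORKFLOW):
        print(f"line {n}: {u} is not pinned to a commit SHA")
```

Run against a real `.github/workflows/*.yml` tree, the same check gives a quick count of how far a repository is from the 4% that pin everything.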
“The way software is built has fundamentally changed, but security practices haven’t kept up,” said Andrew Krug, head of security advocacy at Datadog.
“DevSecOps teams are caught between moving too slowly and moving too fast. Go slow, and outdated software accumulates known vulnerabilities. Go fast, and automation can introduce unvetted code,” Krug added.
“The real challenge, though, isn’t speed - it’s clarity. As environments grow more complex, AI-assisted workflows help ensure top priorities get attention first.”
Alert fatigue is rising
Researchers warned that the volume of alerts is obscuring real risk: vulnerability alerts continue to rise, but most do not represent immediate business risk, and only 18% of vulnerabilities labeled “critical” remain critical once runtime context is applied.
“When almost everything is labeled ‘critical’, nothing is,” said Krug. “Teams get paged for noise while threats that pose real risk slip through. Without context, prioritization becomes harder - leading to burnout, slower response times and accumulated risk. Teams need better visibility into what actually requires action.”
Just last week, Veracode released research indicating that 82% of organizations are struggling with high levels of security debt, up by 11% compared with last year.
Of these, 60% have security debt defined as “critical” - representing accumulated vulnerabilities that would be severe enough to cause catastrophic damage to an organization if exploited.
Third-party libraries and open source dependencies were behind 66% of the most dangerous, longest-lived vulnerabilities, the researchers said.
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.