The recently released State of DevSecOps report from Datadog analyzed thousands of applications and container images to “evaluate the adoption of best practices that are at the core of DevSecOps — infrastructure as code, automated cloud deployments, secure application development practices, and the usage of short-lived credentials in CI/CD pipelines.”

Key takeaways from the report include:

• 90 percent of Java services are vulnerable to one or more critical or high-severity vulnerabilities introduced by a third-party library, versus an average of 47% for other technologies.
• The smaller a container image is, the fewer vulnerabilities it is likely to have. According to the report, container images smaller than 100 MB had 4.4 high or critical vulnerabilities, versus 42.2 for images between 250 and 500 MB, and almost 80 for larger images.
• Leaks of long-lived credentials are a common cause of data breaches, making the use of short-lived credentials for CI/CD pipelines critical to securing a cloud environment. However, the report states that “a substantial number of organizations continue to rely on long-lived credentials in their AWS environments.”

See more information at Datadog.