Datadog Report Examines DevSecOps Best Practices

Learn how to mitigate common risks.

The recently released State of DevSecOps report from Datadog analyzed thousands of applications and container images to “evaluate the adoption of best practices that are at the core of DevSecOps — infrastructure as code, automated cloud deployments, secure application development practices, and the usage of short-lived credentials in CI/CD pipelines.”

Key takeaways from the report include:

  • 90 percent of Java services are vulnerable to one or more critical or high-severity vulnerabilities introduced by a third-party library, versus an average of 47 percent for other technologies.
  • The smaller a container image is, the fewer vulnerabilities it is likely to have. According to the report, container images smaller than 100 MB had 4.4 high or critical vulnerabilities, versus 42.2 for images between 250 and 500 MB, and almost 80 for larger images.
  • Leaks of long-lived credentials are a common cause of data breaches, making the use of short-lived credentials for CI/CD pipelines critical to securing a cloud environment. However, the report states that “a substantial number of organizations continue to rely on long-lived credentials in their AWS environments.”
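The third finding implies a check a defender can run on their own account: flag active IAM access keys that have not been rotated for a long time. This is an added example, not code from the Datadog report; the rows below are constructed in the column layout of an AWS IAM credential report (trimmed to the columns the check reads), and the 90-day threshold is an assumption.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample in the layout of an AWS IAM credential report
# (the CSV returned by `aws iam get-credential-report`), trimmed to the
# columns this check reads. Account id, user names and dates are made up.
SAMPLE_REPORT = """\
user,arn,user_creation_time,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2021-03-02T10:00:00+00:00,true,2021-03-02T10:00:00+00:00,false,N/A
build-bot,arn:aws:iam::123456789012:user/build-bot,2024-01-15T09:30:00+00:00,true,2024-03-20T09:30:00+00:00,true,2022-06-01T08:00:00+00:00
human-dev,arn:aws:iam::123456789012:user/human-dev,2023-05-05T12:00:00+00:00,false,2023-05-05T12:00:00+00:00,false,N/A
"""

def _parse_ts(value):
    """Credential reports use ISO-8601 timestamps, or N/A / not_supported when absent."""
    if value in ("N/A", "not_supported", ""):
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def stale_access_keys(report_csv, now, max_age_days=90):
    """Return (user, key_slot, age_days) for every *active* access key whose last
    rotation is older than max_age_days. Inactive keys are skipped: the risk is a
    live, long-lived secret that can leak and still work."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            rotated = _parse_ts(row[f"access_key_{slot}_last_rotated"])
            if rotated is None:
                continue
            age = (now - rotated).days
            if age > max_age_days:
                findings.append((row["user"], f"access_key_{slot}", age))
    return findings

def demo_findings():
    """Run the check over the constructed report as of the article's publication date."""
    return stale_access_keys(SAMPLE_REPORT, datetime(2024, 5, 9, tzinfo=timezone.utc))

if __name__ == "__main__":
    for user, slot, age in demo_findings():
        print(f"{user}: {slot} is active and was last rotated {age} days ago")
```

Replacing the constructed text with the real report body from your account turns this into a quick audit of which pipeline identities still depend on long-lived keys.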

See more information at Datadog.

05/09/2024
