The study discovered that 97% of security flaws classified as “critical” could actually be downgraded in importance.
The 2023 State of Application Security Report was made public by Datadog, Inc., a platform for monitoring and security for cloud applications. Researchers examined actual data from thousands of Datadog customers to gain a better understanding of the threats and vulnerabilities currently affecting DevOps organisations. Only 3% of critical vulnerabilities, according to the report, are actually high-risk and deserving of prioritisation.
The burden of staying ahead of threats while maintaining release velocity and making efficient use of security budgets falls on DevOps teams due to the emergence of widespread vulnerabilities and the significance of quickly discovering vulnerable applications. Application and security teams prioritise the fixes for any vulnerabilities classified as critical by the Common Vulnerability Scoring System (CVSS). However, only 3% of CVSS critical vulnerabilities are actually worth prioritising, according to Datadog’s 2023 State of Application Security Report.
A modified severity score that takes runtime context into account was compared to the standard CVSS severity score in the research report. This method takes into account environments that are sensitive or exposed to the internet as well as evidence of suspicious traffic. As a result, 97% of vulnerabilities flagged by CVSS as critical may be downgraded and given a lower severity score.
“Cost optimisation wherever possible is crucial in the macroeconomic environment of today. According to Emilio Escobar, Chief Information Security Officer at Datadog, “this means there is increased pressure on security teams to find and fix the vulnerabilities that will most impact the business.” By giving priority to the 3% of vulnerabilities that are actually critical and will have the biggest effects on the organization’s security posture, the State of Application Security Report’s findings demonstrate a clear path to maximising the effectiveness of security budgets this year.
Other findings from the report include:
- One out of every ten attacks targeted non-production environments.
- Seven out of ten attacks failed to succeed because they targeted the wrong programming language, operating systems or vulnerabilities.
- Java services have the most critical vulnerabilities while Python services have the fewest.