INFOGRAPHIC
Another key finding from the report was that vulnerabilities are particularly prevalent among Java services, with 44% of applications containing a known-exploited vulnerability. The average proportion of applications with a known-exploited vulnerability among the other ecosystems in the report – Go, Python, .NET, PHP, Ruby and JavaScript – was only 2%.
The report says that, in addition to being more likely to contain high-impact vulnerabilities, Java applications are also patched more slowly than those from other programming ecosystems.
The report found that applications from the Java-based Apache Maven ecosystem took 62 days on average for library fixes, compared to 46 days for those in the .NET-based ecosystem and 19 days for applications built using npm packages, which are JavaScript-based.
Other key findings from the report include:
Attackers continue to target the software supply chain: Datadog’s report identified thousands of malicious PyPI and npm libraries – some of these packages were malicious by nature and attempted to mimic a legitimate package (for instance, passportsjs mimicking the legitimate passport library), a technique known as typosquatting. Others were active takeovers of popular, legitimate dependencies (such as Ultralytics, Solana web3.js, and lottie-player).
These techniques are used both by state-sponsored actors and cybercriminals.
Credential management is improving, but slowly: One of the most common causes of data breaches is long-lived credentials. Last year, 63 % of organisations used a form of long-lived credential at least once to authenticate GitHub Actions pipelines. This year, that number dropped to 58 % – a positive sign that organisations are slowly improving their credential management processes.
Outdated libraries are a challenge for all developers: Across all programming languages, dependencies are months behind their latest major update. And those that are less frequently deployed are more likely to be using out-of-date libraries – dependencies in services that are deployed less than once a month are 47 % more outdated than those deployed daily. This is an issue for developers as outdated libraries can increase the likelihood that a dependency contains unpatched, exploitable vulnerabilities.
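The typosquatting finding above names one look-alike pair (passportsjs mimicking passport). The following is an added example, not code from the report or from Datadog, of a defender-side check that a team can run over a dependency manifest before install: each requested name is compared against a constructed allowlist of well-known packages, with and without a common decorative suffix such as "js" or "s" stripped, and anything within a small edit distance of a known name is flagged. The allowlist, the suffix list and the sample manifest are all constructed for this example; a real deployment would use the registry's top-download list or an internal approved-dependency inventory.

```python
"""Flag dependency names that look like typosquats of popular packages.

Added example (not from the Datadog report): compares requested package
names against a short allowlist and flags near misses such as the
"passportsjs" / "passport" pair mentioned in the report.
"""
from __future__ import annotations

# Constructed allowlist of well-known package names. Assumption: in practice
# this comes from the registry's top-N download list or an internal
# approved-dependency inventory, not a hard-coded set.
KNOWN_PACKAGES = {"passport", "express", "lodash", "requests", "numpy"}

# Suffixes often bolted onto a real name to make a look-alike seem legitimate.
# Constructed for this example, not a list taken from the report.
COMMON_SUFFIXES = ("js", "-js", "py", "-py", "2", "s")


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert/delete/substitute cost 1)."""
    if len(a) < len(b):
        a, b = b, a
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        current = [i]
        for j, cb in enumerate(b, start=1):
            cost = 0 if ca == cb else 1
            current.append(min(previous[j] + 1,          # delete from a
                               current[j - 1] + 1,       # insert into a
                               previous[j - 1] + cost))  # substitute
        previous = current
    return previous[-1]


def normalise(name: str) -> str:
    """Lower-case the name and strip one common decorative suffix, if present."""
    n = name.lower().replace("_", "-")
    for suffix in COMMON_SUFFIXES:
        # Only strip when enough of the name remains to be meaningful.
        if n.endswith(suffix) and len(n) > len(suffix) + 2:
            n = n[: -len(suffix)]
            break
    return n


def check_package(name: str, known: set[str] = KNOWN_PACKAGES,
                  max_distance: int = 2) -> str | None:
    """Return the known package this name appears to impersonate, or None.

    Exact matches are accepted. Otherwise the raw name and its normalised
    form are both compared against the allowlist, and the closest known name
    within `max_distance` edits is reported.
    """
    lowered = name.lower()
    if lowered in known:
        return None
    best: tuple[int, str] | None = None
    for candidate in {lowered, normalise(name)}:
        for legit in known:
            d = levenshtein(candidate, legit)
            if d <= max_distance and (best is None or d < best[0]):
                best = (d, legit)
    return best[1] if best else None


def scan_manifest(names: list[str]) -> dict[str, str]:
    """Map each suspect name in a dependency list to the package it mimics."""
    findings: dict[str, str] = {}
    for n in names:
        target = check_package(n)
        if target:
            findings[n] = target
    return findings


if __name__ == "__main__":
    # Constructed sample manifest: two legitimate names, three look-alikes,
    # and one unrelated package that should not be flagged.
    sample = ["passport", "passportsjs", "expres", "lodash", "reqeusts", "colorama"]
    for pkg, mimics in scan_manifest(sample).items():
        print(f"{pkg!r} looks like a typosquat of {mimics!r}")
```

A check like this is a tripwire, not a gate: it catches the name-confusion class the report describes, but the dependency-takeover cases it also mentions (a legitimate, correctly named package whose maintainer account or publish pipeline was compromised) pass it untouched, which is why pinned versions and lockfile integrity hashes still matter.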
For the report, Datadog analysed tens of thousands of applications and container images within thousands of cloud environments in order to assess the types of risks defenders need to be aware of and what practices they can adopt to improve their security posture.
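The credential-management finding above counts organisations that authenticate GitHub Actions pipelines with a long-lived credential. The following is an added example, not code from the report or from Datadog, of a stdlib-only audit that reads workflow files and separates the two patterns: a static cloud access key pulled from repository secrets (long-lived) versus the `id-token: write` permission that lets a job request a short-lived OIDC token instead. Both workflow snippets are constructed for this example; the action name and `with:` keys follow GitHub's and AWS's documented syntax, the secret-name heuristic is an assumption to extend with your own naming conventions, and the account id in the role ARN is a placeholder.

```python
"""Audit GitHub Actions workflows for long-lived cloud credentials.

Added example (not from the Datadog report). Classifies a workflow as
"long-lived" when it references a repository secret whose name looks like a
static cloud access key, as "federated" when it requests an OIDC id-token
instead, and as "none-detected" otherwise.
"""
from __future__ import annotations

import re

# Constructed workflow: authenticates with a static access key pair stored
# as repository secrets. Anyone who obtains the secret can use it until it
# is rotated, which is the long-lived pattern the report counts.
LONG_LIVED_WORKFLOW = """\
name: deploy
on: [push]
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: us-east-1
"""

# Constructed workflow: the job asks GitHub for a short-lived OIDC token
# (permissions.id-token: write) and exchanges it for a role session; no
# long-lived secret is stored. The account id in the ARN is a placeholder.
FEDERATED_WORKFLOW = """\
name: deploy
on: [push]
permissions:
  id-token: write
  contents: read
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/example-deploy-role
          aws-region: us-east-1
"""

# Heuristic (assumption): secret names containing these fragments hold
# static cloud credentials. Extend with your organisation's conventions.
STATIC_CREDENTIAL_SECRETS = re.compile(
    r"secrets\.(?P<name>[A-Z0-9_]*"
    r"(?:ACCESS_KEY|CLIENT_SECRET|SA_KEY|SERVICE_ACCOUNT_KEY)"
    r"[A-Z0-9_]*)"
)

# A job that can mint an OIDC token has `id-token: write` in its permissions.
ID_TOKEN_PERMISSION = re.compile(r"^\s*id-token:\s*write\s*$", re.MULTILINE)


def find_static_credentials(workflow_text: str) -> list[str]:
    """Names of secrets referenced in the workflow that look like static keys."""
    return sorted({m.group("name")
                   for m in STATIC_CREDENTIAL_SECRETS.finditer(workflow_text)})


def uses_oidc(workflow_text: str) -> bool:
    """True when the workflow requests the id-token permission for OIDC."""
    return ID_TOKEN_PERMISSION.search(workflow_text) is not None


def classify(workflow_text: str) -> str:
    """Classify a workflow's authentication pattern.

    A static key reference wins over an id-token permission: a workflow that
    has both still carries a long-lived credential that must be rotated.
    """
    if find_static_credentials(workflow_text):
        return "long-lived"
    if uses_oidc(workflow_text):
        return "federated"
    return "none-detected"


if __name__ == "__main__":
    for label, text in (("static-key workflow", LONG_LIVED_WORKFLOW),
                        ("oidc workflow", FEDERATED_WORKFLOW)):
        print(f"{label}: {classify(text)} "
              f"{find_static_credentials(text) or ''}")
```

Run this over `.github/workflows/*.yml` in each repository and the count of "long-lived" results is a first approximation of the metric the report tracks; false negatives come from secrets with unconventional names, so pair it with a review of which secrets actually exist in the repository and organisation settings.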
www.intelligentcio.com INTELLIGENTCIO NORTH AMERICA 29