The latest “State of DevSecOps 2024” report by Datadog, a prominent cloud security provider, finds that Java services carry third-party vulnerabilities far more often than services written in other languages.
Released on April 17, the report shows that Java services are disproportionately affected by vulnerabilities in their dependencies: 90% of the Java services analyzed were affected by at least one critical or high-severity vulnerability introduced by a third-party library, against an average of 47% for services in other programming languages.
The analysis, based on tens of thousands of applications, container images, and cloud environments, highlights Java’s vulnerability landscape relative to other major languages. Following Java, JavaScript exhibited vulnerabilities in approximately 70% of services, followed by Python at 62%, .NET at 50%, PHP at 35%, and both Go (golang) and Ruby at around 32%.
Java services were also the most likely to carry vulnerabilities with documented real-world exploitation. According to data from the US Cybersecurity and Infrastructure Security Agency, 55% of the Java services analyzed were affected by vulnerabilities known to be actively exploited in the wild, compared with only 7% of services written in other languages.
These findings underscore the importance of robust security practices and continuous monitoring in Java development environments. The report’s insights serve as a call to action for organizations to prioritize vulnerability management, adopt secure coding practices, and apply library updates promptly to reduce the risk posed by third-party dependencies and emerging threats.