Software Vulnerabilities Surge Amid Rising Third-Party Risks
The landscape of software security is changing rapidly, with a new report revealing that a significant number of organizations are grappling with known vulnerabilities in their deployed services. According to Datadog’s 2026 State of DevSecOps report, a staggering 87% of organizations are using software with at least one known exploitable vulnerability. This issue is particularly prominent among Java services, where the figure reaches 59%, followed by .NET at 47% and Rust at 40%.
The findings also highlight a concerning trend regarding the maintenance of third-party libraries. More than 42% of services rely on libraries that are no longer actively maintained. The report notes that the median dependency is now 278 days behind the latest major version—up from 215 days last year. For instance, Java and Ruby services are lagging even further, with versions 492 days and 357 days behind, respectively.
As organizations adopt new library versions, timing can be a double-edged sword. Although half of the organizations implement new library versions within 24 hours of release, this rapid adoption can inadvertently introduce security risks. Andrew Krug, head of security advocacy at Datadog, cautions, “When factoring in supply chain compromises, updating to a new version within a day of release can have a negative impact on the overall security of an application due to the potential to unknowingly install malicious software.”
The report further reveals that only 4% of organizations ensure the security of their continuous integration and continuous deployment (CI/CD) pipelines by pinning all public GitHub Actions to specific versions using commit hashes, leaving them susceptible to unnoticed code changes.
Critical Security Debt and Alert Fatigue
The challenges do not stop at vulnerabilities. Researchers also noted a rise in alert fatigue, where the volume of alerts obscures the real risks. Despite the increasing number of vulnerability alerts, only 18% of these are labeled “critical” once runtime context is applied. Krug explains, “When almost everything is labeled ‘critical’, nothing is. Teams get paged for noise while threats that pose real risk slip through. Without context, prioritization becomes harder—leading to burnout, slower response times, and accumulated risk. Teams need better visibility into what actually requires action.”
Supporting these findings, a recent study by Veracode indicates that 82% of organizations are struggling with high levels of security debt, an increase of 11% from the previous year. Alarmingly, 60% of these organizations have classified their security debt as “critical,” signifying accumulated vulnerabilities that could lead to significant damage if exploited. The report highlights that third-party libraries and open-source dependencies account for 66% of the most dangerous and longest-lived vulnerabilities.
As organizations continue to navigate this complex environment, the need for improved security practices is critical. The balance between rapid deployment and thorough vetting of code remains a significant challenge, emphasizing the importance of clarity and context in security measures.
