Cybersecurity News in Asia

87% of organizations running software with known, exploitable vulnerabilities

By CybersecAsia editors | Saturday, February 28, 2026, 8:41 AM Asia/Singapore

Across ASEAN, digital transformation is surging ahead, but patchy execution and limited visibility are leaving known vulnerabilities exposed.

Datadog’s State of DevSecOps Report 2026 identifies a clear industry shift. As development speeds up and relies more on automation and third-party components, security risk is spreading across the entire delivery lifecycle. It’s increasingly driven by the software supply chain and the tools used to build and deploy applications, not just the code in production.

With 87% of organizations carrying at least one known exploitable vulnerability in deployed services, “the organisations that will build lasting resilience are those that move beyond compliance and tool sprawl to focus on contextual, exploitability-driven risk reduction across their entire digital estate,” said Datadog CTO for APJ, Yadi Narayana.

Key findings at a glance

87% of organizations have at least one known exploitable vulnerability in deployed services
42% of services rely on libraries that are no longer actively maintained
Services using end-of-life language versions face exploitable vulnerabilities in 50 per cent of cases, compared to 31% for supported versions
50% of organizations adopt new library versions within 24 hours of release, increasing the risk of installing malicious or compromised software
Only 4% of organizations pin all public GitHub Actions to a specific version using commit hashes, leaving CI/CD pipelines vulnerable to silent code changes

Security risk increasing at both ends of the lifecycle

On one end, software is aging faster than teams can keep it up to date. The median software dependency is now 278 days out of date – 63 days further behind than last year.

At the same time, third-party software accelerates development but introduces risk when implicitly trusted. Datadog researchers found that half of organizations adopt new library versions within 24 hours of release, and only 4% pin all public GitHub Actions to a specific version using commit hashes.

As a result, build and deployment pipelines are increasingly exposed to silent changes in third-party code, making CI/CD systems a critical supply-chain risk.

“The way software is built has fundamentally changed, but security practices haven’t kept up,” said Andrew Krug, Head of Security Advocacy, Datadog. “DevSecOps teams are caught between moving too slowly and moving too fast. Go slow, and outdated software accumulates known vulnerabilities. Go fast, and automation can introduce unvetted code. The real challenge, though, isn’t speed – it’s clarity. As environments grow more complex, AI-assisted workflows help ensure top priorities get attention first.”

Alert volume obscuring real risk

While vulnerability alerts continue to rise, the report also finds that most do not represent immediate business risk. Only 18% of vulnerabilities labeled “critical” remain critical once runtime context is applied.

“When almost everything is labeled ‘critical’, nothing is,” Krug added. “Teams get paged for noise while threats that poserealrisk slip through. Without context, prioritization becomes harder – leading to burnout, slower response times and accumulated risk. Teams need better visibility into what actually requires action.”

“Across ASEAN, digital transformation is accelerating, but execution is uneven. While awareness of vulnerability risk is rising, known exploited vulnerabilities are still routinely found in internet-facing systems, legacy infrastructure, and fast-moving cloud environments,” said Yadi Narayana. “Rapid growth in e-commerce, fintech, and super-app ecosystems has created complex hybrid estates powered by containers, open-source software, and automated pipelines – often without full visibility or consistently enforced controls.”

He added: “Meanwhile, overstretched security teams battle skills shortages and alert fatigue, prioritising by severity scores rather than real-world exploitability. The organizations that will build lasting resilience are those that move beyond compliance and tool sprawl to focus on contextual, exploitability-driven risk reduction across their entire digital estate.”

Leave a reply Cancel reply

You must be logged in to post a comment.

Voters-draw/RCA-Sponsors

CybersecAsia Voting Placement

Gamification listing or Participate Now

Vote Now -Placement(Google Ads)

Top-Sidebar-banner

Whitepapers

Closing the Gap in Email Security:How To Stop The 7 Most SinisterAI-Powered Phishing Threats
Insider threats continue to be a major cybersecurity risk in 2024. Explore more insights on …Download Whitepaper
2024 Insider Threat Report: Trends, Challenges, and Solutions
Insider threats continue to be a major cybersecurity risk in 2024. Explore more insights on …Download Whitepaper
AI-Powered Cyber Ops: Redefining Cloud Security for 2025
The future of cybersecurity is a perfect storm: AI-driven attacks, cloud expansion, and the convergence …Download Whitepaper
Data Management in the Age of Cloud and AI
In today’s Asia Pacific business environment, organizations are leaning on hybrid multi-cloud infrastructures and advanced …Download Whitepaper

Middle-sidebar-banner

Case Studies

India’s WazirX strengthens governance and digital asset security
Revamping its custody infrastructure using multi‑party computation tools has improved operational resilience and institutional‑grade safeguardsRead more
Bangladesh LGED modernizes communication while addressing data security concerns
To meet emerging data localization/privacy regulations, the government engineering agency deploys a secure, unified digital …Read more
What AI worries keep members of the Association of Certified Fraud Examiners sleepless?
This case study examines how many anti-fraud professionals reported feeling underprepared to counter rising AI-driven …Read more
Meeting the business resilience challenges of digital transformation
Data proves to be key to driving secure and sustainable digital transformation in Southeast Asia.Read more

Bottom sidebar

Other News

DoveRunner Expands Presence in Southeast Asia with New Office in Jakarta
Thursday, February 26, 2026
JAKARTA, Indonesia, Feb. 25, 2026 …Read More »
Proofpoint partners with Concentrix to strengthen human- and agent-centric cybersecurity across Asia Pacific
Tuesday, February 24, 2026
Partnership integrates Proofpoint’s collaboration and …Read More »
Indonesia’s MDI Ventures Doubles Down on Execution and Trust to Unlock Regional Portfolio Value
Friday, February 20, 2026
The Telkom-backed VC reinforces cross-sector …Read More »
Blackpanda Japan Announces Strategic Partnership with SoftBank to Strengthen Cyber Incident Response in Japan
Wednesday, February 11, 2026
SINGAPORE, Feb. 10, 2026 /PRNewswire/ …Read More »
Cohesity Collaborates with Google Cloud to Deliver Secure Sandbox Capabilities and Comprehensive Threat Insights Designed to Eliminate Hidden Malware
Saturday, February 7, 2026
Embedded Google Threat Intelligence capabilities, …Read More »

Featured

Where are financial fraud and AML regulations heading in S E Asia?

Featured

How AI is reshaping dating in Asia

Featured