Across ASEAN, digital transformation is surging ahead, but patchy execution and limited visibility are leaving known vulnerabilities exposed.
Datadog’s State of DevSecOps Report 2026 identifies a clear industry shift. As development speeds up and relies more on automation and third-party components, security risk is spreading across the entire delivery lifecycle. It’s increasingly driven by the software supply chain and the tools used to build and deploy applications, not just the code in production.
With 87% of organizations carrying at least one known exploitable vulnerability in deployed services, “the organisations that will build lasting resilience are those that move beyond compliance and tool sprawl to focus on contextual, exploitability-driven risk reduction across their entire digital estate,” said Datadog CTO for APJ, Yadi Narayana.
Key findings at a glance
- 87% of organizations have at least one known exploitable vulnerability in deployed services
- 42% of services rely on libraries that are no longer actively maintained
- Services using end-of-life language versions face exploitable vulnerabilities in 50 per cent of cases, compared to 31% for supported versions
- 50% of organizations adopt new library versions within 24 hours of release, increasing the risk of installing malicious or compromised software
- Only 4% of organizations pin all public GitHub Actions to a specific version using commit hashes, leaving CI/CD pipelines vulnerable to silent code changes
Security risk increasing at both ends of the lifecycle
On one end, software is aging faster than teams can keep it up to date. The median software dependency is now 278 days out of date – 63 days further behind than last year.
At the same time, third-party software accelerates development but introduces risk when implicitly trusted. Datadog researchers found that half of organizations adopt new library versions within 24 hours of release, and only 4% pin all public GitHub Actions to a specific version using commit hashes.
As a result, build and deployment pipelines are increasingly exposed to silent changes in third-party code, making CI/CD systems a critical supply-chain risk.
“The way software is built has fundamentally changed, but security practices haven’t kept up,” said Andrew Krug, Head of Security Advocacy, Datadog. “DevSecOps teams are caught between moving too slowly and moving too fast. Go slow, and outdated software accumulates known vulnerabilities. Go fast, and automation can introduce unvetted code. The real challenge, though, isn’t speed – it’s clarity. As environments grow more complex, AI-assisted workflows help ensure top priorities get attention first.”
Alert volume obscuring real risk
While vulnerability alerts continue to rise, the report also finds that most do not represent immediate business risk. Only 18% of vulnerabilities labeled “critical” remain critical once runtime context is applied.
“When almost everything is labeled ‘critical’, nothing is,” Krug added. “Teams get paged for noise while threats that poserealrisk slip through. Without context, prioritization becomes harder – leading to burnout, slower response times and accumulated risk. Teams need better visibility into what actually requires action.”
“Across ASEAN, digital transformation is accelerating, but execution is uneven. While awareness of vulnerability risk is rising, known exploited vulnerabilities are still routinely found in internet-facing systems, legacy infrastructure, and fast-moving cloud environments,” said Yadi Narayana. “Rapid growth in e-commerce, fintech, and super-app ecosystems has created complex hybrid estates powered by containers, open-source software, and automated pipelines – often without full visibility or consistently enforced controls.”
He added: “Meanwhile, overstretched security teams battle skills shortages and alert fatigue, prioritising by severity scores rather than real-world exploitability. The organizations that will build lasting resilience are those that move beyond compliance and tool sprawl to focus on contextual, exploitability-driven risk reduction across their entire digital estate.”
