Update Dependencies and Secure Pipelines: Essential Steps for Efficient Development
The State of DevSecOps 2026: Outdated Dependencies and Unprotected Pipelines Expose Cloud Native Environments
A recent report by Datadog has shed light on the persistent security risks faced by cloud native environments due to outdated dependencies and unprotected pipelines.
Security Risks in Cloud Native Environments
The study reveals that 87% of organizations are running at least one exploitable vulnerability in production services, affecting 40% of those services. This alarming statistic highlights the accumulation of security debt in deployed software stacks.
Outdated Dependencies and Security Drift
The report found that third-party libraries are a primary source of security drift, with the median dependency trailing its latest major version by 278 days. This delay has increased by 63 days compared to the previous year, indicating a widening gap between development velocity and security posture.
Risks of Fast Adoption
Furthermore, organizations are introducing new risks by adopting new releases too quickly. Half of the organizations surveyed use third-party libraries within one day of release, increasing the likelihood of introducing malicious code that has not yet been identified by the broader ecosystem.
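The two findings above describe opposite failure modes of the same process: versions that sit far behind the latest release, and versions adopted before the ecosystem has had time to inspect them. The following Python example, added here and not taken from the Datadog report, shows how a team might encode both as policy checks over a dependency inventory, plus the fleet-wide median lag the report uses as its headline metric. The inventory, the 180-day lag limit and the 7-day cooldown are constructed assumptions for illustration, not figures from the report.

```python
"""Evaluate a dependency inventory against two update-hygiene rules:
a maximum lag behind the latest release (drift) and a minimum release age
before adoption (cooldown).  Added illustration for this article; the
inventory and thresholds below are constructed, not report data."""
from dataclasses import dataclass, field
from datetime import date
from statistics import median
from typing import Dict, List


@dataclass
class Dependency:
    name: str
    installed_release: date   # release date of the version currently in use
    adopted_on: date          # date that version entered the codebase
    latest_release: date      # release date of the newest available version


@dataclass
class Verdict:
    name: str
    lag_days: int                 # how far the used version trails the newest
    age_at_adoption_days: int     # how old the version was when adopted
    flags: List[str] = field(default_factory=list)


def evaluate(deps: List[Dependency],
             max_lag_days: int = 180,    # assumption: policy ceiling for drift
             cooldown_days: int = 7      # assumption: minimum release age
             ) -> List[Verdict]:
    """Return one verdict per dependency with zero, one or both flags."""
    verdicts = []
    for d in deps:
        lag = (d.latest_release - d.installed_release).days
        age = (d.adopted_on - d.installed_release).days
        v = Verdict(d.name, lag, age)
        if lag > max_lag_days:
            v.flags.append("STALE")       # the drift problem
        if age < cooldown_days:
            v.flags.append("UNVETTED")    # the fast-adoption problem
        verdicts.append(v)
    return verdicts


def median_lag_days(verdicts: List[Verdict]) -> float:
    """Fleet-wide median lag, the same shape of metric the report quotes."""
    return median([v.lag_days for v in verdicts])


# Constructed sample inventory (names and dates are made up).
SAMPLE_INVENTORY = [
    Dependency("alpha", date(2025, 3, 1), date(2025, 3, 1), date(2026, 1, 15)),
    Dependency("beta", date(2025, 12, 1), date(2025, 12, 10), date(2025, 12, 1)),
    Dependency("gamma", date(2026, 2, 20), date(2026, 2, 20), date(2026, 2, 20)),
    Dependency("delta", date(2025, 6, 1), date(2025, 7, 1), date(2026, 2, 1)),
]


def evaluate_sample() -> Dict[str, List[str]]:
    """Map dependency name to its policy flags for the sample inventory."""
    return {v.name: v.flags for v in evaluate(SAMPLE_INVENTORY)}


if __name__ == "__main__":
    verdicts = evaluate(SAMPLE_INVENTORY)
    for v in verdicts:
        print(f"{v.name:6} lag={v.lag_days:4}d  age={v.age_at_adoption_days:3}d  "
              f"{','.join(v.flags) or 'OK'}")
    print(f"median lag: {median_lag_days(verdicts)} days")
```

Running the check in CI, or on a schedule against the deployed lockfile, turns the report's two statistics into a gate: a dependency is rejected when it is too old relative to upstream or too young to have been examined by anyone else.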
Risks Associated with Build Systems
The report also highlights the risks associated with build systems, particularly with the widespread use of GitHub Actions. However, most organizations are not implementing available safeguards to limit supply chain risk.
According to the report, 80% of organizations use at least one marketplace action that is neither managed by GitHub nor pinned to a commit hash, creating a direct path for malicious updates to enter production pipelines.
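The safeguard the report is pointing at is simple to check for: every third-party action referenced by a workflow should be pinned to a full 40-character commit SHA rather than a tag or branch, because a tag can be moved to malicious code by whoever controls the action's repository. The Python example below, added here and not part of the report or of any GitHub tooling, scans workflow text for `uses:` lines and flags the ones that are neither GitHub-managed nor SHA-pinned. The workflow text is constructed; treating the `actions` and `github` organizations as the "managed by GitHub" set is an assumption, since the report does not enumerate them.

```python
"""Flag GitHub Actions workflow steps that reference third-party marketplace
actions without pinning them to a full commit SHA.  Added illustration for
this article; the workflow text below is constructed."""
import re
from dataclasses import dataclass
from typing import List

# Assumption: owners whose actions count as "managed by GitHub".
GITHUB_MANAGED_OWNERS = {"actions", "github"}

# `- uses: owner/repo[/path]@ref` possibly followed by a comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


@dataclass
class Finding:
    line_no: int
    action: str
    ref: str
    reason: str


def audit_workflow(text: str) -> List[Finding]:
    """Return one Finding per third-party action that is not SHA-pinned."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        spec = m.group(1)
        # Local composite actions and container images are out of scope here.
        if spec.startswith("./") or spec.startswith("docker://"):
            continue
        action, _, ref = spec.partition("@")
        owner = action.split("/", 1)[0]
        if owner in GITHUB_MANAGED_OWNERS:
            continue
        if not ref:
            findings.append(Finding(line_no, action, "",
                                    "no ref: resolves to the default branch"))
        elif not FULL_SHA_RE.match(ref):
            findings.append(Finding(line_no, action, ref,
                                    "mutable ref (tag or branch), not a commit SHA"))
    return findings


# Constructed sample workflow: one good third-party pin, three weak ones.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/setup-thing@v2
      - uses: example-org/lint-action@main
      - uses: example-org/no-ref-action
      - uses: example-org/release-helper@1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b # v3.1.0
      - uses: ./.github/actions/local-step
      - name: Build
        run: make
"""


def audit_sample() -> List[str]:
    """Names of the actions in the sample workflow that fail the check."""
    return [f.action for f in audit_workflow(SAMPLE_WORKFLOW)]


if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {f.line_no}: {f.action}@{f.ref or '<none>'}: {f.reason}")
```

The `release-helper` step shows the corrected form: the full commit SHA is the reference, and the human-readable version is kept only as a trailing comment so reviewers can still see what it is meant to be. The `actions/checkout@v4` line is accepted only because its owner is in the GitHub-managed set; removing that exemption makes the check pin everything.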
Contextual Scoring in Vulnerability Management
The study emphasizes the importance of contextual scoring in vulnerability management. Once runtime context is applied, the severity of many findings changes: only 18% of critical dependency vulnerabilities remain critical after adjustment.
Best Practices for DevSecOps
According to the report, organizations that strike the right balance between update speed and verification discipline treat dependency updates as a continuous engineering practice, rather than an occasional security task.
By doing so, organizations can focus on the issues that genuinely matter and remediate them faster. CISOs should measure the effectiveness of this reprioritization by tracking mean time to remediate (MTTR) and by using historical incident data to quantify risk reduction.
Conclusion
Despite some progress in vulnerability management practices, exposure remains widespread. The report highlights the need for organizations to adopt a more balanced approach to DevSecOps, one that emphasizes both speed and security.
