Rory McCune and Seth Art from Datadog released the 2025 State of DevSecOps study, analyzing tens of thousands of applications and container images across thousands of cloud environments to reveal trends in security posture and best practices. The study found that exploitable vulnerabilities are prevalent in web applications, particularly those using Java; attackers continue to target the software supply chain; usage of long-lived credentials in CI/CD pipelines is still too high but decreasing; only a fraction of critical vulnerabilities are truly worth prioritizing; keeping libraries up to date is a major challenge for developers; minimal container images improve security posture; infrastructure-as-code usage is high in AWS, while ClickOps is still used by many teams. To address these findings, Datadog outlines several best practices, including prioritizing vulnerabilities with runtime context, deploying guardrails within the software supply chain, deploying frequently to stay current on patches, adopting minimal container images, and expanding IaC usage and rein in ClickOps. Additionally, Datadog provides tools like Security Inbox, Cloud Security, Workload Protection, and Code Security to improve security posture and defend against threats.