Key learnings from the 2026 State of DevSecOps study
Blog post from Datadog
The 2026 State of DevSecOps study, which analyzes thousands of applications, uncovers trends and best practices in software security, highlighting prevalent vulnerabilities in deployed services and the difficulty of keeping libraries updated.

The report emphasizes securing GitHub Actions against supply chain attacks by pinning actions to specific commit SHAs and by using tools such as Datadog's Security features for CI/CD pipelines. It also advocates using DORA metrics to strengthen security by aligning deployment velocity with security goals, thereby reducing exposure to vulnerabilities.

While upgrading software quickly is important, the study warns against automatic upgrades without safeguards, citing the risks demonstrated by recent supply chain incidents involving malicious packages. It recommends tools such as GuardDog and Supply-Chain Firewall for identifying and blocking malicious dependencies. The study also highlights the risk of name-confusion attacks on Amazon Machine Images (AMIs) and suggests using AWS's "Allowed AMIs" feature as a control.

The report calls for better vulnerability prioritization using application and vulnerability context, since only a fraction of "critical" vulnerabilities are genuinely critical when evaluated in context. Datadog's updated severity scoring model incorporates runtime context and exploit intelligence to refine prioritization, helping organizations focus on exploitable threats. Overall, the study emphasizes integrating security and observability through platforms such as Datadog to drive DevSecOps adoption and security improvements.