Company
Date Published
Author
Christophe Tafani-Dereeper
Word count
2801
Language
English
Hacker News points
None

Summary

We analyzed tens of thousands of applications and cloud environments to assess adoption of the best practices at the core of DevSecOps today. We found that Java services are the most impacted by third-party vulnerabilities, that attack attempts from automated security scanners are mostly unactionable noise, and that only a small portion of identified vulnerabilities are worth prioritizing. Lightweight container images contain fewer vulnerabilities, and infrastructure-as-code adoption is high but varies across cloud providers. Manual cloud deployments are still widespread, and adoption of short-lived credentials in CI/CD pipelines is still too low. To address these challenges, we can use Datadog's Application Security Management (ASM) and Cloud Security Management (CSM) to gain visibility into third-party vulnerabilities, prioritize remediation efforts based on severity and context, package applications in minimal container images, implement "zero-touch" production environments using infrastructure as code, track manual cloud actions, and monitor authentication events. By leveraging these tools and practices, organizations can identify and mitigate security risks in their cloud environments and improve their overall security posture.