502 incidents, including 48 at the highest risk level, resulting in a total of 955 hours of major and critical disruptions – that’s 120 business days… These are the conclusions of The DevOps Threats Unwrapped report prepared by the GitProtect research team, which analyzed all GitHub, GitLab, Atlassian, and Azure DevOps incidents over the past year.
2024 was a wake-up call for the world of data protection with the Crowdstrike-Microsoft incident serving as a stark reminder of the growing severity of security breaches. This event underscored the vulnerability of even the most robust organizations, leaving a trail of devastation: $5.4 billion in damages and 8.5 million affected Windows devices worldwide.
However, these headline-grabbing figures are just the tip of the iceberg. The year marked a surge in attacks targeting SaaS applications and DevOps tools, a trend that will accelerate in 2025.
GitProtect.io, the world’s most trusted DevOps backup and disaster recovery vendor, launched its new edition of The DevOps Threats Unwrapped study. The research reveals the most severe flaws, prolonged outages, devastating human errors, data breaches, and other incidents that shaped the DevOps cybersecurity landscape last year. The study focuses on GitHub, GitLab, Bitbucket, Jira, and Azure DevOps data protection.
According to research, in 2024 DevOps had to handle 502 incidents impacting those tools, including 48 with the highest level of risk. Also, according to statistics, they struggled with interruptions in availability – 955 hours of major and critical disruptions in total. It gives… nearly 120 working days a year(!). Add to this the incidents that caused temporary interruptions in availability or degraded performance and the scale becomes enormous.
To give this a perspective, 955 hours is enough to cross the Atlantic Ocean from Europe by small yacht, with a short break in the Caribbean, reach the East Coast, and… go back to Portugal.
Breaking these numbers down by platform, GitHub users suffered 124 incidents including 26 with major impact that caused 134 hours of disruptions. Bitbucket noted 38 incidents with 4 critical, responsible for 4 hours of disruption. Jira – 132 incidents, 10 critical ones resulting in 17 hours of outage. Azure DevOps – 111 incidents, 1 with unhealthy status that lasted almost 2 hours. Finally, GitLab with 97 issues, 7 service disruption incidents, and a record amount of 798 hours of disruption.
Beyond Vendor Outages: A Growing Threat Landscape
Service disruptions are only part of the challenge. Among the most pervasive threats to DevOps continuity and data integrity are hardcoded secrets, unsecured databases, repo jacking, intruders in the software supply chain, the growing scale of AI-generated threats, and unchanged – various types of human errors.
According to the GitProtect.io study, last year alone, brands such as, among others, Mercedes, New York Times, Schneider Electric, Cisco, the Chinese Ministry of Public Security, and Cloudflare have announced incidents involving hacking or breaches of their GitHub, GitLab, Atlassian stack or AzureDevOps data. Descriptions of these incidents are available on The DevOps Threats Unwrapped report page.
The top 3 impacted industries were Technology and Software, Fintech/Banking, Media, and Entertainment. Healthcare, government entities, telecommunications, and manufacturing also made the shortlist.
Shared Responsibility Models and Growing Compliance Requirements
In defense of SaaS vendors, the Shared Responsibility model, which is used by virtually all SaaS and cloud providers, operates. It assumes shared responsibility in many areas of cybersecurity. GitHub, GitLab, Atlassian, and Microsoft all inform their customers about the need to fulfill security obligations, including mandatory DevOps data backup on the account level.
What they must focus on this year, is greater and more intensive education on user responsibilities and the need to take care of data security and backup.
Fortunately, this growing scale of threats is already making SaaS customers aware of the need to secure their data. According to Gartner, by 2028 75% of enterprises will prioritize backup of SaaS apps as a critical requirement, compared to 15% in 2024.
This trend also does not escape the attention of legislation and government institutions. 2024 also saw a rising interest in compliance and regulatory issues. Just to mention Digital Operational Resilience Act (DORA) that came into force on the 17th of February, NIS 2, SOC 2, HIPAA, and more security acts dedicated to the most critical and at the same time, vulnerable sectors. These frameworks mandate robust data protection measures, including backups of git repositories, Jira projects, and other DevOps tools.
Looking Ahead: Predictions and Best Practices for 2025
As cyber threats continue to evolve, organizations must remain vigilant. The 2024 DevSecOps Threats Unwrapped report by GitProtect.io provides actionable insights and forecasts for 2025, empowering enterprises to bolster their data security strategies.
For a deeper dive into these findings and expert recommendations, visit the official report page.
__
Author – about us
GitProtect.io by Xopero Software is a world-leading automated and manageable backup and Disaster Recovery solution for all Jira, Bitbucket, GitHub, GitLab, Azure DevOps and more stack data. It ensures DevOps with data accessibility and seamless workflow, even during service downtime. Trusted by Security Teams, it helps to meet the Cloud Shared Responsibility Model, comply with security standards (i.e. ISO 27001 or SOC 2) and empower them with audit-ready governance, advanced reporting, and best-in-class security controls.
More information: https://gitprotect.io/
