
Azul’s 2025 State of Java Survey & Report confirms that organizations are struggling with challenges to DevOps productivity. Dead and unused code, false-positive security alerts, and security issues all play a role in interfering with the progress of technology groups.
Azul’s 2025 State of Java Survey & Report, a study of more than 2,000 Java professionals, unveils the challenges organizations face in maintaining DevOps productivity. DevOps teams produce features, applications, and services for customers, and many are measured on time to market. As these survey results show, however, Java estates with unused and dead code and security vulnerabilities are preventing organizations from being their most productive and efficient.
Let’s look at some of the results in detail and at the important trends in the report.
Dead and unused code is prevalent in DevOps organizations
Organizations are always looking for faster development cycles to maintain a competitive edge, but they face significant challenges that impact DevOps efficiency. Over time, companies lose track of what code runs in production across all their Java workloads. If companies don’t address this issue, maintaining and testing unused code can significantly impact developer productivity. This survey confirms that unused code is a major challenge, with 62% of survey participants reporting it hampers their DevOps teams’ effectiveness.
By leveraging technologies and processes to improve DevOps productivity, organizations can focus on driving innovation, system resilience, customer experience, and ultimately company growth.
Azul Code Inventory®, a feature of Azul Intelligence Cloud, is the only solution that precisely catalogs what code runs in production across all of an enterprise’s Java workloads. It slashes the time and burden of maintaining and testing unused code, significantly improving developer productivity and ultimately saving money.

Security issues impact DevOps productivity
Security is another culprit taking a toll on DevOps productivity. Responding to security events can be disruptive. Chasing alerts that turn out to be false positives can waste time and pull workers away from their core jobs, and this report says that’s what’s happening to an alarming degree. 33% of respondents say their DevOps teams waste more than half their time addressing false positives from Java-related security vulnerabilities.
Based on these figures (a third of respondents reporting that their teams lose more than half their time), 1/6 of DevOps engineers’ time is spent chasing false positives. In other words, DevOps organizations are losing at least 17% of their productivity potential to security false positives. Add the time lost to working around and maintaining unused code, and the problem gets worse. Imagine what they could do with those extra resources!

It’s easy to understand why teams respond to false positives. Survey participants report that they find legitimate critical security issues in production all too often. In fact, 41% of participants report that they encounter critical production security issues within their Java ecosystem weekly or even daily.
Companies that have Critical Patch Updates (CPUs) available from their Java providers can apply updates quickly when they discover known vulnerabilities in production. Those that have only Patch Set Updates (PSUs) have a more difficult path, as they have to apply the entire Java version. This process takes time and effort and carries a risk of regressions. Only Oracle and Azul provide CPUs.

Log4Shell, the most famous Java-based vulnerability of them all, was publicly disclosed in December 2021, along with a patch. Unfortunately, organizations struggled to identify the vulnerable versions of the Log4j library that houses it. They also had difficulty ensuring those instances were consistently and effectively patched.
Here we are, three years later, and almost half the participants in this survey are still uncovering security vulnerabilities from Log4j in production.

When vulnerable versions of Log4j were revealed in December 2021, companies scrambled to find and patch them. Since then, they have tried to keep them patched. Azul Vulnerability Detection®, a feature of Azul Intelligence Cloud, makes that ongoing work seamless by monitoring Java estates in production.
The State of Java Survey & Report is available now
This report shows organizations are actively seeking ways to optimize their Java deployments to drive operational efficiency and cost predictability. As Java continues to be the backbone for business-critical applications in the enterprise, we’re seeing important trends — from the growing interest in Oracle Java alternatives to cloud optimization strategies, improvements in DevOps productivity, and innovation with AI. Read Azul’s full 2025 State of Java Survey & Report today.
