While organisations have mastered high-velocity development, DevSecOps is at risk as security practices lag dangerously behind. This is creating a fragile foundation with a hidden “security debt” accumulating with every release.
According to application security specialists Black Duck – which surveyed over 1,000 software and security professionals worldwide – the industry is dealing with the unintended consequences of its own success. The relentless demand for speed, coupled with a chaotic proliferation of security tools and the disruptive force of AI, has created a climate of friction and risk.
The ‘security’ part of DevSecOps is being left behind
Shipping software fast is now the industry standard. The research shows that nearly 60 percent of organisations now deploy code to production for their critical applications on a daily basis, or even multiple times a day. Yet this impressive speed is undermined by dangerously immature security processes.
45 percent of companies still depend on manual methods to bring new code into their security testing programmes. This automation maturity gap has led to a serious failure in security coverage. The report found that over 61 percent of organisations are testing less than 60 percent of their own applications, meaning a huge and largely unknown portion of their software is released without proper security vetting.
This disparity, where the “Dev” and “Ops” parts of DevSecOps have outpaced the “Sec,” is creating a system where development speed consistently outruns security’s ability to keep pace. The result is a growing security debt that compounds with every single release, leaving businesses exposed to vulnerabilities they are simply unaware of.
Tool sprawl and the crisis of noise
In an attempt to manage a complex threat landscape, organisations have invested heavily in a diverse arsenal of Application Security Testing (AST) tools. However, the report suggests this strategy has backfired. Instead of a safety net, the modern toolchain has become a primary source of inefficiency and friction. The top five most common tool types – including software composition analysis (SCA) and static application security testing (SAST) – are used in nearly equal measure, creating a fragmented and disconnected ecosystem.
The single biggest problem this “tool sprawl” creates is an overwhelming volume of alerts. Over 71 percent of professionals surveyed state that a chunk of their security alerts is just “noise,” comprising false positives or duplicate findings from different tools. This flood of useless information destroys the return on investment in security spending and leads directly to alert fatigue, where developers begin to ignore warnings altogether.
This operational drag has a direct impact on development velocity. 81 percent of respondents say that security testing slows down their development and delivery lifecycle. The data shows a clear correlation, with 49 percent of those who rely entirely on manual processes feeling that security testing severely slows down development.
AI is a double-edged sword of security risk and reward for DevSecOps
AI has become the most disruptive force in software development, but the report reveals a huge paradox surrounding its use. AI is perceived simultaneously as a powerful DevSecOps ally for improving security, while also being a major new source of complex risk.
Adoption has been swift and deep. Over 43 percent of professionals now use AI coding assistants frequently or constantly. Even more widespread is the use of open-source AI models, with nearly 97 percent of organisations incorporating them into the software they build. This adoption has outpaced governance, leading to a “shadow AI” problem. Over 10 percent of respondents admitted to using AI assistants without official permission in an unmonitored way, exposing their companies to unmanaged security and compliance risks.
The central conflict is clear. A majority of 56 percent agree that AI coding assistants have introduced new security risks. At the same time, an even larger majority of 63 percent believe AI has “tangibly improved our ability to write more-secure code.”
This confusion is compounded by a potentially dangerous disconnect between perception and reality. Despite admitting their existing tools suffer from noise and poor coverage, 88 percent of organisations are confident they can handle the complex risks introduced by AI.
The unifying priority: developer workflow integration
When asked to name their single most important priority for improving application security, the answer from survey participants was decisive. The number one priority, chosen by over a quarter of respondents, is “better development workflow integration.”
This finding is a clear mandate for a new, developer-centric approach to security. The root cause of the friction is not the tools themselves, but the inefficient and painful way developers are forced to interact with them. The future of DevSecOps, the report argues, must be about “embedding security seamlessly into the way developers already work”. This means moving security checks from a late-stage gate to a continuous feedback loop directly within the developer’s native environment, such as their IDE and CI/CD pipeline.
To move forward, the report recommends that technical leaders establish AI governance frameworks and rationalise their sprawling toolchains to eliminate noise and improve ROI. For practitioners on the ground, the advice is to champion integrated tooling and quantify the cost of noise to build a business case for change.
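The “noise” problem described under tool sprawl above (duplicate findings from several tools reporting the same issue) and the advice here to quantify the cost of that noise can both be made concrete with a small script. The following is an added example, not code from the Black Duck report or from any of the surveyed tools: it ingests a constructed set of findings from two SAST and two SCA scanners, merges reports that point at the same weakness in the same location (a line tolerance of 3 is an assumed heuristic), applies a constructed suppression policy, and reports what share of the raw alert volume was noise. The CVE identifier in the sample is a placeholder, not a real advisory.

```python
"""Deduplicate AST findings from several tools and quantify the noise share.

Added example; the finding records are constructed to resemble the normalised
output of SAST and SCA scanners, not real scanner output.
"""
from dataclasses import dataclass, field
from typing import Iterable, List

# Assumption: two reports within this many lines of each other, for the same
# file and weakness, describe the same issue (tools often differ by a line).
LINE_TOLERANCE = 3

SEVERITY_ORDER = {"low": 0, "medium": 1, "high": 2, "critical": 3}


@dataclass(frozen=True)
class Finding:
    tool: str        # which scanner reported it
    kind: str        # "sast" (source) or "sca" (dependency)
    location: str    # file path for SAST, package coordinate for SCA
    line: int        # 0 for dependency findings
    weakness: str    # CWE id for SAST, CVE id for SCA
    severity: str


@dataclass
class Cluster:
    """One distinct issue, possibly reported by several tools."""
    kind: str
    location: str
    weakness: str
    line: int
    members: List[Finding] = field(default_factory=list)

    @property
    def severity(self) -> str:
        # The highest severity any tool assigned wins.
        return max((f.severity for f in self.members), key=lambda s: SEVERITY_ORDER[s])

    @property
    def tools(self) -> List[str]:
        return sorted({f.tool for f in self.members})


# Constructed sample: four tools scanning the same repository.
SAMPLE_FINDINGS = [
    Finding("sast-a", "sast", "src/auth/login.py", 42, "CWE-89", "high"),
    Finding("sast-b", "sast", "src/auth/login.py", 43, "CWE-89", "critical"),  # same issue, off by one line
    Finding("sast-a", "sast", "src/util/render.py", 10, "CWE-79", "medium"),
    Finding("sast-b", "sast", "src/util/render.py", 10, "CWE-79", "medium"),
    Finding("sca-a", "sca", "pkg:pypi/example-lib@1.0.0", 0, "CVE-0000-0001", "high"),  # placeholder CVE id
    Finding("sca-b", "sca", "pkg:pypi/example-lib@1.0.0", 0, "CVE-0000-0001", "high"),
    Finding("sast-a", "sast", "tests/test_login.py", 7, "CWE-798", "low"),  # credential in a test fixture
]


def dedupe(findings: Iterable[Finding]) -> List[Cluster]:
    """Merge findings that describe the same weakness at (nearly) the same location."""
    clusters: List[Cluster] = []
    for f in findings:
        for c in clusters:
            same_issue = (c.kind, c.location, c.weakness) == (f.kind, f.location, f.weakness)
            if same_issue and abs(c.line - f.line) <= LINE_TOLERANCE:
                c.members.append(f)
                break
        else:
            clusters.append(Cluster(f.kind, f.location, f.weakness, f.line, [f]))
    return clusters


def is_suppressed(cluster: Cluster) -> bool:
    """Constructed policy: hard-coded credentials inside test fixtures are accepted risk."""
    return cluster.location.startswith("tests/") and cluster.weakness == "CWE-798"


def noise_report(findings: Iterable[Finding]) -> dict:
    """Summarise raw alert volume against the work that actually needs doing."""
    findings = list(findings)
    clusters = dedupe(findings)
    duplicates = len(findings) - len(clusters)
    suppressed = [c for c in clusters if is_suppressed(c)]
    suppressed_raw = sum(len(c.members) for c in suppressed)
    actionable = [c for c in clusters if not is_suppressed(c)]
    return {
        "total": len(findings),
        "unique": len(clusters),
        "duplicates": duplicates,
        "suppressed": len(suppressed),
        "actionable": len(actionable),
        # Share of raw alerts a developer would have looked at for nothing.
        "noise_share": round((duplicates + suppressed_raw) / len(findings), 3) if findings else 0.0,
    }


if __name__ == "__main__":
    report = noise_report(SAMPLE_FINDINGS)
    for key, value in report.items():
        print(f"{key:>12}: {value}")
    print("actionable issues:")
    for c in dedupe(SAMPLE_FINDINGS):
        if not is_suppressed(c):
            print(f"  {c.severity:<8} {c.weakness:<14} {c.location}:{c.line}  reported by {', '.join(c.tools)}")
```

On the constructed sample, seven raw alerts collapse to three actionable issues; the other four (three duplicates and one policy-suppressed finding) are the “noise” the survey respondents complain about. Run against a real export, the `noise_share` figure and the per-tool overlap in `tools` are the kind of numbers that turn a complaint about alert fatigue into a business case for rationalising the toolchain.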
DevSecOps is at a crossroads. The industry has achieved remarkable speed, but it has come at the cost of security debt and developer burnout. The path forward is not paved with more tools, but with a fundamental shift towards an integrated, automated, and intelligent approach that builds security into the very fabric of software development.