2025 DevSecOps Predictions - Part 1
January 06, 2025

As part of DEVOPSdigest's annual list of DevOps predictions, DevSecOps experts — from analysts and consultants to the top vendors — offer thoughtful, insightful, and often controversial predictions on how DevSecOps and related risks and tools will evolve in 2025.

AI AUTOMATES DEVSECOPS IN 2025

DevSecOps teams have seen little to no direct benefit from Generative AI for their day-to-day responsibilities. That all changes in 2025 because DevSecOps teams will use agentic behavior and automation utilizing GenAI to manage their core responsibilities: security, reliability, and managing the increasing wealth of challenges that this incredibly valuable but frequently understaffed segment of the enterprise faces on a daily basis.
Andy Manoske
VP of Product, Kindo

By 2025, AI and DevSecOps are set to transform how we approach software delivery, making it much faster, smarter, and more secure. Generative AI and large language models will become the backbone of automation, helping teams test more efficiently, deliver higher-quality products, and zero in on potential risks. These are the steppingstones for a broader future shift into autonomous delivery. DevSecOps will take center stage, embedding security seamlessly into every step of development, from initial design to delivery.
Tal Levi-Joseph
VP, Software Engineering, OpenText

AI will help scale security within DevOps. In a recent survey, 58% of developers feel some degree of responsibility for application security, though the demand for security skills in DevOps still eclipses the number of developers who are security literate. In the coming year, AI will continue democratizing security expertise within DevOps teams by automating routine tasks, providing intelligent recommendations, and bridging the skills gap. Specifically, we will see security integrated throughout the build pipeline. This includes proactively identifying potential vulnerabilities at the design stage by utilizing reusable templates that seamlessly integrate into developers' workflows. Automation will be an accelerant for improving authentication and authorization by dynamically assigning roles and permissions as services are deployed across cloud environments. This will improve security outcomes, reduce risk, and enhance collaboration between development and security teams.
Josh Lemos
CISO, GitLab

Development and Security Teams Will Redirect Their Secure Coding Training Budget Toward Auto-Remediation: Developers will learn less about secure coding because they'll rely more on generative AI to remediate flaws automatically. This progression is analogous to the task of calling someone on the phone. While a few decades ago, we all needed to remember someone's number to reach them, today all we need to do is tap a contact on our phone. For developers, the equivalent will be to produce secure code without learning how to code securely from scratch. Instead, they will adopt processes to find, test, and fix vulnerabilities automatically, meaning it won't be as important to know about secure coding — or even to know if generative AI has learned how to write secure code.
Chris Wysopal
Co-Founder and Chief Security Evangelist, Veracode

A New Era of Security Automation – AI Agents in Cyber Defense: In cybersecurity, AI agents hold the potential for transformative change by automating critical defense tasks and enhancing overall application security. By autonomously detecting and patching common vulnerabilities — such as SQL injection — AI agents offer a level of consistent vigilance that human teams alone cannot match. This kind of proactive, scalable security solution enables development teams to shift from reactive patching to ongoing, automated protection across entire codebases. However, for organizations to truly benefit from this shift, they'll need to build strong strategies for balancing AI automation with human oversight. The next few years will see AI agents becoming essential partners in security, but managing these tools responsibly will be crucial to reaping the rewards without introducing new risks.
Randall Degges
Head of Developer & Security Relations, Snyk
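The prediction above names SQL injection as the kind of common flaw an agent would detect and patch. The following is an added example, not code from the article or from Snyk: it puts a string-built query next to its parameterized fix, shows on a constructed in-memory database why the first one is a problem, and includes a small AST-based check of the sort a SAST tool or remediation agent would run over a codebase to find `execute()` calls whose SQL is assembled at runtime. The sample source it scans, the table layout and the function names are all constructed for illustration.

```python
"""Added example: string-built SQL vs. a bound parameter, plus a tiny
AST detector for dynamically assembled queries. Constructed for
illustration; not the article's or any vendor's code."""
import ast
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory sample database with three users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "dev"), (3, "carol", "dev")],
    )
    return conn


def lookup_user_vulnerable(conn, name: str):
    """Vulnerable form: input is spliced into the SQL text, so the engine
    cannot distinguish data from query structure."""
    return conn.execute(
        f"SELECT id, name FROM users WHERE name = '{name}'"
    ).fetchall()


def lookup_user_safe(conn, name: str):
    """Hardened form: a bound parameter is always treated as data, whatever
    characters it contains."""
    return conn.execute(
        "SELECT id, name FROM users WHERE name = ?", (name,)
    ).fetchall()


class _ExecuteVisitor(ast.NodeVisitor):
    """Flags .execute()/.executemany() calls whose SQL argument is built
    with an f-string, % formatting, .format() or + concatenation."""

    def __init__(self):
        self.findings = []

    def visit_Call(self, node):
        func = node.func
        if (isinstance(func, ast.Attribute)
                and func.attr in ("execute", "executemany")
                and node.args
                and self._is_dynamic(node.args[0])):
            self.findings.append(node.lineno)
        self.generic_visit(node)

    @staticmethod
    def _is_dynamic(expr) -> bool:
        if isinstance(expr, ast.JoinedStr):          # f"... {x} ..."
            return True
        if isinstance(expr, ast.BinOp) and isinstance(expr.op, (ast.Mod, ast.Add)):
            return True                              # "..." % x  or  "..." + x
        return (isinstance(expr, ast.Call)
                and isinstance(expr.func, ast.Attribute)
                and expr.func.attr == "format")      # "...".format(x)


def find_string_built_queries(source: str):
    """Return the line numbers of execute() calls whose SQL is built at runtime."""
    visitor = _ExecuteVisitor()
    visitor.visit(ast.parse(source))
    return visitor.findings


# Constructed source to scan: two flawed query builders and one safe one.
SAMPLE_SOURCE = '''\
def by_name(cur, name):
    return cur.execute(f"SELECT id FROM users WHERE name = '{name}'")

def by_id(cur, uid):
    return cur.execute("SELECT id FROM users WHERE id = %s" % uid)

def by_role(cur, role):
    return cur.execute("SELECT id FROM users WHERE role = ?", (role,))
'''

if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"   # classic demonstration input
    print("vulnerable:", lookup_user_vulnerable(db, probe))  # every row leaks
    print("safe:      ", lookup_user_safe(db, probe))        # no such user
    print("flagged lines:", find_string_built_queries(SAMPLE_SOURCE))
```

The detector only looks at the expression passed directly to `execute()`, which is why the sample keeps the query inline; a real tool would also follow simple assignments to the variable being passed, and that data-flow step is where most of the engineering in such agents goes.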

AI-AIDED THREAT MONITORING

AI-Aided Threat Monitoring Will Become the Norm: SOC managers have the unenviable job of searching mountains of data for actionable information. AI-aided threat monitoring, such as pattern recognition, anomaly detection, and general classification of data, will become necessary for security teams to surface the most urgent threats so that proper mitigation steps can be taken in a timely manner.
Mike Woodard
VP of Product Management for Application Security, Digital.ai

AI-DRIVEN VULNERABILITY REMEDIATION

AI-Driven Vulnerability Remediation in 2025: In 2025, DevSecOps will harness complementary AI models to analyze, generate, and test code against policy guidelines, driving more efficient vulnerability remediation. While GenAI accelerates development, it risks creating workflow bottlenecks as fixes lag. Advanced techniques like symbolic regression and insights from open-source release notes will enhance data flow understanding and vulnerability tracking. Leaders must implement processes and guardrails to seamlessly integrate AI capabilities into DevSecOps systems, ensuring efficiency without added pressure.
Danny Allan
CTO, Snyk

TURNING RIGHT TO GO LEFT

Disillusionment with shift left will become widespread, and people will start talking about "turning right to go left" with runtime security in production. This is because it's possible to shift too far left or to do so too fast without a large proportion of vulnerabilities sneaking their way into the production code. People will begin to see that "turning right to go left" is a smarter strategy that helps to prevent this.
Jeff Williams
Co-Founder and CTO, Contrast Security

SHIFT EVERYWHERE

In 2025, DevSecOps will continue evolving beyond the shift-left paradigm, embracing a more mature "shift everywhere" approach. This shift calls on organizations to apply the right tools at the right stages of the DevSecOps cycle, improving efficiency and effectiveness in security practices. Lightweight analysis in IDEs will help developers catch issues early, while automation integrated into pull requests and CI/CD pipelines will ensure a cohesive 'integrate once' approach for core functions such as SAST, SCA, and increasingly DAST, particularly for API security testing.
Dylan Thomas
Senior Director of Product Engineering, OpenText Cybersecurity

CONVERGENCE OF DEVSECOPS AND OBSERVABILITY

Organizations will rely on observability tools to protect against supply chain threats: In response to the devastating supply chain attacks that led to industry-wide outages in 2024, organizations must prioritize the adoption of observability tools to secure their software supply chains. These tools provide real-time monitoring of an organization’s system, including third-party services and dependencies, to detect potential vulnerabilities or compromises. In 2025, observability will become essential to help protect against evolving supply chain attacks.
John Visneski
CISO, Sumo Logic

DevSecOps will evolve into an integrated model, where capabilities in observability and security will be embedded across the development lifecycle: DevSecOps has been more of a vision than a reality as budgetary pressures and office politics regarding tooling and technologies prevented teams from collaborating. In 2025, technology advancements and the unifying of ecosystems will relieve this pressure as DevSecOps evolves into an integrated model where Observability and Security capabilities become shared and embedded into the development lifecycle. Organizations will leverage AI-powered platforms that not only automate steps like security checks, compliance assessments and vulnerability scanning, but also pre-tag context for Observability purposes directly into log files as a critical component of a well-functioning CI/CD pipeline. This approach will streamline processes and ensure quality, performance and security remain a shared responsibility across all teams.
Joe Kim
CEO, Sumo Logic

CONVERGENCE OF AIOPS AND DEVSECOPS

The progression of AI for IT Operations (AIOps) has accelerated significantly since the COVID-19 pandemic. Initially focused on enhancing Day 2 operations like monitoring and maintenance, the scope of AIOps has now expanded to encompass development, security, and operations (DevSecOps). Modern CIOs are now looking to enhance this AI-driven DevSecOps approach with generative AI, aiming to link IT operations with business operations to create an observable, end-to-end value stream. In 2025 we'll see the emergence of autonomous AI agents, capable of performing tasks without human intervention — this will create a paradigm shift in IT and business processes, evolving how companies approach AIOps.
Raghava Venkat
Partner and Offering Leader DevSecOps/AIOps, IBM Consulting

CONVERGENCE OF SECURITY AND DEVSECOPS

Security teams will take the lead in applying DevSecOps to enterprise application security: In 2025, security teams will actively support developers to drive DevSecOps practices, breaking down silos between security and development teams to foster improved collaboration and vulnerability detection. The sophistication of modern threats requires enterprises to integrate security practices earlier within the software development cycle to prevent catastrophic losses. Security teams will play a key role in this shift by helping developers adopt security practices in a way that supports their workflow rather than hindering it. The friction between security and development teams will decrease next year, fostering the positive collaboration envisioned by implementing DevSecOps principles.
John Visneski
CISO, Sumo Logic

SECURITY AND PRODUCTIVITY

Software is eating the world, but software developers are well past the realization of this well-known phenomenon. In 2025, teams will begin to understand that productivity and security aren't two separate silos meant to be joined together; they are symbiotic. Systems, updates and software itself are moving at breakneck speeds, and through advances in AI, data center capacity and expansion of talent within each team, that speed is accelerating. Symbiosis of the SSC and its security processes, introduced through the deployment of flexible software systems, compatible security applications and empowered security teams, will be the necessary glue for the future of software delivery in 2025.
Paul Davis
Field CISO, JFrog

SECURITY AND BRAND REPUTATION

As we enter 2025, security teams will recognize that striking a balance between developing software securely and focusing on protecting the technologies, while necessary, is no longer sufficient; they must also prioritize business metrics such as brand reputation, productivity, and security resilience as success factors ... Discussions around building brand reputation and security resilience in tandem will become more prevalent as teams seek to address overarching security issues rather than individual symptoms, such as fixing a singular vulnerability.
Paul Davis
Field CISO, JFrog

INCREASED REGULATION

Increased scrutiny of software by governments: The world runs on software. Its repeated exploitation — and sometimes subversion — has made governments increasingly interested in doing something to change that. I expect the US to continue to gradually develop tighter requirements, especially for critical infrastructure and government use, through continuous dialogue with developers. The EU has passed the Cyber Resilience Act (CRA), but while it's lengthy, important questions remain. I hope that the EU will clarify the meaning of the CRA by working with experts to create practical and fair requirements.
David A. Wheeler
Director of Open Source Supply Chain Security, OpenSSF

In the new year, the United States will progress toward establishing stronger and more robust regulatory frameworks for software security. The current regulatory landscape in the United States is fragmented with many legislators trying to strike the delicate balance between prioritizing security and encouraging innovation. In contrast, the European Union has already established cohesive and effective regulations with initiatives like the Digital Operational Resilience Act (DORA), CRA, the AI Act, and General Data Protection Regulation (GDPR), which carry significant enforcement measures.
Paul Davis
Field CISO, JFrog

EU CYBER RESILIENCE ACT

The EU Cyber Resilience Act (CRA) and its potential impact on DevSecOps could reshape how organizations approach software development, particularly in terms of security integration and compliance. One of the key vulnerabilities in modern applications is the accidental exposure of secrets, such as API keys, credentials, and tokens, within source code. The CRA will likely push organizations to further integrate secret detection into their continuous integration/continuous deployment (CI/CD) pipelines.
Guillaume Valadon
Cybersecurity Researcher, GitGuardian
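The prediction above expects secret detection to become a standard CI/CD stage. As an added illustration that is not code from the article or from GitGuardian, the scanner below shows the two detection strategies such a gate typically combines: fixed patterns for well-known token shapes, and a keyword-plus-entropy check for arbitrary `secret = "..."` style assignments. The pattern list, the 3.5-bit entropy threshold and the sample file it scans are constructed assumptions; the AWS example key ID is the placeholder format AWS documents publicly.

```python
"""Added example: a minimal secret scanner of the kind run as a CI gate.
Pattern names, threshold and sample input are constructed for illustration;
not the article's or any vendor's code."""
import math
import re
import sys

# Well-known token shapes (assumed list; real scanners ship hundreds).
PATTERNS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("github_pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("private_key_block", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
]

# Keyword-style assignment with a quoted value of 16+ characters,
# e.g.  API_TOKEN = "..."  or  password: '...'
ASSIGNMENT = re.compile(
    r"(?i)(secret|token|password|api[_-]?key)\w*\s*[:=]\s*['\"]([^'\"]{16,})['\"]"
)
ENTROPY_THRESHOLD = 3.5  # bits per character; assumed cut-off


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for empty or uniform input)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Never echo a full candidate secret into CI logs."""
    return value[:4] + "..."


def scan_text(text: str):
    """Return (line_no, finding_kind, redacted_value) for each suspicious line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS:
            m = pattern.search(line)
            if m:
                findings.append((lineno, kind, redact(m.group(0))))
                break
        else:
            # No fixed pattern hit; fall back to keyword + entropy.
            m = ASSIGNMENT.search(line)
            if m and shannon_entropy(m.group(2)) >= ENTROPY_THRESHOLD:
                findings.append((lineno, "high_entropy_assignment", redact(m.group(2))))
    return findings


def ci_gate(text: str) -> int:
    """Exit status for a pipeline step: 1 when anything secret-like is found."""
    findings = scan_text(text)
    for lineno, kind, shown in findings:
        print(f"line {lineno}: {kind}: {shown}")
    return 1 if findings else 0


# Constructed sample file. Line 3 uses the AWS-documented example key ID,
# line 4 a random-looking token, line 5 reads from the environment (fine),
# line 6 is a low-entropy placeholder that the entropy filter should ignore.
SAMPLE_FILE = """\
import os
DB_HOST = "db.internal.example"
AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
API_TOKEN = "x9Qm2pLw8ZrT4vBn6KsD1yHc3eJf7aGu"
password = os.environ["DB_PASSWORD"]
TOKEN_EXAMPLE = "xxxxxxxxxxxxxxxxxxxxxxxx"
"""

if __name__ == "__main__":
    sys.exit(ci_gate(SAMPLE_FILE))
```

In a pipeline this would run over the added lines of the change under review rather than the whole tree, and the non-zero exit fails the job; the entropy filter is what keeps obvious placeholders such as the line-6 value from blocking every merge.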

PENALTIES FOR BAD SOFTWARE DEVELOPMENT

There will be increasing penalties for egregiously bad software development practices: Meta recently paid a non-trivial penalty for failing to encrypt passwords. Delta is suing CrowdStrike for failing to test an update fully before releasing it. The Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have posted a document listing bad practices. It's impossible to develop large-scale software without making mistakes, but some practices will be considered so unacceptable that we'll start to see more penalties for some egregiously bad practices.
David A. Wheeler
Director of Open Source Supply Chain Security, OpenSSF

Go to: 2025 DevSecOps Predictions - Part 2
