Google unveiled a significant wave of advancements designed to supercharge how developers build and scale AI applications – from early-stage experimentation right through to large-scale deployment.
Development and security teams are making strides in the evolution to DevSecOps but are still working toward alignment on workflows and metrics, according to DevSecOps Evolution: from DevEx to DevSecOps, a report from Checkmarx.
"The massive increase in the number of development teams and DevOps pipelines within large organizations shows how critical it is for DevOps and security teams to build a shared culture for successful collaboration," said Martin Lindsay, Vice President of Regional Marketing at Checkmarx. "With the ultimate goal of delivering high-performing code — which, by definition is secure code — these two teams are finding that improving the developer experience with application security is just the first step and that security must find a way to match the pace of agile development."
Source: Checkmarx(link is external)
Key findings from the research showed increasing confidence among developers at large organizations with regards to knowledge gained from security training, and that they are spending a considerable amount of time on security-related tasks:
■ 21% of developers surveyed say that security is their top priority when coding.
■ 99.6% of developers have access to security training.
■ Of those, 90% of them rank the effectiveness of the training they receive as medium or high.
■ 41.53% of responding developers reported that they understand the vulnerability tickets they receive, as well as how the vulnerability manifests during runtime, from 41-60% of the time.
■ 72% of developers spend more than 17 hours each week on security-related tasks and one in four spends more than 25 hours.
The Checkmarx DevSecOps Maturity Model tracks the process of organizations moving from traditional DevOps to DevSecOps, with four stages:
■ Stage 0 — Reactive Security: AppSec is "bolted onto" development, creating a bottleneck and acting as a brake on deployment.
■ Stage 1 — Security-focused: AppSec finds and funnels vulnerabilities to developers, who are bombarded with alerts and provided no remediation guidance.
■ Stage 2 — DevEx-focused: Tools are integrated into the integrated development environment (IDE), enabling developers to fix vulnerabilities using remediation guidance without disrupting their workflow.
■ Stage 3 — Mature DevSecOps: DevSecOps culture is well-established; security and development teams agree on policies, governance and collaboration; training is provided at point of need and within the IDE; goals and metrics are established and aligned.
The study found that most large organizations are working towards and committed to achieving mature DevSecOps:
■ 30% have moved beyond focusing only on the developer experience to building more sophisticated processes.
■ 28.3% of organizations are tracking mean time to remediate as a metric.
■ 45% are measuring code security.
■ 46.27% are tracking ability to meet deadlines.
With overall market maturity in its early stages, the Checkmarx study reveals that there is not yet wide adherence to established best practices for operation and measurement of effective DevSecOps. While organizations have made forward strides, there is still more progress to be made.
Methodology: Survey respondents consisted of 1500 heads of development, platform engineers and developers/software engineers in large organizations with annual revenues greater than $750,000,000 across North America (USA), Europe (UK, France, Germany, Austria, Switzerland) and APAC (Australia, New Zealand, Singapore). The field research was conducted by Censuswide during the month of December 2024.
Industry News
Red Hat announced Red Hat Advanced Developer Suite, a new addition to Red Hat OpenShift, the hybrid cloud application platform powered by Kubernetes, designed to improve developer productivity and application security with enhancements to speed the adoption of Red Hat AI technologies.
Perforce Software announced Perforce Intelligence, a blueprint to embed AI across its product lines and connect its AI with platforms and tools across the DevOps lifecycle.
CloudBees announced CloudBees Unify, a strategic leap forward in how enterprises manage software delivery at scale, shifting from offering standalone DevOps tools to delivering a comprehensive, modular solution for today’s most complex, hybrid software environments.
Azul and JetBrains announced a strategic technical collaboration to enhance the runtime performance and scalability of web and server-side Kotlin applications.
Docker, Inc.® announced Docker Hardened Images (DHI), a curated catalog of security-hardened, enterprise-grade container images designed to meet today’s toughest software supply chain challenges.
GitHub announced that GitHub Copilot now includes an asynchronous coding agent, embedded directly in GitHub and accessible from VS Code—creating a powerful Agentic DevOps loop across coding environments.
Red Hat announced its integration with the newly announced NVIDIA Enterprise AI Factory validated design, helping to power a new wave of agentic AI innovation.
JFrog announced the integration of its foundational DevSecOps tools with the NVIDIA Enterprise AI Factory validated design.
GitLab announced the launch of GitLab 18, including AI capabilities natively integrated into the platform and major new innovations across core DevOps, and security and compliance workflows that are available now, with further enhancements planned throughout the year.
Perforce Software is partnering with Siemens Digital Industries Software to transform how smart, connected products are designed and developed.
Reply launched Silicon Shoring, a new software delivery model powered by Artificial Intelligence.
CIQ announced the tech preview launch of Rocky Linux from CIQ for AI (RLC-AI), an operating system engineered and optimized for artificial intelligence workloads.
The Linux Foundation, the nonprofit organization enabling mass innovation through open source, announced the launch of the Cybersecurity Skills Framework, a global reference guide that helps organizations identify and address critical cybersecurity competencies across a broad range of IT job families; extending beyond cybersecurity specialists.
CodeRabbit is now available on the Visual Studio Code editor.
The integration brings CodeRabbit’s AI code reviews directly into Cursor, Windsurf, and VS Code at the earliest stages of software development—inside the code editor itself—at no cost to the developers.