DevSecOps Evolution Continues but Still in Early Stages
April 01, 2025

Development and security teams are making strides in the evolution to DevSecOps but are still working toward alignment on workflows and metrics, according to DevSecOps Evolution: from DevEx to DevSecOps, a report from Checkmarx.

"The massive increase in the number of development teams and DevOps pipelines within large organizations shows how critical it is for DevOps and security teams to build a shared culture for successful collaboration," said Martin Lindsay, Vice President of Regional Marketing at Checkmarx. "With the ultimate goal of delivering high-performing code — which, by definition is secure code — these two teams are finding that improving the developer experience with application security is just the first step and that security must find a way to match the pace of agile development."


Source: Checkmarx(link is external)

Key findings from the research showed increasing confidence among developers at large organizations with regards to knowledge gained from security training, and that they are spending a considerable amount of time on security-related tasks:

■ 21% of developers surveyed say that security is their top priority when coding.

■ 99.6% of developers have access to security training.

■ Of those, 90% of them rank the effectiveness of the training they receive as medium or high.

■ 41.53% of responding developers reported that they understand the vulnerability tickets they receive, as well as how the vulnerability manifests during runtime, from 41-60% of the time.

■ 72% of developers spend more than 17 hours each week on security-related tasks and one in four spends more than 25 hours.

The Checkmarx DevSecOps Maturity Model tracks the process of organizations moving from traditional DevOps to DevSecOps, with four stages:

Stage 0 — Reactive Security: AppSec is "bolted onto" development, creating a bottleneck and acting as a brake on deployment.

Stage 1 — Security-focused: AppSec finds and funnels vulnerabilities to developers, who are bombarded with alerts and provided no remediation guidance.

Stage 2 — DevEx-focused: Tools are integrated into the integrated development environment (IDE), enabling developers to fix vulnerabilities using remediation guidance without disrupting their workflow.

Stage 3 — Mature DevSecOps: DevSecOps culture is well-established; security and development teams agree on policies, governance and collaboration; training is provided at point of need and within the IDE; goals and metrics are established and aligned.

The study found that most large organizations are working towards and committed to achieving mature DevSecOps:

■ 30% have moved beyond focusing only on the developer experience to building more sophisticated processes.

■ 28.3% of organizations are tracking mean time to remediate as a metric.

■ 45% are measuring code security.

■ 46.27% are tracking ability to meet deadlines.

With overall market maturity in its early stages, the Checkmarx study reveals that there is not yet wide adherence to established best practices for operation and measurement of effective DevSecOps. While organizations have made forward strides, there is still more progress to be made.

Methodology: Survey respondents consisted of 1500 heads of development, platform engineers and developers/software engineers in large organizations with annual revenues greater than $750,000,000 across North America (USA), Europe (UK, France, Germany, Austria, Switzerland) and APAC (Australia, New Zealand, Singapore). The field research was conducted by Censuswide during the month of December 2024.

Share this

Industry News

May 08, 2025

AWS announced the preview of the Amazon Q Developer integration in GitHub.

May 08, 2025

The OpenSearch Software Foundation, the vendor-neutral home for the OpenSearch Project, announced the general availability of OpenSearch 3.0.

May 08, 2025

Jozu raised $4 million in seed funding.

May 07, 2025

Wix.com announced the launch of the Wix Model Context Protocol (MCP) Server.

May 07, 2025

Pulumi announced Pulumi IDP, a new internal developer platform that accelerates cloud infrastructure delivery for organizations at any scale.

May 07, 2025

Qt Group announced plans for significant expansion of the Qt platform and ecosystem.

May 07, 2025

Testsigma introduced autonomous testing capabilities to its automation suite — powered by AI coworkers that collaborate with QA teams to simplify testing, speed up releases, and elevate software quality.

May 06, 2025

Google is rolling out an updated Gemini 2.5 Pro model with significantly enhanced coding capabilities.

May 06, 2025

BrowserStack announced the acquisition of Requestly, the open-source HTTP interception and API mocking tool that eliminates critical bottlenecks in modern web development.

May 06, 2025

Jitterbit announced the evolution of its unified AI-infused low-code Harmony platform to deliver accountable, layered AI technology — including enterprise-ready AI agents — across its entire product portfolio.

May 05, 2025

The Cloud Native Computing Foundation® (CNCF®), which builds sustainable ecosystems for cloud native software, and Synadia announced that the NATS project will continue to thrive in the cloud native open source ecosystem of the CNCF with Synadia’s continued support and involvement.

May 05, 2025

RapDev announced the launch of Arlo, an AI Agent for ServiceNow designed to transform how enterprises manage operational workflows, risk, and service delivery.

May 01, 2025

Check Point® Software Technologies Ltd.(link is external) announced that its Quantum Firewall Software R82 — the latest version of Check Point’s core network security software delivering advanced threat prevention and scalable policy management — has received Common Criteria EAL4+ certification, further reinforcing its position as a trusted security foundation for critical infrastructure, government, and defense organizations worldwide.

May 01, 2025

Postman announced full support for the Model Context Protocol (MCP), helping users build better AI Agents, faster.

May 01, 2025

Opsera announced new Advanced Security Dashboard capabilities available as an extension of Opsera's Unified Insights for GitHub Copilot.