DevSecOps in the AI Era: Managing Speed and Friction


Key Takeaways

  • Development velocity is high, with ~60% of organizations releasing code daily or more, yet security practices lag, leaving a significant portion of applications untested.
  • Tool sprawl creates excessive noise: 71% of respondents report that a significant share of their security alerts are false positives, unclear messages, or duplicate findings from different tools, eroding ROI and slowing development.
  • The “speed vs. security” tension persists: >80% of DevSecOps professionals say application security testing impedes release speed.
  • AI is viewed both as a risk source (56%) and a security aid (63%), leading to widespread adoption but also governance challenges, especially with “shadow AI.”
  • Priorities for improvement include better workflow integration, AI governance, toolchain rationalization, and developer‑centric security metrics.
  • Market demand is shifting toward integrated security platforms, AI‑governance tools, and solutions that embed security directly into developer pipelines.

Introduction: The DevSecOps Landscape in 2025
The DevSecOps environment is at a crossroads, pushed by relentless pressure to deliver software faster while simultaneously safeguarding it against ever‑evolving threats. Black Duck’s “Balancing AI Usage and Risk in 2025: The Global State of DevSecOps” report, based on a survey of more than 1,000 global software and security professionals, illuminates the core tensions shaping today’s practices. The findings reveal that organizations have achieved impressive release cadences but have done so on a foundation where security processes remain immature, toolchains are fragmented, and artificial intelligence introduces both promise and peril. Understanding these dynamics is essential for leaders who wish to transform security from a perceived bottleneck into a strategic enabler.


Accelerated Development Speed and Its Security Gaps
One of the report’s most striking observations is the sheer speed of modern code deployment: nearly 60% of organizations push code to production daily or multiple times per day. This rapid cadence, however, rests on a fragile security baseline. Almost half (46%) of companies still rely on manual processes to move new code into the security testing queue, creating an automation gap in which code can reach production before it is ever scanned. At the same time, 62% of organizations test less than 60% of their applications, so security debt accumulates with each release. The implication is clear: without embedding security earlier in the pipeline and automating its execution, high velocity will continue to come at the cost of increased risk.


Tool Sprawl and the Noise Problem
In an attempt to cover a widening threat landscape, many teams have adopted a multitude of application security testing (AST) tools. Yet this strategy has backfired: 71% of respondents report that a significant share of their security alerts is “noise”, meaning false positives, unclear messages, or duplicate findings from different tools. This flood of irrelevant information not only diminishes the return on security investments but also creates operational drag that hampers development. The AST ecosystem is highly fragmented, with the top five tool types used in nearly equal proportion, each bringing its own overhead, APIs, and alert formats. The resulting complexity forces DevOps teams to spend valuable time triaging alerts rather than delivering features.


The Persistent Speed vs. Security Dilemma
The combination of tool sprawl, noisy alerts, and manual testing queues directly undermines the core DevOps objective of speed. More than 81% of DevSecOps professionals acknowledge that application security testing slows down development. For organizations that remain heavily dependent on manual hand‑offs, the promise of secure, high‑velocity DevOps stays unfulfilled, causing security to be viewed as a roadblock rather than an enabler. This perception fuels a vicious cycle: teams purchase additional tools to cope with gaps, generate even more noise, and then require more manual triage, further eroding velocity. Breaking this cycle demands a shift from bolt‑on security to tightly integrated, developer‑friendly solutions.


AI as a Double‑Edged Sword in DevSecOps
Artificial intelligence has become ubiquitous in the developer’s toolkit, appearing in coding assistants, open‑source models, and various automation scripts. The report uncovers a paradox: while 56% of respondents believe AI introduces novel security risks, a larger majority (63%) think it helps them write more secure code. This overlap indicates a willingness to accept the downsides of AI in pursuit of its benefits. Adding to the complexity is the prevalence of “shadow AI”—AI tools used without formal approval—which creates governance blind spots. Despite these concerns, 89% of respondents express confidence in their ability to manage AI‑related security issues, a confidence that may be misplaced given the current state of fragmented toolchains and lingering manual processes.


Recommendations for Future‑Proofing DevSecOps
To navigate these challenges, the report advises a fundamental reorientation of application security practices. The top priority is “better development workflow integration,” which means moving away from isolated security tools toward platforms that are natively embedded in the developer’s pipeline. Specific actions include: establishing a robust AI governance framework that defines clear policies on usage, data privacy, and intellectual property; rationalizing and optimizing the AST toolchain by auditing for redundancies and consolidating around solutions that feed into AI‑enabled build pipelines; and investing in the developer experience of security by tracking metrics such as mean time to remediate (MTTR) rather than relying solely on raw finding counts. Practitioners are encouraged to champion integrated tooling, quantify the cost of noise from false positives and duplicates, and lead initiatives for secure AI enablement.
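The two recommendations above that practitioners can act on immediately, rationalizing overlapping AST tools and measuring noise and MTTR, both start from the same step: normalizing each tool’s alert format onto a common key so duplicates can be collapsed and triage outcomes compared. The script below is an added example and is not code from the report or from Black Duck. The two scanner formats (“tool_a” and “tool_b”), their rule‑to‑CWE mappings, and the six findings are all constructed for illustration; real tools would need their own adapters.

```python
"""Added example: normalize findings from two hypothetical AST tools,
collapse duplicates on a (path, line, CWE) fingerprint, and compute the
noise share and mean time to remediate (MTTR) the report recommends tracking.
Tool formats, rule-to-CWE mappings and findings are all constructed."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed per-tool mappings so rule IDs from different scanners compare on a common key.
TOOL_A_CWE = {"SQLI-001": "CWE-89", "PATH-002": "CWE-22", "XSS-003": "CWE-79"}
TOOL_B_CWE = {"sql-injection": "CWE-89", "xss": "CWE-79", "hardcoded-secret": "CWE-798"}


@dataclass(frozen=True)
class Finding:
    tool: str
    path: str
    line: int
    cwe: str
    severity: str
    opened: datetime
    closed: Optional[datetime]
    triage: Optional[str]  # "true_positive", "false_positive" or None (untriaged)

    @property
    def fingerprint(self):
        return (self.path, self.line, self.cwe)


def _norm_path(p: str) -> str:
    """Strip path prefixes that differ between tools ("./src/x" vs "src/x")."""
    p = p.replace("\\", "/")
    while p.startswith("./"):
        p = p[2:]
    return p


def normalize_tool_a(raw):
    """Tool A (hypothetical) reports file/line/rule with ISO timestamps and an explicit triage field."""
    return [Finding("tool_a", _norm_path(r["file"]), int(r["line"]),
                    TOOL_A_CWE.get(r["rule"], r["rule"]), r["severity"].upper(),
                    datetime.fromisoformat(r["opened"]),
                    datetime.fromisoformat(r["closed"]) if r.get("closed") else None,
                    r.get("triage")) for r in raw]


def normalize_tool_b(raw):
    """Tool B (hypothetical) reports path/row/check and folds triage into a status string."""
    status_map = {"fixed": "true_positive", "false_positive": "false_positive", "open": None}
    fmt = "%Y-%m-%d %H:%M"
    return [Finding("tool_b", _norm_path(r["path"]), int(r["row"]),
                    TOOL_B_CWE.get(r["check"], r["check"]), r["level"].upper(),
                    datetime.strptime(r["first_seen"], fmt),
                    datetime.strptime(r["resolved"], fmt) if r.get("resolved") else None,
                    status_map.get(r["status"])) for r in raw]


def dedupe(findings):
    """Collapse findings that share a fingerprint; keep the earliest-opened copy."""
    kept, dropped = {}, 0
    for f in sorted(findings, key=lambda f: f.opened):
        if f.fingerprint in kept:
            dropped += 1
            continue
        kept[f.fingerprint] = f
    return list(kept.values()), dropped


def noise_share(raw_count, unique, dropped):
    """Fraction of raw alerts that were false positives or cross-tool duplicates."""
    false_pos = sum(1 for f in unique if f.triage == "false_positive")
    return (false_pos + dropped) / raw_count


def mttr_hours(unique):
    """Mean hours from first report to closure, over confirmed true positives only."""
    hours = [(f.closed - f.opened).total_seconds() / 3600
             for f in unique if f.triage == "true_positive" and f.closed]
    return sum(hours) / len(hours) if hours else None


# Constructed sample output from the two tools (same login.py and upload.py issues reported twice).
TOOL_A_RAW = [
    {"file": "src/auth/login.py", "line": 42, "rule": "SQLI-001", "severity": "high",
     "opened": "2025-03-01T09:00:00", "closed": "2025-03-03T09:00:00", "triage": "true_positive"},
    {"file": "src/util/paths.py", "line": 17, "rule": "PATH-002", "severity": "medium",
     "opened": "2025-03-01T09:00:00", "closed": "2025-03-01T12:00:00", "triage": "false_positive"},
    {"file": "src/api/upload.py", "line": 88, "rule": "XSS-003", "severity": "high",
     "opened": "2025-03-02T10:00:00", "closed": None, "triage": None},
]
TOOL_B_RAW = [
    {"path": "./src/auth/login.py", "row": 42, "check": "sql-injection", "level": "high",
     "first_seen": "2025-03-01 10:00", "resolved": "2025-03-02 10:00", "status": "fixed"},
    {"path": "./src/api/upload.py", "row": 88, "check": "xss", "level": "high",
     "first_seen": "2025-03-02 11:00", "resolved": None, "status": "open"},
    {"path": "./src/config/settings.py", "row": 5, "check": "hardcoded-secret", "level": "medium",
     "first_seen": "2025-03-02 12:00", "resolved": "2025-03-02 13:00", "status": "false_positive"},
]


def report(raw_a=TOOL_A_RAW, raw_b=TOOL_B_RAW):
    findings = normalize_tool_a(raw_a) + normalize_tool_b(raw_b)
    unique, dropped = dedupe(findings)
    return {"raw": len(findings), "unique": len(unique), "duplicates_dropped": dropped,
            "noise_share": round(noise_share(len(findings), unique, dropped), 3),
            "mttr_hours": mttr_hours(unique)}


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

On the constructed data, six raw alerts reduce to four distinct findings; two were cross‑tool duplicates and two were false positives, so two thirds of what developers would have seen was noise, and the one confirmed true positive took 48 hours to close. The fingerprint deliberately ignores tool‑specific rule IDs and severity labels, because those are exactly the fields that differ between scanners; a production version would also normalize line numbers against the commit that introduced the finding so that unrelated edits do not break the match.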


Market Implications and Strategic Shifts
The insights from the Black Duck report have tangible repercussions for the DevSecOps market. Organizations are increasingly gravitating toward integrated security platforms that can consolidate risk management across the entire application portfolio, reducing the need for multiple point solutions. Simultaneously, the rise of AI in development is fueling demand for AI‑governance tools that provide visibility, policy enforcement, and security scanning for AI‑generated code. Finally, there is a clear market shift toward developer‑centric security solutions—tools that sit inside IDEs, CI/CD pipelines, and collaboration platforms, thereby improving the developer experience while maintaining rigorous security standards. Vendors that can deliver these combined capabilities are poised to capture growing spend as enterprises seek to balance speed with safety.


Conclusion: Turning Security into an Enabler
The DevSecOps landscape of 2025 is defined by high release frequencies, a sprawling and noisy tool ecosystem, and the dual‑edged impact of artificial intelligence. While speed has surged, security practices have not kept pace, resulting in accumulating vulnerabilities and frustrated teams. To reverse this trend, organizations must prioritize deep integration of security into developer workflows, streamline and rationalize their toolchains, and institute rigorous AI governance. By doing so, security can transition from a perceived bottleneck to a strategic asset that enables rapid, reliable innovation—fulfilling the original promise of DevSecOps.
