
The DevSecOps landscape is undergoing significant transformation as organizations strive to balance development speed with security and operational efficiency. The research from Black Duck’s “Balancing AI Usage and Risk in 2025: The Global State of DevSecOps” report provides critical insights into the challenges and opportunities facing DevSecOps teams today.
Based on a comprehensive survey of over 1,000 global software and security professionals, this report sheds light on the ongoing tension between development speed and security, the issue of tool sprawl, and the double-edged nature of artificial intelligence (AI) in DevSecOps.
Achieving Speed at the Cost of Security?
One of the most striking findings from the report is the incredible speed at which organizations are now deploying code. Nearly 60% of organizations are deploying code daily or even multiple times a day. However, this speed is built on a fragile foundation. Security practices remain immature, with 46% of companies still relying on manual processes to get new code into the security testing queue. This automation gap means many businesses are unaware of their vulnerabilities, with 62% of organizations testing less than 60% of their applications.
The result is a growing security debt that accumulates with every release. As organizations continue to prioritize speed, they risk leaving their software vulnerable to potential threats. This highlights the need for better integration of security practices into the development lifecycle.
The Tool Sprawl Crisis
In an attempt to address complex threats, many organizations have adopted a multi-tool approach to application security testing (AST). However, this strategy has led to unintended consequences. Over 71% of respondents reported that a significant portion of their security alerts is “noise”: false positives, unclear findings, or duplicates reported by different tools. This flood of useless information not only destroys the ROI of security investments but also creates operational drag that slows down development.
The report highlights that the top five most common AST tool types are used in nearly equal proportion, creating a fragmented AST ecosystem. Each disconnected system comes with its own overhead, APIs, and alert formats, making it challenging for DevOps teams to navigate.
Given the reported prevalence of noisy results and the heavy reliance on manual testing queues, a natural question is whether perceived noise is amplified by the inconvenience of manual effort, or whether greater automation merely hides it. The answer for a given organization depends on how it balances informed policy creation with deliberate automation of issue triage.
The Persistent “Speed vs. Security” Dilemma
The operational drag from tool sprawl and noise, combined with a reliance on manual processes, directly impacts the main goal of DevOps: speed. Over 81% of DevSecOps professionals say that application security testing slows down development. For organizations relying heavily on manual processes, the promise of secure, high-velocity DevOps remains unfulfilled. The “Sec” part of DevSecOps is seen as a roadblock rather than an enabler, creating a vicious cycle of buying more tools, generating more noise, and requiring more manual triage.
AI: A Double-Edged Sword
AI-powered coding assistants and open-source AI models are now deeply embedded in developers’ daily lives. The report reveals a paradox around AI usage: it is seen as both a powerful tool for improving security and a significant new source of complex, scalable risk. While 56% of respondents believe AI introduces novel security risks, an even larger majority (63%) think it helps them write more secure code. The significant overlap implies a great willingness to “accept the bad” in order to “realize the good.”
The widespread adoption of AI, including “shadow AI” (AI used without official permission), poses governance challenges. Despite concerns about AI-generated code, 89% of respondents are confident in their ability to handle new security issues introduced by AI. This confidence may be misplaced, given the current state of toolchains and manual processes.
Recommendations for the Future
The report emphasizes the need for a fundamental shift in how organizations approach application security. The top priority for improving application security testing capabilities is “better development workflow integration.” This involves moving away from standalone security tools and towards integrated platforms that are built for deep, native integration into developer workflows.
To address the challenges highlighted in the report, organizations should:
- Establish a Robust AI Governance Framework: Clear policies on AI usage, data privacy, and IP protection are essential.
- Rationalize and Optimize the AST Toolchain: Conduct a thorough audit to eliminate redundancies and noise, consolidating around solutions that integrate into AI-enabled build pipelines.
- Invest in the Developer Experience of Security: Focus on developer-centric metrics like mean time to remediate, rather than just security metrics.
For hands-on practitioners, the report suggests championing integrated tooling, quantifying the cost of noise from false positives, and leading the charge on secure AI enablement.
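The tool-sprawl discussion above and the recommendation to rationalize the toolchain and track developer-centric metrics both come down to one pipeline: pull findings out of each tool's native format, collapse duplicates, route what remains according to a written policy, and measure the result. The following Python is an added illustration of that pipeline, not code from the report or from Black Duck. The two tools ("toolA", "toolB"), their record formats, the rule-name mapping, the sample findings, and the triage policy are all constructed for the example.

```python
"""Normalize findings from two differently formatted AST tools, deduplicate
them, apply a triage policy, and compute developer-centric metrics
(noise ratio, mean time to remediate).  Every tool name, field name and
finding below is constructed for this example."""
from datetime import datetime

# Constructed output of a hypothetical SAST tool ("toolA").  The second
# record is the same issue re-reported by the next scan.
TOOL_A = [
    {"check_id": "sqli", "path": "app/db.py", "line": 42, "sev": "HIGH",
     "found": "2025-03-01T10:00:00", "fixed": "2025-03-03T10:00:00"},
    {"check_id": "sqli", "path": "app/db.py", "line": 42, "sev": "HIGH",
     "found": "2025-03-02T10:00:00", "fixed": None},
    {"check_id": "xss", "path": "web/view.py", "line": 7, "sev": "MEDIUM",
     "found": "2025-03-01T10:00:00", "fixed": None},
]
# Constructed output of a hypothetical second scanner ("toolB") with its own
# field names and a numeric severity scale.
TOOL_B = [
    {"rule": "SQL_INJECTION", "file": "app/db.py", "location": "42",
     "severity": 9.1, "first_seen": "2025-03-01T12:00:00",
     "resolved": "2025-03-03T10:00:00"},
    {"rule": "HARDCODED_SECRET", "file": "cfg/settings.py", "location": "3",
     "severity": 4.0, "first_seen": "2025-03-01T12:00:00",
     "resolved": "2025-03-01T18:00:00"},
]
# Assumption: the security team maintains a mapping from each tool's rule
# identifiers onto one shared vocabulary so cross-tool duplicates can be seen.
RULE_MAP = {"sqli": "sql-injection", "SQL_INJECTION": "sql-injection",
            "xss": "xss", "HARDCODED_SECRET": "hardcoded-secret"}
# Written triage policy: severity -> action for every unique finding.
POLICY = {"HIGH": "block-merge", "MEDIUM": "ticket"}


def _parse(ts):
    return datetime.fromisoformat(ts) if ts else None


def normalize(tool, raw):
    """Convert one tool's native record into the common finding schema."""
    if tool == "toolA":
        return {"tool": tool, "rule": RULE_MAP[raw["check_id"]],
                "file": raw["path"], "line": int(raw["line"]),
                "severity": raw["sev"], "opened": _parse(raw["found"]),
                "closed": _parse(raw["fixed"])}
    if tool == "toolB":
        s = raw["severity"]
        sev = "HIGH" if s >= 7 else "MEDIUM" if s >= 4 else "LOW"
        return {"tool": tool, "rule": RULE_MAP[raw["rule"]],
                "file": raw["file"], "line": int(raw["location"]),
                "severity": sev, "opened": _parse(raw["first_seen"]),
                "closed": _parse(raw["resolved"])}
    raise ValueError(f"unknown tool {tool}")


def dedupe(findings):
    """Collapse records describing the same issue (rule + file + line),
    keeping the earliest-opened one.  Returns (unique, duplicate_count)."""
    unique = {}
    for f in sorted(findings, key=lambda f: f["opened"]):
        unique.setdefault((f["rule"], f["file"], f["line"]), f)
    return list(unique.values()), len(findings) - len(unique)


def triage(findings, policy):
    """Route each unique finding; anything not covered by policy is backlog."""
    return {(f["rule"], f["file"], f["line"]): policy.get(f["severity"], "backlog")
            for f in findings}


def mean_time_to_remediate(findings):
    """Average hours from opened to closed over closed findings (None if none)."""
    hours = [(f["closed"] - f["opened"]).total_seconds() / 3600
             for f in findings if f["closed"]]
    return sum(hours) / len(hours) if hours else None


def run_pipeline(sources, policy):
    """sources: {tool_name: [raw records]}.  Returns metrics and decisions."""
    findings = [normalize(t, r) for t, rows in sources.items() for r in rows]
    unique, duplicates = dedupe(findings)
    return {"raw_count": len(findings),
            "unique_count": len(unique),
            "noise_ratio": duplicates / len(findings) if findings else 0.0,
            "mttr_hours": mean_time_to_remediate(unique),
            "triage": triage(unique, policy)}


if __name__ == "__main__":
    for k, v in run_pipeline({"toolA": TOOL_A, "toolB": TOOL_B}, POLICY).items():
        print(k, v)
```

On the constructed input, five raw alerts collapse to three unique findings, so 40% of what developers would otherwise see is duplicate noise; that ratio is the "cost of noise" figure worth putting in front of leadership. Keeping the earliest-opened record per key is a deliberate simplification: a production pipeline would also merge status across records so that an issue re-reported after a fix is reopened rather than silently dropped.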
Market Impact
The findings from the Black Duck report have significant implications for the DevSecOps market. There’s a growing need for:
- Integrated Security Platforms: Organizations are moving away from multiple standalone tools towards unified platforms that can manage risk across the application portfolio.
- AI Governance Tools: The rise of AI in development will drive demand for tools that provide visibility, governance, and security for AI-generated code.
- Developer-Centric Security Solutions: There’s a shift towards security tools that are deeply integrated into developer workflows, improving the developer experience while maintaining security.
In conclusion, the DevSecOps landscape is characterized by high development speeds, tool sprawl, and the double-edged nature of AI. To navigate these challenges, organizations must prioritize better integration of security into development workflows, optimize their toolchains, and establish robust AI governance frameworks. By doing so, they can turn security from a bottleneck into a strategic enabler, balancing the need for speed with the imperative of security.