{"id":207671,"date":"2026-05-01T02:33:00","date_gmt":"2026-05-01T06:33:00","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/05\/01\/the-state-of-devsecops-navigating-speed-friction-and-ai\/"},"modified":"2026-05-01T05:10:08","modified_gmt":"2026-05-01T09:10:08","slug":"the-state-of-devsecops-navigating-speed-friction-and-ai","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/05\/01\/the-state-of-devsecops-navigating-speed-friction-and-ai\/","title":{"rendered":"The State of DevSecOps: Navigating Speed, Friction, and AI"},"content":{"rendered":"<p><a href=\"https:\/\/www.cybersecurity-insiders.com\/the-state-of-devsecops-navigating-speed-friction-and-ai\/\">The State of DevSecOps: Navigating Speed, Friction, and AI<\/a><\/p>\n<p><a href=\"https:\/\/www.cybersecurity-insiders.com\/the-state-of-devsecops-navigating-speed-friction-and-ai\/\">https:\/\/www.cybersecurity-insiders.com\/the-state-of-devsecops-navigating-speed-friction-and-ai\/<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-05-01 02:33:00<\/a><\/p>\n<p>Source Domain: <a href=\"www.cybersecurity-insiders.com\">www.cybersecurity-insiders.com<\/a><\/p>\n<p>The DevSecOps landscape is undergoing significant transformation as organizations strive to balance development speed with security and operational efficiency. 
The research from Black Duck\u2019s \u201cBalancing AI Usage and Risk in 2025: The Global State of DevSecOps\u201d report provides critical insights into the challenges and opportunities facing DevSecOps teams today.<br \/>\nBased on a comprehensive survey of over 1,000 global software and security professionals, this report sheds light on the ongoing tension between development speed and security, the issue of tool sprawl, and the double-edged nature of artificial intelligence (AI) in DevSecOps.<br \/>\nAchieving Speed at the Cost of Security?<br \/>\nOne of the most striking findings from the report is the incredible speed at which organizations are now deploying code. Nearly 60% of organizations are deploying code daily or even multiple times a day. However, this speed is built on a fragile foundation. Security practices remain immature, with 46% of companies still relying on manual processes to get new code into the security testing queue. This automation gap means many businesses are unaware of their vulnerabilities, with 62% of organizations testing less than 60% of their applications.<br \/>\nThe result is a growing security debt that accumulates with every release. As organizations continue to prioritize speed, they risk leaving their software vulnerable to potential threats. This highlights the need for better integration of security practices into the development lifecycle.<br \/>\nThe Tool Sprawl Crisis<br \/>\nIn an attempt to address complex threats, many organizations have adopted a multi-tool approach to application security testing (AST). However, this strategy has led to unintended consequences. Over 71% of respondents reported that a significant portion of their security alerts is \u201cnoise\u201d \u2013 false positives, unclear, or duplicate findings from different tools. 
This flood of useless information is not only destroying the ROI of security investments but also creating operational drag that slows down development.<br \/>\nThe report highlights that the top five most common AST tool types are used in nearly equal proportion, creating a fragmented AST ecosystem. Each disconnected system comes with its own overhead, APIs, and alert formats, making it challenging for DevOps teams to navigate.<br \/>\nA natural consideration, given the alleged prevalence of noisy results and emphasis on manual testing queues, is whether perceived noise is exacerbated by greater inconvenience from manual effort or whether noisy results are hidden by greater automation. The conclusion, here, is determined by an organization\u2019s balance of informed policy creation and deliberate automation for issue triage.<br \/>\nThe Persistent \u201cSpeed vs. Security\u201d Dilemma<br \/>\nThe operational drag from tool sprawl and noise, combined with a reliance on manual processes, directly impacts the main goal of DevOps: speed. Over 81% of DevSecOps professionals say that application security testing slows down development. For organizations relying heavily on manual processes, the promise of secure, high-velocity DevOps remains unfulfilled. The \u201cSec\u201d part of DevSecOps is seen as a roadblock rather than an enabler, creating a vicious cycle of buying more tools, generating more noise, and requiring more manual triage.<br \/>\nAI: A Double-Edged Sword<br \/>\nAI-powered coding assistants and open-source AI models are now deeply embedded in developers\u2019 daily lives. The report reveals a paradox around AI usage: it is seen as both a powerful tool for improving security and a significant new source of complex, scalable risk. While 56% of respondents believe AI introduces novel security risks, an even larger majority (63%) think it helps them write more secure code. 
The significant overlap implies a great willingness to \u201caccept the bad\u201d in order to \u201crealize the good.\u201d<br \/>\nThe widespread adoption of AI, including \u201cshadow AI\u201d (AI used without official permission), poses governance challenges. Despite concerns about AI-generated code, 89% of respondents are confident in their ability to handle new security issues introduced by AI. This confidence may be misplaced, given the current state of toolchains and manual processes.<br \/>\nRecommendations for the Future<br \/>\nThe report emphasizes the need for a fundamental shift in how organizations approach application security. The top priority for improving application security testing capabilities is \u201cbetter development workflow integration.\u201d This involves moving away from standalone security tools and towards integrated platforms that are built for deep, native integration into developer workflows.<br \/>\nTo address the challenges highlighted in the report, organizations should:<\/p>\n<p>Establish a Robust AI Governance Framework: Clear policies on AI usage, data privacy, and IP protection are essential.<br \/>\nRationalize and Optimize the AST Toolchain: Conduct a thorough audit to eliminate redundancies and noise, consolidating around solutions that integrate into AI-enabled build pipelines.<br \/>\nInvest in the Developer Experience of Security: Focus on developer-centric metrics like mean time to remediate, rather than just security metrics.<\/p>\n<p>For hands-on practitioners, the report suggests championing integrated tooling, quantifying the cost of noise from false positives, and leading the charge on secure AI enablement.<br \/>\nMarket Impact<br \/>\nThe findings from the Black Duck report have significant implications for the DevSecOps market. 
There\u2019s a growing need for:<\/p>\n<p>Integrated Security Platforms: Organizations are moving away from multiple standalone tools towards unified platforms that can manage risk across the application portfolio.<br \/>\nAI Governance Tools: The rise of AI in development will drive demand for tools that provide visibility, governance, and security for AI-generated code.<br \/>\nDeveloper-Centric Security Solutions: There\u2019s a shift towards security tools that are deeply integrated into developer workflows, improving the developer experience while maintaining security.<\/p>\n<p>In conclusion, the DevSecOps landscape is characterized by high development speeds, tool sprawl, and the dual-edged nature of AI. To navigate these challenges, organizations must prioritize better integration of security into development workflows, optimize their toolchains, and establish robust AI governance frameworks. By doing so, they can turn security from a bottleneck into a strategic enabler, balancing the need for speed with the imperative of security.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The State of DevSecOps: Navigating Speed, Friction, and AI https:\/\/www.cybersecurity-insiders.com\/the-state-of-devsecops-navigating-speed-friction-and-ai\/ Publish Date: 2026-05-01 02:33:00 
Source&#8230;<\/p>\n","protected":false},"author":1,"featured_media":207672,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/www.cybersecurity-insiders.com\/wp-content\/uploads\/operations-control-room.png","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[26,20,24],"class_list":["post-207671","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-ai","tag-artificial-intelligence","tag-cybersecurity"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/207671"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=207671"}],"version-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/207671\/revisions"}],"predecessor-version":[{"id":207673,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/207671\/revisions\/207673"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/207672"}],"wp:attachment":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=207671"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=207671"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=207671"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}