Application security (AppSec) teams are facing increased strain as organizations ramp up their adoption of DevSecOps practices, according to a report from ESG.
The shift toward integrating development, security and operations teams is growing rapidly, with DevSecOps adoption expected to rise from 38% today to 48% over the next two years.
However, this accelerated pace creates significant pressure on already overburdened and under-resourced security teams.
The report also indicated that the rise of generative AI (GenAI) is adding another layer of complexity, with integration posing challenges for security.
The majority (97%) of organizations surveyed said they are either using or planning to implement generative AI in their software development processes, yet security teams are expressing deep concerns about safeguarding AI usage.
Lack of Visibility
A key issue exacerbating these challenges is the lack of visibility between security and development teams.
The survey found that 42% of respondents can test and fix their code independently, without engaging security teams, leading to security gaps and underscoring the urgent need for better integration.
Melinda Marks, practice director of cybersecurity for ESG, encouraged AppSec teams to first talk to developers and DevOps teams to find out about their workflows, processes, security awareness and any security testing they have in place, and to align on goals to secure their applications.
“These should overlap in areas such as application uptime, ensuring customer service and protecting company and customer data,” she said.
Second, consider ways to incorporate security tools and processes into how developers are working, including setting policies and automating testing early in development processes.
“Third, ensure security has control and visibility to roll out security tools and processes that support development so they can efficiently manage risk and remediate security issues,” Marks said.
Karthik Swarnam, chief security and trust officer of ArmorCode, said that to manage the increasing pace and scale of DevSecOps effectively, even with limited resources, AppSec teams should leverage AI capabilities for enhanced security testing.
“Automating the DevSecOps pipeline is crucial for maintaining efficiency without sacrificing security,” he said. “Teams should also prioritize the use of tools that provide visibility into security risks and help with the prioritization of remediation efforts.”
He said it is essential for teams to remain laser-focused on critical tasks, such as identifying which vulnerabilities require immediate attention, determining specific deficiencies to be addressed, and pinpointing where developers need targeted training—avoiding the inefficiency of training on all possible topics.
Marks said security teams want to help enable the usage of AI because it will help with productivity, but they need to ensure it is secure: if there is an incident, such as data being improperly shared, or if the usage of AI introduces vulnerabilities, it can be a setback for AI adoption.
“We also don’t want to just see security and IT blocking usage because then it inhibits the ability for companies to use AI for its advantages,” she said.
Swarnam said that to close security gaps effectively, businesses must improve visibility and communication between security and development teams.
“A key strategy is to integrate these teams into a comprehensive vulnerability management program,” he said.
Providing business and executive-level dashboards, along with visibility reports that measure the state of security, allows for clear prioritization of remediation efforts.
These reports should highlight “what matters” most, ensuring that critical security gaps are addressed promptly.
“Integrating these tools into workflow management systems, coupled with prioritization capabilities that emphasize efficacy, ensures that security and development teams are aligned in their efforts to close gaps and strengthen the organization’s overall security posture,” Swarnam said.