The journey toward integrating security into the fast-paced world of DevOps has seen significant strides, largely thanks to a much-needed focus on the developer experience (DevEx).
Collectively, the AppSec community and industry have moved mountains in making security tools less intrusive, integrating them into developer workflows, and acknowledging that developers need security as a help, not a hindrance. A focus on DevEx has been crucial, acting as the bridge to bring security considerations earlier into the development lifecycle while simultaneously enhancing the developers’ daily work.
The numbers don’t lie: Checkmarx’ recent DevSecOps Evolution 2025 report reveals that a majority of the organizations we surveyed—58% to be exact—are at Stage 2 maturity, a transition stage primarily focused on DevEx: They’ve integrated tools into IDEs, offer formal training, and the relationship between security and development teams is generally positive. While these developments signify important progress, this DevEx-focused stage represents a critical foundation rather than the ultimate destination in achieving mature DevSecOps.
DevEx Isn’t the Destination
Organizations haven’t yet achieved true DevSecOps maturity. They haven’t yet embedded security through shared culture, governance and aligned goals.
And while developer experience is essential, it’s just one brick of the DevSecOps foundation. To achieve the ultimate goal—high-performing, secure code delivered at the pace of business—organizations need to move beyond DevEx to a true culture of shared responsibility and trust.
Despite better tools and training, developers still report spending a significant chunk of their week—often over 17 hours—on security tasks. Trust in tool results is hampered by false positives that slow velocity, and the lack of shared goals aligning development and AppSec priorities means security can still feel like a separate concern rather than a shared objective. We have improved the experience, but we have not yet embedded security seamlessly and at scale.
The Scale – and Stakes – Are Growing
The need to mature beyond DevEx is especially urgent given the accelerating complexity and scale of modern application development. Enterprises are managing sprawling codebases and adopting tools that increase both speed and risk. Checkmarx alone scans over 450 billion lines of code every month, and that figure is only rising.
At the same time, the software supply chain is expanding at an unprecedented pace: approximately 700,000 new NPM package versions are introduced monthly, each one a potential point of exposure.
Add to this the growing adoption of AI-assisted coding tools and agentic AI systems that generate or modify code autonomously, and the attack surface multiplies further.
At the same time, development productivity requirements have never been higher. Organizations track DORA metrics (deployment frequency, lead time for changes, change failure rate and time to restore service) and expect AppSec solutions like Checkmarx’ to deliver on security without degrading those metrics, which in practice means driving down the time it takes to remediate findings.
Achieving truly mature DevSecOps—Stage 3, where only 30% of organizations currently reside—requires moving beyond just making security palatable for developers. It demands a deeper, more strategic integration built on shared culture, robust governance, trusted automation, and aligned success metrics.
Checkmarx’ Five Pillars of DevSecOps Maturity
At its heart, DevSecOps is a cultural evolution. It’s about merging the “move fast” ethos of development with the “protect everything” mandate of security to achieve a common goal of delivering secure, high-performance code at the speed the business requires. To progress from Stage 2 (DevEx-focused) to Stage 3 (Mature DevSecOps), organizations need to build on their DevEx foundation with five key elements:
1. Shared Metrics
You can’t improve what you don’t measure, yet our research shows a surprising lack of consensus on DevSecOps metrics. While many organizations we surveyed track top vulnerable applications (52.1%) and mean time to detect vulnerabilities (51%), only 28.3% measure mean time to remediate—arguably the most critical metric for balancing security and velocity.
True DevSecOps maturity requires security and development teams to align shared metrics that measure how effectively they work together, not just how many vulnerabilities they find.
2. Collaborative Governance
In mature DevSecOps, security and development teams jointly establish policies, standards and processes. Our data shows this remains rare—when asked to describe the relationship between security and development in one word, respondents most frequently chose “trust,” “policy,” and “risk,” indicating an evolving but not yet fully collaborative relationship.
For 88% of organizations, shared metrics, policies and governance are still absent. This suggests that security and development teams are aligning but have not yet formed a fully collaborative governance model.
3. Advanced Security Education
While essentially all developers have access to training according to our study, the model needs to evolve. Traditional formal training programs still have value, but the premium on developer time makes standalone training challenging.
Mature DevSecOps organizations are pivoting toward just-in-time training that delivers contextual guidance when and where developers need it. A step further is in-the-moment training with inline feedback inside the IDE, which lets developers learn without leaving their workflow.
4. Trusted Automation
Our study showed that one in five (20%) organizations we surveyed have no AppSec automation in place. Even among the remaining 80%, adoption of key automation capabilities remains low: only 32% have automated security testing during change management, and just 30% auto-populate security tickets with remediation guidance.
This low adoption rate is not explained by a lack of technology. It appears instead to be a matter of trust, and of culture gaps between security and development teams. Without shared governance and metrics, attempts to “automate everything” typically fail because there is no foundation of trust on which to build automations that both teams will embrace.
5. Velocity-Security Balance
The ultimate goal of DevSecOps is to deliver high-performing, secure code quickly. Yet 66% of developers report that false positives impede their velocity, and 28% say their AppSec teams lack the tools or resources to help them fix security issues efficiently.
Mature DevSecOps organizations recognize that speed isn’t just about how quickly tools scan—it’s about how quickly developers can remediate issues without disrupting their workflow. This requires prioritized, actionable results with clear remediation guidance, not just faster scanning.
The Role of Leadership
Making the transition to DevSecOps takes more than just good tooling—it requires strong leadership. Security leaders must be willing to trade control for collaboration and build systems based on partnership, not policing. Engineering leaders must recognize that security is essential to velocity, not an obstacle.
This shift requires executive buy-in and strategic commitment. It means moving beyond budget conversations centered on compliance and instead investing in the long-term health of your codebase and your teams.
The Road Ahead
As the DevSecOps Evolution 2025 report shows, most organizations are still in the middle of the journey. That’s not a failure. It’s an opportunity. DevEx helped bridge the gap between developers and security, and now it’s time to build the foundation that inspires them to run together. By moving beyond DevEx as the sole focus and embracing these pillars of mature DevSecOps, we can finally embed security seamlessly at scale, achieving the ultimate objective of delivering high-performing, secure code without compromising speed.
The transformation won’t happen overnight. It requires sustained investment in building trust between security and development teams. But organizations that successfully make this journey will gain the significant competitive advantage of more secure and advanced applications built with less friction and lower costs.
As we look to 2026 and beyond, the most successful organizations will be those that move beyond seeing security as just another feature of the development process. Instead, they’ll embrace it as an integral, collaborative aspect of delivering high-quality software in a digital world with ever-rising security risks.
At Checkmarx, we believe the future of software development is secure by design—and it starts with mature DevSecOps. Let’s keep moving forward.