Global Checkmarx Study Reveals Developers are Growing More Confident in Application Security Knowledge, Still Hampered by Time Spent on Security

PARAMUS, N.J.--(BUSINESS WIRE)--Checkmarx today released its global research report, “DevSecOps Evolution: from DevEx to DevSecOps,” which studied the current practices of development teams in large enterprises as they work toward more mature states of development, security and operations (DevSecOps). The survey found that development and security teams are making strides in the evolution to DevSecOps but are still working toward alignment on workflows and metrics.

72% of developers spend more than 17 hours each week on security-related tasks and one in four spends more than 25 hours. --Checkmarx DevSecOps Evolution Report

Share

“The massive increase in the number of development teams and DevOps pipelines within large organizations shows how critical it is for DevOps and security teams to build a shared culture for successful collaboration,” said Martin Lindsay, Vice President of Regional Marketing at Checkmarx. “With the ultimate goal of delivering high-performing code – which, by definition is secure code – these two teams are finding that improving the developer experience with application security is just the first step and that security must find a way to match the pace of agile development.”

Key findings from the DevSecOps Evolution research showed increasing confidence among developers at large organizations with regards to knowledge gained from security training, and that they are spending a considerable amount of time on security-related tasks:

• 21% of developers surveyed say that security is their top priority when coding.
• 99.6% of developers have access to security training
  • Of those, 90% of them rank the effectiveness of the training they receive as medium or high.
• 41.53% of responding developers reported that they understand the vulnerability tickets they receive, as well as how the vulnerability manifests during runtime, from 41-60% of the time.
• 72% of developers spend more than 17 hours each week on security-related tasks and one in four spends more than 25 hours.

The Checkmarx DevSecOps Maturity Model tracks the process of organizations moving from traditional DevOps to DevSecOps, with four stages:

• Stage 0 – Reactive Security: AppSec is “bolted onto” development, creating a bottleneck and acting as a brake on deployment.
• Stage 1 – Security-focused: AppSec finds and funnels vulnerabilities to developers, who are bombarded with alerts and provided no remediation guidance.
• Stage 2 – DevEx-focused: Tools are integrated into the integrated development environment (IDE), enabling developers to fix vulnerabilities using remediation guidance without disrupting their workflow.
• Stage 3 – Mature DevSecOps: DevSecOps culture is well-established; security and development teams agree on policies, governance and collaboration; training is provided at point of need and within the IDE; goals and metrics are established and aligned.

The Checkmarx study found that most large organizations are working towards and committed to achieving mature DevSecOps:

• 30% have moved beyond focusing only on the developer experience to building more sophisticated processes.
• 28.3% of organizations are tracking mean time to remediate as a metric.
• 45% are measuring code security.
• 46.27% are tracking ability to meet deadlines.

With overall market maturity in its early stages, the Checkmarx study reveals that there is not yet wide adherence to established best practices for operation and measurement of effective DevSecOps. While organizations have made forward strides, there is still more progress to be made.

Methodology

The research cohort consisted of 1500 heads of development, platform engineers and developers/software engineers in large organizations with annual revenues greater than $750,000,000 across North America (USA), Europe (UK, France, Germany, Austria, Switzerland) and APAC (Australia, New Zealand, Singapore). The field research was conducted by Censuswide during the month of December 2024. Censuswide abides by and employs members of the Market Research Society, which is based on the ESOMAR principles.

To download the DevSecOps Evolution report, visit this page.

About Checkmarx

Checkmarx helps the world’s largest enterprises get ahead of application risk without slowing down development. More applications, faster pipelines and growing threats are all contributing to skyrocketing risk. Checkmarx helps end the guesswork in identifying the most critical issues to fix. Giving AppSec the tools they need while letting developers work the way they want, from DevOps pipelines to developer experience, Checkmarx helps security and development teams work better together – all on a unified application security platform. That’s why so many enterprises rely on Checkmarx to scan over one trillion lines of code each year, see 2X ROI, and improve developer productivity on security tasks by 50%. Checkmarx. Always Ready to Run.

Follow Checkmarx on LinkedIn, YouTube and X.