Advancing DevSecOps for Cloud-Native Readiness and Security at Scale

Overview

As organizations accelerate cloud-native delivery, security teams are under pressure to move faster without increasing risk. The DevSecOps Survey Research Report examines how enterprises are advancing DevSecOps practices to improve cloud-native readiness, strengthen application security, and support developer productivity. The research benchmarks adoption of automation, tooling, collaboration practices, and investment priorities across modern DevSecOps programs. Findings reveal a clear trend toward embedding security directly into CI/CD pipelines, with automated scanning now the most common practice and third-party validation widely relied upon for assurance and compliance.

However, the report also highlights meaningful gaps in maturity. Critical practices such as static code analysis, compliance automation, and SBOM adoption remain underdeveloped, leaving organizations exposed to supply chain and governance risks. Cultural challenges further complicate progress, with developers citing fear of breaking production, lack of training, and unclear accountability as key barriers to shifting security left. High-performing organizations are differentiating themselves by balancing automation with education, collaboration, and clearly defined ownership models, enabling faster delivery without compromising security.

Key Takeaways

  • Automation leads, but full-stack security maturity still lags: Nearly half of organizations rely on automated security scanning, yet adoption of SAST, compliance as code, and SBOM practices remains low.
  • Third-party validation is now standard practice: Over 90% of organizations engage external penetration testing or consulting services at least occasionally, signaling that independent validation is now a strategic necessity.
  • Culture is a bigger barrier than tooling: Developers are more constrained by fear, lack of training, and unclear expectations than by time or capacity, highlighting the importance of leadership, education, and psychological safety.
  • Security investment momentum is strong: Nearly 90% of organizations plan to invest in external security expertise in the coming year, reinforcing the urgency of strengthening DevSecOps maturity.

Authors

  • Efficiently Connected
  • Paul Nashawaty

    Paul Nashawaty, Practice Leader and Lead Principal Analyst, specializes in application modernization across build, release and operations. With a wealth of expertise in digital transformation initiatives spanning front-end and back-end systems, he also possesses comprehensive knowledge of the underlying infrastructure ecosystem crucial for supporting modernization endeavors. With over 25 years of experience, Paul has a proven track record in implementing effective go-to-market strategies, including the identification of new market channels, the growth and cultivation of partner ecosystems, and the successful execution of strategic plans resulting in positive business outcomes for his clients.

  • Sam Weston

    With over 15 years of hands-on experience in operations roles across legal, financial, and technology sectors, Sam Weston brings deep expertise in the systems that power modern enterprises such as ERP, CRM, HCM, CX, and beyond. Her career has spanned the full spectrum of enterprise applications, from optimizing business processes and managing platforms to leading digital transformation initiatives.

    Sam has transitioned her expertise into the analyst arena, focusing on enterprise applications and the evolving role they play in business productivity and transformation. She provides independent insights that bridge technology capabilities with business outcomes, helping organizations and vendors alike navigate a changing enterprise software landscape.