DevSecOps is the practice of integrating security testing into every phase of the software development lifecycle, from code commits and CI/CD pipelines through to production monitoring. Rather than treating security as a gate at the end, DevSecOps teams automate vulnerability scanning, dependency checks, and infrastructure-as-code validation directly in their workflows.
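Here is what "scan before you ship" looks like as a pipeline step. This is an added example written for this page, not code from any scanner vendor or report: a Python policy gate that reads a SARIF file (the interchange format most SAST and IaC scanners can emit, including CodeQL, Semgrep, Trivy and Checkov) and fails the job when any finding scores at or above a threshold. The SARIF document embedded below is constructed, the `security-severity` rule property follows the GitHub code-scanning convention, and the 7.0 threshold and the level-to-score fallback table are assumptions.

```python
import json
import sys
from typing import Dict, List, Tuple

# Fallback scores for tools that emit only a SARIF "level" and no numeric
# security-severity (assumed mapping, roughly CVSS-like on a 0-10 scale).
LEVEL_SCORES = {"error": 8.0, "warning": 5.0, "note": 2.0, "none": 0.0}

# Constructed SARIF 2.1.0 document standing in for real scanner output.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast", "rules": [
            {"id": "py/sql-injection", "properties": {"security-severity": "9.8"}},
            {"id": "py/debug-enabled", "properties": {"security-severity": "4.0"}},
            {"id": "py/unused-import"},
        ]}},
        "results": [
            {"ruleId": "py/sql-injection", "level": "error",
             "message": {"text": "User input flows into a SQL query"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/db.py"}, "region": {"startLine": 42}}}]},
            {"ruleId": "py/debug-enabled", "level": "warning",
             "message": {"text": "Flask debug mode enabled"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/main.py"}, "region": {"startLine": 7}}}]},
            {"ruleId": "py/unused-import", "level": "note",
             "message": {"text": "Unused import 'os'"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/util.py"}, "region": {"startLine": 1}}}]},
        ],
    }],
})


def finding_score(result: dict, rule_index: Dict[str, dict]) -> float:
    """Use the rule's numeric security-severity when present, else the level fallback."""
    rule = rule_index.get(result.get("ruleId", ""), {})
    severity = rule.get("properties", {}).get("security-severity")
    if severity is not None:
        return float(severity)
    return LEVEL_SCORES.get(result.get("level", "warning"), 5.0)


def evaluate(sarif_text: str, threshold: float = 7.0) -> Tuple[bool, List[dict]]:
    """Return (passed, blocking_findings); a finding blocks when its score >= threshold."""
    doc = json.loads(sarif_text)
    blocking: List[dict] = []
    for run in doc.get("runs", []):
        rules = run.get("tool", {}).get("driver", {}).get("rules", [])
        rule_index = {r["id"]: r for r in rules}
        for res in run.get("results", []):
            score = finding_score(res, rule_index)
            if score < threshold:
                continue
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            blocking.append({
                "rule": res.get("ruleId"),
                "score": score,
                "file": loc.get("artifactLocation", {}).get("uri"),
                "line": loc.get("region", {}).get("startLine"),
                "message": res.get("message", {}).get("text"),
            })
    return len(blocking) == 0, blocking


if __name__ == "__main__":
    # In CI: python sarif_gate.py results.sarif  (uses the sample when no file is given)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SARIF
    passed, blocking = evaluate(text)
    for b in blocking:
        print(f"BLOCK {b['rule']} score={b['score']} {b['file']}:{b['line']} {b['message']}")
    sys.exit(0 if passed else 1)
```

Run it as the step after the scanner writes `results.sarif`; the non-zero exit code is what turns "we have a scanner" into "we block on what it finds". The threshold is a policy knob: at 7.0 only the SQL injection blocks, at 4.0 the debug-mode finding blocks too, and the unused import never does.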
I pulled numbers from 14 industry reports (IBM, Verizon, Sonatype, Checkmarx, and others) published in 2024 and 2025, then added data from three studies I ran myself in February 2026. Every statistic links to its source.
For broader application security data from my original research, see my Application Security Statistics page.
Key statistics at a glance#
DevSecOps adoption & maturity#
Most organizations say they do DevSecOps now. Dig into the numbers, though, and you’ll find a gap between “we have a platform” and “we actually scan before we ship.”
Adoption rates#
- 56% of developers say their organization has adopted a DevSecOps platform — GitLab Global DevSecOps Report 2024
- 71% of AWS organizations use infrastructure-as-code through Terraform, CloudFormation, or Pulumi — Datadog State of DevSecOps 2024
- 55% of Google Cloud organizations use IaC, compared to 71% in AWS — Datadog State of DevSecOps 2024
- 38% of AWS organizations still deployed workloads manually through the console in production within a 14-day period — Datadog State of DevSecOps 2024
Maturity gaps#
- Only 30% of organizations consider themselves at a “mature” DevSecOps level — Checkmarx DevSecOps Evolution 2025
- 81% of organizations admit to knowingly shipping vulnerable code, and 38% say they do so specifically to meet business deadlines or feature requirements — Checkmarx DevSecOps Evolution 2025
- 67% of organizations report a shortage of cybersecurity staff — ISC2 Cybersecurity Workforce Study 2024
- 50% of organizations carry security debt (accumulated unfixed vulnerabilities), and 70% of that debt comes from third-party code — Veracode State of Software Security 2025
- 80% of application dependencies remain un-updated for over a year despite available fixes — Sonatype State of the Software Supply Chain 2024

Application security market#
Security tooling spending keeps climbing. Here’s where the money is going.
- The global application security market was valued at $8.86 billion in 2022 and is projected to reach $25.30 billion by 2030, a 14.3% CAGR — Fortune Business Insights
- The DevSecOps market alone was valued at $5.9 billion in 2024, projected to reach $24.2 billion by 2032 at a 19.4% CAGR — Fortune Business Insights
- 72% of global enterprises with 500+ employees have integrated SAST tools into their development pipelines — Grand View Research 2024
- Cloud-based SAST solutions now make up 54% of all installations — Grand View Research 2024
- SAST holds the largest revenue share in application security testing, followed by DAST and SCA — Grand View Research 2024
Shift-left security#
The idea is simple: find bugs before they reach production, when they’re cheaper to fix. The numbers back this up, but teams are still slow to patch what they find.
Cost multiplier#
- Fixing a vulnerability in later SDLC phases costs 6x to 15x more than fixing it during design, and the production multiplier can reach 30x or higher; the exact multipliers vary widely between studies, so treat them as order-of-magnitude guidance — NIST SSDP, IBM Systems Sciences Institute
- Organizations with high DevSecOps adoption saved nearly $1.7 million per breach compared to those without — IBM Cost of a Data Breach 2024
- Security AI and automation saved an average of $1.9 million per breach and shortened the breach lifecycle by 80 days in 2025 — IBM Cost of a Data Breach 2025
- Detection and escalation costs are now the largest component of breach costs, after rising steadily over recent years — IBM Cost of a Data Breach 2024
Adoption of early-stage testing#
- 63% of applications have first-party code flaws, and 70% have flaws from third-party libraries — Veracode State of Software Security 2024
- Vulnerability exploitation as an initial breach vector nearly tripled year-over-year, reaching 14% of all breaches — Verizon DBIR 2024
- It takes organizations 55 days to remediate 50% of their critical vulnerabilities once a patch is available — Verizon DBIR 2024
Software supply chain security#
Attackers figured out that poisoning a popular npm or PyPI package is easier than breaching individual companies. The numbers from 2024 are grim.
Malicious packages#
- 512,847 malicious packages were discovered in 2024, a 156% increase over the previous year — Sonatype State of the Software Supply Chain 2024
- Over 33,000 new vulnerabilities were disclosed in 2024 — JFrog Software Supply Chain Report 2025
- 64% of high- and critical-severity CVEs received low applicability ratings after JFrog’s contextual analysis, meaning the vulnerable code was unlikely to be exploitable in the scanned context — JFrog Software Supply Chain Report 2025
- 25,229 exposed secrets and tokens were detected in public package registries, up 64% year-over-year — JFrog Software Supply Chain Report 2025
Open-source risk#
- 97% of commercial codebases contain open-source components — Black Duck OSSRA 2025
- 81% of codebases contained at least one high- or critical-risk open-source vulnerability — Black Duck OSSRA 2025
- The average commercial codebase is 77% open-source by composition — Black Duck OSSRA 2025
- 80% of application dependencies remain un-updated for over a year — Sonatype State of the Software Supply Chain 2024
- Open-source repositories handled an estimated 6.6 trillion download requests in 2024 — Sonatype State of the Software Supply Chain 2024

Third-party breaches#
- Third-party involvement surged to 30% of all breaches, doubling from 15% the previous year — Verizon DBIR 2025
Vulnerability remediation#
Organizations find vulnerabilities faster than they fix them. That gap between discovery and remediation is where attackers operate.
Remediation timelines#
- Mean time to remediate internet-facing critical vulnerabilities: 35 days — Edgescan Vulnerability Statistics Report 2025
- Mean time to remediate internet-facing host/cloud critical vulnerabilities: 61 days — Edgescan Vulnerability Statistics Report 2025
- Median remediation time for third-party (SCA) vulnerabilities: 11 months — Veracode State of Software Security 2024
- It takes organizations 55 days to remediate 50% of their critical vulnerabilities once a patch is available — Verizon DBIR 2024
Security debt#
- 50% of organizations carry accumulated security debt — Veracode State of Software Security 2025
- 70% of that security debt originates from third-party library flaws, not first-party code — Veracode State of Software Security 2025
- Average time to fix security flaws has increased 47% since 2020 — Veracode State of Software Security 2025
- 45.4% of enterprise vulnerabilities remain unpatched after 12 months — Edgescan Vulnerability Statistics Report 2025

CI/CD pipeline security#
Faster delivery means faster exposure if security isn’t baked into the pipeline. Hardcoded secrets and missing scans in deployment stages are still common.
Pipeline scanning adoption#
- 72% of enterprises with 500+ employees have integrated SAST tools into development pipelines — Grand View Research 2024
- 54% of SAST deployments are now cloud-based — Grand View Research 2024
- SCA is the fastest-growing testing category, largely because of supply chain attacks — Grand View Research 2024
- Terraform is the most popular IaC technology across both AWS and Google Cloud — Datadog State of DevSecOps 2024
- 38% of AWS organizations still deployed workloads manually in production within a 14-day window — Datadog State of DevSecOps 2024
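The hardcoded-secrets problem mentioned above (and the exposed-secrets figure in the supply chain section) is cheap to catch before a commit leaves the developer's machine. The following is an added example written for this page, not code from any report or tool listed here: a small Python secret scanner that combines known token formats with a Shannon-entropy check on generic `password=` / `api_key=` assignments, so that placeholder values such as `changeme` are not reported. The sample file content is constructed; `AKIAIOSFODNN7EXAMPLE` is the example key ID from AWS documentation, the `ghp_` token is made up, and the `# secrets-scan:ignore` marker and the 3.5 bits-per-character threshold are assumptions.

```python
import math
import re
from collections import Counter
from typing import Dict, List

# Known token shapes (the prefixes and lengths are documented by their issuers).
SPECIFIC_PATTERNS = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("github-pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("private-key", re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")),
]
# Generic "<secret-like name> = '<value>'" assignment; the value is judged by entropy.
GENERIC_ASSIGNMENT = re.compile(
    r"(?i)(password|passwd|secret|api[_-]?key|token)\w*\s*[=:]\s*[\"']([^\"']{8,})[\"']")
ENTROPY_THRESHOLD = 3.5                 # bits per character (assumption)
IGNORE_MARKER = "secrets-scan:ignore"   # inline allowlist marker (assumption)

# Constructed sample file, not from any real project.
SAMPLE_LINES = [
    "# settings.py (constructed sample)",
    'DB_PASSWORD = "changeme"',
    'API_KEY = "Zq3vW8xKp2RtL9nYb7Hc4Jm6Dg1Fs5Ae"',
    'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',
    'GITHUB_TOKEN = "ghp_a1B2c3D4e5F6g7H8i9J0k1L2m3N4o5P6q7R8"',
    "-----BEGIN RSA PRIVATE KEY-----",
    "-----END RSA PRIVATE KEY-----",
    'TEST_TOKEN = "Zq3vW8xKp2RtL9nYb7Hc4Jm6Dg1Fs5Ae"  # secrets-scan:ignore',
]
SAMPLE = "\n".join(SAMPLE_LINES) + "\n"


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random base64/hex material scores high."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def redact(value: str) -> str:
    """Never echo the full candidate secret into CI logs."""
    return f"{value[:4]}...({len(value)} chars)"


def scan(text: str) -> List[Dict[str, object]]:
    """Return findings as {line, kind, hint}; specific patterns take precedence."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if IGNORE_MARKER in line:
            continue
        matched = False
        for kind, pattern in SPECIFIC_PATTERNS:
            m = pattern.search(line)
            if m:
                findings.append({"line": lineno, "kind": kind, "hint": redact(m.group(0))})
                matched = True
        if matched:
            continue
        m = GENERIC_ASSIGNMENT.search(line)
        if m and shannon_entropy(m.group(2)) >= ENTROPY_THRESHOLD:
            findings.append({"line": lineno, "kind": "generic-high-entropy",
                             "hint": redact(m.group(2))})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"line {f['line']}: {f['kind']} {f['hint']}")
```

Wired into a pre-commit hook or a CI job that runs over the diff, this reports the API key, the AWS key ID, the GitHub token and the PEM header, and stays quiet on `changeme` (2.75 bits per character) and on the explicitly ignored line. Specific patterns win over the generic rule so a token is never reported twice.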
Developer security#
There aren’t enough people who can write code and think about security at the same time. The workforce numbers tell the story.
Workforce gap#
- The global cybersecurity workforce reached 5.5 million professionals in 2024, up just 0.1 million from 2023 — ISC2 Cybersecurity Workforce Study 2024
- The workforce gap grew to 4.8 million unfilled positions, up from 4 million the previous year — ISC2 Cybersecurity Workforce Study 2024
- 67% of organizations report a shortage of cybersecurity staff — ISC2 Cybersecurity Workforce Study 2024
- Lack of budget replaced lack of qualified talent as the top-cited cause of staffing shortages for the first time — ISC2 Cybersecurity Workforce Study 2024
Developer time on security#
- 72% of developers spend more than 17 hours per week on security-related tasks — Checkmarx DevSecOps Evolution 2025
- 98% of organizations have suffered at least one breach from vulnerable application code — Checkmarx DevSecOps Evolution 2025
- 38% report shipping vulnerable code specifically to meet business deadlines or feature requirements — Checkmarx DevSecOps Evolution 2025
AI-assisted development risks#
- 25.7% of AI-generated code samples contained at least one confirmed vulnerability when tested without security-specific prompts — AppSec Santa AI Code Security Study 2026
- Injection-pattern weaknesses (SSRF, command injection, NoSQL injection, path traversal) accounted for roughly half of all vulnerabilities found in AI-generated code — AppSec Santa AI Code Security Study 2026
- The gap between the safest and least safe LLM was roughly 10 percentage points in vulnerability rate — AppSec Santa AI Code Security Study 2026
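Since SSRF tops the weakness ranking in the study cited above, here is what the pattern looks like and how it is hardened. This is an added example written for this page, not code from the study or from any model's output: the first function is the typical generated shape (open whatever URL the user supplied), the second is a validator that enforces an https-only host allowlist, rejects literal IP addresses, credentials and unexpected ports, and resolves the name once so the caller can pin the connection to a verified public address. `ALLOWED_HOSTS`, the fake resolver and its addresses are assumptions.

```python
import ipaddress
import socket
from typing import Callable, Tuple
from urllib.parse import urlparse
from urllib.request import urlopen

# Typical generated shape (the vulnerable pattern, CWE-918): the caller's URL is
# opened as-is, so http://169.254.169.254/ (cloud metadata) or
# http://127.0.0.1:6379/ (an internal Redis) are reachable. Defined for contrast,
# never called here.
def fetch_preview_vulnerable(url: str) -> bytes:
    with urlopen(url, timeout=5) as resp:
        return resp.read(4096)


ALLOWED_HOSTS = {"example.com", "cdn.example.com"}   # assumption: the app's own allowlist
ALLOWED_SCHEMES = {"https"}


def is_public_ip(ip_text: str) -> bool:
    """False for private, loopback, link-local (incl. 169.254.169.254), multicast, reserved."""
    ip = ipaddress.ip_address(ip_text)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_target(url: str,
                    resolver: Callable[[str], str] = socket.gethostbyname) -> Tuple[bool, str]:
    """Return (ok, detail). On success, detail is the resolved IP the caller must connect to."""
    parts = urlparse(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"
    try:
        port = parts.port
    except ValueError:
        return False, "invalid port"
    if port not in (None, 443):
        return False, f"port {port} not allowed"
    try:
        ipaddress.ip_address(host)
        return False, "literal IP address not allowed"   # names only: the allowlist is the policy
    except ValueError:
        pass
    if host.lower() not in ALLOWED_HOSTS:
        return False, f"host {host!r} not in allowlist"
    # Resolve once; the caller must connect to this address rather than re-resolve,
    # otherwise a DNS rebinding between check and use defeats the check.
    try:
        resolved = resolver(host)
    except OSError:
        return False, "DNS resolution failed"
    if not is_public_ip(resolved):
        return False, f"host resolves to non-public address {resolved}"
    return True, resolved


# Constructed resolver so the checks run offline; the addresses are made up.
def fake_resolver(host: str) -> str:
    table = {"example.com": "11.22.33.44", "cdn.example.com": "10.0.0.5"}
    if host not in table:
        raise socket.gaierror("not found")
    return table[host]


if __name__ == "__main__":
    for u in ("https://example.com/page", "https://cdn.example.com/x",
              "https://169.254.169.254/latest/meta-data/", "http://example.com/",
              "https://user:pw@example.com/", "https://attacker.example.net/"):
        print(u, "->", validate_target(u, resolver=fake_resolver))
```

Two design points matter more than the individual checks. A host allowlist is the control; blocklisting private ranges alone is bypassed by DNS names that resolve inward, which is why the resolved address is checked too and returned for the caller to pin. And the HTTP client must not follow redirects blindly, or a permitted host can bounce the request to an internal one; re-run the validator on every redirect target.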
Cost of insecurity#
Breaches keep getting more expensive. The one bright spot: organizations that invest in DevSecOps and automation spend significantly less when things go wrong.
Breach costs#
- Average global data breach cost fell to $4.44 million in 2025, down 9% from $4.88 million in 2024 — the first decline in five years — IBM Cost of a Data Breach 2025
- US breach costs reached a record high of $10.22 million, up 9% year-over-year — IBM Cost of a Data Breach 2025
- Extensive use of security AI and automation saved an average of $1.9 million per breach — IBM Cost of a Data Breach 2025
- Organizations with high DevSecOps maturity paid nearly $1.7 million less per breach than those without — the most recent IBM breakdown specifically by DevSecOps practice — IBM Cost of a Data Breach 2024
Breach timeline#
- The global average breach lifecycle dropped to 241 days in 2025, a 17-day reduction from 2024’s 258 days and the lowest level in nearly a decade — IBM Cost of a Data Breach 2025
- Organizations extensively using security AI and automation cut their breach lifecycle by an additional 80 days on average — IBM Cost of a Data Breach 2025
- 44% of confirmed breaches involved ransomware in 2025, up from 32% the previous year — Verizon DBIR 2025
- 88% of basic web application attacks involved stolen credentials — Verizon DBIR 2025
- The 2025 DBIR covered 22,000+ incidents and 12,195 confirmed breaches, its largest dataset yet — Verizon DBIR 2025

My own research#
I also run my own research. Here is what I found in February 2026.
AI-Generated Code Security Study#
I gave 6 LLMs 87 identical coding prompts and scanned the output with 5 SAST tools. 25.7% of the 522 generated code samples had confirmed vulnerabilities.
SSRF (CWE-918) was the most common weakness, and GPT-5.2 had the lowest vulnerability rate at 19.5%. Full study: AI-Generated Code Security Study 2026.
Security Headers Adoption Study#
I scanned the Tranco Top 10,000 websites and analyzed HTTP security headers from 7,510 valid responses. Only 27.3% deploy Content-Security-Policy, and 48.8% of those use unsafe-inline — undermining XSS protection. Full study: Security Headers Adoption Study 2026.
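The "unsafe-inline undermines XSS protection" finding can be checked mechanically against any header value. The following is an added example written for this page, not the study's own scanner: a Python CSP parser and audit that computes the effective script policy (script-src, falling back to default-src), reports 'unsafe-inline' only when no nonce or hash is present (CSP2+ browsers ignore it otherwise, so the common nonce-plus-unsafe-inline compatibility pattern is not a finding), and flags wildcard or bare-scheme sources, an unrestricted object-src and a missing base-uri. The two header values are constructed.

```python
from typing import Dict, List, Optional

INLINE_BYPASS_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")

# Constructed header values (not from any scanned site).
WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example.com"
STRICT_CSP = ("default-src 'none'; script-src 'nonce-d2lu5hKs' 'unsafe-inline' 'strict-dynamic'; "
              "object-src 'none'; base-uri 'none'")


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy value into {directive: [source expressions]}.
    Directive names are case-insensitive; a repeated directive is ignored, as browsers do."""
    policy: Dict[str, List[str]] = {}
    for raw in header.split(";"):
        tokens = raw.strip().split()
        if not tokens:
            continue
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def script_sources(policy: Dict[str, List[str]]) -> Optional[List[str]]:
    """script-src, falling back to default-src; None means scripts are unrestricted."""
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src")


def audit_csp(header: str) -> List[str]:
    """Return findings for the script policy; an empty list means nothing was flagged."""
    policy = parse_csp(header)
    issues: List[str] = []
    sources = script_sources(policy)
    if sources is None:
        issues.append("no script-src or default-src: scripts are unrestricted")
    else:
        lowered = [s.lower() for s in sources]
        has_nonce_or_hash = any(s.startswith(INLINE_BYPASS_PREFIXES) for s in lowered)
        # 'unsafe-inline' is ignored by CSP2+ browsers when a nonce or hash is present.
        if "'unsafe-inline'" in lowered and not has_nonce_or_hash:
            issues.append("script-src allows 'unsafe-inline' without a nonce or hash: "
                          "inline script injection is not blocked")
        if "'unsafe-eval'" in lowered:
            issues.append("script-src allows 'unsafe-eval'")
        if any(s in ("*", "http:", "https:", "data:") for s in lowered):
            issues.append("script-src allows a wildcard or bare scheme source: "
                          "any script origin is accepted")
    if "object-src" not in policy and "default-src" not in policy:
        issues.append("object-src unrestricted: add object-src 'none'")
    if "base-uri" not in policy:
        issues.append("base-uri not set: an injected <base> tag can redirect relative script URLs")
    return issues


if __name__ == "__main__":
    for label, header in (("weak", WEAK_CSP), ("strict", STRICT_CSP), ("empty", "")):
        print(label, audit_csp(header) or ["ok"])
```

Feed each host's `Content-Security-Policy` response header to `audit_csp`; a `Content-Security-Policy-Report-Only` header is not enforced and should not count as deployed CSP. The weak sample yields two findings (unsafe-inline, missing base-uri), the strict sample none, and an empty header three.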
State of Open Source AppSec Tools#
I analyzed GitHub data for 65 open-source security tools across 8 categories. Combined they hold 608,000+ stars, but the median health score is just 58 out of 100.
Four tools are flagged as at-risk. Full study: State of Open Source AppSec Tools 2026.
Sources & methodology#
Every number on this page links to a published report or to my own research. If I cannot verify it, I do not include it.
Industry reports cited:
- IBM Cost of a Data Breach Report 2025 — latest IBM/Ponemon study covering 600+ breached organizations across 17 industries and 16 countries (the 2024 edition is cited for the DevSecOps-maturity breakdown, which the 2025 edition no longer publishes)
- Verizon Data Breach Investigations Report 2025 — 22,000+ incidents, 12,195 confirmed breaches
- Verizon Data Breach Investigations Report 2024 — 30,000+ incidents, 10,000+ confirmed breaches
- Sonatype State of the Software Supply Chain 2024 — Open-source ecosystem analysis, malicious package tracking
- Black Duck (Synopsys) OSSRA Report 2025 — Audit results from 1,000+ commercial codebases
- Veracode State of Software Security 2024/2025 — Analysis of application security scan results across customers
- ISC2 Cybersecurity Workforce Study 2024 — Global survey of cybersecurity professionals
- Datadog State of DevSecOps 2024 — Cloud deployment and security analysis across Datadog customers
- GitLab Global DevSecOps Report 2024 — Developer survey on DevSecOps practices
- Edgescan Vulnerability Statistics Report 2025 — Vulnerability remediation timing analysis
- JFrog Software Supply Chain Report 2025 — CVE analysis and software supply chain findings
- Checkmarx DevSecOps Evolution 2025 — Survey of 1,500 development and security professionals
- Fortune Business Insights — Application security and DevSecOps market sizing
- Grand View Research — Security testing market analysis
Original research (AppSec Santa, February 2026):
- AI-Generated Code Security Study 2026 — 522 code samples, 6 LLMs, 5 SAST tools
- Security Headers Adoption Study 2026 — 7,510 websites scanned for 10 security headers
- State of Open Source AppSec Tools 2026 — GitHub data for 65 tools across 8 categories
