DevSecOps in Flux: Black Duck Report Warns That AI Speed Is Outrunning Software Security
- Cyber Jill
The 2025 Global State of DevSecOps report from Black Duck Software offers a sobering reality check for anyone betting that AI-driven development will make security simpler. Instead, it reveals that while code is being deployed faster than ever, application security is struggling to keep pace—burdened by manual processes, tool overload, and a growing tension between innovation and risk.
According to the report, nearly 60% of organizations now push new code to production daily or even more frequently. Yet 46% still depend on manual steps to move code into security testing pipelines. This operational lag is fueling what experts call “security debt”—the widening gap between rapid development and slow, inconsistent security coverage.
A Perfect Storm: Tool Sprawl and False Positives
Black Duck’s survey of over 1,000 global software and security professionals highlights one of the most persistent pain points in modern DevSecOps: alert fatigue. A staggering 71% of respondents said their teams are inundated with false positives and duplicate alerts from overlapping tools. The result is a paradox—more tools and dashboards, but less actionable security.
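The duplicate-alert problem described above is mostly a normalization problem: two scanners report the same weakness under different rule ids, with slightly different path spellings, and each run re-reports what the previous run already found. The following Python script is an added illustration of one way to consolidate such output before it reaches a developer; it is not code from Black Duck, the report, or any tool it surveys. The two tool names (`sast-a`, `sast-b`), their rule ids, and the sample findings are all constructed; the CWE numbers are real CWE identifiers used only as a shared category key.

```python
"""Consolidate findings from overlapping security scanners into one de-duplicated list.

Added example, not from the Black Duck report. Tool names, rule ids and the
SAMPLE_FINDINGS list below are constructed for illustration.
"""
import posixpath
from dataclasses import dataclass, field

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Map tool-specific rule ids onto a shared weakness category (CWE) so that two
# tools reporting the same bug under different names collapse into one finding.
# Tool names and rule ids are hypothetical; the CWE ids are real CWE numbers.
RULE_TO_CWE = {
    "sast-a:sqli-001": "CWE-89",
    "sast-b:SQL_INJECTION": "CWE-89",
    "sast-a:xss-004": "CWE-79",
    "sast-b:XSS": "CWE-79",
}


@dataclass
class Finding:
    """One raw alert as emitted by a single scanner."""
    tool: str
    rule_id: str
    path: str
    line: int
    severity: str


@dataclass
class Consolidated:
    """One de-duplicated finding, with every tool that reported it."""
    category: str
    path: str
    line: int
    severity: str
    tools: list = field(default_factory=list)


def fingerprint(f: Finding) -> tuple:
    """Stable identity for a finding: (shared category, normalized path, line).

    Unmapped rules fall back to "tool:rule_id" so they are still de-duplicated
    across repeated runs of the same tool, just not across tools.
    """
    category = RULE_TO_CWE.get(f"{f.tool}:{f.rule_id}", f"{f.tool}:{f.rule_id}")
    # normpath turns "./src/db.py" into "src/db.py" so path spelling differences
    # between tools do not produce separate alerts.
    return (category, posixpath.normpath(f.path), f.line)


def consolidate(findings) -> list:
    """Merge raw findings by fingerprint, keeping the highest reported severity
    and the set of tools that agree on the finding. Sorted most severe first."""
    merged: dict = {}
    for f in findings:
        key = fingerprint(f)
        entry = merged.get(key)
        if entry is None:
            merged[key] = Consolidated(key[0], key[1], key[2], f.severity, [f.tool])
            continue
        if f.tool not in entry.tools:
            entry.tools.append(f.tool)
        if SEVERITY_RANK[f.severity] > SEVERITY_RANK[entry.severity]:
            entry.severity = f.severity
    return sorted(
        merged.values(),
        key=lambda c: (-SEVERITY_RANK[c.severity], c.path, c.line),
    )


# Constructed sample: six raw alerts from two hypothetical scanners, including a
# re-run duplicate and one rule with no shared category mapping.
SAMPLE_FINDINGS = [
    Finding("sast-a", "sqli-001", "./src/db.py", 42, "high"),
    Finding("sast-b", "SQL_INJECTION", "src/db.py", 42, "critical"),
    Finding("sast-a", "sqli-001", "src/db.py", 42, "high"),  # same tool, second run
    Finding("sast-a", "xss-004", "src/views.py", 10, "medium"),
    Finding("sast-b", "XSS", "./src/views.py", 10, "medium"),
    Finding("sast-b", "HARDCODED_SECRET", "config.py", 3, "high"),  # unmapped rule
]


def run_sample() -> list:
    """Consolidate the constructed sample; six raw alerts become three findings."""
    return consolidate(SAMPLE_FINDINGS)


if __name__ == "__main__":
    for c in run_sample():
        print(f"{c.severity:<8} {c.category:<24} {c.path}:{c.line}  reported by {', '.join(c.tools)}")
```

In this sample the six raw alerts reduce to three actionable findings, and the two findings that both tools agree on carry that agreement in their `tools` list, which is a useful triage signal in itself. Real deployments usually also need a line tolerance (a finding that moves by a few lines after an unrelated edit should not re-open as new) and a suppression list reviewed by the application owners; both are omitted here to keep the merge logic visible.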
“The findings paint a clear picture: the old ways of doing application security aren't working, and speed without integrated security creates risk for companies,” said Jason Schmitt, CEO of Black Duck. “To navigate this new world, development teams must shift from a reactive, tool-centric model to a proactive, platform-based strategy that integrates security directly into developer workflows to achieve true scale application security.”
AI’s Dual Nature: Amplifier and Attack Surface
Perhaps the most revealing data point is the industry’s conflicted relationship with AI. While 63% of respondents believe AI helps developers write more secure code, 57% admit that it also introduces new types of risk. From opaque model behavior to data leakage and dependency confusion, AI-generated code is forcing organizations to rethink what “secure development” even means.
“This report nails the core dilemma facing modern DevSecOps: the tradeoff between velocity and visibility,” said Mayur Upadhyaya, CEO of APIContext. “We’re seeing a shift away from adding more tools toward simplifying and integrating the ones teams already have. The standout finding for me is the demand for workflow-native security, making risk insight available at the point of decision, not in post-mortem dashboards. As AI becomes both a productivity multiplier and an attack vector, governance must evolve, but so must observability.”
The Integration Imperative
Twenty-seven percent of respondents ranked “better development workflow integration” as their top security priority—a statistic that underscores the evolution of DevSecOps from a testing phase to a continuous process. Teams want security controls that are embedded directly into development environments, offering real-time visibility without derailing productivity.
The report’s overall message is clear: the DevSecOps of 2025 can’t survive on manual processes or fragmented tools. As AI accelerates both development and risk, organizations need to consolidate and automate their security stack—building guardrails that move as fast as their code.
Black Duck’s findings reflect a maturing industry caught between two speeds: the breakneck pace of AI-assisted innovation and the slow grind of security adaptation. The winners won’t be those who build faster, but those who secure smarter.