DevSecOps is the practice of integrating security testing into every phase of the software development lifecycle, from code commits and CI/CD pipelines through to production monitoring. Rather than treating security as a gate at the end, DevSecOps teams automate vulnerability scanning, dependency checks, and infrastructure-as-code validation directly in their workflows.
We pulled numbers from 14 industry reports (IBM, Verizon, Sonatype, Checkmarx, and others) published in 2024 and 2025, then added data from three studies we ran ourselves in February 2026. Every statistic links to its source. For broader application security data from our original research, see our Application Security Statistics page.
Key statistics at a glance
DevSecOps adoption & maturity
Most organizations say they do DevSecOps now. Dig into the numbers, though, and you’ll find a gap between “we have a platform” and “we actually scan before we ship.”
Adoption rates
- 56% of developers say their organization has adopted a DevSecOps platform — GitLab Global DevSecOps Report 2024
- 71% of AWS organizations use infrastructure-as-code through Terraform, CloudFormation, or Pulumi — Datadog State of DevSecOps 2024
- 55% of Google Cloud organizations use IaC, compared to 71% in AWS — Datadog State of DevSecOps 2024
- 38% of AWS organizations still deployed workloads manually through the console in production within a 14-day period — Datadog State of DevSecOps 2024
Maturity gaps
- Only 30% of organizations consider themselves at a “mature” DevSecOps level — Checkmarx DevSecOps Evolution 2025
- 81% of organizations admit to knowingly shipping vulnerable code under deadline pressure — Checkmarx DevSecOps Evolution 2025
- 67% of organizations report a shortage of cybersecurity staff — ISC2 Cybersecurity Workforce Study 2024
- 50% of organizations carry security debt (accumulated unfixed vulnerabilities), and 70% of that debt comes from third-party code — Veracode State of Software Security 2025
- 80% of application dependencies remain un-updated for over a year despite available fixes — Sonatype State of the Software Supply Chain 2024
Application security market
Security tooling spending keeps climbing. Here’s where the money is going.
- Global application security market was valued at $8.86 billion in 2022, projected to reach $25.30 billion by 2030 at a 14.3% CAGR — Fortune Business Insights
- The DevSecOps market alone was valued at $5.9 billion in 2024, projected to reach $24.2 billion by 2032 at a 19.4% CAGR — Fortune Business Insights
- 72% of global enterprises with 500+ employees have integrated SAST tools into their development pipelines — Grand View Research 2024
- Cloud-based SAST solutions now make up 54% of all installations — Grand View Research 2024
- SAST holds the largest revenue share in application security testing, followed by DAST and SCA — Grand View Research 2024
Shift-left security
The idea is simple: find bugs before they reach production, when they’re cheaper to fix. The numbers back this up, but teams are still slow to patch what they find.
Cost multiplier
- Fixing a vulnerability in production costs 6x to 15x more than fixing it during design or coding — NIST SSDP, IBM Systems Sciences Institute
- Organizations with high DevSecOps adoption saved nearly $1.7 million per breach compared to those without — IBM Cost of a Data Breach 2024
- Detection and escalation costs jumped 42% over three years and are now the largest portion of breach costs — IBM Cost of a Data Breach 2024
Adoption of early-stage testing
- 63% of applications have first-party code flaws, and 70% have flaws from third-party libraries — Veracode State of Software Security 2024
- Vulnerability exploitation as an initial breach vector nearly tripled year-over-year, reaching 14% of all breaches — Verizon DBIR 2024
- Organizations take a median of 55 days to patch just 50% of critical vulnerabilities after patches become available — Verizon DBIR 2024
Software supply chain security
Attackers figured out that poisoning a popular npm or PyPI package is easier than breaching individual companies. The numbers from 2024 are grim.
Malicious packages
- 512,847 malicious packages were discovered in 2024, a 156% increase over the previous year — Sonatype State of the Software Supply Chain 2024
- Over 33,000 new vulnerabilities were disclosed in 2024 — JFrog Software Supply Chain Report 2025
- 64% of high- and critical-severity CVEs had low applicability ratings after JFrog’s contextual analysis — JFrog Software Supply Chain Report 2025
- 25,229 exposed secrets and tokens were detected in public package registries, up 64% year-over-year — JFrog Software Supply Chain Report 2025
Open-source risk
- 97% of commercial codebases contain open-source components — Black Duck OSSRA 2025
- 81% of codebases contained at least one high- or critical-risk open-source vulnerability — Black Duck OSSRA 2025
- The average commercial codebase is 77% open-source by composition — Black Duck OSSRA 2025
- 80% of application dependencies remain un-updated for over a year — Sonatype State of the Software Supply Chain 2024
- Open-source repositories handled an estimated 6.6 trillion download requests in 2024 — Sonatype State of the Software Supply Chain 2024
Third-party breaches
- Third-party involvement surged to 30% of all breaches, doubling from 15% the previous year — Verizon DBIR 2025
Vulnerability remediation
Organizations find vulnerabilities faster than they fix them. That gap between discovery and remediation is where attackers operate.
Remediation timelines
- Mean time to remediate internet-facing critical vulnerabilities: 35 days — Edgescan Vulnerability Statistics Report 2025
- Mean time to remediate internet-facing host/cloud critical vulnerabilities: 61 days — Edgescan Vulnerability Statistics Report 2025
- Median remediation time for third-party (SCA) vulnerabilities: 11 months — Veracode State of Software Security 2024
- Organizations take 55 days to patch just 50% of their critical vulnerabilities — Verizon DBIR 2024
Security debt
- 50% of organizations carry accumulated security debt — Veracode State of Software Security 2025
- 70% of that security debt originates from third-party library flaws, not first-party code — Veracode State of Software Security 2025
- Average time to fix security flaws has increased 47% since 2020 — Veracode State of Software Security 2025
- 45.4% of enterprise vulnerabilities remain unpatched after 12 months — Edgescan Vulnerability Statistics Report 2025
CI/CD pipeline security
Faster delivery means faster exposure if security isn’t baked into the pipeline. Hardcoded secrets and missing scans in deployment stages are still common.
Pipeline scanning adoption
- 72% of enterprises with 500+ employees have integrated SAST tools into development pipelines — Grand View Research 2024
- 54% of SAST deployments are now cloud-based — Grand View Research 2024
- SCA is the fastest-growing testing category, largely because of supply chain attacks — Grand View Research 2024
- Terraform is the most popular IaC technology across both AWS and Google Cloud — Datadog State of DevSecOps 2024
- 38% of AWS organizations still deployed workloads manually in production within a 14-day window — Datadog State of DevSecOps 2024
Developer security
There aren’t enough people who can write code and think about security at the same time. The workforce numbers tell the story.
Workforce gap
- The global cybersecurity workforce reached 5.5 million professionals in 2024, up just 0.1 million from 2023 — ISC2 Cybersecurity Workforce Study 2024
- The workforce gap grew to 4.8 million unfilled positions, up from 4 million the previous year — ISC2 Cybersecurity Workforce Study 2024
- 67% of organizations report a shortage of cybersecurity staff — ISC2 Cybersecurity Workforce Study 2024
- Lack of budget replaced lack of qualified talent as the top-cited cause of staffing shortages for the first time — ISC2 Cybersecurity Workforce Study 2024
Developer time on security
- 72% of developers spend more than 17 hours per week on security-related tasks — Checkmarx DevSecOps Evolution 2025
- 98% of organizations have suffered at least one breach from vulnerable application code — Checkmarx DevSecOps Evolution 2025
- 38% report shipping vulnerable code specifically to meet business deadlines or feature requirements — Checkmarx DevSecOps Evolution 2025
AI-assisted development risks
- 25.1% of AI-generated code samples contained at least one confirmed vulnerability when tested without security-specific prompts — AppSec Santa AI Code Security Study 2026
- Injection-class weaknesses (SSRF, command injection, NoSQL injection, path traversal) accounted for 33.1% of all vulnerabilities found in AI-generated code — AppSec Santa AI Code Security Study 2026
- The gap between the safest and least safe LLM was 10.1 percentage points in vulnerability rate — AppSec Santa AI Code Security Study 2026
Cost of insecurity
Breaches keep getting more expensive. The one bright spot: organizations that invest in DevSecOps and automation spend significantly less when things go wrong.
Breach costs
- Average global data breach cost: $4.88 million in 2024, up 10% from $4.45 million the previous year — IBM Cost of a Data Breach 2024
- Organizations with high DevSecOps adoption had breach costs nearly $1.7 million lower than those with low or no DevSecOps — IBM Cost of a Data Breach 2024
- Extensive use of AI and automation in security saved an average of $2.2 million in breach costs — IBM Cost of a Data Breach 2024
Breach timeline
- Organizations with AI and automation had a breach lifecycle 108 days shorter than those without (214 days vs. 322 days) — IBM Cost of a Data Breach 2024
- 44% of confirmed breaches involved ransomware in 2025, up from 32% the previous year — Verizon DBIR 2025
- 88% of basic web application attacks involved stolen credentials — Verizon DBIR 2025
- The 2025 DBIR covered 22,000+ incidents and 12,195 confirmed breaches, its largest dataset yet — Verizon DBIR 2025
AppSec Santa’s own research
We don’t just cite other people’s reports. Here’s what we found in our own February 2026 research.
AI-Generated Code Security Study
We gave 6 LLMs 89 identical coding prompts and scanned the output with 5 SAST tools. 25.1% of the 534 generated code samples had confirmed vulnerabilities. SSRF (CWE-918) was the most common weakness. GPT-5.2 had the lowest vulnerability rate at 19.1%. Full study: AI-Generated Code Security Study 2026.
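Since SSRF (CWE-918) was the most common weakness in the generated samples, here is the kind of outbound-URL check that closes it. This is an added example, not code from the study or from any tool it used: it accepts only http/https, rejects embedded credentials, resolves the host, and refuses any address that is not publicly routable (loopback, link-local, private, or reserved ranges). The hostnames, addresses and the offline resolver table are constructed for the example; `validate_outbound_url`, `make_fake_resolver` and `system_resolver` are names chosen here.

```python
"""Outbound-URL validation against SSRF (CWE-918).

Added example, not part of the AppSec Santa study or any project cited on this
page. A resolver callback is injected so the check runs offline against a
constructed DNS table; in production the default resolver uses the system's DNS.
"""
from __future__ import annotations

import ipaddress
import socket
from typing import Callable, Iterable
from urllib.parse import urlsplit

Resolver = Callable[[str], Iterable[str]]
ALLOWED_SCHEMES = {"http", "https"}


def system_resolver(host: str) -> list[str]:
    """Resolve a hostname to every A/AAAA address the system DNS returns."""
    return sorted({info[4][0].split("%")[0] for info in socket.getaddrinfo(host, None)})


def make_fake_resolver(table: dict[str, list[str]]) -> Resolver:
    """Offline stand-in for DNS (constructed data); literal IPs resolve to themselves."""
    def resolve(host: str) -> list[str]:
        try:
            return [str(ipaddress.ip_address(host))]
        except ValueError:
            pass
        if host not in table:
            raise socket.gaierror(f"constructed resolver has no entry for {host}")
        return table[host]
    return resolve


def validate_outbound_url(url: str, resolve: Resolver = system_resolver) -> tuple[bool, str]:
    """Return (allowed, reason). Every resolved address must be globally routable,
    so a name that maps to both a public and an internal address is rejected."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"
    try:
        addrs = [ipaddress.ip_address(a) for a in resolve(host)]
    except (socket.gaierror, ValueError) as exc:
        return False, f"cannot resolve {host}: {exc}"
    if not addrs:
        return False, f"{host} resolved to no addresses"
    for addr in addrs:
        # is_global is False for loopback, link-local (incl. 169.254.169.254),
        # RFC 1918 private space, documentation/test ranges and other reserved blocks.
        if not addr.is_global:
            return False, f"{host} resolves to non-public address {addr}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed table; 1.1.1.1 stands in for any public address.
    demo = make_fake_resolver({
        "api.partner.example": ["1.1.1.1"],
        "internal.corp.example": ["10.0.0.5"],
        "meta.example": ["169.254.169.254"],
    })
    for candidate in ("https://api.partner.example/v1", "http://internal.corp.example/",
                      "http://meta.example/latest/", "http://127.0.0.1:8080/", "file:///etc/passwd"):
        print(candidate, validate_outbound_url(candidate, demo))
```

The check validates the addresses a name resolves to, not just the literal text of the URL, which is what defeats decimal or hex-encoded IP literals and hostnames pointing at internal space. It does not by itself defend against DNS rebinding between validation and connection; for that, the HTTP client should connect to the validated addresses directly or re-run the check on the address it actually connects to.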
Security Headers Adoption Study
We scanned the Tranco Top 10,000 websites and analyzed HTTP security headers from 7,510 valid responses. Only 27.3% deploy Content-Security-Policy, and 48.8% of those use unsafe-inline — undermining XSS protection. Full study: Security Headers Adoption Study 2026.
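The unsafe-inline figure above is the kind of finding a CSP parser produces once it knows which directive governs script execution. What follows is an added example, not the scanner used in the study: it parses a Content-Security-Policy header, determines whether script-src or its default-src fallback applies, and flags 'unsafe-inline' only when no nonce or hash is present (modern browsers ignore 'unsafe-inline' once a nonce or hash is set). The four response header sets are constructed; `assess_csp`, `parse_csp` and `summarize` are names chosen here.

```python
"""Detect CSP configurations that undermine XSS protection.

Added example, not code from the AppSec Santa Security Headers study. The sample
responses below are constructed, not data from the scan.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# script-src governs script execution; default-src is the fallback when it is absent.
SCRIPT_DIRECTIVES = ("script-src", "default-src")
NONCE_HASH_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(policy: str) -> dict[str, list[str]]:
    """Split a CSP string into {directive: [source expressions]}.
    Directive names are case-insensitive; the first occurrence of a directive wins."""
    directives: dict[str, list[str]] = {}
    for raw in policy.split(";"):
        parts = raw.strip().split()
        if parts:
            directives.setdefault(parts[0].lower(), parts[1:])
    return directives


@dataclass
class CspAssessment:
    present: bool
    governing: str | None = None      # directive that controls script execution
    unsafe_inline: bool = False       # True when inline scripts are effectively allowed
    findings: list[str] = field(default_factory=list)


def assess_csp(headers: dict[str, str]) -> CspAssessment:
    """Evaluate the script-execution posture of one response's headers."""
    header = next((v for k, v in headers.items()
                   if k.lower() == "content-security-policy"), None)
    if header is None:
        return CspAssessment(present=False, findings=["no Content-Security-Policy header"])

    directives = parse_csp(header)
    governing = next((d for d in SCRIPT_DIRECTIVES if d in directives), None)
    result = CspAssessment(present=True, governing=governing)
    if governing is None:
        result.findings.append("neither script-src nor default-src set: scripts unrestricted")
        return result

    # Lower-casing is safe here: only keyword equality and nonce/hash prefixes are checked.
    sources = [s.lower() for s in directives[governing]]
    has_nonce_or_hash = any(s.startswith(NONCE_HASH_PREFIXES) for s in sources)
    if "'unsafe-inline'" in sources:
        if has_nonce_or_hash:
            # CSP Level 2+ browsers ignore 'unsafe-inline' once a nonce or hash is
            # present; it then only serves as a fallback for very old browsers.
            result.findings.append(f"{governing}: 'unsafe-inline' present but overridden by nonce/hash")
        else:
            result.unsafe_inline = True
            result.findings.append(f"{governing}: 'unsafe-inline' without nonce or hash, inline injection not blocked")
    if "*" in sources:
        result.findings.append(f"{governing}: wildcard source allows scripts from any origin")
    if "'unsafe-eval'" in sources:
        result.findings.append(f"{governing}: 'unsafe-eval' allows string-to-code execution")
    return result


# Constructed sample of four responses (not data from the study).
SAMPLE_RESPONSES = {
    "a.example": {"Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'"},
    "b.example": {"content-security-policy": "default-src 'self'; script-src 'nonce-c0nstructed' 'unsafe-inline'"},
    "c.example": {"Content-Type": "text/html"},
    "d.example": {"Content-Security-Policy": "default-src 'none'; script-src 'self'"},
}


def summarize(responses: dict[str, dict[str, str]]) -> dict[str, float]:
    """Aggregate the two figures the study reports: share of hosts with a CSP and,
    among those, the share whose script policy relies on 'unsafe-inline'."""
    results = [assess_csp(h) for h in responses.values()]
    with_csp = [r for r in results if r.present]
    unsafe = [r for r in with_csp if r.unsafe_inline]
    return {
        "hosts": len(results),
        "with_csp": len(with_csp),
        "unsafe_inline": len(unsafe),
        "pct_with_csp": round(100 * len(with_csp) / len(results), 1) if results else 0.0,
        "pct_unsafe_of_csp": round(100 * len(unsafe) / len(with_csp), 1) if with_csp else 0.0,
    }


if __name__ == "__main__":
    for host, hdrs in SAMPLE_RESPONSES.items():
        print(host, assess_csp(hdrs).findings)
    print(summarize(SAMPLE_RESPONSES))
```

Note the b.example case: a policy that lists both a nonce and 'unsafe-inline' is not counted as unsafe, because the nonce takes precedence in any CSP Level 2 or later browser. A scanner that counts raw occurrences of the string 'unsafe-inline' would overstate the problem.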
State of Open Source AppSec Tools
We analyzed GitHub data for 65 open-source security tools across 8 categories. Combined they hold 608,000+ stars, but the median health score is just 58 out of 100. Four tools are flagged as at-risk. Full study: State of Open Source AppSec Tools 2026.
Sources & methodology
Every number on this page links to a published report or to our own research. If we can’t verify it, we don’t include it.
Industry reports cited:
- IBM Cost of a Data Breach Report 2024 — 604 organizations across 17 industries and 16 countries
- Verizon Data Breach Investigations Report 2025 — 22,000+ incidents, 12,195 confirmed breaches
- Verizon Data Breach Investigations Report 2024 — 30,000+ incidents, 10,000+ confirmed breaches
- Sonatype State of the Software Supply Chain 2024 — Open-source ecosystem analysis, malicious package tracking
- Black Duck (Synopsys) OSSRA Report 2025 — Audit results from 1,000+ commercial codebases
- Veracode State of Software Security 2024/2025 — Analysis of application security scan results across customers
- ISC2 Cybersecurity Workforce Study 2024 — Global survey of cybersecurity professionals
- Datadog State of DevSecOps 2024 — Cloud deployment and security analysis across Datadog customers
- GitLab Global DevSecOps Report 2024 — Developer survey on DevSecOps practices
- Edgescan Vulnerability Statistics Report 2025 — Vulnerability remediation timing analysis
- JFrog Software Supply Chain Report 2025 — CVE analysis and software supply chain findings
- Checkmarx DevSecOps Evolution 2025 — Survey of 1,500 development and security professionals
- Fortune Business Insights — Application security and DevSecOps market sizing
- Grand View Research — Security testing market analysis
Original research (AppSec Santa, February 2026):
- AI-Generated Code Security Study 2026 — 534 code samples, 6 LLMs, 5 SAST tools
- Security Headers Adoption Study 2026 — 7,510 websites scanned for 10 security headers
- State of Open Source AppSec Tools 2026 — GitHub data for 65 tools across 8 categories
