Application Security Strategy 2026: AI, DevSecOps and Platform Consolidation

18 September 2025 - ID G00835784 - 14 min read
By Dionisio Zumerle
Application security maturity remains low despite its critical role in data breaches. AI, developer experience in DevSecOps and tool convergence present opportunities to strengthen application security programs. This research provides insights and actionable steps for cybersecurity leaders to boost maturity and streamline workflows.

Overview


Key Findings

  • Generative AI’s (GenAI) dual impact: GenAI in coding assistants increases development speed but also introduces security vulnerabilities. However, AI code security assistants are emerging to help fix these vulnerabilities and improve security.
  • Developer experience is key to DevSecOps: As developers take on more hands-on security tasks like testing and mitigation, they are becoming overwhelmed, making the developer experience critical for streamlining DevSecOps programs.
  • Convergence of application security tools: The market is seeing a trend toward convergence, where application security testing (AST), application security posture management (ASPM) and software supply chain security are merging into platforms, offering better integrated solutions.

Recommendations

  • Govern AI-augmented development and implement AI-generated code remediation: Discover where GenAI is being used for development in your organization. Only resort to blocking access for very sensitive projects. Allow experimentation with AI-augmented software development and also enable AI-assisted remediation tools to help developers fix vulnerabilities faster, improving the mean time to remediate.
  • Improve developer experience for vulnerability management: Reduce friction with developers by implementing ASPM principles, focusing on prioritization and workflow automation of vulnerability remediation.
  • Plan for platform convergence: Inventory your existing application security tools and identify strategic vendors or platforms, including potential convergence with cloud security capabilities, around which you can build your future consolidated application security program.

Strategic Planning Assumptions


By 2027, at least 30% of application security exposures will result from usage of vibe coding practices.
Through 2029, over 50% of successful cybersecurity attacks against AI agents will exploit access control issues, using direct or indirect prompt injection as an attack vector.

Introduction


This document was revised on 23 September 2025. For more information, see the Corrections page on gartner.com.
Application security needs to mature.
According to more than 3000 organizations that have completed Gartner’s IT Score for Security and Risk Management, application security is considered an important functional activity. However, 43% of these organizations remain at the lowest maturity level (level 1), with an average score of just 2.2, which is the lowest across all functional activities (see Figure 1).1 Despite almost two-thirds of software engineering leaders considering application security to be highly important for delivering software that meets business needs, many organizations struggle to elevate their application security program maturity.2
Figure 1: Discipline in the Cybersecurity Space
Securing applications is rated as highly important but is the least mature discipline. Securing networks and endpoints show higher maturity, while recruiting talent and organizing structure are less important and have moderate maturity.
This research examines the outlook for application security strategy in 2026, focusing on three main trends that are significantly reshaping the discipline and offering opportunities for strategic improvement:
  • GenAI’s dual impact on development speed and security vulnerabilities
  • The critical role of developer experience in fostering effective DevSecOps adoption
  • The trend toward the convergence of application security tools into more integrated platforms
Cybersecurity leaders can advance their application security programs by recognizing these main forces shaping application security and acting upon them.

Analysis


Govern AI-Augmented Development and Implement AI-Generated Code Remediation

GenAI is reshaping application development, enabling much faster development and presenting new risks. Most engineering leaders (65%) responding to the Gartner Software Engineering Survey for 2025 report that up to half of their software development teams are already employing AI tools to augment workflows,with more expected to adopt not only AI coding assistants but true vibe coding in the near future (see Why Vibe Coding Needs to Be Taken Seriously).2 These tools leverage language models to help developers code faster with minimal effort.
The adoption of AI-augmented software development introduces significant security concerns: 76% of organizations that choose to ban AI-assisted coding do so out of fear of introducing vulnerabilities.4 This concern is reasonable considering the training data for these tools is likely to be vulnerable and, therefore, so would be the output.6 After all, 97% of codebases contain open-source components and 81% of these contain high severity security vulnerabilities (also see How to Secure Software Development in the AI-Driven Era). However, the new AI-assisted and vibe coding tools themselves also present potential exposures and unforeseen behaviors that can lead to security issues.7
While it may not be advisable to experiment with AI-augmented coding on critical applications, cybersecurity leaders should allow the developer population to experiment with AI-augmented software development selectively on less sensitive applications — for example, internal or experimental projects or limited to certain advanced teams of developers. Establishing an AI-generated code security policy and process is key.
In addition to new security concerns, AI-assisted coding exacerbates the problems that come with DevSecOps. AI-augmented coding allows developers to produce more code, faster. The issues that GenAI introduces in that sense can be alleviated with the same GenAI technology: AI code security assistants (ACSAs) act as virtual security champions by providing explanations and guidance about vulnerabilities, and by proposing code remediations. Thirty-percent of organizations using AI have reported improvements in code security.2 These tools can significantly speed up the mean time to remediate (MTTR) vulnerabilities.5 Examples include Checkmarx Developer Assist Agent, GitHub Copilot AutoFix, Mobb, Qwiet AI and Veracode Fix, among others (see AI code security assistants in the Hype Cycle for Application Security, 2025). ACSAs can come as a stand-alone tool, or as a static application security testing (SAST) or software composition analysis (SCA) add-on (see Innovation Insight for AI Code Assistants).
Gartner is observing clients that decide to include ACSAs in their AST renewals (typically after a first-year trial), recognizing both its potential and the fact it still has room to mature. For now, we advise to err on the side of caution and maintain a human in the loop for code remediation suggestions from ACSAs.

Optimize Developer Experience and Streamline DevSecOps Workflows

Fifty-five percent of the engineering leaders in the Gartner Software Engineering Survey for 2024 reported that their software engineering organizations are using code inspections or reviews to improve software quality.3 Application security engineers are mainly responsible for defining the rules and thresholds that need to be applied throughout the development life cycle (see the Sample Job Description for AppSec Engineer [Word download] from the Cybersecurity Job Descriptions Library). As a result of this shift, developers become overwhelmed by the added workload, leading to friction with security teams.
Developer experience is fundamental to streamlining DevSecOps. Application security posture management (ASPM) principles are the key.
There are three main things that ASPM provides to enhance the developer experience: vulnerability prioritization, workflow orchestration and application visibility.
Vulnerability prioritization is a process that integrates several techniques to effectively identify and address the most critical security risks. It involves reachability analysis to determine whether vulnerable third-party libraries are actually used in the code, helping to distinguish between essential and less urgent fixes. The process also includes deduplication of findings from multiple security scanners to minimize noise, and considers whether vulnerabilities are actively being exploited in the wild. Additionally, the criticality of the application — such as whether it is externally facing or vital to business operations — is assessed, alongside the severity of vulnerabilities as indicated by their common vulnerability scoring system (CVSS) scores. Finally, correlating findings from different scanners for the same application further enhances the accuracy of vulnerability assessment and prioritization.

By applying these prioritization techniques, organizations can significantly reduce the number of findings developers need to address (some ASPM vendors claim approximately 75% reduction in findings), making their workload more manageable.
Workflow orchestration translates logical application security policies into technical enforcement directly into the development life cycle. ASPM systems can automate critical tasks, such as requiring signed commits for code integrity, or ensuring that only reviewed changes make it into the codebase. They can also monitor for compliance with policies such as multifactor authentication (MFA) across development tools. ASPM integrates with DevOps platforms and integration/continuous delivery (CI/CD) pipeline components — such as the ticketing systems, issue tracking systems and build servers. Additionally, it can help impose automated actions like failing builds when vulnerabilities exceed severity thresholds, blocking the use of insecure dependencies or creating tickets for remediation. Automated workflows not only reduce manual intervention but also ensure that security best practices are consistently applied across the organization’s software teams and projects.
Visibility with ASPM provides discovery of assets and assignment of issues ownership. ASPM can identify applications and APIs across the organization by inspecting code repositories. One of the persistent challenges in application security is determining which team is responsible for addressing specific vulnerabilities, especially when there are thousands of findings across multiple teams. ASPM aims to map security findings to the appropriate teams. This clarity not only prevents delays but also fosters accountability, ensuring that security issues are promptly assigned and resolved.
Application security posture management is a practice, not a product but ASPM products can help operationalize this practice.
Gartner has observed large organizations build their own ASPM tools, but most mainstream organizations are likely to either use the ASPM that their AST provides, or go for a stand-alone solution.

Drive Application Security Maturity Through Platform Convergence

Along with ASPM, Software Supply Chain Security (SSCS) is coming into prominence and for good reason: 97% of codebases contain third-party code and 81% of them contain high security vulnerabilities.9 ASPM and SSCS are interrelated, for example:
  • SSCS controls such as version control and package firewalls can hinder the developer experience that ASPM is supposed to fix.
  • SSCS controls and compliance checks, such as signed commits and usage of MFA, can be enforced via ASPM tools.
This leads to ASPM providers offering SSCS and vice versa. Additionally, both ASPM and SSCS providers are increasingly adding static code analysis to their offerings, which enables them to compete in an AST-driven market. Therefore, the third main trend shaping application security, and its maturity, is tool convergence. Providers from different backgrounds try to solve the same problem: application vulnerability identification and remediation.
The future of application security is trending toward convergence into a unified application security platform that brings together AST (including SAST, SCA, dynamic application security testing [DAST], and interactive application security testing [IAST]) with ASPM and SSCS. These are products that have security leaders as the main buyer, security practitioners as the main administrator and developers as the main end user.
Figure 2: Convergence of AST, ASPM and SSCS Into a Unified Application Security Platform
Three core elements — software supply chain security, application security testing and application security posture management — are unified into one platform, combining key functions like scanning, analysis, orchestration and visibility.
Gartner clients often ask whether they should go further and merge their AST with their cloud-native application protection platform (CNAPP) offering. Because the borders between cloud infrastructure and code are increasingly blurry, most application security platform offerings already provide container security scanning, and infrastructure-as-code scanning. CNAPP tools do so as well, and they are increasingly providing application security functionality.8 This increasing overlap will eventually lead to a convergence between CNAPP and application security platforms with providers from both backgrounds, resulting in one common platform that identifies, prioritizes and remediates application and cloud infrastructure vulnerabilities. With one major caveat: shifting left for a security tool means impacting developer experience. Therefore, the convergence will be slowed down because it takes time for traditional security vendors with products intended for security practitioners to “reinvent” their offering for a developer audience. At the same time, a speedier adoption of ACSAs will accelerate this convergence by resolving developer experience issues. Eventually these two forces will balance each other out.
Another related question is whether application runtime security such as web application and API protection (WAAP) will also converge with AST and CNAPP. It is important to note that when it comes to runtime, there is runtime protection and runtime scanning. We are already observing WAAP runtime protection vendors offer API security testing. For now we believe these will remain spot opportunities where sensible rather than full integration. However, runtime scanning will be a central part of this convergence and application security platforms will have to provide this kind of functionality: examples include reachability analysis approaches that use eBPF-enabled runtime scanning (see “Reachability Analysis” in Hype Cycle for Application Security 2025).
Cybersecurity leaders should assess consolidated offerings from all sides with a focus on developer enablement. For offerings from the cloud security space, cybersecurity leaders should ensure they can still support any on-premises use cases they might have (the frame of mind should be “code-to-workload” rather than “code-to-cloud”), either on the same platform or via a stand-alone offering.
To begin a platform convergence project, cybersecurity leaders should first inventory their existing application and cloud security tools to understand their current landscape, identify redundancies and assess effectiveness. Following this, they should identify strategic vendors and key products around which to build an application and cloud security consolidation project. Cybersecurity leaders can use Tool: Cybersecurity Platform Consolidation Workbook to assess their landscape and start this initiative.

Evidence


1 The IT Score for Security and Risk Management offers the best of Gartner expertise and peer-based research.​

Maturity is measured on a scale ranging from 1 (low) to 5 (high). It measures how advanced an organization’s development is in a functional activity relative to Gartner’s expert assessment of practices associated with that activity. The maturity of an activity is measured by several subactivities weighted 1 through 5, depending on how progressive they are.​

Importance is measured on a scale of 1 (low) to 5 (high). Importance measures how important each functional activity is to the overall effectiveness of the function in meeting its business objectives.​

3,396 organizations completed the IT Score for SRM assessment online from October 2020 through December 2024.
2 Gartner Software Engineering Survey for 2025. This survey was conducted to provide a comprehensive understanding of the current landscape in software engineering. It aims to identify the demand for various roles, essential skills and upskilling strategies within the software engineering organization. It explores the integration of AI in software engineering workflows, their leadership experiences and prior roles of the current leaders. It also assesses their budget expectations, team structures, organizational outcomes and priorities. The survey was conducted online from October through December 2024 among 400 respondents from the U.S. (n = 320) and U.K. (n = 80). Qualifying organizations operated in multiple industries (excluding the IT software industry involved in the development of commercial software and the education sector) and reported enterprisewide revenue for fiscal year 2023 of at least $250 million or equivalent. Qualified participants were highly involved in managing software engineering/application development teams and the activities they perform. Disclaimer: The results of this study do not represent global findings or the market as a whole, but reflect the sentiments of the respondents and companies surveyed.
3 Gartner Software Engineering Survey for 2024. This survey was conducted to identify the most important roles and skills for software engineering leaders and the change in their demand and importance since last year, understand how talent is sourced generally and for acquiring necessary artificial intelligence (AI)/machine learning (ML) skills, and what tools are seen to increase developer productivity and the metrics used to measure them. It also examines how software engineering leaders anticipate change in their operating budgets and the cost management steps taken. It further aims to identify the quality and testing techniques and programming languages software engineering leaders currently use and/or plan to use; their frequency of usage of UX design, user research and AI in generating components of user experience; and its impact on user satisfaction, accessibility and usability. It also intends to understand the software engineering leaders’ responsibilities they find most difficult, the career paths available for senior-level individual contributors and how they are set up, how organizations attract and retain top performers in those career paths, and what management training is offered to staff.

The survey was conducted online from October through December 2023 among 300 respondents from the U.S. (n = 241) and U.K. (n = 59). Qualifying organizations operated in multiple industries (excluding the IT software industry and education sector) and reported enterprisewide revenue for fiscal year 2022 of at least $250 million or equivalent, with 63% over $1 billion in revenue. Qualified participants were highly involved in managing software engineering/application development teams and the activities they perform. Disclaimer: Results of this study do not represent global findings or the market as a whole but reflect sentiment of the respondents and companies surveyed.