Nearly Half of Development Teams Now “Own” Application Security, Checkmarx Global Survey Finds

Improving DevSecOps maturity remains a priority, yet CISOs report only 39% of business operations run on secured applications

Checkmarx, the industry leader in cloud-native application security for the enterprise, has published its annual research report, “A CISO’s Guide to Steering AppSec in the Age of DevSecOps.” Based on a survey of 200 chief information security officers (CISOs) from across diverse industries and regions, the global study uncovered key factors driving the trend for closer collaboration between development and security teams. One key finding is that 49% of CISOs say buyers now factor application security (AppSec) into purchasing decisions. In fact, in nearly half of software-based product companies, security oversight has moved outside the CISO’s office entirely.

As application complexity and scale grow — driven by AI, microservices and hybrid application architectures — engineering teams are increasingly accountable for ensuring secure, scalable delivery. With faster release cycles and expanding code bases, AppSec decisions and budgets are shifting toward development teams to embed security earlier and more efficiently in the development process.

“We’re witnessing a pivotal change: AppSec is now a competitive differentiator, a budget priority and a boardroom issue,” said Checkmarx Chief Product Officer Jonathan Rende. “As development teams take greater ownership, CISOs must focus on governance, strategy and collaboration to keep security outcomes on track.”

Key Finding: Application Security is Crucial to Purchasing Decisions

CISOs responding from industries including banking and finance, media, insurance, software, manufacturing and the public sector revealed that robust AppSec programs and practices remain a strong differentiator in their customers’ buying decisions. Key data points include:

• 49% of respondents report that buyers regularly consider application security in purchasing decisions
• 24% indicated that application security is “always” a factor in those decisions
• This trend is most pronounced in Europe, where 58% of respondents report that security is “always” a factor, compared to 33% in the Asia Pacific region and only 8% in North America

The Checkmarx study also found that decision-making is becoming increasingly decentralized, with development teams more often influencing security practices and even owning budget authority. The study revealed that:

• In organizations developing software-based products responsibility is split, 50% of organizations assign security responsibility to CISOs while 43% move security oversight to development teams
• 56% of organizations say that most of their development teams are fully integrated with AppSec programs

Rende added, “As security responsibility migrates toward development teams, so does the funding. That’s why CISOs today need to lead with influence, creating guardrails, not roadblocks.”

Security’s Role in the Boardroom Remains Inconsistent

The study report highlights a persistent gap in how security is communicated at the executive level. While 62% of CISOs report AppSec metrics to their board, most focus solely on vulnerability counts, with only 25% tying those risks to business outcomes like brand reputation or regulatory exposure. This disconnect underscores the urgency for CISOs to frame security in terms of business risk — a prerequisite for securing sustained buy-in at the executive level.

To download the full report, visit this page.

Methodology

Performed in collaboration with Global Surveyz, researchers surveyed CISOs at organizations with annual revenues exceeding $750 million and development teams of at least 180 developers. Participants represented key sectors including banking and finance, insurance, software, technology, engineering, media, manufacturing, industrials and the public sector, spanning the United States, Canada, Western Europe and the APAC region.

About Checkmarx

Checkmarx helps the world’s largest enterprises get ahead of application risk without slowing down development. More applications, faster pipelines and growing threats are all contributing to skyrocketing risk. Checkmarx helps end the guesswork in identifying the most critical issues to fix. Giving AppSec the tools they need while letting developers work the way they want, from DevOps pipelines to developer experience, Checkmarx helps security and development teams work better together – all on a unified application security platform. That’s why so many enterprises rely on Checkmarx to scan over one trillion lines of code each year, see 2X ROI, and improve developer productivity on security tasks by 50%. Checkmarx. Always Ready to Run.

Follow Checkmarx on LinkedIn, YouTube and X.

View source version on businesswire.com: https://www.businesswire.com/news/home/20250513212261/en/

“As security responsibility migrates toward development teams, so does the funding. That’s why CISOs today need to lead with influence, creating guardrails, not roadblocks.” --Jonathan Rende, Checkmarx CPO