Brittany Greenfield
January 31, 2025
Recently, I had the opportunity to sit down with a group of AppSec leaders for a closed-door conversation about their 2025 DevSecOps strategy. No vendors. No slides. Just candid discussions about the challenges they’re facing, what’s working, and what’s keeping them up at night.
While every organization is unique, three key themes emerged from the conversation. They reflect the broader state of DevSecOps as we head into 2025 and show that it is still a work in progress.
1. Everyone Feels Like They’re the Only Ones Struggling—They’re Not
Despite years of DevSecOps talk and initiatives, many security leaders still feel like they’re alone in the struggle to make it work. They see other companies talking about their successes and assume they’ve cracked the code while their own teams are still stuck in the trenches.
The reality? Everyone is struggling. The shift to embedding security into development is a transformational change, not just a tooling upgrade. It requires shifts in culture, processes, and priorities—things that don’t happen overnight. Every organization faces resistance, gaps in adoption, and moments where progress feels impossible.
The biggest mistake? Assuming that DevSecOps is “done” anywhere else. No one has a perfect implementation. The best teams are simply further along in adapting their security approach to fit their unique business needs—and that takes time.

2. Context Around Vulnerabilities Is Key
One of the biggest frustrations security leaders voiced was the flood of vulnerability data without enough context to make it actionable. It’s not enough to know that a vulnerability exists; teams need to understand why it matters in their specific environment and how to prioritize it effectively.
Today, many AppSec programs still operate in a vacuum—detecting vulnerabilities but failing to integrate that data with business risk, application dependencies, or development priorities. As a result, developers either ignore security tickets or fix them without fully understanding which ones truly reduce risk.
The leaders in our conversation agreed: The future of DevSecOps isn’t just finding vulnerabilities faster—it’s making sense of them faster. Security teams must move beyond surface-level detection and invest in context-driven security workflows that help developers take action where it matters most.
3. Shifting Responsibility Isn’t the Answer—Collaboration Is
A common pitfall in DevSecOps is the belief that simply shifting responsibility—whether moving all testing to developers or putting more burden on security—is the solution. The reality? This approach doesn’t solve the problem; it just moves bottlenecks to different places.
Instead of reassigning security responsibilities to one team or another, successful organizations are focusing on improving collaboration and coordination between security and development. DevSecOps isn’t about making security someone else’s problem—it’s about embedding security into existing workflows in a way that enhances efficiency, rather than creating friction.
By fostering shared responsibility, aligning incentives, and ensuring that security and development teams are working towards a common goal, organizations can break the cycle of finger-pointing and build a truly integrated security approach.
Final Thoughts
Walking away from this conversation, one thing was clear: DevSecOps is still evolving, and no one has all the answers. But the leaders who are making the most progress are the ones focusing on context, collaboration, and culture—rather than just tools and tactics.
For organizations still struggling to implement DevSecOps, the best next step isn’t to chase the latest automation trend—it’s to focus on the fundamentals: understanding risk in context, integrating security into business priorities, and remembering that you’re not alone in this journey.
What challenges are you seeing in your DevSecOps strategy for 2025? Let’s keep the conversation going.
- Join us on February 25th at 4pm ET for an exclusive DevSecOps Strategy Chat (with a side of cocktails)
