2023 Global DevSecOps Report

The State of AI
in Software
Development
 2

Table of contents

03 Executive summary 15 The stumbling blocks: Security, privacy, and IP

04 Who took the survey? 17 Bridging the skills gap

08 Introduction 20 AI can’t replace human experience

09 AI in the software development lifecycle:

Gaining traction

12 Code generation — the start of a larger shift

Follow us:
 3

Executive summary

Artificial intelligence (AI) can help development, security, and operations (DevSecOps) teams write code, resolve security vulnerabilities, accelerate code
review, and improve collaboration. Our survey suggests DevSecOps teams are feeling optimistic about their adoption of AI and all its potential — but to
ensure AI initiatives are successful, organizations will need to examine how AI can support all stages of the software development lifecycle. Respondents
also surfaced significant concerns around data privacy, intellectual property, and security.

DevSecOps teams are embracing AI in a big way Data privacy, intellectual property, and security are

67%
of respondents said their organizations are planning to key areas of concern

95%
use AI in software development (and 23% are already of C-level and VP respondents said privacy and
using it today). protection of intellectual property are important

83%
when evaluating an AI tool or feature.
of respondents said it is essential to implement AI in
their software development processes to avoid falling

79%
of respondents said they are concerned about
behind.
AI tools having access to private information or
intellectual property.
AI needs to support the entire software

40%
of security professionals were concerned that AI-
development lifecycle
powered code generation will increase their workload

75%
of developers’ time is spent on tasks other than code (compared to just 29% of respondents overall).
generation — suggesting that code generation is only
one area where AI can add value.
Teams feel they lack the skills and training
Top three use cases for AI in software development, necessary to implement AI
according to respondents
81%
of respondents said they need more training to use AI
in their work.
Natural-language chatbots
65%
of respondents said their organization has hired or will
Automated test AI-generated summaries hire new talent to manage the implementation of AI.
generation of changes made to code

Follow us:
 4

Who took the survey?

We collected a total of 1,001 survey responses in June 2023 from Primary industry
individual contributors and leaders in development, IT operations, and 347
security across a mix of industries and business sizes worldwide.
87
We used two sampling methods for the data collection:
83
1. We distributed the survey via GitLab's social media channels and
email lists. 76
2. A
 third-party research partner conducted panel sampling, which
51
reduces bias in the sample. Our research partner used its proprietary
access to lists, panels, and databases to gather quality responses 51
and cleaned the data throughout fielding to ensure data quality.
34
Here’s a closer look at the survey respondents:
31

Gender Age 29
18-24 8% Automotive
25-34 39%
35-44 36% 29
45-54 13% 8%
55-65
Nonbinary
4%
35% 18-24 36% 35-44 28

28

63% 25-34
39% 13%
45-54
26

4% 25
55-65
22

20

14
Food & Beverage

20

Follow us:
 32
5
29

Role within the organization 28

134 28

105 27

93 20

83 20
Engineering Manager

81 17
IT Generalist

58 15

53 11
DevOps Manager

46 6

44 6
Site Reliability Engineer

43 5

32 5

29 12

28

28

27

20

20

17

15

11 Follow us:
 6

Number of employees Functional area

51

69

115

171
41%
131

111
24%
91 35%
77

185

Follow us:
 7

Region

6% UK
61

2% Germany
14% Canada 15
142
1% France
US 6
38%
384

37% India
373

2% Other
20

Follow us:
 8

Introduction

Artificial intelligence (AI) has made incredible technological strides But first, a note on terminology.
in the past several years. From image and text generation to speech
recognition, new developments in AI are poised to have a significant Artificial intelligence is an umbrella term referring to computer
impact on virtually every industry — including software development. software that simulates human capabilities such as logic and problem
solving. Machine learning (ML), a subset of AI, is the use of complex
The power of AI to shape how teams plan, build, secure, and deploy mathematical models to enable a computer to identify patterns and
software is already being tested in the real world. But is AI living make predictions based on existing data. There are also a number of
up to its promise? How are DevSecOps teams using AI in software other more specific applications of AI, such as generative AI (a form of
development today, and where do they actually want to use it? AI that generates new, original content based on patterns in existing
What are organizations hoping to achieve with AI, and what are the data), deep learning (a subset of ML that uses complex layers of ML
tradeoffs? In this special edition of our 2023 Global DevSecOps algorithms to carry out sophisticated tasks), and natural language
Report Series, we seek to answer these questions and understand processing (a subset of AI that focuses on building systems that can
how AI might be able to introduce new efficiencies and opportunities understand language using ML). Throughout this report, we’ll use the
into the software development lifecycle. broadest term, AI, to cover all of these applications.

First, we’ll look at how many organizations are actually using AI Now, let’s dive in.
today and the benefits they’re hoping to drive. We’ll also explore how
organizations are using AI across the software development lifecycle,
and where there are gaps between DevSecOps teams’ interest in and
current usage of AI. Then we’ll turn to the challenges respondents are
facing in implementing AI, focusing primarily on concerns around data
privacy, intellectual property, security, and training. We'll conclude
with a note on why, despite some fears to the contrary, AI can’t
replace human experience — and how leveraging the experience of
human team members alongside AI can help organizations address
the concerns that respondents surfaced in our survey.

Follow us:
 9

AI in the software development lifecycle: Gaining traction

If there was one inescapable takeaway from the survey data, it’s that However, AI isn’t just another fad — it’s seeing real adoption among
AI in software development is here to stay. The vast majority (83%) of practitioners. A solid majority (75%) of respondents whose organizations
respondents agreed that it is essential to implement AI in their software are using AI or planning to use AI for software development said at least
development processes to avoid falling behind, and this was consistent a quarter of their DevSecOps team members currently have access to AI
regardless of respondents’ functional area (development, operations, tools or functionality. For these teams, AI is becoming embedded in their
and security), job level, or years of experience. It’s not surprising, then, day-to-day responsibilities: Among respondents whose organizations are
that most organizations have plans to incorporate AI into software using AI in software development today, 60% said they use AI daily, and
development: 23% of respondents said their organizations are currently 22% said they use AI several times a week. This was consistent across
using AI in the software development lifecycle, and 67% said their development, operations, and security, although respondents with five or
organizations are planning to do so. fewer years of experience in their functional area were significantly more
likely to use AI on a daily basis than more experienced respondents.

Is your organization using or planning to use AI in the

software development lifecycle? Frequency of AI usage, according to respondents whose
organizations are using AI in software development today
23%
Yes, we are currently using AI in the software development lifecycle
49%
19% Multiple times a day
Yes, in the next year
11%
22% Once a day

Yes, in 1-2 years

22%
Several times a week
11%
Yes, in more than 2 years 7%
Once a week
15%
Yes, but there is no specific timeline 8%
Several times a month
8%
No, the organization has no plans to introduce AI into 1%
the software development lifecycle Once a month

1% 1%
Never
No, the organization has explicitly prohibited the use of
AI in the software development lifecycle

Follow us:
 10

Promisingly, the vast majority of respondents

whose organizations are using AI today (90%)
said they feel confident using AI in their daily
tasks at work, and more than half (51%) rated What benefits does your organization associate with using
their organization’s efforts in incorporating AI in the software development lifecycle?
AI into the software development lifecycle as
“very” or “extremely” successful. In addition, 55%
Improved efficiency
it’s clear that organizations as a whole agree
44%
that AI is an important investment. Among Faster cycle times
respondents whose organizations are using AI
41%
or plan to in the future, 83% said they have or Increased innovation
will have budget specifically allocated to AI for
40%
software development. Improved employee productivity

40%
What’s driving the widespread adoption of AI? Improved security

Respondents whose organizations are using 39%

AI now or plan to use AI in the future identified Faster time to market/increased business agility

improved efficiency (55%), faster cycle times 37%

(44%), and increased innovation (41%) as the Increased revenue

top organizational benefits of introducing AI 36%

Improved customer satisfaction
into the software development lifecycle.
29%
Improved employee satisfaction

26%
Improved customer retention

24%
Improved employee retention

Follow us:
 11

Different functional areas and job levels identified slightly different benefits from Respondents identified similar benefits when
adopting AI. For example, developers (48%) were significantly more likely than security asked what they have personally achieved or
respondents (38%) to identify faster cycle times as a benefit of AI. Similarly, respondents hope to achieve by adopting AI in the software
with five or fewer years of experience (50%) were more likely than more experienced development lifecycle, with improved productivity
respondents (42%) to choose faster cycle times. (51%), faster deployments (44%), and increased
accuracy (40%) rounding out the top three.
Security emerged as a key organizational benefit of AI overall, making the top five, and
this was particularly true for managers and executives. Respondents with C-level/VP Interestingly, general benefits related to work
(46%) or manager titles (43%) were significantly more likely than non-managers (34%) to experience, such as feeling more satisfied at
identify improved security as a benefit. work (32%) and learning new skills (36%), ranked
relatively low, although respondents with five or
fewer years of experience (41%) were more likely
than more experienced respondents (33%) to
What benefits have you personally achieved or do you hope to choose career growth. This suggests that while
achieve by using AI in the software development lifecycle? DevSecOps teams see AI as a utility that assists
with their day-to-day work, this doesn’t necessarily
51% translate (or isn’t expected to translate) into
Improved productivity
improved work satisfaction for everyone. One
44%
Faster deployments/software releases
explanation is that AI needs to be more uniformly
integrated across the entire software development
40%
Increased accuracy, fewer errors lifecycle — more on that in the next section.

40%
More intelligent monitoring and alerting Next, let’s explore where respondents are using
40% AI today, where they’re interested in using AI, and
Improved ability to predict potential issues, where in the software development lifecycle AI has
identify patterns, and make data-driven decisions
the potential to have the biggest impact.
38%
Enhanced quality assurance

36% “The role of software developers is evolving

Career growth/learning new skills
because of AI. It can help them with their
35% code, but we’re years away from AI being
Improved collaboration
able to write code completely on its own or
32%
Feeling more satisfied at work
replace developers.”
–E
 xecutive in the computer/SaaS industry

Follow us:
 12

Code generation — the

start of a larger shift For which of the following use cases is your organization
interested in using AI in the software development lifecycle?

55%
Generative AI has important applications in Code generation and code suggestions

software development. By using AI to suggest 54%

common lines of code or generate logic for Forecasting of productivity metrics and identification
of anomalies across the software development lifecycle
function declarations, developers can boost
their accuracy, efficiency, and productivity. 53%
Summaries of code changes

Given that generative AI has been in the

53%
Explanations of how a piece of code works
spotlight for much of this year, it’s no surprise
52%
that DevSecOps teams are curious about how Suggestions for who can review code changes
it might be able to help them accelerate code
52%
creation. In fact, code generation and code Summaries of issue comments
suggestions (55%) topped the list of software
52%
development use cases where respondents Explanations of how a vulnerability can be
exploited and how to remediate it
were interested in applying AI, closely followed
by forecasting of productivity metrics and 50%
Automated test generation
identification of anomalies (54%), summaries of
code changes (53%), and explanations of how a 50%
Tracking machine learning model experiments
piece of code works (53%).
48%
Chatbots that allow users to ask questions in
documentation using natural language

Follow us:
 13

However, when we look at how respondents said they’re using AI today, Our survey findings suggest that although code generation is
we get a slightly different picture. The top ways respondents said they important, it’s only one area where AI can potentially add value.
are currently using AI for software development were natural-language Developers reported spending only 25% of their total work time
chatbots in documentation (41%), automated test generation (41%), and writing code, with the rest spent improving existing code (17%),
summaries of code changes (39%). understanding code (14%), testing (11%), maintaining code (9%), and
identifying and mitigating security vulnerabilities (7%). That’s nearly
60% of developers’ day-to-day where AI — in the form of vulnerability
For which of the following use cases is your organization explanations, code change summaries, automated tests, and more —
currently using AI in the software development lifecycle? can introduce efficiencies and boost productivity and collaboration.

41%
Chatbots that allow users to ask questions Amount of time developers report spending on daily tasks
in documentation using natural language

41%
Automated test generation
25%
Writing new code
39%
Summaries of code changes
17%
Improving existing code
38% 17%
Tracking machine learning model experiments
Meetings and administrative tasks

37% 14%
Suggestions for who can review code changes
Understanding what code does

37% 11%
Summaries of issue comments Testing

36% 9%
Code generation and code suggestions Code maintenance

36% 7%
Explanations of how a piece of code works Identifying and mitigating security vulnerabilities

36%
Explanations of how a vulnerability can be
exploited and how to remediate it

35%
Forecasting of productivity metrics and identification
of anomalies across the software development lifecycle

Follow us:
 14

Respondents also identified several concerns around generative AI in the For which of the following use cases is your organization
context of code creation. More than half (57%) of respondents said they currently using or interested in using AI in the software
think AI will replace their role within the next five years. In addition, among development lifecycle?
the 32% of respondents who expressed concern about introducing AI into
the software development lifecycle, two of the top three specific concerns 36%
were related to code generation: code generated using AI may not be 55%
subject to the same copyright protection as human-generated code (48%) Code generation and code suggestions

and code generated using AI may introduce security vulnerabilities (39%). 35%
54%
Forecasting of productivity metrics and identification of
It’s apparent that DevSecOps teams see the bigger picture: From test anomalies across the software development lifecycle

generation to vulnerability analysis to summaries of issue comments, 50% 36%

or more of respondents expressed interest in a number of AI-powered 53%
use cases beyond code generation. In other words, there’s a strong Explanations of how a piece of code works

appetite for more — and more integrated — AI spanning the breadth of the 36%
software development lifecycle. 52%
Explanations of how a vulnerability can be
exploited and how to remediate it
Looking at the gaps between respondents’ interests and current usage 37%
helps us see exactly how much opportunity there is for AI across the 52%
software development lifecycle. After code generation, forecasting Suggestions for who can review code changes

productivity metrics and anomalies represents the next biggest area of 37%
demand, with 54% of respondents saying they are interested, but only 35% 52%
saying they are doing it today. Summaries of issue comments

39%
As DevSecOps teams capitalize on these opportunities and AI becomes 53%
Summaries of code changes
more embedded in software development workflows, where are they
expecting challenges? Next, we’ll dive deeper into where respondents 38%
expressed concerns about incorporating AI into the software development 50%
Tracking machine learning model experiments
lifecycle, and what we can learn from the common themes that emerge.
41%
50%
Automated test generation

“Testing and quality assurance can benefit the most from AI, as 41%
intelligent algorithms can spot bugs and errors that humans might 48%
Chatbots that allow users to ask questions in documentation
miss.” using natural language

Currently using Interested in

– Software engineer in the industrial manufacturing industry

Follow us:
 15

The stumbling blocks: Security,

privacy, and IP

As we’ve seen, respondents expressed mostly positive sentiments What are your biggest concerns around introducing AI into
about AI and their organizations’ use of AI in software development; the software development lifecycle?
however, concerns around privacy, intellectual property, and
security emerged repeatedly, suggesting that organizations should 48%
Code generated using AI may not be subject to the same
seriously consider these areas when implementing AI initiatives. copyright protection as human-generated code

42%
Overall, nearly a third (32%) of respondents said they were “very” AI will introduce a new set of skills to learn

or “extremely” concerned about AI being introduced into the 39%

software development lifecycle, while 23% were “not very” or “not Code generated using AI may introduce security vulnerabilities

at all” concerned. As mentioned above, when asked to identify 37%

AI will make it difficult to find a job
specific areas of concern, respondents pointed to ambiguities in
36%
copyright protection (48%) and the potential to introduce security
AI will replace or eliminate my job
vulnerabilities (39%) as two of the top concerns.
34%
People that I work with will introduce errors using AI,
which will make my job more difficult
Continuing the security theme, concern that the use of AI will
increase professionals’ workload was particularly prevalent among 29%
AI-powered code generation will increase my workload
security professionals: 40% of security professionals said they were
concerned that AI-powered code generation will add more to their
plate, compared to just 29% of respondents overall.

Follow us:
 16

In addition, the vast majority of respondents (79%) said they are What obstacles has your organization encountered or do you
concerned about AI tools having access to private information or expect will encounter regarding the use of AI in the software
intellectual property. Among these respondents, the top reason for development lifecycle?
concern was, by far, that sensitive information such as customer data
may be exposed (72%). 37%
Concerns around privacy and data security

35%
Why are you concerned about AI tools having access to Concerns around security vulnerabilities in software built using AI
private information? 34%
Lack of appropriate skill set to employ AI or interpret AI output
72%
33%
Sensitive information (such as customer data) may be exposed
Lack of knowledge about AI
48%
32%
Trade secrets (such as product plans or source code)
Difficulty keeping up with the latest developments in AI
may be exposed

48% 32%
It is unclear how the data will be stored Concerns around copyright and intellectual property

43% 32%
It is unclear how the data will be used Lack of confidence in AI-generated output

30%
Concerns around complying with government regulations related to AI

Privacy, security, and intellectual property also emerged as common 26%

Accelerated code creation causing problems for security and
themes in the obstacles respondents said they have encountered or operations teams
expect to encounter while implementing AI in the software development
24%
lifecycle. Concern around privacy and data security (37%) was the top Difficulty procuring tools (securing legal approval, etc.)
obstacle identified by respondents, followed by security vulnerabilities
24%
in software built using AI (35%). Nearly a third (32%) of respondents Difficulty securing budget
pointed to copyright and intellectual property.

Given these concerns, it’s not surprising that an overwhelming 90% of

respondents said that privacy and protection of intellectual property are
“AI will have the biggest impact on overall planning and monitoring/ important to them when evaluating an AI tool or feature for use in the
prioritizing the software development cycle. It’s pretty harmless to software development lifecycle. This was particularly true for executives:
have AI help to keep things on track, but I personally wouldnʼt trust 95% of C-level and VP respondents said they prioritize privacy and
it to write code due to the risk of bugs or fundamental flaws in logic. protection of intellectual property when selecting an AI tool.

– Software engineer in the computer/SaaS industry

Follow us:
 17

Bridging the skills gap Percentage of respondents in Development, Security, and

Operations who agreed with the following statements:

I feel I need more training to use AI at work

Training and skills also emerged as a common theme in the
obstacles and concerns identified by respondents: A lack of the Development
appropriate skill set to use AI or interpret AI output was one of
the top obstacles (34%) and AI introducing a new set of skills to Security
learn was one of respondents’ top areas of concern (42%). Clearly,
despite overall optimism about AI in software development, Operations
DevSecOps professionals feel a pressing need to grow and maintain 0% 25% 50% 75% 100%

their skills to stay ahead. Strongly Somewhat Somewhat Strongly Don’t

agree agree disagree disagree know

An overwhelming 81% of respondents agreed that they need

more training to use AI at work, and 87% said organizations will
need to re-skill employees to adapt to the changes AI will bring.
This was largely consistent across functional areas, job levels,
and organization sizes, although operations respondents (91%) Organizations will need to re-skill employees to adapt to the
were significantly more likely to agree that organizations will need changes AI will bring
to re-skill employees than either developers (85%) or security
respondents (83%)
Development

Security

Operations

0% 25% 50% 75% 100%

Strongly Somewhat Somewhat Strongly Don’t

agree agree disagree disagree know

Follow us:
 18

To address the lack of in-house skills, 65% of respondents said Does your organization provide training and resources for
their organization has hired or will hire new talent to manage the using AI?
implementation of AI in the software development lifecycle.
C-level and VP
When we asked respondents what types of resources they are using
to build their skills in AI, the top responses were books, articles, and
Management
online videos (49%), educational courses (49%), practicing with open-
source projects (47%), and learning from peers and mentors (47%).
Non-management

0% 25% 50% 75% 100%

What types of resources do you use to learn about AI? Yes No

49%
Books, articles, and online videos Interestingly, despite three-quarters of respondents saying their
49% organization provides training and resources for using AI, a roughly
Educational courses
equal proportion also said they are finding resources on their own,
47% further suggesting that the currently available resources and training
Practicing with open-source projects
may be insufficient. Developers (82%) were significantly more likely
47%
Learning from peers and mentors
than either security (69%) or operations respondents (74%) to report
finding AI resources on their own.
43%
News websites

34%
Vendor resources Are you finding training and resources on your own for using AI?

Development
The vast majority of respondents (75%) told us their organization
provides training and resources for using AI — but C-level
Security
respondents (85%) and respondents with manager titles (78%)
were significantly more likely than non-managers (69%) to say
Operations
their organization provides training and resources for using AI. This
0% 25% 50% 75% 100%
suggests that although organizations are making a top-down attempt
to make AI resources available to employees, those resources may Yes No

not be adequate, or some employees may not be aware of them.

Follow us:
 19

This makes sense, as developers are likely What AI-related skills would you like to learn as part of your
to be more hands-on with generative AI use career development?
cases that require training to use effectively.
Developers were also significantly more likely We asked respondents to share, in their own words, how they’d like to build their AI
to lack confidence in AI-generated output skills. Here are a few of the most common responses:
than either security or operations respondents
(38% versus 28% and 28%, respectively).
Java
While organizations should focus on providing

Machine learning
AI training and resources to all job roles
and functional areas that will be using AI, it ChatGPT
may be especially important to ensure that
the resources for development teams are
Generative AI
relevant, up to date, and cover the latest AI Model training
technologies and applications. Computer
vision Data science
Large
language Natural language
models (LLMs) processing (NLP)
C++ Neural Data
networks analytics
Automation
Monitoring
Prompt
Python engineering
Data
engineering Data
Deep learning
security

Follow us:
 20

AI can’t replace human experience

DevSecOps professionals are in agreement that AI has the power Ultimately, however, it comes down to more than simply human
to boost their teams’ productivity and efficiency, and that it will be versus machine. Leveraging the experience of human team members
essential for them to build and maintain AI skills to stay competitive as alongside AI is the best — and perhaps only — way organizations
individuals. At the same time, they acknowledge the inherent limitations can fully address the concerns around security and intellectual
of AI — such as the potential to introduce security risks — and the need property that emerged repeatedly in our survey data. AI may be able
for human review of AI-generated output. to generate code more quickly than a human developer, but a human
team member needs to verify that the AI-generated code is free of
One respondent, a DevOps engineer in the financial services industry, errors, security vulnerabilities, or copyright issues before it goes to
summed up DevSecOps teams’ cautious optimism towards AI: “Given production. As AI comes to the forefront of software development,
current levels of AI, I would argue that simple, repeatable tasks are organizations should focus on optimizing this balance between driving
the best way forward. Everything else requires human interaction efficiency with AI and ensuring integrity through human review.
and review. I think AI can help speed up some tasks, but the humans
involved have to be aware and responsible for what the AI is
generating.” Another respondent, a quality assurance associate in the
software industry, wrote: “I think AI could be beneficial in many areas,
but it’s important to not lose a personal touch and connection.”

As organizations work to embed AI more deeply into their workflows,

a tension is emerging between promises and reality — with human
expertise as the inflection point. In our survey, more experienced
respondents were less likely to associate AI with value drivers such as
productivity gains and faster cycle times. One explanation is that more
experienced DevSecOps professionals accept AI as a supportive tool for
skill development, but don’t think it can completely replace the expertise,
knowledge, and problem-solving of seasoned professionals like
themselves. Conversely, DevSecOps professionals who are newer to the
field may have more confidence in AI, perhaps because of their exposure
to the technology through their schooling or on-the-job training.

Follow us: