
Market Forecast

Worldwide DevSecOps Software Tools Forecast, 2021–2025


Jim Mercer Al Gillen

IDC MARKET FORECAST FIGURE

FIGURE 1

Worldwide DevSecOps Software Tools Revenue Snapshot

Note: Chart legend should be read from left to right.

Source: IDC, 2021

July 2021, IDC #US48052421


EXECUTIVE SUMMARY

DevSecOps is a subset of the larger DevOps competitive market and is a methodology that asserts
that security needs to be prioritized at the beginning of the DevOps delivery pipeline (i.e., shifted left).
Embracing DevSecOps enables DevOps teams to act as primary stakeholders in defining and
implementing security policies, endeavoring to integrate security across the DevOps pipeline.

The implementation of DevSecOps includes more than just adding security tools to the development
and operations team's arsenal, and much like DevOps, there is an important cultural aspect required.
Organizations must successfully encourage the security and DevOps teams to work together.

DevSecOps includes several specialized use cases of DevOps that involve the automation of security
best practices across the DevOps life cycle. It is frequently described as "security as code" as it
embraces the use of programmatic, code-based approaches to ensure software security and quality.
DevSecOps use cases typically include automation and analytics for security scanning of code,
software quality, and configuration compliance. In containerized environments, registries are also
critical elements of the DevSecOps life cycle. Representative tools include static application security
testing (SAST), dynamic application security testing (DAST), software composition analysis (SCA),
secrets management, runtime application self-protection (RASP), and container security.

Although IDC has been tracking DevSecOps revenue for a couple of years within the DevOps forecast,
this year represents the first publication of a DevSecOps competitive market forecast. For this forecast,
IDC started with the functional markets used to define the DevOps competitive market and then
dropped functional markets that had no products offering DevSecOps attributes. For the markets that
include products having DevSecOps functionality, we included the revenue that was specifically
associated with DevSecOps implementations.

To define this new competitive market, IDC published a new DevOps software tools market taxonomy
(see IDC's Worldwide DevOps and DevSecOps Software Tools Taxonomy, 2021, IDC #US48033621,
forthcoming).

Overall, the market for products that support DevSecOps practices is a high-growth market, with a
2020-2025 compound annual growth rate (CAGR) of 24%. Underlying this five-year CAGR are individual
functional market growth rates that have 2020-2025 CAGRs of as much as 42%, with the slowest
growing market still showing a five-year CAGR of 12.2%. On an annual basis, the growth rates are
more than 20% for every year of the forecast period except for 2025, which dips below that bar to
17.1%.

Like the larger DevOps market, the DevSecOps competitive market did not experience an off year in
2020. Despite the pandemic-related pressures that parts of the industry experienced, tools that applied
to empowering and aligning a remote, distributed workforce had, in general, a very good year in CY20.

This five-year forecast was based on the assumptions represented in the June 2021 Worldwide Black
Book: Live Edition. These forecasts include the post-pandemic market behaviors and other recent
macroeconomic inputs from the last week of June 2021. We will continue to monitor changes in
macroeconomic conditions and reflect these changes in future forecasts.

This IDC study provides an updated market forecast for 2021–2025 based on June 2021 conditions as
described in IDC's Black Book Live Edition: June 2021. It also reflects updates made to the IDC
Software Tracker in spring 2021.

©2021 IDC #US48052421 2


"The use of software tools that support the adoption of DevSecOps practices is a hot commodity
today, and we are seeing considerable interest in the market today," said Jim Mercer, research
director, DevOps and DevSecOps, IDC. "With 24% growth in spending on DevSecOps software tools
in 2020, there was effectively no pandemic downturn, and looking forward, we project the DevSecOps
competitive market to grow from $2.6 billion in spending in 2020 to $7.5 billion in 2025. We anticipate
this competitive market to be an active segment through our forecast period."

ADVICE FOR TECHNOLOGY SUPPLIERS

Through 2020, the DevSecOps software tools competitive market continued to demonstrate strong
growth as major vendors expanded and more tightly integrated their portfolios. Increasing numbers of
enterprise developers are adding DevSecOps practices to their day-to-day operations.

With growth in adoption of modern frameworks, architectural designs, and container packaging — along
with the ability to build, deploy, and fail fast — it becomes increasingly imperative for security to
become a development process, rather than an add-on technology that may or may not keep pace with
today's iterative development methodologies.

As a result, end-user organizations will need a variety of solutions to empower their developers to
move quickly and safely, as they create disruptive and digitally innovative software that can help grow
the business.

As with the DevOps market, the DevSecOps market, too, can be expected to experience merger and
acquisition activities that will continue to shake up the competitive environment going forward. It
becomes imperative for leading vendors to look for ways to expand and improve the capabilities that
their technologies offer to clients.

MARKET FORECAST

This IDC analysis provides a forecast by geographic region and market distribution for the worldwide
DevSecOps software tools market as of July 2021. Refer back to Figure 1 for the DevSecOps revenue
portions by IDC operational categories. Refer to the Market Definition section for further details on the
underlying functional markets. Table 1 provides a detailed breakdown of the revenue allocations
by operational category.

IDC's data sizes the 2020 worldwide DevSecOps software tools competitive market at $2.6 billion in
U.S. dollar (USD) current currency. The overall DevSecOps software tools market is currently forecast
to grow to $7.5 billion in 2025, with a CAGR of 24% for the five-year 2021–2025 forecast period.

IDC's updated DevSecOps software tools taxonomy (see IDC's Worldwide DevOps and
DevSecOps Software Tools Taxonomy, 2021, IDC #US48033621, forthcoming) has further expanded
the market to include portions of endpoint security and API management software. Refer back to
Figure 1 and see Table 1 for a summary of the allocation of these functional market revenues with the
four logical market groupings as follows:

• Application security tools:
  • Security analytics, intelligence, response, and orchestration
• API and container security:
  • Endpoint security software
  • API management software
• Test, secrets, and network management:
  • Automated software quality
  • Network security software
  • Other security software

It is important to note that the DevSecOps software tools market estimates model selected portions of
each of the functional markets listed in Table 1. Revenue is only allocated to DevSecOps software
tools if it is purchased and deployed specifically to support security-related development and
deployment activities, both pre- and postproduction. For more detail, see the Market Definition section.

TABLE 1

Worldwide DevSecOps Software Tools Revenue by Functional Market, 2020–2025 ($M)

                                               2020     2021     2022     2023     2024     2025  2020 Share (%)  2020–2025 CAGR (%)  2025 Share (%)
Application security tools                  1,357.1  1,733.2  2,161.7  2,550.1  2,980.3  3,349.6            53.1                19.8            44.7
API and container security                    629.1    977.2  1,349.9  1,806.7  2,361.0  2,950.9            24.6                36.2            39.4
Testing, secrets, and network management      568.5    662.5    784.1    919.4  1,059.0  1,196.8            22.3                16.0            16.0
Total                                       2,554.7  3,372.9  4,295.6  5,276.3  6,400.3  7,497.3           100.0                24.0           100.0
Growth (%)                                     23.0     32.0     27.4     22.8     21.3     17.1

Source: IDC, July 2021

IDC forecasts that by 2025, 53.6% of the worldwide DevSecOps software tools market will be
delivered as public cloud services (see Table 2 and Figure 2). Successful vendors will need to ensure
that they have an aggressive strategy to capture public cloud revenue opportunities but also make
sure that they do not neglect the equally large revenue opportunity for on-premises software, much of
which will likely be deployed into private and hybrid cloud environments.



TABLE 2

Worldwide DevSecOps Software Tools Revenue by Deployment Type, 2020–2025 ($M)

                                 2020     2021     2022     2023     2024     2025  2020 Share (%)  2020–2025 CAGR (%)  2025 Share (%)
On-premises/other software    1,458.8  1,855.1  2,276.7  2,690.9  3,136.2  3,478.7            57.1                19.0            46.4
Growth (%)                       33.5     27.2     22.7     18.2     16.5     10.9
Public cloud (SaaS)           1,096.0  1,517.8  2,018.9  2,585.4  3,264.2  4,018.5            42.9                29.7            53.6
Growth (%)                       20.5     38.5     33.0     28.1     26.3     23.1
Total                         2,554.7  3,372.9  4,295.6  5,276.3  6,400.3  7,497.3           100.0                24.0           100.0
Growth (%)                       23.0     32.0     27.4     22.8     21.3     17.1

Source: IDC, July 2021

FIGURE 2

Worldwide DevSecOps Software Tools Revenue by Deployment Type, 2020 and 2025

Source: IDC, July 2021



Table 3 and Figure 3 show the worldwide DevSecOps software tools revenue forecast for 2021–2025
by geographic region. All three geographies will experience 2021-2025 CAGRs of more than 22% —
strong growth indeed. Of the three regions presented, the EMEA and APJ regions will experience the
fastest growth, in part because these markets are roughly one-quarter to one-half the size of the
Americas region.

TABLE 3

Worldwide DevSecOps Software Tools Revenue by Region, 2020–2025 ($M)

                 2020     2021     2022     2023     2024     2025  2020 Share (%)  2020–2025 CAGR (%)  2025 Share (%)
Americas      1,512.4  1,959.6  2,465.7  2,991.6  3,577.8  4,123.5            59.2                22.2            55.0
EMEA            643.8    880.3  1,138.3  1,424.6  1,760.1  2,091.7            25.2                26.6            27.9
APJ             398.5    532.9    691.6    860.0  1,062.5  1,282.0            15.6                26.3            17.1
Total         2,554.7  3,372.9  4,295.6  5,276.3  6,400.3  7,497.3           100.0                24.0           100.0
Growth (%)       23.0     32.0     27.4     22.8     21.3     17.1

Source: IDC, July 2021



FIGURE 3

Worldwide DevSecOps Software Tools Revenue by Region, 2020 and 2025

Source: IDC, July 2021

MARKET CONTEXT

Drivers and Inhibitors

Drivers

Improve the Security Posture of Applications

• Assumption: Growth of internet-exposed applications from several years of digital
transformation and the rising use of open source, containers, and APIs have all been
accelerated by the recent pandemic. This has made the application attack surface an
attractive target for bad actors using accessible tools such as bots, Nmap, and Wireshark to
locate applications with known vulnerabilities or susceptible code that could permit access to
customer data and corporate assets. Already in 2021, we have seen several high-impact
security breaches that have gained the attention of national leaders and will likely create
increased regulations around application security.
• Impact: Government agencies and private companies working with government agencies will
need to implement and prove that they are doing their proper due diligence to secure their
applications. Even before the SolarWinds and Colonial Pipeline security breaches, in October
2020, the National Institute of Standards and Technology (NIST) issued the NIST 800-53
publication that provides a collection of high-quality security guidelines to organizations
looking to strengthen their position against cyberattacks and explicitly recommends runtime
application security testing and interactive application security testing (IAST) solutions, and
organizations under the federal government umbrella must follow these directives. In May
2021, U.S. President Joe Biden issued an executive order to modernize the cybersecurity of
the federal government as well as private sector entities that have commercial relationships
with the government. This ongoing trend toward more application security regulations will drive
the adoption of DevSecOps tools as well as compliance tools to be able to ensure and attest
that security standards are being met.

Security Teams Are Unable to Keep Pace with DevOps Release Velocity

• Assumption: There are considerably more developers than security team members, with the
average ratio being about 100:1. As organizations adopt DevOps and begin to release
software with higher frequency, it is impossible to scale the security team to audit all the new
software updates to ensure new vulnerabilities are not being introduced. The security teams
become overwhelmed and work to slow things down so they can ensure proper oversight. This
is diametrically opposed to developer and DevOps teams who are trying to push out more
software updates faster.
• Impact: Just as organizations are compelled to adopt DevOps as part of digital transformation,
as they scale their DevOps usage and begin to improve their overall velocity, they are
recognizing the need for security automation. This dichotomy between DevOps and security is
driving the adoption of more security automation tools. Beyond point solutions that automate a
single piece of security, we are seeing the emergence of security platforms and new solutions
that are designed to orchestrate the DevSecOps process, normalize security scan results
across point solutions, help with prioritization of vulnerabilities, and even enable security policy
management.

Inhibitors

Cultural Change and Resistance

• Assumption: Cultural change is always difficult, and the adoption of DevSecOps requires
breaking down long-held wariness between development and security teams. Oftentimes
these teams are not collaborative and have misaligned priorities. Development teams are
driven to add new functionality to applications and release them to production on schedule.
Developers frequently view requests from security teams as unscheduled requests that were
not a part of their release and sprint planning.
• Impact: With DevSecOps, these traditional roles need to change as both teams need to be
working together to ensure application security. Both developers and security team members
need to adapt to new more collaborative ways of working together to ensure the organization
is not unnecessarily put at risk for a security breach. Cultural resistance is the single-largest
challenge for adopting DevSecOps and can slow down the adoption process. Vendors that
can provide guidance or offer examples of how similar organizations overcame cultural inertia
can benefit and be seen more as a trusted partner.

The Secure Coding Skills Gap

• Assumption: In DevSecOps Adoption, Techniques, and Tools Survey (IDC #US47597321,
April 2021), 33% of organizations that are adopting DevSecOps indicated that one of their top
challenges for adopting DevSecOps was the lack of secure coding skills and knowledge.
Historically, application security has been a lower functional requirement or even categorized
under technical debt with a lower priority in comparison to application feature requests.
• Impact: The lack of secure coding skills can hamper the adoption of DevSecOps tools and
make overcoming cultural inertia more challenging. There is a growing need for the training of
developers on secure coding practices and opportunities to leverage modern DevSecOps
tools to both educate developers on secure coding and insulate them from coding errors.
Vendors that offer developer training, as well as intelligent DevSecOps tools, can capitalize on
this challenge.



Significant Market Developments

Enterprise adoption of DevSecOps processes and products continued to accelerate quickly in 2020
and into 2021. The awareness of DevOps continues to grow, and it can be expected that DevSecOps
will ride on the coattails of DevOps adoption into the larger and more sophisticated organizations
initially and spread out to a broader mix of all-size organizations through the forecast period.

Larger and more regulated enterprise organizations are continuing to move toward DevOps. This is
boosting the demand for adding DevSecOps security and compliance software tools as part of the
application release workflow. The organizational effect has improved coordination between security
and DevOps teams, resulting in a security-as-code culture. We also see increased coordination
between security and quality teams for code analytics and metrics coordination, and initial coordination
with architects and designers in early phases of software development emerging as trends. Over time,
machine learning (ML) and artificial intelligence (AI) will build on emerging capabilities available now to
further company success in improving application resilience for security and quality.

The disruption that COVID-19 caused in 2020 ultimately resulted in, if anything, the acceleration of
spending on many categories of IT products and services. While other sectors of the economy face a
recovery transition during a gradual return to the next normal, DevSecOps products have never really
experienced a downturn.

Changes from Prior Forecast


This is the first time the DevSecOps competitive market has been published by IDC. There is no prior
years' forecast to be used for comparison.

MARKET DEFINITION

The 2021 IDC DevOps and DevSecOps software tools taxonomy has been expanded since the 2020
taxonomy and market share assessment were published. The revised 2021 taxonomy encompasses
portions of six IDC functional markets and products to the extent they are used to support DevSecOps
such as programmatic security scanning analytics.

Specifically, the updated market taxonomy covers software license, maintenance, subscriptions, and
software-as-a-service revenue to the extent that DevSecOps initiatives make use of products
from the following functional markets:

• Automated software quality (ASQ): This technology comprises automated software test and
related continuous integration/continuous delivery (CI/CD) tools used to enable agile DevOps
teams and use cases. Sample vendors include:
  • SonarSource
  • CAST
  • Micro Focus
  • HCL
• Security analytics, intelligence, response, and orchestration (SAIRO): Selected compliance
and security scanning remediation and automation tools are included in the DevOps software
tools market to the extent they are integrated as part of CI/CD and DevOps operational
toolchains supporting the development and production of agile DevOps use cases. Sample
vendors include:
  • Synopsys
  • Qualys
  • Veracode
• Network security software (NSS): NSS would include tools such as web application firewalls
(WAFs) and configuring web rules to adequately protect applications from Layer 7 attacks
such as SQL injection. Sample vendors include:
  • F5 Networks
  • Akamai
  • Imperva
• Endpoint security (ENDPT): This technology consists of tools used to secure software
containers by scanning the included components, setting configuration policies that ensure the
integrity of the container as well as runtime protections to ensure the container is functioning
as intended. Sample vendors include:
  • Aqua Security
  • Sysdig
  • Palo Alto Networks
  • Trend Micro
• API management software (API): This technology supports the secure and scalable publishing
and management of application programming interfaces. This software helps DevOps teams
design, monitor, and secure APIs. In runtime, API management provides secure gateway
services and enforces access rights through authentication. Representative vendors and
products include the following:
  • TIBCO
  • IBM
  • Red Hat
• Other security software (OSS): OSS includes select secrets management tools for managing
digital authentication credentials, keys, APIs, and tokens for use in applications, services,
privileged accounts, and other susceptible data. Sample vendors include:
  • HashiCorp Vault
  • AWS Secrets Manager
  • Azure Key Vault

More detail on the individual functional markets that contribute to the competitive DevSecOps software
tools market analysis can be found in IDC's Worldwide DevOps and DevSecOps Software Tools
Taxonomy, 2021 (IDC #US48033621, forthcoming).

METHODOLOGY

The software revenue forecasts presented in this study represent IDC's best top-down estimates and
projections based on existing bottom-up historical data and forecasts for 2021–2025. In addition:

• Software market forecasting begins with the formulation of global and regional macroeconomic
assumptions that are then analyzed to determine how they apply to specific market segments.
In addition, assumptions about specific market-level drivers and inhibitors are developed.
• All company revenue models and market forecasts are generated and maintained in a central
database. The "forecast base" is the vendor historical revenue model.
• Annual growth rates are determined for each market by geographic region (bottom-up) by
IDC's regional analysts. Also, regional analysts factor country-level inputs into the regional
forecasts where available.
• IDC's worldwide analysts compile the regional data and are responsible for the overall
forecast.
• When included, operating environment forecasts are performed based on the distribution of
revenue (i.e., total market forecasts are not changed by operating environment forecasts).
• Annual forecasts are reviewed and updated as required throughout the year. Updated
forecasts for functional markets are published periodically. For further details, see IDC's
Worldwide DevOps and DevSecOps Software Tools Taxonomy, 2021 (IDC #US48033621,
forthcoming).

Note: All numbers in this document may not be exact due to rounding.

Historical and Forecast Market Values and Exchange Rates


Historical market values presented here are as published in prior IDC documents based on the market
taxonomies and current U.S. dollar exchange rates existing at the time the data was originally
published. For markets other than the United States, these as-published values are therefore based on
a different exchange rate each year.

Forecast market values are built using a bottom-up approach in which our country analysts develop
forecasts in local currencies. These local currency forecasts are converted into U.S. dollars to produce
a forecast in one consistent currency. The latest quarterly exchange rate is applied to the 2021–2025
forecast period to better reflect the impact of the most recent known economic situation in each
country. In this document, the quarterly exchange rates used are based on the average quarterly
exchange rates from October 1 to December 31, 2020. The data represented in this document uses
this methodology unless otherwise stated and is termed current currency.

The data in this document is based on IDC's Worldwide Semiannual Software Tracker. IDC tracks
historical vendor revenue and develops forecasts in 53 individual countries and subregions. Because
of the detailed geographical granularity of the underlying data, the Worldwide Semiannual Software
Tracker also provides a "constant currency" revenue estimate for the total worldwide market in the
years reported in this document. Constant currency eliminates exchange rate fluctuation effects by
applying the same exchange rate to all historical and forecast periods.

Table 4 describes the average exchange rates applied to the local currency historical and forecast
estimates in the current currency and constant currency revenue numbers reported. Refer to IDC's
regional research studies for more accurate regional growth in local currencies.



TABLE 4

Exchange Rates, 2016–2025

              2016         2017         2018         2019         2020         2021–2025

June 2020 forecast
Current USD   1H16 + 2H16  1H17 + 2H17  1H18 + 2H18  1H19 + 2H19  4Q19         4Q19
Constant USD  4Q19         4Q19         4Q19         4Q19         4Q19         4Q19

June 2021 forecast
Current USD   1H16 + 2H16  1H17 + 2H17  1H18 + 2H18  1H19 + 2H19  1H20 + 2H20  4Q20
Constant USD  4Q20         4Q20         4Q20         4Q20         4Q20         4Q20

Source: IDC, June 2021

RELATED RESEARCH

• Worldwide DevOps Software Tools Market Shares, 2020: Growth Fueled by Accelerated
Digital Transformation (IDC #US48050921, forthcoming)
• Worldwide DevOps Software Tools Forecast, 2021-2025 (IDC #US48052021, forthcoming)
• Worldwide DevSecOps Software Tools Market Shares, 2020: Strong Growth as DevOps
Teams Prioritize Security (IDC #US48051321, forthcoming)
• IDC's Worldwide DevOps and DevSecOps Software Tools Taxonomy, 2021 (IDC
#US48033621, forthcoming)
• IDC's Forecast Scenario Assumptions for the ICT Markets, April 2021 (IDC #US47665121,
May 2021)
• DevSecOps Adoption, Techniques, and Tools Survey (IDC #US47597321, April 2021)
• IDC FutureScape: Worldwide Developer and DevOps 2021 Predictions (IDC #US46417220,
October 2020)
• Market Analysis Perspective: Worldwide DevOps Software, 2020 — Market View (IDC
#US46418720, September 2020)



About IDC
International Data Corporation (IDC) is the premier global provider of market intelligence, advisory
services, and events for the information technology, telecommunications and consumer technology
markets. IDC helps IT professionals, business executives, and the investment community make fact-
based decisions on technology purchases and business strategy. More than 1,100 IDC analysts
provide global, regional, and local expertise on technology and industry opportunities and trends in
over 110 countries worldwide. For 50 years, IDC has provided strategic insights to help our clients
achieve their key business objectives. IDC is a subsidiary of IDG, the world's leading technology
media, research, and events company.

Global Headquarters

140 Kendrick Street


Building B
Needham, MA 02494
USA
508.872.8200
Twitter: @IDC
blogs.idc.com
www.idc.com

Copyright Notice

This IDC research document was published as part of an IDC continuous intelligence service, providing written
research, analyst interactions, telebriefings, and conferences. Visit www.idc.com to learn more about IDC
subscription and consulting services. To view a list of IDC offices worldwide, visit www.idc.com/offices. Please
contact the IDC Hotline at 800.343.4952, ext. 7988 (or +1.508.988.7988) or sales@idc.com for information on
applying the price of this document toward the purchase of an IDC service or for information on additional copies
or web rights.

Copyright 2021 IDC. Reproduction is forbidden unless authorized. All rights reserved.
