SecurityBrief UK - Technology news for CISOs & cybersecurity decision-makers

How security theatre is killing developer productivity

Fri, 21st Nov 2025

Developers are caught in the crosshairs of the AI revolution – simultaneously empowered and overwhelmed by it.  

Juggling an ever-expanding AI toolkit, overwhelmed developers are battling with new technologies to ensure clean and secure code is delivered on increasingly aggressive deadlines. Every new framework, shifting business priority and emerging threat brings with it a narrowing margin for error, turning each sprint into a high-stakes race. Today, innovation has never felt faster – or more overwhelming. 

Amid the rush to keep up, a quieter crisis is unfolding: developer burnout. Often creeping in long before it's noticed, overworked and time-poor developers are feeling the heat behind every security fix and patched vulnerability. This problem is slowly impacting the industry and, if not resolved, will soon become a critical issue for cybersecurity. 

Consider a typical Tuesday for a senior developer: she starts by reviewing 47 vulnerabilities from three different scanning tools. Twenty are duplicates, fifteen are false positives. Of the remaining twelve, she can't tell which ones actually matter to production. By lunch, she's context-switched eight times, written zero lines of new code, and the sprint deadline is tomorrow. This isn't an edge case – it's the norm. 

The flaw in the fix: how manual remediation drains developers 

Burnout among developers is rarely caused solely by working long hours. Most often, it stems from repeated exposure to inefficient processes and cognitive overload. In today's security workflows, both are in abundance.  

Take tool fragmentation. Most organisations run multiple security testing tools, from static application security testing (SAST), which analyses code at rest, and dynamic application security testing (DAST), which tests running applications, to container scanning tools and software composition analysis (SCA) solutions that flag vulnerabilities in open-source dependencies. Each of these feeds into a separate dashboard, with no unified picture of risk.

Developers are expected to sift through this noise manually, identify what's critical, and determine how to fix it. In fact, recent research shows 69% of developers lose around eight hours of their time a week to inefficiencies like these – that's 52 full working days a year per developer. Despite this, less than half believe their leaders even recognise this issue, and fewer still feel their organisation prioritises developer experience. A senior developer put it bluntly: 'I didn't spend years mastering my craft to become a full-time vulnerability janitor.' 

On top of this, context switching is significantly impacting developer focus. This is where the 'flow state' – that precious zone of deep focus where developers solve complex problems and produce their best code – is constantly broken, whether by unclear vulnerability tickets, juggling of tools, or interruptions from other teams. This lack of consolidation leads to 'alert fatigue', and without clear business context or recommended remediation paths, every fix becomes a time-consuming research project.  

The compounding effect of this is massive. When developers can't quickly identify and resolve root causes, technical debt accumulates. They fall behind, and the wall of unresolved flaws grows taller. Already, over half of organisations today carry significant critical security debt – gaps in their defences that persist because their risk resolution process is inefficient and error-prone. This, in turn, takes even more of their time and energy to overcome. Many developers are left stuck in a loop, chasing issues that never truly go away.  

Building a stronger security culture 

Burnout often feels like a personal issue, but it's really the symptom of systemic challenges. It builds in environments where developers are left to work through mounting security debt manually, without effective automation or clear prioritisation. Preventing burnout isn't all about tools or technology, though; it starts with good leadership rooted in proven frameworks.

Two sets of DevOps principles offer a blueprint for building successful developer teams in an environment conducive to their success: 'The Three Ways' (flow, feedback, continual learning) and 'The Five Ideals', including locality and simplicity, improvement of daily work, and psychological safety. These principles provide a basis for implementing a culture of trust and continuous improvement, which is key to reducing developer burnout.

Psychological safety is an important characteristic of high-performing DevOps teams. When individuals feel safe enough to speak up about failures and ask questions, teams can surface issues before they unravel. But this kind of open problem-solving only happens when honesty is met with trust, not blame. This means celebrating the developer who admits they don't understand a vulnerability report, rewarding teams that automate painful processes, and treating production incidents as learning opportunities rather than blame sessions. 

Giving developers the time and support to automate repetitive, low-risk tasks and improve their own workflows can help the mounting load feel more manageable. And when they're empowered to fix the root causes of burnout, instead of just managing the symptoms, they can shift daily work from reactive firefighting to proactive innovation.

The tools for success 

While culture and leadership create the foundation, the right technology amplifies these efforts. AI-powered automation also plays a vital role, but it's important to be selective about where and how these technologies are implemented. Recent research found 45% of AI-generated code introduces known security flaws, highlighting the risk of unintentionally widening the attack surface when using genAI to produce new code.  

Instead, the clearest opportunity for AI lies in applying it to remediation, helping teams streamline vulnerability resolution and maintain efficient development workflows. Preventing developer burnout relies heavily on simplification: a modern security approach that consolidates insights across the development lifecycle and can surface actionable remediation steps when necessary.  

Automated risk resolution accelerates remediation without sacrificing accuracy, with AI tools able to identify and correct insecure code before it even reaches production. By mapping vulnerabilities back to their root causes, whether in a specific line of code or open-source library, and applying a 'fix once, solve many' approach, teams can dramatically reduce manual remediation and free up time for higher-impact work. However, it's crucial for any tool that handles source code, especially for security purposes, to maintain the highest standards of data integrity.  

This is where consolidated security intelligence becomes critical. Application Security Posture Management (ASPM) platforms can unify data from multiple tools like SAST, DAST, SCA, and CNAPP into one contextual picture of risk – essentially creating a single source of truth. By automating the prioritisation and remediation process, these platforms help developers finally escape the alert fatigue cycle and preserve their focused flow state. 
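The consolidation and 'fix once, solve many' grouping described above can be sketched as follows. This is an added example, not code from the article or from any ASPM product; the tool names, field names and CVE identifiers are constructed placeholders.

```python
from collections import defaultdict

# Constructed sample findings; tool names, fields and IDs are illustrative only.
FINDINGS = [
    {"tool": "sast-a", "rule": "CWE-89", "file": "app/db.py", "line": 42, "severity": "high"},
    {"tool": "sast-b", "rule": "cwe-89", "file": "./app/db.py", "line": 42, "severity": "critical"},
    {"tool": "sca", "rule": "CVE-0000-0001", "package": "libexample", "version": "1.2.0", "severity": "high"},
    {"tool": "sca", "rule": "CVE-0000-0002", "package": "libexample", "version": "1.2.0", "severity": "medium"},
    {"tool": "container", "rule": "CVE-0000-0001", "package": "libexample", "version": "1.2.0", "severity": "high"},
    {"tool": "sast-a", "rule": "CWE-79", "file": "app/views.py", "line": 10, "severity": "medium"},
]
SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}

def root_cause(f):
    """Where the fix is made: a dependency version, or a source location."""
    if "package" in f:
        return ("dependency", f["package"].lower(), f["version"])
    return ("code", f["file"].removeprefix("./"), f["line"])

def fingerprint(f):
    """Same root cause plus same normalised rule id = same issue, whichever tool reported it."""
    return root_cause(f) + (f["rule"].upper(),)

def consolidate(findings):
    """Deduplicate across tools, then group the distinct issues by root cause."""
    issues = {}
    for f in findings:
        entry = issues.setdefault(fingerprint(f), {"tools": set(), "severity": "low"})
        entry["tools"].add(f["tool"])
        # Keep the highest severity any tool assigned to this issue.
        if SEVERITY[f["severity"]] > SEVERITY[entry["severity"]]:
            entry["severity"] = f["severity"]
    groups = defaultdict(list)
    for fp, entry in issues.items():
        groups[fp[:3]].append({"rule": fp[3], **entry})

    # Rank: worst severity first, then root causes whose single fix closes the most issues.
    def rank(item):
        worst = max(SEVERITY[i["severity"]] for i in item[1])
        return (-worst, -len(item[1]), item[0])
    return sorted(groups.items(), key=rank)

if __name__ == "__main__":
    for cause, grouped in consolidate(FINDINGS):
        print(cause, [(i["rule"], i["severity"], sorted(i["tools"])) for i in grouped])
```

On the sample data, six raw findings collapse to four distinct issues behind three root causes, and upgrading the one dependency closes two of them.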

The benefits of this integrated approach extend far beyond faster fix times. Organisations embracing AI-driven ASPM build healthier security cultures and more resilient software delivery. This approach can ensure security keeps pace with today's rapid development cycles without exhausting the people responsible for building and protecting the software.  

Future-proofing security in a fast-paced world 

As the pace of innovation accelerates and security grows more complex, developer burnout remains a critical but overlooked risk. A natural consequence of fragmented tools and lack of support, burnout, if ignored, can quietly erode team performance and security posture alike.  

To counter this, organisations must shift from manual flagging and fixing of vulnerabilities to strategic and intelligent remediation to protect their developers from a constantly mounting load of work and pressure. Businesses must not only invest in automation and AI, but also in the cultural foundations and leadership that enable developers to thrive.  

The path forward is clear: audit your security toolchain for redundancy, measure actual developer time spent on remediation, and start treating developer experience as a security metric. If organisations get the balance between technology and culture right, they won't just improve security outcomes, but foster resilient teams who can finally do what they do best: build remarkable software that moves the business forward. 
