Why a DevSecOps imperative for companies with mainframes?

By Guilherme Cartier

Editor’s note: This article, originally published in April 2024, was updated in October 2025.

While organizations continue to invest heavily in cloud computing, many of the world’s largest organizations still rely on decades-old technology as the backbone of their IT ecosystems.

I’m referring to mainframes, of course, which are too often misunderstood as outdated.

Mainframes are extremely sophisticated machines designed for mission-critical applications that still serve an important role. The biggest issue for IT teams is that many of the processes adopted in traditional mainframe application development are manual and error-prone and often lack automated testing, code scanning and documentation. Over time, these inefficiencies can lead to technical debt.

In the quest to meet market shifts and customer demands, organizations are looking for effective ways to optimize their mainframe environments while integrating across multiple hybrid IT platforms. That’s no small feat.

Kyndryl’s 2025 State of Mainframe Modernization Survey found that 99% of respondents are operating in a hybrid environment. Meanwhile, 56% of organizations are increasing their use of mainframes and utilizing them in new ways with hybrid platforms. But with greater and more novel usage comes greater risks, particularly for organizations that haven’t updated legacy systems.   

DevSecOps — a set of practices and tools that integrate development, security and operations teams — helps companies address the dual challenge of modernizing their mainframes while protecting against new and increasingly sophisticated cyber risks. In time, deploying DevSecOps will become a must-do for any enterprise using mainframes.

How DevSecOps delivers results

Implementing a DevSecOps pipeline for mainframe applications aims to improve the speed, quality and security of software delivery for organizations of all sizes. Benefits include:

• Accelerated time to market: DevSecOps enables mainframe teams to automate and streamline their development processes, from coding to testing to deployment. This process optimization reduces the manual effort and human errors that can slow down delivery and introduce defects.
• Enhanced quality: DevSecOps allows mainframe teams to implement quality gates and checkpoints throughout the pipeline, ensuring that code meets standards and requirements before moving to the next stage. This process also facilitates continuous testing and feedback, which helps identify and fix issues early and often.
• Elevated security: DevSecOps incorporates security into every step of the pipeline, rather than treating it as an afterthought. These safeguards mean that mainframe teams can apply security best practices, such as code scanning, vulnerability analysis and compliance checks to prevent and mitigate potential threats.
• Proactive operations: DevSecOps shifts the operational aspects of mainframe development from reactive to proactive. Instead of waiting for problems to arise and then scrambling to fix them, mainframe teams can monitor and optimize the performance, availability and reliability of their applications throughout the lifecycle. This proactivity enables teams to anticipate and prevent issues before they impact the end users and continuously improve the quality and efficiency of their operations.
• Connected collaboration: DevSecOps enables mainframe teams to use the same process and tools as other development teams, fostering a culture of collaboration and communication across the organization. This connection helps break down silos and improve alignment and integration among different platforms and applications.

DevSecOps drives value

DevSecOps is far more than a technical upgrade — it’s a strategic imperative for modernizing the mainframe.

Kyndryl’s Mainframe Modernization Survey found that 82% of enterprises are integrating DevSecOps practices as part of their modernization efforts, alongside the adoption of AI and agentic AI. These integrations help drive significant returns: Organizations report ROI ranging from 288% for modernizing applications on the mainframe to 362% for those moving workloads to other platforms.

DevSecOps also enables companies to address evolving security and compliance demands. With 94% of Mainframe Survey respondents indicating that regulatory compliance strongly influences their mainframe modernization decisions, embedding security into every stage of development is no longer optional. In fact, 32% of organizations cite security as a key reason for retaining applications on the mainframe.

The value of DevSecOps extends beyond risk mitigation. Collaboration between development, operations and security teams facilitates innovation and agility.

Results from Kyndryl’s Cloud Innovation Survey 2025 indicate that organizations that embed cloud-native operational practices, such as DevOps and FinOps, are four times more likely than other companies to achieve their cloud objectives. Sixty percent (60%) of these enterprises also report that business and IT teams align completely on cloud initiatives.

DevSecOps is even helping organizations realize the full potential of AI and automation. Nearly nine out of 10 (88%) Mainframe Modernization Survey participants have implemented or plan to implement generative AI tools in their mainframe environments to enhance performance, resource allocation, fraud detection and advanced security assessment.

Benefits aside, implementing DevSecOps can present challenges. The practice requires new skills and cross-functional collaboration, which can initially increase development cycles and put timelines at risk. However, development cycles should accelerate as teams gain experience, helping increase profitability, improve reliability and facilitate innovation.

A solution built for the future

The trusty mainframe combined with DevSecOps can deliver value more efficiently and effectively, while also reducing the risk of technical debt and legacy issues. DevSecOps isn’t a magic wand, but it can be a powerful ally in combining tried-and-true legacy technology with the business need for modernization.

Guilherme Cartier is the Associate Director of Infrastructure and Cloud Architecture for Kyndryl.