Advancing DevSecOps in SMEs: Challenges and Best Practices for Secure CI/CD Pipelines

📅 2025-03-28
🤖 AI Summary
This study addresses the persistent challenges impeding DevSecOps adoption in small and medium-sized enterprises (SMEs), identifying three primary bottlenecks: technical complexity (41%), resource constraints (35%), and cultural resistance (38%). Drawing on an integrated theoretical framework combining the Technology Acceptance Model (TAM) and Diffusion of Innovations (DOI) theory, we employ a mixed-methods approach to quantitatively uncover a critical security automation gap—only 12% of code commits trigger automated security scanning—and to characterize emerging AI-driven security evolution trends. Our contribution is a CI/CD security enhancement strategy anchored in three pillars: automated security scanning, leadership-driven security culture, and cross-functional collaboration. This strategy significantly improves scalable integration of API security (by 63%) and software composition analysis (SCA) (by 62%), delivering a reusable, low-barrier DevSecOps implementation pathway tailored for SMEs.

📝 Abstract
This study evaluates the adoption of DevSecOps among small and medium-sized enterprises (SMEs), identifying key challenges, best practices, and future trends. Through a mixed-methods approach grounded in the Technology Acceptance Model (TAM) and Diffusion of Innovations (DOI) theory, we analyzed survey data from 405 SME professionals, revealing that while 68% have implemented DevSecOps, adoption is hindered by technical complexity (41%), resource constraints (35%), and cultural resistance (38%). Despite strong leadership prioritization of security (73%), automation gaps persist, with only 12% of organizations conducting security scans per commit. Our findings highlight a growing integration of security tools, particularly API security (63%) and software composition analysis (62%), although container security adoption remains low (34%). Looking ahead, SMEs anticipate that artificial intelligence and machine learning will significantly influence DevSecOps, underscoring the need for proactive adoption of AI-driven security enhancements. Based on our findings, this research proposes strategic best practices to enhance CI/CD pipeline security, including automation, a leadership-driven security culture, and cross-team collaboration.
Problem

Research questions and friction points this paper is trying to address.

Evaluating DevSecOps adoption challenges in SMEs
Identifying gaps in automation and security scans
Proposing AI-driven enhancements for CI/CD security
Innovation

Methods, ideas, or system contributions that make the work stand out.

Mixed methods with TAM and DOI theory
Automation for security scans per commit
AI-driven security enhancements integration
Jayaprakashreddy Cheenepalli
The Beacom College of Computer and Cyber Sciences, Dakota State University, Madison, SD, USA
John D. Hastings
The Beacom College of Computer and Cyber Sciences, Dakota State University, Madison, SD, USA
Khandaker Mamun Ahmed
Assistant Professor; research interests: Federated Learning, Computer Vision, LLM, Generative AI
Chad Fenner
The Beacom College of Computer and Cyber Sciences, Dakota State University, Madison, SD, USA