For years, software development was more or less predictable. Developers built the stack. Security guarded the stack. Operations kept it standing long enough to make it to Friday.
Life seemed normal. Almost like the opening of Stranger Things, when the biggest worries of teenagers in the town of Hawkins were getting a date to the Prom or whether there’d be another Friday the 13th sequel. That ominous netherworld of chaos known as the “Upside Down” had yet to be opened.
But then things changed, like the moment Will Byers disappeared and Hawkins realized something was very wrong. The stack changed from being a simple concept that could be sketched on a whiteboard into a sprawling ecosystem of interconnected services and unpredictable components. Applications pulled in open-source dependencies with their own release calendars. Temporary workarounds quietly hardened into permanent architecture.
Today’s network applications can be like the “Upside Down,” sprawling, unpredictable, and capable of chaos if left unchecked. For developers and AppSec professionals, this complexity is a force multiplier for risk.
Checkmarx may not be a hoodie-wearing, Eggo-waffle loving, telekinetic superhero like 11 (brilliantly portrayed by actor Millie Bobby Brown). But it does deliver something close to a sixth sense for software: a unified, scalable security platform that spots hidden issues early and stops vulnerabilities from ever crossing into production.
Welcome to the Secure Side of the Upside Down
The boundary between “shipping software” and “securing software” is now mostly imaginary, like the line between “front end” and “back end” in a microservices repo with 47 folders named “shared.” Developers aren’t being dragged into security like the Demogorgon that got Barb. They are choosing it.
In Stack Overflow’s 2025 Developer Survey, when developers were asked what would turn them off or cause them to reject a technology, the #1 deal-breaker was “security or privacy concerns.” It outranked pricing, usability, and even the availability of better alternatives.
That’s not a minor preference. It’s a P-0 level ticket hitting the Jira workflow like a global outage. Security is no longer optional. It is the ultimate deal-breaker.
The New Hawkins Heroes: Developers as Defenders
A transformational shift is happening in software development: those who write the code are becoming responsible for defending it. Developers are the new defenders.
Developers sit at the epicenter of risk, seeing firsthand how vulnerabilities creep in through everyday actions: IDEs, pull requests, CI/CD pipelines, and production deploys. Like performance and reliability, security is a critical component that can make or break a product.
With at least 41% of code being generated by AI (and climbing), that shift doesn’t just accelerate velocity. It multiplies complexity. More components, more integrations, more code paths, and more chances for something small to become something serious. Every new link in the chain is a potential point of failure.
The good news? Developers are stepping up.
In GitLab’s 2024 Global DevSecOps Report, 58% of respondents agreed to some degree that they are primarily responsible for application security. A 2025 survey of 200 global CISOs sponsored by Checkmarx found that “well over half… (56%) said most of their development teams are fully integrated into application security programs, with 41% soliciting feedback from developers to improve security processes.”
Two important takeaways hide in this research.
First, developers aren’t “taking on security” as a philosophical statement. They’re doing it as a practical necessity because that’s where the leverage is. Security that arrives late arrives expensive.
Second, the shift doesn’t mean security teams fade into history like Steve Harrington’s big hair and high-waisted jeans. It means the operating model changes.
AppSec teams still own standards, governance, and threat expertise, but more of the day-to-day prevention now happens upstream in the developers’ workflow, where agentic AI for application security empowers them to code fast and keep shipping without compromise.
Of course, this doesn’t mean security teams have less to do. Prevention is now critical early in the development life cycle, but security teams still face a constant stream of threats and issues to keep them busy. This evolution frees them up to think more strategically and focus on challenges like organizational risk, governance, and compliance. (By the way, Checkmarx research found that only 18% of organizations have AI governance policies in place. That’s data for another episode, er, blog 😊.)
Vecna-Proof Your Releases
So, if you want developers to be more in-step with security, the question isn’t “how do we convince them?”
The question is: how do we make secure behavior the easiest behavior?
We’re entering an era where intelligent agents assist developers in real time, catching risks as code is written, offering context-aware fixes, and reducing remediation times from hours to seconds. The agentic future of Application Security is our top priority at Checkmarx, focusing on developer-first application security with a family of agents that bring real-time, context-aware prevention.
The stack is complicated but our mission is simple: secure code as it’s created, so teams move fast without adding risk. It’s the same instinct that kept the Stranger Things crew alive: don’t wander into the dark without a plan, and don’t ignore the weird noise just because you’re in a hurry.
Spoiler alert: in the Stranger Things finale, Joyce Byers (the amazing Winona Ryder) delivers well-earned justice with an axe to eliminate the evil Vecna, ruler of the Upside Down. In today’s software world, developers are the defenders—and Checkmarx is the protection they can wield to eliminate vulnerabilities before they turn your stack upside down.