Podcast: The Security Strategist Guest: John Amaral, Co-Founder & CTO, Root.io Host: Chris Steffen, VP of Research, Enterprise Management Associates (EMA) For over a decade, shift-left security has been the leading idea in DevSecOps. The concept was straightforward: move security earlier in the software development process so vulnerabilities could be fixed more quickly and cheaply. However, new benchmark data suggests that the reality is quite different. In the latest episode of The Security Strategist podcast, Chris Steffen sat down with John Amaral, Co-Founder and CTO of Root.io, to discuss why shift-left has stalled and why autonomous remediation and “shift-out” security is the best option moving forward. One striking data point mentioned in the episode comes from the Shift-Out Benchmark Report by Root. It reveals that 82 per cent of organisations say they are confident in their shift-left strategy; however, only four per cent have achieved zero CVE backlog. “That four per cent shocked me,” Steffen expressed during the conversation. “Honestly, it felt high.” Amaral explained that this gap exists because the industry has focused on detection instead of remediation. “We built CVE detection at computer speed,” Amaral noted. “But remediation has never scaled beyond human speed.” Modern pipelines can quickly identify vulnerabilities, open tickets, and generate extensive lists. However, the actual work of fixing those vulnerabilities still falls on engineering teams. Takeaways The shift left approach is not yielding the expected results. Only 4% of teams have achieved zero CVE depth, indicating a significant gap in vulnerability management. Remediation processes have not scaled with the speed of detection, leading to a backlog of vulnerabilities. Engineers prefer to work on first-party code rather than third-party open source libraries, complicating remediation efforts. Burnout among engineers is a critical issue due to the overwhelming vulnerability management tasks. Security is increasingly viewed as a business problem, impacting organisational success. Effective vulnerability management requires a shift towards autonomous remediation. Pinning dependencies can help mitigate risks associated with open source vulnerabilities. The Shia Lute attack exemplifies the risks of automated upgrades in software supply chains. Organisations need a cogent strategy for managing software dependencies to stay ahead of security threats. Chapters 00:00 Introduction to Cybersecurity Challenges 03:00 The Shift Left vs. Shift Out Debate 05:48 Understanding Vulnerability Management 08:58 The Role of Open Source in Security 11:40 Impact of Vulnerability Remediation on Engineering Teams 15:00 The Business Perspective on Security 18:02 Autonomous Remediation and Its Importance 20:47 Strategies for Effective Vulnerability Management #Shift-leftsecurity #vulnerabilitymanagement #autonomous remediation #softwaresupplychainsecurity #CVEbacklog #DevSecOps #Root.io #EM360Tech #dependencymanagement #shift-outsecurity

Can Your Observability Stack Handle 24/7 Agentic Query Volume?
21 views

Agentic AI is changing Cybersecurity in 2026
22 views

Coding Agents are an identity problem in 2026
20 views

Claude Mythos and the future of cybersecurity
29 views

AI Hype vs Reality: What Security Leaders Are Getting Wrong
23 views

Why Most Enterprise AI Investments Fail to Deliver ROI
25 views