Vigyata.AI
Is this your channel?

Why Are Vulnerability Backlogs Still Growing Despite Better Detection?

34 views· 28:18· Jan 28, 2026

Podcast: The Security Strategist Guest: John Amaral, Co-Founder & CTO, Root.io Host: Chris Steffen, VP of Research, Enterprise Management Associates (EMA) For over a decade, shift-left security has been the leading idea in DevSecOps. The concept was straightforward: move security earlier in the software development process so vulnerabilities could be fixed more quickly and cheaply. However, new benchmark data suggests that the reality is quite different. In the latest episode of The Security Strategist podcast, Chris Steffen sat down with John Amaral, Co-Founder and CTO of Root.io, to discuss why shift-left has stalled and why autonomous remediation and “shift-out” security is the best option moving forward. One striking data point mentioned in the episode comes from the Shift-Out Benchmark Report by Root. It reveals that 82 per cent of organisations say they are confident in their shift-left strategy; however, only four per cent have achieved zero CVE backlog. “That four per cent shocked me,” Steffen expressed during the conversation. “Honestly, it felt high.” Amaral explained that this gap exists because the industry has focused on detection instead of remediation. “We built CVE detection at computer speed,” Amaral noted. “But remediation has never scaled beyond human speed.” Modern pipelines can quickly identify vulnerabilities, open tickets, and generate extensive lists. However, the actual work of fixing those vulnerabilities still falls on engineering teams. Takeaways The shift left approach is not yielding the expected results. Only 4% of teams have achieved zero CVE depth, indicating a significant gap in vulnerability management. Remediation processes have not scaled with the speed of detection, leading to a backlog of vulnerabilities. Engineers prefer to work on first-party code rather than third-party open source libraries, complicating remediation efforts. Burnout among engineers is a critical issue due to the overwhelming vulnerability management tasks. Security is increasingly viewed as a business problem, impacting organisational success. Effective vulnerability management requires a shift towards autonomous remediation. Pinning dependencies can help mitigate risks associated with open source vulnerabilities. The Shia Lute attack exemplifies the risks of automated upgrades in software supply chains. Organisations need a cogent strategy for managing software dependencies to stay ahead of security threats. Chapters 00:00 Introduction to Cybersecurity Challenges 03:00 The Shift Left vs. Shift Out Debate 05:48 Understanding Vulnerability Management 08:58 The Role of Open Source in Security 11:40 Impact of Vulnerability Remediation on Engineering Teams 15:00 The Business Perspective on Security 18:02 Autonomous Remediation and Its Importance 20:47 Strategies for Effective Vulnerability Management #Shift-leftsecurity #vulnerabilitymanagement #autonomous remediation #softwaresupplychainsecurity #CVEbacklog #DevSecOps #Root.io #EM360Tech #dependencymanagement #shift-outsecurity

🎬 More from Enterprise Management 360