Podcast: The Security Strategist

Guest: John Amaral, Co-Founder & CTO, Root.io

Host: Chris Steffen, VP of Research, Enterprise Management Associates (EMA)

For over a decade, shift-left security has been the leading idea in DevSecOps. The concept was straightforward: move security earlier in the software development process so vulnerabilities could be fixed more quickly and cheaply.

However, new benchmark data suggests that the reality is quite different.

In the latest episode of The Security Strategist podcast, Chris Steffen sat down with John Amaral, Co-Founder and CTO of Root.io, to discuss why shift-left has stalled and why autonomous remediation and “shift-out” security is the best option moving forward.

One striking data point mentioned in the episode comes from the Shift-Out Benchmark Report by Root. It reveals that 82 per cent of organisations say they are confident in their shift-left strategy; however, only four per cent have achieved zero CVE backlog.

“That four per cent shocked me,” Steffen said during the conversation. “Honestly, it felt high.”

Amaral explained that this gap exists because the industry has focused on detection instead of remediation. “We built CVE detection at computer speed,” Amaral noted. “But remediation has never scaled beyond human speed.”

Modern pipelines can quickly identify vulnerabilities, open tickets, and generate extensive lists. However, the actual work of fixing those vulnerabilities still falls on engineering teams.


Detection Scales but Humans Don’t

Shift-left claimed that developers could fix security issues faster because they work closely with the code. In reality, that assumption falls apart, particularly for third-party and open-source dependencies.

The Root CTO added that developers are being asked to fix code they didn’t write, don’t own, and don’t understand. “They want to build features, not reverse-engineer open-source libraries.”

With over 90 per cent of modern applications built on open-source components, fixing a vulnerability usually means upgrading the affected dependency. That upgrade path often turns into a risky trade-off.

Upgrading dependencies has long been the go-to remediation strategy. However, recent supply-chain attacks, such as the Shai-Hulud-style malware injections, have shown how dangerous blind upgrades can be.

“If you compromise a popular repository at the right moment, malware can spread to millions of downstream projects in minutes,” Amaral warned.

Organisations now face a difficult choice: upgrade automatically and risk pulling in malware, or pin dependencies and leave CVEs that are hard to fix quickly. “Pinning protects you from supply-chain attacks,” Amaral said, “but now you’ve created a CVE backlog you don’t have the resources to clear.”

What Is “Shift-Out” Security?

Instead of pushing remediation earlier in the pipeline (shift-left), Amaral suggests organisations need to shift it out, removing the responsibility from developers entirely.

Shift-out security relies on three elements: pinned dependencies to prevent untrusted upgrades, automated backporting and patching for known CVEs, and AI-backed remediation that operates independently of engineering teams.

“Remediation shouldn’t be done by your engineers,” the co-founder of Root told Steffen. “It should be managed by technology that operates at the same speed as detection.”

This method allows organisations to keep tight control over dependencies while still meeting service level agreements for critical and high-severity vulnerabilities.
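The trade-off Amaral describes (floating version ranges that accept whatever the registry serves next, versus pinned versions that accumulate known CVEs) can be made concrete with a small dependency audit. The following is an added example, not code from Root.io or from the podcast: it parses a requirements.txt-style list, flags floating specs that a compromised release would silently satisfy, and checks each pinned version against a constructed advisory table (the `ADV-EXAMPLE-*` ids, package versions and the `SAMPLE_REQUIREMENTS` file are all hypothetical) to produce the backlog and a remediation target per package.

```python
import re
from dataclasses import dataclass

# Constructed sample input: a hypothetical requirements file mixing pinned,
# range-constrained and unconstrained dependencies. Not from any real project.
SAMPLE_REQUIREMENTS = """\
# web stack (constructed example)
requests==2.28.0
urllib3>=1.26
pyyaml==5.3.1
flask~=2.2
certifi
"""

# Constructed advisory data: package -> [(advisory id, first affected,
# last affected, first fixed)]. Placeholder ids, not real CVE numbers.
KNOWN_VULNS = {
    "requests": [("ADV-EXAMPLE-0001", "2.0.0", "2.30.0", "2.31.0")],
    "pyyaml": [("ADV-EXAMPLE-0002", "0.0.0", "5.3.1", "5.4")],
}

# name, optional operator, optional version (covers the common pip forms)
SPEC_RE = re.compile(
    r"^\s*([A-Za-z0-9_.\-]+)\s*(==|>=|<=|~=|!=|>|<)?\s*([0-9][0-9A-Za-z.]*)?\s*$"
)


def parse_version(v):
    """Turn '2.28.0' into (2, 28, 0) so versions compare numerically."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def parse_requirements(text):
    """Yield (name, operator, version) for each non-comment line."""
    deps = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = SPEC_RE.match(line)
        if not m:
            raise ValueError(f"unsupported requirement line: {line!r}")
        deps.append((m.group(1).lower(), m.group(2), m.group(3)))
    return deps


@dataclass
class Finding:
    name: str
    status: str  # "floating", "pinned-clean" or "pinned-vulnerable"
    detail: str
    fix: str = ""  # first fixed version when status is pinned-vulnerable


def audit(text, vulns=KNOWN_VULNS):
    """Classify every dependency into the two failure modes plus the clean case."""
    findings = []
    for name, op, ver in parse_requirements(text):
        if op != "==":
            spec = f"{op or ''}{ver or ''}" or "any version"
            findings.append(Finding(
                name, "floating",
                f"resolves to {spec}; the next build installs whatever the "
                f"registry serves, including a compromised release"))
            continue
        v = parse_version(ver)
        hits = [a for a in vulns.get(name, [])
                if parse_version(a[1]) <= v <= parse_version(a[2])]
        if not hits:
            findings.append(Finding(name, "pinned-clean",
                                    f"pinned at {ver}, no known advisory"))
            continue
        # If several advisories apply, the highest fixed version clears them all.
        fixed = max((h[3] for h in hits), key=parse_version)
        ids = ", ".join(h[0] for h in hits)
        findings.append(Finding(
            name, "pinned-vulnerable",
            f"pinned at {ver}, affected by {ids}; remediation target {fixed}",
            fix=fixed))
    return findings


def remediation_plan(findings):
    """The CVE backlog as package -> version an automated fix should land on."""
    return {f.name: f.fix for f in findings if f.status == "pinned-vulnerable"}


if __name__ == "__main__":
    results = audit(SAMPLE_REQUIREMENTS)
    for f in results:
        print(f"{f.name:10} {f.status:17} {f.detail}")
    print("backlog:", remediation_plan(results))
```

Run against the constructed input, the audit reports `urllib3`, `flask` and `certifi` as floating (the blind-upgrade exposure) and `requests` and `pyyaml` as pinned but vulnerable (the backlog pinning creates). In a shift-out pipeline the output of `remediation_plan` is the work item handed to automation, which backports or rebuilds the package at the target version, rather than a ticket handed to a developer.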

“In 2026, you need a real dependency management strategy—one that assumes supply-chain attacks will keep happening,” Amaral added.

With state actors increasingly targeting open-source ecosystems, the stakes continue to rise. “Shai-Hulud is just the tip of the iceberg,” Amaral concluded. “This will happen again and again. You need to be ready.”

Shift-left helped organisations identify their risk, but it didn’t eliminate it. As vulnerability backlogs increase and engineering teams face burnout, autonomous remediation and shift-out security are becoming the next step in DevSecOps.

To learn more about this approach, visit Root.io or listen to the full episode of The Security Strategist podcast on EM360Tech.

Takeaways

  • The shift-left approach is not yielding the expected results.
  • Only 4% of teams have achieved a zero CVE backlog, indicating a significant gap in vulnerability management.
  • Remediation processes have not scaled with the speed of detection, leading to a backlog of vulnerabilities.
  • Engineers prefer to work on first-party code rather than third-party open source libraries, complicating remediation efforts.
  • Burnout among engineers is a critical issue due to the overwhelming vulnerability management tasks.
  • Security is increasingly viewed as a business problem, impacting organisational success.
  • Effective vulnerability management requires a shift towards autonomous remediation.
  • Pinning dependencies can help mitigate risks associated with open source vulnerabilities.
  • The Shai-Hulud attack exemplifies the risks of automated upgrades in software supply chains.
  • Organisations need a cogent strategy for managing software dependencies to stay ahead of security threats.

Chapters

  • 00:00 Introduction to Cybersecurity Challenges
  • 03:00 The Shift Left vs. Shift Out Debate
  • 05:48 Understanding Vulnerability Management
  • 08:58 The Role of Open Source in Security
  • 11:40 Impact of Vulnerability Remediation on Engineering Teams
  • 15:00 The Business Perspective on Security
  • 18:02 Autonomous Remediation and Its Importance
  • 20:47 Strategies for Effective Vulnerability Management
