Setting the Backlog on Fire

It’s finally time to start fixing things! After all the prioritization, classification, and workflow design, you’ve reached the moment where you can actually begin reducing your security backlog. Historically, this has meant developers going through findings one by one, manually implementing fixes, running tests, validating that nothing broke, and opening pull requests for peer review.

This manual approach still works, and it’s still common across the industry. But it shouldn’t be your only option, especially when you’re dealing with large backlogs that could take months or years to clear through purely manual remediation.

The AI-Augmented Remediation Revolution

Human-based fixes can now be significantly augmented by AI to create a better developer experience and drive substantially better efficiency during remediation. This typically involves a combination of an LLM that has access to your codebase and some form of security scanner to validate that proposed fixes aren’t introducing new vulnerabilities or breaking existing functionality.

AI-driven development has become such a common part of developers’ workflows that it can help with burning down security backlogs just as effectively as it helps with creating new code. The key difference is that backlog remediation requires understanding existing code patterns, potential side effects, and the broader application context—areas where AI systems with access to your full codebase can be particularly valuable.

If you’ve skipped some of the previous chapters and don’t already have prioritized, classified results, you can certainly use AI to help with initial triage and prioritization. But the critical point here is that you don’t want to start fixing “everything” indiscriminately. Taking a spray-and-pray approach to security remediation is highly likely to break something, introduce new vulnerabilities, or create technical debt that’s worse than the original security issues.

The Systematic Approach to Backlog Remediation

Effective backlog remediation follows a systematic process that considers both the technical and business impact of changes:

Identify What You’re Fixing

Start with clear identification of the specific vulnerability, its location in your codebase, its potential impact, and its relationship to other components. This isn’t just about understanding the technical details—you need to understand how the vulnerable code fits into your application’s broader architecture and business logic.

AI can help with this identification by analyzing code patterns, tracing data flows, and identifying all the places where similar vulnerabilities might exist. Instead of fixing one instance of a SQL injection vulnerability, you can identify and address the entire class of similar issues across your application.

Determine First-Party vs. Third-Party Code

The remediation approach differs significantly depending on whether you’re dealing with code your team wrote versus dependencies and libraries from external sources.

First-party code gives you complete control over the fix. You can modify the code directly, adjust the implementation approach, or refactor the surrounding architecture if necessary. AI can suggest specific code changes, help identify the safest modification approach, and even generate test cases to validate the fix.

Third-party code requires a different strategy. You typically can’t modify the vulnerable code directly, so your options are upgrading to a patched version, replacing the dependency with a secure alternative, or implementing compensating controls that mitigate the vulnerability without changing the underlying library.

First-Party Code Remediation Strategy

When fixing vulnerabilities in code your team controls, the process typically involves:

Understanding the root cause: Don’t just fix the symptom—understand why the vulnerability exists and whether similar patterns exist elsewhere in your codebase. AI can help identify these patterns and suggest architectural improvements that prevent entire classes of vulnerabilities.

Implementing targeted fixes: Make the minimal changes necessary to address the security issue without breaking existing functionality. AI can suggest specific code modifications and help identify potential side effects of those changes.

Comprehensive testing: Validate that your fix actually resolves the vulnerability without introducing new issues. This includes both security testing to confirm the vulnerability is gone and functional testing to ensure the application still works correctly.

Third-Party Dependency Management

Third-party vulnerabilities often require a more strategic approach:

Impact assessment: Before upgrading any dependencies, understand what else might break. AI can help analyze your codebase to identify all the places where a dependency is used and predict potential compatibility issues with newer versions.

Batch upgrades where possible: Instead of upgrading dependencies one by one, look for opportunities to upgrade multiple related packages together. This approach minimizes the number of separate changes and reduces the overall testing burden.

Breaking change evaluation: Major version upgrades of dependencies often include breaking changes that require code modifications. AI can help identify these breaking changes and suggest the code modifications needed to accommodate them.

The AI-Assisted Workflow in Practice

Modern AI-assisted remediation typically follows this pattern:

Analysis and suggestion: AI analyzes the vulnerable code, understands the surrounding context, and suggests specific remediation approaches. This might include multiple options with different trade-offs in terms of implementation complexity, performance impact, and architectural changes.

Validation and refinement: Security scanners validate that proposed fixes actually address the vulnerability without introducing new issues. This creates a feedback loop that helps refine the AI’s suggestions and ensures that fixes are genuinely effective.

Testing and integration: AI can help generate test cases that validate both the security fix and the continued functionality of the application. This includes both positive tests (ensuring the application still works) and negative tests (ensuring the vulnerability is actually fixed).

The Human Element Remains Critical

AI can significantly accelerate security remediation, but it will make mistakes. Always review AI-generated code changes for correctness, completeness, and potential side effects. Ensure that the application still works as expected after implementing fixes, and validate that the security issue is actually resolved rather than just superficially addressed.

The most effective approach combines AI efficiency with human oversight. Let AI handle the routine analysis, code generation, and initial testing, but maintain human review for final validation, business logic considerations, and architectural decisions.

Scaling Your Remediation Efforts

The goal isn’t just to fix individual vulnerabilities—it’s to systematically reduce your security backlog while building organizational capabilities that prevent similar issues in the future.

Pattern recognition: As you fix vulnerabilities, look for patterns that indicate broader issues with coding practices, architectural decisions, or development processes. AI can help identify these patterns across your entire codebase.

Preventive measures: Use remediation efforts as opportunities to implement preventive controls—linting rules, security libraries, architectural patterns—that make entire classes of vulnerabilities less likely to occur in future development.

Knowledge sharing: Document successful remediation approaches and share them across your development teams. AI can help create reusable remediation templates that can be applied to similar vulnerabilities in the future.

Measuring Progress and Impact

Track your progress not just in terms of vulnerabilities fixed, but in terms of overall security posture improvement. This includes metrics like:

• Reduction in backlog size over time
• Time to remediation for different types of vulnerabilities
• Rate of new vulnerability introduction versus remediation
• Developer satisfaction with remediation tools and processes

The ultimate measure of success is building a sustainable remediation capability that can keep pace with both your existing security debt and newly discovered vulnerabilities, while maintaining development velocity and application reliability.

Setting your backlog on fire isn’t about rushing through fixes—it’s about building efficient, sustainable processes that systematically improve your security posture while leveraging both AI capabilities and human expertise to achieve results that neither could accomplish alone.