Setting the Backlog on Fire

Early Release: The following content is an early preview and should be considered a work in progress. Information may be missing or incomplete until the final release

Let’s be honest, nobody wants to work on the security backlog. It’s the digital equivalent of cleaning out the garage: necessary, tedious, and endlessly postponable in favor of building something new and exciting. Developers didn’t sign up to spend their days fixing old vulnerabilities when they could be shipping features that actually move the business forward.

If you work in a large enterprise, your security backlog is probably downright daunting. We’re talking months or even years worth of accumulated security debt that no one wants to touch with a ten-foot pole. That massive spreadsheet of vulnerabilities sits there, growing longer by the day, while teams focus on literally anything else. The backlog becomes this looming presence that everyone acknowledges but nobody tackles…until it shows up in a compliance audit, or worse, a security incident.

But something is changing. Advances in AI are allowing us to approach the backlog in a fundamentally different way; one that makes meaningful progress with velocity that was previously impossible. Instead of resigning ourselves to years of manual remediation drudgery, we can now leverage AI to burn through these accumulated security issues at a pace that actually makes a difference.

It’s time to set the backlog on fire and eliminate the security issues that have been staring us in the face for far too long. The tools and techniques are finally starting to appear to make this a reality. The question is no longer, “can we tackle this mountain of security debt?”, but rather “how fast can we make it disappear entirely?”.

Choosing Your Remediation Strategy

The first critical decision is determining how issues will be fixed. This choice significantly impacts your remediation velocity, quality, and resource allocation.

Traditional Human Approach: Developers manually review each finding, implement fixes, run tests, and submit pull requests. This traditional approach provides maximum control and learning opportunities but is time-intensive and doesn’t scale well for large backlogs.

AI-Driven Remediation: Developers use AI assistance to generate fix suggestions, write remediation code, and create test cases. Humans maintain oversight and make final decisions but benefit from AI-accelerated implementation. This hybrid approach balances speed with human judgment. For the majority of the market, this is the current favored approach.

Full Agentic Remediation: AI agents autonomously analyze findings, implement fixes, run validations, and create pull requests with minimal human intervention. This approach maximizes velocity but requires robust test coverage and appropriate governance controls.

Most organizations will use a combination of these approaches, applying different strategies based on issue complexity, application criticality, and team capacity. For the purposes of this section we will focus on AI-Driven Remediation.

Sorting the Queue

If you recall we previously talked about the importance of prioritization based on application and technical context. We then performed an analysis to ensure that we are only working with true positives. Now that we have the final list of items to remediation, the last step is to sort them (so we can quickly fix them).

Again, this used to be a tedious process where a developer would have to figure out what to pull from the queue and in what order. Thanks to AI, we can sort, slice, and analyze different portions of the queue in a more meaningful and expeditious way.

Perhaps you want to stick with a simple “highest severity first” ordering. Not a problem, but there are definitely some more creative approaches that can make a more immediate impact. What about sorting based on an issue type (eradicating all SQL Injections anyone?). Perhaps the focus is package remediation by which you refactor the code to no longer require a specific set of packages (reducing security risk and technical debt at the same time).

There are many ways in which you can sort the queue, the important thing is that you let AI do the heavy lifting and ensure that the remediation priority is aligned with how the business views risk reduction overall. If you’re lucky, a good chunk of the backlog is also reduced through proper implementation of ignores before you even see your first issue!

Leveraging AI for Safety and Efficiency

In addition to sorting the queue, we’ll want to begin remediation systematically, maintaining constant vigilance on potential breakability (a developer’s worst nightmare). Changes to any code, whether it’s your own, third-party dependencies, or build configurations, can have serious unintended consequences if approached carelessly. Some considerations that you should keep in mind when fixing issues.

Breaking Change Detection: AI can analyze proposed fixes against your codebase to identify potential breaking changes, incompatible API usage, or dependency conflicts before they become problems.

Impact Analysis: Modern AI can trace how a security fix might affect other parts of your application, helping you understand the full scope of changes needed.

Test Generation: AI excels at creating comprehensive test cases that validate both the security fix and continued functionality, helping catch regressions before they reach production.

Code Review Assistance: AI can perform initial code reviews of security fixes, flagging potential issues, suggesting improvements, and ensuring fixes follow your organization’s coding standards.

The great thing about AI is that it isn’t limited to one role. You can use it for code generation, security issue remediation, code quality analysis, and expert code analysis. Changing perspective through carefully crafted prompts allows you to use AI for remediation and safety, but most importantly you can accomplish both roles as efficiently as possible.

Building Sustainable Remediation Capabilities

Each remediation cycle provides opportunities for continuous improvement. Document common vulnerability patterns and their fixes to build a knowledge base that prevents similar issues in future development (remember our internal model use case from earlier?). Use remediation insights to improve scanning accuracy and reduce false positives in future scans. Identify bottlenecks in your remediation workflow and optimize them. If dependency updates consistently cause problems, develop better testing strategies.

Share successful remediation approaches across development teams, and leverage AI to create reusable remediation templates applicable to similar vulnerabilities. The goal isn’t just clearing your current backlog but building capabilities that keep future backlogs manageable while improving your overall security posture.

Measuring Progress and Impact

This is probably the most important part of this chapter. If you ultimately can’t track the process, or subsequent impact, of your remediation then it quickly becomes hard to justify the time investment. You should consider tracking your progress not just in terms of vulnerabilities fixed, but in terms of overall security posture improvement. This includes metrics like:

• Reduction in (total) backlog size over time
• Mean time to remediation (MTTR) for different types of vulnerabilities
• Rate of net-new vulnerabilities introduced versus remediation
• Developer satisfaction with remediation tools and processes

The ultimate measure of success is building a sustainable remediation capability that can keep pace with both your existing security debt and burn down the backlog of existing issues…all while maintaining development velocity and application reliability.

Setting your backlog on fire isn’t about rushing through fixes; it’s about building efficient, sustainable processes that systematically improve your security posture while leveraging both AI capabilities and human expertise to achieve results that neither could accomplish alone.