Eric Gallagher | SecuringTheBackbone.com

@ericgallagher.bsky.social

💪 Author of "Securing the Backbone" newsletter | Challenging the status quo in software supply chain security | 🏃 Trying to make running a habit | 🎾 Tennis and ♠️ poker nerd | WV

24 Followers  |  60 Following  |  44 Posts  |  Joined: 24.02.2025  |  1.8202

Latest posts by ericgallagher.bsky.social on Bluesky

EXECUTIVE BRIEF | Why CVE Backlogs Shrink While Costs Keep Rising. How apparent security progress can mask growing operational spend. Prepared for Executive Leadership (CEO / CFO / CIO / CTO). Prepared b...

Full executive brief:
securingthebackbone.com/blog/stb-exe...

02.02.2026 14:35 — 👍 0    🔁 0    💬 0    📌 0

The organization didn’t eliminate the work.
It made the work continuous.

02.02.2026 14:35 — 👍 0    🔁 0    💬 1    📌 0

That’s not failure.
That’s a shift from deferred cost to recurring cost.

02.02.2026 14:35 — 👍 0    🔁 0    💬 1    📌 0

If teams close issues faster but new ones keep flowing in at the same rate, the system looks cleaner while labor demand stays flat — or rises.

02.02.2026 14:35 — 👍 0    🔁 0    💬 1    📌 0

Backlog metrics measure inventory.
Cost reflects throughput.
You can reduce the pile…
while the conveyor belt keeps running just as fast.

02.02.2026 14:35 — 👍 0    🔁 0    💬 1    📌 0

Your vulnerability backlog is shrinking.
Your remediation costs aren’t.
Both can be true at the same time.

02.02.2026 14:35 — 👍 0    🔁 0    💬 1    📌 0
Issue #42: Why "Verify Everything" Is Not an Operating Model Date: January 12, 2026 Last week, I argued that trust is dead, and that enforcement is what replaces it. Enforcement in the form of curated catalogs, golden repositories, well-lit paths, whatever you ...

securingthebackbone.com/blog/securin...

12.01.2026 15:14 — 👍 0    🔁 1    💬 0    📌 0

The Hidden Labor Cost of “Just Patch It”. SECURING THE BACKBONE | Executive Brief. Prepared For: Executive Leadership (CEO / CIO / CISO / CTO). Prepared By: Eric Gallagher. Date: December 29, 2025 ...

securingthebackbone.com/blog/stb-exe...

08.01.2026 19:29 — 👍 0    🔁 0    💬 0    📌 0
2025 State of Vulnerability Management and Remediation Report Download the State of Vulnerability Management & Remediation report for insights on DevSecOps challenges and strategies to overcome them.

👉 Get the full report from ActiveState to see the complete findings and benchmarks.
www.activestate.com/resources/20...

06.01.2026 14:06 — 👍 1    🔁 0    💬 0    📌 0

If container security and compliance are part of your 2026 priorities, the full 2026 State of Vulnerability Management & Remediation Report: Container Security Edition breaks down exactly where organizations are falling behind, and what’s replacing broken approaches.

06.01.2026 14:06 — 👍 1    🔁 0    💬 1    📌 0

The real failure point is remediation:
❌ Outdated base images
❌ Inherited CVEs
❌ Manual fixes that can’t keep up with ephemeral containers

The report shows that container adoption has outpaced security maturity, turning audits into a recurring risk event instead of a checkpoint.

06.01.2026 14:06 — 👍 1    🔁 0    💬 1    📌 0

🚨 78% of organizations have likely failed a compliance audit due to CVEs in container images.

Not because teams aren’t scanning.
Not because they don’t care about security.
But because finding vulnerabilities is no longer the hard part.

06.01.2026 14:06 — 👍 1    🔁 0    💬 1    📌 0

When compromise propagates inside the ecosystem itself, there is no clear breach moment and often nothing to “patch.”

This shift is explored further in a recent STB Executive Brief written for executive leadership. Reach out if you want a copy.

05.01.2026 14:26 — 👍 0    🔁 0    💬 0    📌 0

Some of the most disruptive software supply-chain attacks no longer exploit vulnerabilities.

They exploit trust, automation, and legitimate access — spreading through authorized workflows rather than breaking in.

05.01.2026 14:26 — 👍 0    🔁 0    💬 1    📌 0
Issue #41: If Trust Is Gone, What Replaces It? Date: January 4, 2026 We've spent years talking about Zero Trust. Never trust, always verify. It's on the slides. It's in the frameworks. It's embedded in every RFP you've ever read. But here's the un...

securingthebackbone.com/blog/securin...

04.01.2026 17:33 — 👍 1    🔁 0    💬 0    📌 0

I don’t know you, just found your feed, but don’t stop. Decline or not, you’re running, and that’s a win. “The best run is the run you CAN do now”

01.01.2026 14:04 — 👍 2    🔁 0    💬 1    📌 0

31.12.2025 23:14 — 👍 2    🔁 0    💬 0    📌 0

Here’s a little glimpse into the future. Go @sanfrancisco49ers.bsky.social !

31.12.2025 15:12 — 👍 2    🔁 1    💬 0    📌 0

Solutions like @ActiveState focus on preventing untrusted code from entering the pipeline in the first place, not just reacting after the fact.

Because when software can infect software, “just patch it” stops being a strategy.

It becomes a liability.

31.12.2025 14:11 — 👍 1    🔁 0    💬 0    📌 0

The real fix is control:
βœ”οΈ controlling which open-source packages enter the organization
βœ”οΈ controlling how builds are composed
βœ”οΈ controlling who can publish, pull, and promote artifacts

This is where curated catalogs, immutable builds, and hardened base images matter.

31.12.2025 14:11 — 👍 2    🔁 0    💬 1    📌 0

This new class of supply-chain attack spreads inside trusted developer workflows:
• no zero-days
• no obvious malware
• no CVEs to patch

Just automation + trust + public dependencies.

That’s why detection alone won’t stop it.

31.12.2025 14:11 — 👍 1    🔁 0    💬 1    📌 0

Shai Hulud isn’t scary because it’s sophisticated.
It’s scary because it’s allowed.

31.12.2025 14:11 — 👍 1    🔁 0    💬 1    📌 0

If you're in those boardroom conversations talking about CVEs, I expand on this further in this month's STB Executive Brief.

30.12.2025 01:24 — 👍 1    🔁 0    💬 0    📌 0

As scanning improves, numbers rise, remediation effort compounds, and leadership confidence can move in the wrong direction.

That gap rarely makes it into board conversations.

30.12.2025 01:24 — 👍 2    🔁 0    💬 1    📌 0

CVE counts are often treated as a proxy for security risk.

In reality, they measure visibility, not exposure — and say little about the labor required to manage that risk over time.

30.12.2025 01:24 — 👍 1    🔁 0    💬 1    📌 0

Securing the Backbone — 2025 Finale - The Year That Trust Broke. A Year-End Reality Check. Every year in cybersecurity gets labeled “a turning point.” Most aren’t. 2025 was different. Not because of one catastrophic breach. Not because of one new regulation. Not bec...

securingthebackbone.com/blog/securin...

29.12.2025 13:38 — 👍 1    🔁 0    💬 0    📌 0

Deepest Thoughts - Cyber Security Edition - August 8, 2025
YouTube video by Securing the Backbone

youtube.com/shorts/3DTXM...

08.08.2025 13:17 — 👍 2    🔁 0    💬 0    📌 0

Securing the Backbone – Issue #24: AI Is In Your Supply Chain. And It’s Already Being Breached. 🗓 August 4, 2025 ✍️ Eric Gallagher 🔒 Securing Software Supply Chains | 🎙 Host of Securing the Backbone | 📘 Author of The No-Nonsense Guide to Software Supply Chain Security. We’re officially in the era...

www.linkedin.com/pulse/securi...

04.08.2025 13:56 — 👍 1    🔁 0    💬 0    📌 0

🚨 Python devs targeted in phishing scam spoofing PyPI!

Emails urge you to “verify” your account via pypj[.]org — a fake site stealing credentials.

✅ Don’t click links
✅ Use MFA
✅ Go directly to pypi.org

Stay sharp.

01.08.2025 12:23 — 👍 0    🔁 0    💬 0    📌 0

31.07.2025 14:50 — 👍 2    🔁 0    💬 0    📌 0