DevOps.com

IBM and Red Hat Launch Lightwell Catalog to Automate Remediation

General Availability of Lightwell Network

IBM and Red Hat this week revealed that Lightwell Network, a catalog of more than 6,500 application-layer dependencies that drives an automated vulnerability remediation service, is now generally available. At the same time, the Lightwell Clearinghouse Premier service, through which application development teams can both access validated patches and coordinate remediation efforts, is now available to a limited number of organizations.

Ben Breard, a senior principal product manager at Red Hat, said collectively these two offerings will make it simpler for organizations to address 30 years of technical debt that is now being exposed by artificial intelligence (AI) models that make it possible to discover vulnerabilities and create exploits in a matter of hours.

Core Remediation Engine

At the core of the Lightwell service is a remediation engine that software engineers are using to help identify, validate, and remediate vulnerabilities across critical dependencies embedded deep within modern software architectures. Lightwell then employs automation to backport critical fixes directly to specific, long-lived production software versions to reduce the amount of time required to update applications.

Organizations that subscribe to the Lightwell Network receive a continuous stream of digitally signed binaries, source code, and compliance artifacts, including software bills of materials (SBOMs).

Partner Ecosystem

Technology partners working with IBM and Red Hat to provide software artifacts and updates include:

  • Amazon Web Services (AWS)
  • AMD
  • F5
  • GitLab
  • Intel
  • JFrog
  • Microsoft
  • NVIDIA
  • Palo Alto Networks
  • ServiceNow

Providers of IT services that are also participating include:

  • Accenture
  • Atos
  • Cognizant
  • Deloitte
  • EY
  • HCLTech
  • Infosys
  • Kyndryl
  • LTM
  • NTT DATA
  • Tata Consultancy Services (TCS)
  • Tech Mahindra

Investment and Scale

IBM and Red Hat earlier this year pledged $5 billion toward the Lightwell initiative through which more than 20,000 engineers are working to remediate vulnerabilities that might have been created by humans many years ago or an AI coding tool a few days ago. For example, IBM and Red Hat have remediated a vulnerability dating back to 2001 involving a legacy Apache Debian package that is still found in enterprise environments more than two decades later.

AI-Driven Threat Landscape

Ultimately, the goal is to rapidly improve the quality of the code that will increasingly be targeted by cybercriminals as they gain access to more advanced AI models, noted Breard. Right now, access to advanced AI models from Anthropic and OpenAI is limited in the hopes that organizations will be able to remediate code before the volume of expected attacks starts to rise.

However, cybercriminals are already using a range of AI models to discover vulnerabilities and craft exploits. As those AI models become more advanced in the weeks and months ahead, the more lethal the attacks against software supply chains will become.

Two-Fold Challenge

The fundamental challenge is two-fold:

  1. Organizations that have deployed software need to discover and remediate as many existing vulnerabilities in their code bases as quickly as possible. Historically, organizations tended to wait months before applying a patch to ensure that any update made would not inadvertently take their applications offline. That process, however, now needs to occur in days and weeks to prevent cybercriminals from exploiting those weaknesses.

  2. The second element is providing the maintainers of the open source software that is frequently being targeted with the tools and expertise they need to resolve application security issues. At the moment, organizations are discovering issues using AI, but few are contributing validated code to help open source maintainers resolve an issue.

Open Source Community Concerns

Far too many of the contributions being made are created using AI tools that often introduce additional vulnerabilities and weaknesses that adversaries might easily exploit in a downstream application, noted Breard. The concern is that if the maintainers of the open source project are unable to address the issues, organizations will then create their own secure private forks of that code.

The end result, however, would be a fracturing of an open source community in a way that might prove to be ultimately unsustainable, said Breard. One way or another, a technical debt bill that many organizations have been ignoring for decades is now coming due. The issue now is finding the means to pay it off as quickly as possible without breaking the bank.

Comments

No comments yet. Start the discussion.