IBM and Red Hat Launch Lightwell Catalog to Automate Vulnerability Remediation
A new tool aimed at streamlining the process of identifying and fixing vulnerabilities in software has been launched by IBM and Red Hat. The companies have made available a catalog called Lightwell Network, which contains over 6,500 application-layer dependencies that can be used to automate vulnerability remediation. This service is designed to help organizations address what Ben Breard, senior principal product manager at Red Hat, describes as ‘30 years of technical debt’ that has been exposed by the use of artificial intelligence (AI) models to discover vulnerabilities and create exploits in a matter of hours.
The Lightwell Clearinghouse Premier service, which allows application development teams to access validated patches and coordinate remediation efforts, is also now available. However, this service is currently limited to a small number of organizations. Breard notes that the combination of these two offerings will make it easier for companies to address existing vulnerabilities in their code bases.
At the heart of the Lightwell service is a remediation engine that helps identify, validate, and fix vulnerabilities across critical dependencies embedded deep within modern software architectures. The tool then uses automation to backport critical fixes directly to specific production software versions, reducing the time required for updates. Organizations subscribing to the Lightwell Network receive a continuous stream of digitally signed binaries, source code, and compliance artifacts, including software bills of materials (SBOMs).
Technology partners working with IBM and Red Hat include Amazon Web Services (AWS), AMD, F5, GitLab, Intel, JFrog, Microsoft, NVIDIA, Palo Alto Networks, and ServiceNow. Providers of IT services participating in the initiative include Accenture, Atos, Cognizant, Deloitte, EY, HCLTech, Infosys, Kyndryl, LTM, NTT DATA, Tata Consultancy Services (TCS), and Tech Mahindra.
IBM and Red Hat have pledged $5 billion toward the Lightwell initiative, which involves over 20,000 engineers working to remediate vulnerabilities created by humans many years ago or AI coding tools a few days ago. For example, IBM and Red Hat have already fixed a vulnerability dating back to 2001 involving a legacy Apache Debian package still found in enterprise environments more than two decades later.
The ultimate goal is to rapidly improve the quality of code that will increasingly be targeted by cybercriminals as they gain access to advanced AI models. Breard notes that right now, access to these models from Anthropic and OpenAI is limited, but this may not last for long. As those AI models become more sophisticated in the weeks and months ahead, the attacks against software supply chains will likely become more lethal.
The challenge facing organizations is two-fold: they need to discover and remediate existing vulnerabilities as quickly as possible, and provide maintainers of open source software with the tools and expertise needed to resolve application security issues. Historically, companies have tended to wait months before applying a patch to ensure that any update would not inadvertently take their applications offline. However, this process now needs to occur in days and weeks to prevent cybercriminals from exploiting those weaknesses.
Breard notes that organizations are discovering vulnerabilities using AI tools but few are contributing validated code to help open source maintainers resolve issues. Many of the contributions being made are created using AI tools that often introduce additional vulnerabilities and weaknesses that adversaries might easily exploit in a downstream application. The concern is that if the maintainers of an open source project are unable to address the issues, organizations may create their own secure private forks of that code, leading to a fracturing of the community.
One way or another, a technical debt bill that many organizations have been ignoring for decades is now coming due. The issue now is finding the means to pay it off as quickly as possible without breaking the bank.