Skip to main content

IBM and Red Hat Launch Lightwell Catalog to Automate Remediation

IBM and Red Hat this week revealed that Lightwell Network, a catalog of more than 6,500 application-layer dependencies that drives an automated vulnerability remediation service, is now generally available.

At the same time, the Lightwell Clearinghouse Premier service, through which application development teams can both access validated patches and coordinate remediation efforts, is now available to a limited number of organizations.

Ben Breard, a senior principal product manager at Red Hat, said collectively these two offerings will make it simpler for organizations to address 30 years of technical debt that is now being exposed by artificial intelligence (AI) models that make it possible to discover vulnerabilities and create exploits in a matter of hours.

At the core of the Lightwell service is a remediation engine that software engineers are using to
help identify, validate, and remediate vulnerabilities across critical dependencies embedded deep within modern software architectures. Lightwell then employs automation to backport critical fixes directly to specific, long-lived production software versions to reduce the amount of time required to update applications.

Organizations that subscribe to the Lightwell Network receive a continuous stream of digitally signed binaries, source code, and compliance artifacts, including software bills of materials (SBOMs).

Technology partners working with IBM and Red Hat to provide software artifacts and updates include Amazon Web Services (AWS), AMD, F5, GitLab, Intel, JFrog, Microsoft, NVIDIA, Palo Alto Networks, and ServiceNow. Providers of IT services that are also participating include Accenture, Atos, Cognizant, Deloitte, EY, HCLTech, Infosys, Kyndryl, LTM, NTT DATA, Tata Consultancy Services (TCS), and Tech Mahindra.

IBM and Red Hat earlier this year pledged $5 billion toward the Lightwell initiative through which more than 20,000 engineers are working to remediate vulnerabilities that might have been created by humans many years ago or an AI coding tool a few days ago. For example, IBM and Red Hat have remediated a vulnerability dating back to 2001 involving a legacy Apache Debian package that is still found in enterprise environments more than two decades later.

Ultimately, the goal is to rapidly improve the quality of the code that will increasingly be targeted by cybercriminals as they gain access to more advanced AI models, noted Breard.

Right now, access to advanced AI models from Anthropic and OpenAI is limited in the hopes that organizations will be able to remediate code before the volume of expected attacks starts to rise. However, cybercriminals are already using a range of AI models to discover vulnerabilities and craft exploits. As those AI models become more advanced in the weeks and months ahead, the more lethal the attacks against software supply chains will become.

The fundamental challenge is two-fold. Organizations that have deployed software need to discover and remediate as many existing vulnerabilities in their code bases as quickly as possible. Historically, organizations tended to wait months before applying a patch to ensure that any update made would not inadvertently take their applications offline. That process, however, now needs to occur in days and weeks to prevent cybercriminals from exploiting those weaknesses.

The second element is providing the maintainers of the open source software that is frequently being targeted with the tools and expertise they need to resolve application security issues. At the moment, organizations are discovering issues using AI, but few are contributing validated code to help open source maintainers resolve an issue. Far too many of the contributions being made are created using AI tools that often introduce additional vulnerabilities and weaknesses that adversaries might easily exploit in a downstream application, noted Breard.

The concern is that if the maintainers of the open source project are unable to address the issues, organizations will then create their own secure private forks of that code. The end result, however, would be a fracturing of an open source community in a way that might prove to be ultimately unsustainable, said Breard.

One way or another, a technical debt bill that many organizations have been ignoring for decades is now coming due. The issue now is finding the means to pay it off as quickly as possible without breaking the bank.



from DevOps.com https://ift.tt/Q2f10dU

Comments

Popular posts from this blog

Building a Security Feedback Process for DevOps

The last few years have seen some major slip-ups in the security space among all major cloud providers, resulting in uncertainty and speculation. That’s understanding; cloud security is an extremely complicated subject as enterprises build and deploy applications faster than ever before to keep up with business requirements. Most of the security issues that occur […] The post Building a Security Feedback Process for DevOps appeared first on DevOps.com . from DevOps.com http://bit.ly/2L1DS7t

Cloudbees Is A Launch Partner For Google Cloud Run As Product Goes Ga

Industry Leaders Collaborate to Offer Streamlined Deployment of Containerized Applications, Better Access to CloudBees Solutions on Google Cloud Platform Marketplace   GOOGLE CLOUD NEXT, LONDON AND SAN JOSE, CA. – November 20, 2019 – CloudBees, the enterprise DevOps leader powering the continuous economy, today announced an extension of its partnership with Google. As a Google […] The post Cloudbees Is A Launch Partner For Google Cloud Run As Product Goes Ga appeared first on DevOps.com . from DevOps.com https://ift.tt/2XuFTxc

Carbon-Aware DevOps: Turning CI/CD Pipelines Into Emissions-Controlled Workloads 

Turning continuous integration and continuous delivery (CI/CD) pipelines into emissions‑controlled workloads is a strategy businesses adopt to reduce the carbon footprint of their pipelines. This article examines how a Carbon-Aware DevOps strategy can help optimize CI/CD pipelines for sustainability by reducing their carbon footprint while also decreasing costs and meeting the increasing demand for innovative, eco-friendly solutions.   Understanding the Problem   Today’s organizations take advantage of CI/CD pipelines to streamline and accelerate their software delivery. However, these CI/CD pipelines can become a hindrance to sustainability because of the resources required to create, build, test and ultimately deploy software into production.   Typically, CI/CD pipelines run tens of thousands of automated builds, tests and deployments daily, thereby consuming significant compute and energy resources. If you don’t take the steps necessary to reduce the emissions generated by these ...