IBM and Red Hat launch Lightwell to defend open-source code from AI attacks

1 hour ago 5
IBM and Red Hat person  moved Project Lightwell from imaginativeness   to product
IBM/Red Hat

Follow ZDNET: Add america arsenic a preferred source connected Google.


ZDNET's cardinal takeaways

  • Lightwell is present a work for open-source AI defense.
  • Akrites and Athena are taking akin approaches.
  • AI-driven attacks request AI-powered defenders.

For bundle developers, AI is some a blessing and a curse. On the 1 hand, AI enables developers to physique programs faster than ever. On the different hand, AI enables hackers to find and exploit information holes adjacent faster. 

To woody with this, IBM and Red Hat launched Project Lightwell

Backed by a $5 billion, AI-powered initiative, Lightwell's occupation is to find and hole vulnerabilities successful open-source bundle astatine an concern scale. Now, it's moved from a task to products: Lightwell Network and Lightwell Clearinghouse Premier.

Also: Open-source information is simply a messiness - IBM and Red Hat stake $5 cardinal and 20,000 engineers tin hole it

Lightwell Network is mostly available, portion Lightwell Clearinghouse Premier is entering a limited-availability onboarding phase. According to the companies, "Lightwell present extends that proven endeavor extortion to an organization's full bundle portfolio." Both services supply a mode to unafraid open-source components for enterprises, not conscionable those that vessel wrong Red Hat and IBM products.

Turbo-charged open-source information

Both companies stress that this is not truthful overmuch a caller attack arsenic a supercharged open-source mega-project backed by AI and 20,000 engineers. It's "a exemplary built connected decades of trust, successful which Red Hat has secured the astir captious systems successful the satellite for thousands of customers," and scaling it to screen a overmuch broader portion of the bundle stack.

At the bosom of the offering is what the brace describes arsenic "the high-throughput capableness of a generative AI-powered remediation motor that is already unrecorded and operating astatine scale." This automation pipeline "combines frontier AI models with quality engineering expertise to identify, validate, and remediate vulnerabilities crossed captious dependencies embedded heavy wrong modern bundle architectures." 

Also: IBM says it tin acceptable astir 100 cardinal transistors connected a spot - wherefore the milestone matters

Rather than insisting customers perpetually pursuit upstream releases, Lightwell "uses automation to backport captious fixes straight to exact, long-lived accumulation bundle versions, helping to code the lengthy regression investigating and breaking changes that often paralyze teams forced to follow large upstream upgrades."

The archetypal caller product, Lightwell Network, provides "immediate entree to an progressive and increasing room of contented spanning latest to bequest libraries with high-value remediations." Members person "a continuous watercourse of digitally signed binaries, root code, and broad compliance artifacts, including implicit Software Bills of Materials (SBOMs), delivered straight into existing pipelines without codification drift."

The second, Lightwell Clearinghouse Premier, is "designed to service arsenic a trusted intermediary for heavy manufacture collaboration, precocious vertical menace coordination, and secured spot embargoes."

Initially, Lightwell Clearinghouse Premier volition beryllium constricted to fiscal services. Participating organizations tin taxable vulnerabilities and petition "targeted mentation remediation nether a secured embargo window." If successful, it volition beryllium expanded into government, healthcare, and telecommunications.

How Lightwell changes the patching equation

IBM and Red Hat are explicit that the people is what they picture arsenic a breached remediation exemplary successful the property of inexpensive AI-driven exploitation. With unfastened root "running endeavor software," they argue, "massive measurement and 50-dollar AI-generated exploits person breached accepted spot management." Lightwell, the vendors claim, is designed to mitigate this unmapped hazard and neutralize execution bottlenecks by evaluating exertion discourse and dependency interactions to present validated fixes straight into progressive workflows.

As Matt Hicks, Red Hat's president and CEO, said, "Lightwell represents a cardinal structural displacement successful however we unafraid each endeavor software. By pairing automated remediation with our heavy engineering heritage, we purpose to present the trusted infrastructure required to devour unfastened root reliably, sustainably, and astatine frontier exemplary speeds."

Also: Stuck successful AI aviator mode? IBM has a solution to assistance you standard - without ripping everything up

Rob Thomas, IBM's elder vice president for bundle and main commercialized officer, underscores the "we'll bash the hard enactment for you" angle. "IBM and Red Hat are giving enterprises certified fixes they tin propulsion consecutive into the systems they already run, with nary retooling oregon disruption, backed by a increasing web of exertion and transportation partners," helium said.

Lightwell besides leans heavy connected Red Hat's "upstream-always" model. According to the announcement, "security fixes are actively submitted backmost to the originating open-source assemblage for reappraisal and acceptance," which is meant to guarantee "commercial protections and assemblage wellness continually reenforce 1 another, preventing task fragmentation without risking in-production zero days."

That sounds good, but IBM and Red Hat aren't the lone ones seeking to usage AI to support open-source codification against AI-driven attackers.

Where Akrites fits

Lightwell doesn't beryllium successful a vacuum. The Linux Foundation, unneurotic with manufacture partners, precocious launched Akrites to support captious open-source bundle against AI-enabled threats. Akrites mitigates open-source bundle proviso concatenation risks by hardening captious open-source projects. It does this by creating a communal model for however maintainers and consumers coordinate connected superior vulnerabilities.

While Lightwell is simply a commercialized service, Akrites is simply a foundation-governed effort that focuses connected process and coordination for the projects themselves. Its extremity is to springiness maintainers and critical-infrastructure users a confidential, structured mode to grip AI-discovered flaws, standardizing vulnerability remediation and disclosure alternatively than delivering enterprise-specific, backported patches.

Also: Red Hat Desktop vs. Fedora Hummingbird: Which AI improvement Linux way is close for you?

Those lines are already blurring. In the Lightwell announcement, Microsoft's VP of autarkic bundle vendor (ISV) Partner Development, Sandy Gupta, points straight astatine that intersection: "Speed successful delivering patches to customers is critical. We're already moving unneurotic with IBM and Red Hat arsenic portion of the Linux Foundation's Akrites effort and present extending that collaboration to Lightwell to guarantee captious fixes scope customers arsenic rapidly arsenic imaginable utilizing the fastest transportation mechanisms and tools." 

In practice, Akrites aims to signifier however captious open-source projects grip vulnerabilities successful an AI-accelerated world, portion Lightwell offers enterprises a mode to devour those fixes and IBM/Red Hat-engineered backports nether contract.

Where Chainguard's Athena fits

Chainguard's Athena conjugation occupies yet different country of this fast-moving information race. Athena is an manufacture conjugation protecting open-source bundle from AI attacks. It's built for the frontier-model era, wherever AI systems tin find superior flaws faster than anyone tin spot them. 

Like Lightwell, Athena is framed arsenic a benignant of AI-powered clearinghouse, but alternatively of a azygous vendor's service, it pools vulnerability findings and remediation enactment from "over 2 twelve organizations," including banks and large infrastructure providers, arsenic good arsenic developers.

Athena is already publishing aboriginal metrics. According to Chainguard, "Athena is operational today. It processed 40,000+ findings and generated 2,000+ patches crossed 500+ unfastened root projects. The conjugation uses AI to find and hole vulnerabilities successful widely-used open-source bundle earlier attackers tin exploit them." Its absorption is connected libraries, containers, and different components that underpin captious systems.

Also: How digitally sovereign is your organization? This Red Hat instrumentality tin archer you successful minutes

As Chainguard laminitis and CEO Dan Lorenc explained, "Athena provides a spot for organizations to find → hole → shield → aboveground → disclose vulnerabilities that frontier AI models are discovering. Findings travel from crossed the coalition. We physique fixes nether embargo. Partners stack non-patch extortion astir them. We aboveground exposures that would different enactment invisible. And past durable fixes get driven location to the upstream maintainers who tin marque them permanent."

In opposition to Lightwell's accent connected shipping enterprise-ready backports into lawsuit pipelines, Athena's workflow starts with pooled AI findings that are "deduplicated, triaged, and enriched successful a shared clearinghouse," aft which conjugation members collaborate connected patches and mitigations earlier vulnerabilities are public. 

When a cleanable spot is not yet available, "Athena layers autarkic protections truthful that sum remains adjacent successful the lack of a timely patch, and continues to show each flaw until a robust upstream solution is established." Those fixes are past intended to travel upstream and into Chainguard's ain secure-by-default artifacts, including minimal, SLSA-compliant images and packages.

Three models for AI-era unfastened root defence

Taken together, Lightwell, Akrites, and Athena sketch retired 3 antithetic and progressively overlapping responses to the aforesaid underlying problem: Cheap, accelerated AI tooling that tin observe and weaponize flaws successful the open-source commons faster than accepted spot pipelines tin support up with.

Also: IBM says it tin acceptable astir 100 cardinal transistors connected a spot - wherefore the milestone matters

Akrites focuses connected governance and process for captious projects, trying to standardize however maintainers and cardinal users grip AI-driven vulnerabilities and embargoed patches. Athena wraps AI-accelerated vulnerability probe successful a cross-industry conjugation that shares findings, coordinates pre-disclosure remediation, and pushes fixes upstream portion besides feeding them into hardened supply-chain artifacts. Lightwell, by contrast, is aimed squarely astatine enterprises that privation nary fuss oregon muss, conscionable certified fixes they tin propulsion consecutive into the systems they already run, with nary retooling oregon disruption.

For the contiguous future, we're going to request each of them and much besides. AI is transforming some open-source bundle and security. Until we've worked retired a way guardant to genuinely unafraid our code, we'll request to effort each of these approaches and spot which ones volition enactment champion to support america and our programs.

Read Entire Article