IBM, Red Hat, and Deloitte are set to collaborate more closely on the security of open-source software. Deloitte is joining the Lightwell initiative, launched earlier this year, which aims to help organizations address vulnerabilities more quickly without first having to perform extensive software upgrades.
Lightwell was announced in May by IBM and its subsidiary Red Hat as an initiative to improve the security of widely used open-source software. At the launch, the companies announced they would make 20,000 engineers and a $5 billion investment available for the project. Deloitte is now joining as an integration partner, contributing expertise in cyber risk management and software supply chains.
Much enterprise software consists of a combination of proprietary code, open-source components, and commercial software. Vulnerabilities in any one of these components can therefore affect entire applications. According to the three companies, this challenge is growing as AI further accelerates the pace at which new vulnerabilities are discovered and exploited.
Patches without a full upgrade
Lightwell was established as an alternative to the traditional way security updates are rolled out. Normally, vulnerabilities are addressed through regular software upgrades. This means that organizations sometimes must first migrate to a newer software version before a security vulnerability is patched.
In practice, security patches are not always immediately applicable. They are sometimes only compatible with the latest software version or require significant configuration changes. Lightwell aims to address this by developing and validating patches for the specific software versions that organizations are already using in production.
Deloitte contributes integration and management services to the initiative. The company will support organizations in identifying vulnerable software, prioritizing security risks, and testing and rolling out validated patches. To this end, Deloitte is deploying, among other things, a team of so-called Forward Deployed Engineers.
Focus on regulated sectors
The collaboration will initially focus on organizations with highly regulated software environments, where cybersecurity and compliance requirements are typically more stringent. Deloitte will help clients maintain continuous visibility into which open-source components are actually present in their applications, enabling them to detect vulnerable dependencies more quickly.
In addition to detecting and remediating vulnerabilities, the three parties also aim to provide support for compliance, documentation, and coordination with open-source projects and software vendors. This should provide clarity on which vulnerabilities exist, how they have been resolved, and what measures have been taken.
The expansion of Lightwell follows shortly after the launch of Akrites, an initiative of the Linux Foundation in which IBM and Red Hat, among others, are participating. That project also focuses on detecting and resolving vulnerabilities in widely used open-source software more quickly. Both initiatives respond to the same trend: AI makes it easier to find vulnerabilities on a large scale, which in turn makes the speed at which security updates become available even more important.