Portal ERP

IBM launches open source security initiative

Project Lightwell combines engineering resources and AI tools to help enterprises identify and manage software supply chain risks.

Portal ERP Editorial Team
May 30, 2026

IBM has committed US$5 billion to a new initiative designed to help companies manage security risks across open source software environments, as enterprises face increasing pressure to secure complex software supply chains.

The company said Project Lightwell will combine engineering resources with AI capabilities to create what it describes as a centralized framework for identifying, validating and distributing security fixes for open source software used inside enterprise environments.

Open source software, which allows code to be used and modified by anyone, underpins technology infrastructure across most industries. Its widespread adoption has also expanded the attack surface for organizations as cyber criminals increasingly use AI tools to identify vulnerabilities and accelerate exploitation.

Project Lightwell was developed jointly by IBM, the technology company focused on enterprise software, infrastructure and consulting services, and Red Hat, IBM’s hybrid cloud subsidiary that develops enterprise open source software platforms. According to IBM, the initiative has already been piloted with companies including Bank of America, JPMorgan Chase and Visa to refine processes for detecting vulnerabilities and distributing fixes across large software environments.

The service is expected to become commercially available within 30 days.

Rob Thomas, senior vice president of software at IBM, said the company intends to offer the service through subscription pricing models that will likely depend on the number of software packages customers use.

Thomas described the initiative as providing organizations with a “stamp of approval from the clearinghouse that their open source is safe to use in production”.

The platform is intended to operate as a centralized environment where organizations can confidentially report vulnerabilities, access tested fixes and contribute remediations back into the wider open source ecosystem.

IBM said the initiative is designed to cover software across the entire lifecycle, from development environments through production systems, allowing customers to integrate validated security patches into existing workflows rather than rebuilding security processes from scratch.
