Lately, headlines dominated by AI-driven zero-day vulnerabilities have raised a question: Is open source software becoming too risky for the enterprise? With open source comprising more than three-quarters of the average enterprise codebase, the question matters. But the answer is clear: open source software remains inherently safe, structurally resilient, and fundamentally secure.

Open source effectively serves as the foundation for all of modern technology, not just enterprise IT, and this is about much more than just Linux. Application servers, databases, network routing, developer environments, and all of the other invisible components that make up our technological fabric are fueled by open source projects in some way, shape, or form. 

The alternative to open source, in short, is that there isn’t one. Proprietary software, owned and controlled by a single company, comes closest, but it lacks the sheer scale, variety, and ubiquity of open source. With proprietary software, the source code is a black box. Only the vendor decides what gets fixed and when. When a vulnerability is found, it may stay secret, known only to the attackers who discovered it. That model might feel secure, but the risk has only moved out of sight and become an unknown. Proprietary software allows vulnerabilities to breed in darkness.

Open source changes this by making the code available to everyone, highlighted by the mantra of “Given enough eyeballs, all bugs are shallow.” When anyone can read the code, anyone can find and report problems, and this now includes AI massively amplifying the inspection of the code. And because so many groups depend on open source software, there is a great collective motivation to resolve vulnerabilities. 

No software development method guarantees perfectly secure software, but the transparent, crowd-sourced nature of open source has distinct advantages over proprietary models when combating modern threats. Enterprises have always been, and will continue to be, vigilant about vulnerabilities as they are discovered. What has changed is the velocity. The number of published CVEs has grown by more than 520% since 2016. AI-powered scanning tools now discover critical zero-day vulnerabilities in hours, not months, and fewer than one percent of AI-discovered vulnerabilities have been patched. The challenge is now the enterprise's operational ability to consume and deploy fixes fast enough.

This problem is compounded by a coordination failure. Every major institution depends on the same core open source packages — Spring Framework, Jackson, Log4j, Pandas, OpenSSL — yet without coordination, each institution independently discovers the same vulnerabilities, develops patches in isolation, and maintains private forks that no one else benefits from. The result is redundant effort at enormous cost and uneven quality, while the broader ecosystem remains exposed. To stay secure, organizations must contribute to upstream communities, accelerate their operational baselines, and do both together.

What enterprises can do to get started today

Open source remains the safest foundation for innovation, but closing the threat window requires immediate action. Here are simple, actionable steps enterprises can take to protect their supply chains today:

  • Choose platforms backed by responsible vendors: Your infrastructure is the foundation everything else runs on. Make sure the vendors that support it are active contributors to the open source projects they ship. A vendor with a long track record of upstream contributions, security backports, and responsible disclosure is invested in keeping the community healthy, not just keeping your business.
  • Build a complete dependency inventory: Begin by auditing your application portfolios to map your baseline. Identify every open source library, transitive dependency, and pinned version currently running in production.
  • Define your patch-to-production cycle time: Measure your current reality. How long does it actually take for an upstream patch to navigate your internal security scans, testing, change advisory boards, and deployment pipelines? Once defined, set aggressive targets to shrink this window.
  • Automate rebuild and redeploy pipelines: As the threat window shrinks from months to hours, manual updates fail. Prepare your environment for frequent, deterministic, and automated application rebuilds so you can safely consume secure packages at velocity.
  • Use active security offerings: Adopt active supply chain solutions that provide zero-CVE baselines and runtime protection, such as Red Hat Hardened Images, Red Hat Trusted Libraries, and OpenShift Advanced Cluster Security, to move more quickly.
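The inventory and cycle-time steps above, as an added example that is not part of the original post or of any Red Hat or IBM tooling: it reads a constructed CycloneDX-style SBOM fragment, flags components whose deployed version is behind an advisory's fixed-in version, and measures patch-to-production lag from timestamps. The SBOM contents, advisory ids, versions, and dates are all constructed placeholders.

```python
"""Added example (not from the original post): build a dependency inventory from a
constructed CycloneDX-style SBOM fragment, flag components that are behind an
advisory's fixed-in version, and measure patch-to-production cycle time."""
import json
from datetime import datetime

# Constructed SBOM fragment (CycloneDX-like JSON); coordinates and versions are illustrative.
SBOM_JSON = """{"components": [
  {"group": "org.springframework", "name": "spring-core", "version": "5.3.20"},
  {"group": "com.fasterxml.jackson.core", "name": "jackson-databind", "version": "2.13.2"},
  {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.17.1"}
]}"""

# Constructed advisories; ids, fixed-in versions and dates are placeholders, not real CVE data.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "coords": "com.fasterxml.jackson.core:jackson-databind",
     "fixed_in": "2.13.4", "published": "2024-01-01T00:00:00Z"},
    {"id": "ADV-PLACEHOLDER-2", "coords": "org.apache.logging.log4j:log4j-core",
     "fixed_in": "2.17.1", "published": "2024-01-01T00:00:00Z"},
]


def parse_version(v):
    """Compare dotted numeric versions; enough for this illustration (no qualifiers)."""
    return tuple(int(p) for p in v.split("."))


def inventory(sbom_json):
    """Map 'group:name' -> deployed version for every component in the SBOM."""
    doc = json.loads(sbom_json)
    return {f"{c['group']}:{c['name']}": c["version"] for c in doc["components"]}


def exposed(inv, advisories):
    """Advisory ids for which the deployed version is older than the fixed-in version."""
    return [a["id"] for a in advisories
            if a["coords"] in inv
            and parse_version(inv[a["coords"]]) < parse_version(a["fixed_in"])]


def cycle_time_hours(published, deployed):
    """Patch-to-production lag: hours from upstream publish time to production rollout."""
    def to_dt(s):
        return datetime.fromisoformat(s.replace("Z", "+00:00"))
    return (to_dt(deployed) - to_dt(published)).total_seconds() / 3600


if __name__ == "__main__":
    inv = inventory(SBOM_JSON)
    print("exposed:", exposed(inv, ADVISORIES))  # ['ADV-PLACEHOLDER-1']
    print("lag (h):", cycle_time_hours("2024-01-01T00:00:00Z", "2024-01-03T12:00:00Z"))  # 60.0
```

Running the same functions over each production deployment's SBOM and the rollout timestamp gives the per-service cycle-time baseline the list asks you to measure before setting targets.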

Accelerating change with Project Lightwell

As you automate your pipelines to consume fixes faster, IBM and Red Hat are building a remediation engine designed specifically to supply them. We recently introduced Project Lightwell, a joint $5 billion commitment backed by a global force of more than 20,000 engineers to redefine software supply chain security for the AI era.

Project Lightwell scales Red Hat's proven, two-decade-long methodology of backporting enterprise-grade security patches. We are extending this rigorous engineering discipline above the operating system layer to the broader application framework and dependency landscape, starting with Maven/Java and expanding to PyPI, npm, and beyond. By combining AI for high-volume threat ingestion with expert human engineering, we execute surgical fixes on the exact stable versions enterprises run in production, eliminating the need to blindly upgrade and break systems.

Without a mechanism to get fixes accepted upstream, every backport an enterprise develops on its own creates a permanent private fork, one that must be carried forward through every subsequent vulnerability, update, and dependency change. This increases an organization’s costs and risks. Project Lightwell breaks this cycle: Red Hat develops the fix, delivers it to the enterprise, and contributes it to the originating open source project. The fix becomes part of the public codebase.

This approach aligns with the direction set by the recent Executive Order on AI and cybersecurity, which directs the formation of an AI cybersecurity clearinghouse to coordinate vulnerability scanning, validation, and remediation across critical infrastructure. Project Lightwell is built to be a private-sector operational backbone for that mandate.

Working together to protect your enterprise and all of open source

Securing the software supply chain is a collective industry challenge, one that no single enterprise can solve alone. Through Project Lightwell, we are collaborating with a premier cohort of financial and critical infrastructure leaders to establish a secure enterprise clearinghouse.

This collaborative intelligence network provides three capabilities that no enterprise can build independently. First, members share novel vulnerability findings and receive coordinated patches before public disclosure — turning isolated discovery into shared defense. Second, every patch is delivered production-ready: cryptographically signed, with machine-readable SBOM and security advisories to address compliance requirements. Third, and crucially, Project Lightwell operates on an upstream-always mandate. Every fix we develop is submitted back to the originating open source projects. By working together in this clearinghouse, we are not just protecting individual enterprises; we are systematically returning security advancements to the community, keeping open source safe for everyone.

Open source built the modern enterprise. Coordinated vigilance and Project Lightwell help this code remain secure by fixing it faster, as one community, in the open.

To learn more or register your organization's interest in upcoming phases of Project Lightwell, visit redhat.com/lightwell or contact your IBM or Red Hat account team.


About the author

Chris Wright is senior vice president and chief technology officer (CTO) at Red Hat. Wright leads the Office of the CTO, which is responsible for incubating emerging technologies and developing forward-looking perspectives on innovations such as artificial intelligence, cloud computing, distributed storage, software defined networking and network functions virtualization, containers, automation and continuous delivery, and distributed ledger.

During his more than 20 years as a software engineer, Wright has worked in the telecommunications industry on high availability and distributed systems, and in the Linux industry on security, virtualization, and networking. He has been a Linux developer for more than 15 years, most of that time spent working deep in the Linux kernel. He is passionate about open source software serving as the foundation for next generation IT systems.
