Ubuntu

Are organizations ready for AI vulnerability discovery?

We’re at a turning point in open source security. With new AI frontier models, the security research landscape could quickly become unrecognizable. These models are already accelerating vulnerability discovery, and that raises the question: are organizations prepared?

Late last year, we surveyed 500 IT decision makers and DevOps professionals to understand how enterprises build, secure, and use open source software today. By mapping respondents' security concerns, cross-team friction points, and strategic approaches, the report gives us a sense of the “before AI-powered vulnerability discovery” state.

Let’s take a look at some of the highlights – as well as how Canonical is responding to the new open source security paradigm.

The view from the top vs the terminal

We asked survey respondents for their main security concerns about using open source software within their organizations. Unsurprisingly, exposure to security vulnerabilities is the concern causing the most headaches, and we can expect it to grow further as new vulnerability discovery models come into use.

Drilling down into the data, we found some division in how different categories of respondents ranked security concerns. IT decision makers were more likely than DevOps respondents to highlight exposure to security vulnerabilities and difficulty keeping up with patches as key concerns. DevOps teams, on the other hand, prioritize the supply chain risks of third-party dependencies, focusing on software provenance rather than patching speed. In other words, DevOps teams are telling us that clear policies on when and what to patch are not enough: clearer responsibilities, a trusted software source and better dependency management are critical to minimize the work burden.

The disconnect leads to friction that undermines organizations: 67% of all respondents agreed that a lack of strategic alignment on open source is holding back progress.

Proactive vs reactive patching strategies

The report also asked respondents about their strategies for updating open source software. There’s a natural tension between the drive to upgrade as soon as new software versions become available – to access the latest fixes and features – and a stability-first mentality of upgrading only when necessary.

The survey found that only 34% of organizations proactively upgrade dependencies, while 23% upgrade rarely, or only when issues arise. Respondents report that they’re held back from patching by the high operational cost, risk, and the effort of making changes.

Faster, AI-driven discovery means fixes will be needed faster too, so organizations will be under new pressure to deliver critical patches throughout their dependency trees quickly, ideally with automation.

How we are responding at Canonical

Here at Canonical, we’re already using AI to help detect vulnerabilities, augmenting our established security processes with new AI-powered tools. Redhound is one such tool we’ve developed internally that’s already proven its effectiveness. For instance, it was able to detect bugs in LXD that static analysis and manual review had missed. Within one day, it uncovered three CVEs that had flown under the radar. You can read the full story about Redhound in this blog post from Miha Purg, the software engineer at Canonical who built it.

You can also learn more about how we are responding to the new threat landscape in this article by Lech Sandecki, product manager for Ubuntu Pro.

How customers like OEDIV handle open source security

OEDIV has solved its open source security challenges with Ubuntu Pro. As a provider of hosted managed services, OEDIV needed to meet the highest customer expectations for security and innovation. With Ubuntu Pro, the company has gained trusted provenance and consistent security maintenance not only for the base operating system but also for thousands of upstream applications and libraries. OEDIV has been able to optimize its open source supply chain and, what’s more, to update seamlessly via Ubuntu’s automated patching processes. Find out more in the case study.

For further details on open source security, download the full report: The open source chain of trust.
