
The landscape of enterprise software security is shifting massively, driven by advances in AI foundation models that can find and exploit vulnerabilities faster than humans can address them, lowering the barrier to entry for cyber adversaries and shrinking the time organizations have to respond to those potential threats.
So Broadcom’s Tanzu Division, the steward and sole committer to the Spring Framework, today is releasing what it calls “the largest set of Spring security updates to open source in Spring’s 20-year history.” Further, Broadcom is implementing clean room builds of all the Java dependencies under Spring, which the company said will protect users from these AI-enabled security threats.
“The background is, as you can imagine, like many vendors, we’ve been sorting through all the implications of the new foundation models and their ability to find vulnerabilities,” Kevin Strohmeyer, chief marketing officer for Broadcom’s Tanzu Division, told SD Times in an interview.
This shift has fundamentally changed the timing for security teams. Where companies once relied on a comfortable “Patch Tuesday” rhythm, the threat profile has evolved. “Customers are realizing that the patching window now is very small,” Strohmeyer said. Organizations that were once comfortable with seeing patches come in once a week and then deciding on severity and priority now face agentic AI attacks that arrive more quickly, with low-severity vulnerabilities being chained together to create more dangerous ones, he said.
Compounding the issue for Spring users, Broadcom Tanzu is seeing that about 60% of the runtimes being downloaded are older versions that are out of community support, and customers are looking both for guidance on what to do and for tools that help them find and close vulnerabilities, he said.
“What we are announcing is that we will issue the first large block of Spring updates; they’ll be simultaneous, they will be both in the open source and for our commercial customers… it’ll really be the single largest release of patches and updates in Spring’s history,” Strohmeyer said. “We will also provide those clean room Java builds in the same commercial repository… it’s important that our customers know that they can pull the right trusted versions of those dependent software packages,” he said.
Securing the Java Software Supply Chain for Spring
In its announcement, Broadcom Tanzu explained that customers will now have access to:
- Secured, SLSA Level 3–validated software supply chain for Java dependencies.
- Coverage that spans the full transitive dependency graph managed by the Spring Boot bill of materials.
- Thousands of secured dependencies, built and tested across every supported Spring version. Spring Boot 4.0 alone manages 1,768 of them; across the full supported portfolio, that totals more than 100,000 validated dependency builds.
Beyond that, the company wrote that it is providing customers with day-zero access to validated fixes for common vulnerabilities, and to CVE-only patch releases, via the Spring Enterprise Repository, before patches are released to open source. These official, validated patches isolate the security fix from any other change, allowing customers to close the window of exposure more quickly.
Looking ahead, it’s clear that the industry must quicken its response mechanisms. As Strohmeyer concluded, “It just means that we have to work with the industry to figure out how to patch faster, because [attacks are] just going to continue to come.”