{"slug": "broadcom-beefs-up-spring-security-to-protect-against-ai-enabled-attacks", "title": "Broadcom beefs up Spring security to protect against AI-enabled attacks", "summary": "Broadcom announced a major set of security updates for its Spring and Java ecosystems, including the largest release of Spring security patches in the product's history and an extension of clean-room build architecture for enterprise customers. The company is also scaling its use of AI tools to identify vulnerabilities and validate fixes, while offering Tanzu Spring enterprise customers exclusive zero-day access to validated CVE patch-only releases before they are made available to the open-source community.", "body_md": "Broadcom today announced multiple security investments in its Spring and Java ecosystems that aim to help protect users from AI-enabled threats.\n\nThe company said that, first, it is releasing what it called the largest set of Spring security updates to open source in the product’s history, and, for customers, it is extending its clean-room build architecture to build the Java dependencies for the entire Spring ecosystem.\n\n“[Spring](https://www.infoworld.com/article/4083578/a-fresh-look-at-the-spring-framework.html) is one of the most widely adopted application development frameworks in the world, and as its steward, we have a deep responsibility for its security,” said [Purnima Padmanabhan](https://www.broadcom.com/company/about-us/executives/purnima-padmanabhan), vice president and general manager of Broadcom’s Tanzu Division. “Because we maintain Spring and are the sole committers, we can better secure it at the source for everyone who depends on it. 
This investment is about two things we will never separate: the health of the Spring community and the security of our customers who trust Spring to run their business.”\n\nThe company also announced that, as the number of security advisories reported by the community has exploded, its engineering team has “significantly scaled” its use of AI tools to help it identify vulnerabilities, assess remediation paths, and validate fixes across the dependency ecosystem. Although Broadcom declined to specify the AI models it’s using in its bug hunting, it is a member of Anthropic’s Project Glasswing, so Claude Mythos is likely part of the effort.\n\nOne perk available only to Tanzu Spring enterprise customers is zero-day access (that is, same-day availability, not a reference to zero-day vulnerabilities) to validated CVE patch-only releases through the [Spring Enterprise Repository](https://techdocs.broadcom.com/us/en/vmware-tanzu/spring/tanzu-spring/commercial/spring-tanzu/spring-enterprise-subscription.html), before they are released to open source. These patch-only releases isolate the security fix from any other changes, so customers can apply them without taking on unrelated functional changes and remediate more quickly.\n\n“By utilizing Tanzu Spring’s private artifact repositories, customers can be confident that the artifacts are the official, validated patches from Broadcom, the steward of Spring,” Broadcom said in its announcement, adding that it will continue to issue CVEs for all versions of every Spring project under open source support, as well as older versions under Tanzu Spring enterprise support.\n\nBroadcom’s Tanzu Spring enterprise support includes:\n\nIn addition, Broadcom said, it has now added:\n\n“This capability gives customers validated dependencies across both current and end-of-life Spring versions, helping customers reduce software supply chain risk while continuing to benefit from the productivity and consistency of Spring Boot’s dependency management model,” the announcement noted.\n\n[Seva Ioussoufovitch](https://www.infotech.com/profiles/seva-ioussoufovitch), senior research analyst at 
Info-Tech Research Group, sees these moves as mostly positive.\n\n“It’s encouraging to see Broadcom take proactive steps towards dealing with the increase in AI-detected vulnerabilities that many organizations have had to contend with in recent months,” he said. “Announcements like Mythos have made it clear that the industry needs to re-think traditional approaches to security patching.”\n\nIoussoufovitch isn’t surprised at the size of the update release either, noting that it’s consistent with the result of AI scanning and remediation that has been occurring, and will likely continue.\n\n“More meaningful is the provision of validated and secured dependencies,” he said. “This is a critical move in the right direction, especially with the endlessly growing list of supply chain vulnerabilities the industry has been managing in recent months.”\n\nIoussoufovitch is less happy with the restriction of zero-day patches to paying customers.\n\n“Putting security fixes behind a paywall isn’t new, but when there are no drop-in alternatives for an ecosystem as critical as Spring, it just looks like a power move to force more of the open-source community onto the monetization track,” he noted. 
“Another approach might’ve been to release the CVE fixes to everyone while charging for enterprise-grade packaging, validation, and support, but, given Broadcom’s track record of aggressive monetization in recent years, what they’ve chosen here doesn’t necessarily come as a shock.”", "url": "https://wpnews.pro/news/broadcom-beefs-up-spring-security-to-protect-against-ai-enabled-attacks", "canonical_source": "https://www.infoworld.com/article/4182556/broadcom-beefs-up-spring-security-to-protect-against-ai-enabled-attacks.html", "published_at": "2026-06-08 21:02:55+00:00", "updated_at": "2026-06-12 09:56:57.856777+00:00", "lang": "en", "topics": ["artificial-intelligence", "ai-safety", "ai-tools", "ai-products"], "entities": ["Broadcom", "Spring", "Java", "Purnima Padmanabhan", "Tanzu Division"], "alternates": {"html": "https://wpnews.pro/news/broadcom-beefs-up-spring-security-to-protect-against-ai-enabled-attacks", "markdown": "https://wpnews.pro/news/broadcom-beefs-up-spring-security-to-protect-against-ai-enabled-attacks.md", "text": "https://wpnews.pro/news/broadcom-beefs-up-spring-security-to-protect-against-ai-enabled-attacks.txt", "jsonld": "https://wpnews.pro/news/broadcom-beefs-up-spring-security-to-protect-against-ai-enabled-attacks.jsonld"}}