Broadcom expands Spring security for AI threat surge

Wed, 17th Jun 2026
Joseph Gabriel Lagonsin, News Editor

Broadcom has expanded its security investment in the Spring and Java ecosystem, with a broad set of Spring security updates and new support measures for enterprise customers.

Its Tanzu unit has released what it described as the largest batch of Spring security updates to open source in the framework's 23-year history. Broadcom is also extending the clean-room build approach used in Bitnami to create Java dependencies across the Spring ecosystem for customers.

Spring is one of the most widely used Java application development frameworks and, according to Broadcom, is relied on by more than half of Fortune 500 companies. The company presented the latest changes as a response to a sharp rise in security threats identified with the help of artificial intelligence tools.

Broadcom said the number of monthly security advisories reported to it by the Spring community rose by more than 1,700% from March to April 2026. It said advances in foundation models had increased the pace of vulnerability discovery and shortened the time between disclosure and attempted exploitation.

Broadcom is increasing the use of AI-assisted security analysis within its Spring engineering team. This includes model-based scanning and validation workflows designed to identify vulnerabilities, test remediation paths and verify fixes across linked dependencies.

Purnima Padmanabhan, Vice President and General Manager of the Tanzu Division at Broadcom, outlined the company's position on the framework's role and its security obligations.

"Spring is one of the most widely adopted application development frameworks in the world, and as its steward, we have a deep responsibility for its security," Padmanabhan said.

"Because we maintain Spring and are the sole committers, we can better secure it at the source for everyone who depends on it. This investment is about two things we will never separate: the health of the Spring community and the security of our customers who trust Spring to run their business," Padmanabhan said.

Patch access

For paying customers, Tanzu Spring will now provide day-zero access to validated CVE patch-only releases through the Spring Enterprise Repository before those same patches are issued to open source users. Broadcom said these patch-only releases separate security fixes from other code changes, which could help customers apply remediation more quickly.

It will continue issuing CVEs for all versions of each Spring project still under open source support, as well as older versions covered by Tanzu Spring enterprise support. Enterprise support also includes access to dependent Java binaries, automated upgrade recommendations through Spring Application Advisor, additional governance and security components, and round-the-clock support.

Supply chain focus

A second part of the announcement centres on the Java software supply chain behind Spring. Tanzu Spring customers will gain access to Java dependencies built through a secured software supply chain validated at SLSA Level 3, Broadcom said.

That coverage spans the full transitive dependency graph managed by the Spring Boot bill of materials. Broadcom said Spring Boot 4.0 alone manages 1,768 dependencies and that, across the full supported Spring portfolio, this amounts to more than 100,000 validated dependency builds.

The clean-room-built model will cover both current and end-of-life Spring versions that remain under support, giving customers a verifiable source for dependencies used across their application estates. The aim is to reduce software supply chain risk in a part of the Java market where dependency management can span large numbers of libraries and older codebases.
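The article describes dependency builds validated at SLSA Level 3, but it does not show what a consumer does with that validation. The check below is an added illustration, not code from Broadcom, Tanzu or the Spring project: it takes a SLSA v1 provenance statement (in-toto Statement format) for a downloaded JAR and verifies that the statement's subject digest matches the artifact, that the predicate is SLSA provenance, that the recorded builder is one the consumer trusts, and that a source location is recorded. The JAR bytes, the builder URI and the statement itself are constructed for the example; a real pipeline would first verify the DSSE signature over the statement, which this function assumes has already been done.

```python
"""Consumer-side check of a SLSA provenance statement against a downloaded artifact.

Constructed example: the JAR bytes, the statement and the trusted builder id are
all made up for illustration; this is not Broadcom, Tanzu or Spring project code.
"""
import hashlib
import json

STATEMENT_TYPE = "https://in-toto.io/Statement/v1"
SLSA_PROVENANCE_V1 = "https://slsa.dev/provenance/v1"

# Constructed stand-in for a downloaded dependency JAR (not a real archive).
ARTIFACT_NAME = "example-lib-1.0.0.jar"
ARTIFACT_BYTES = b"PK\x03\x04 constructed jar contents for the example"

# Constructed: the builder identity this consumer chooses to trust (hypothetical URI).
TRUSTED_BUILDERS = {"https://builder.example.invalid/clean-room/v1"}


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the artifact, the digest algorithm used in the subject entry."""
    return hashlib.sha256(data).hexdigest()


def make_statement(name: str, data: bytes, builder_id: str) -> dict:
    """Build a constructed in-toto Statement carrying a SLSA v1 provenance predicate."""
    return {
        "_type": STATEMENT_TYPE,
        "subject": [{"name": name, "digest": {"sha256": sha256_hex(data)}}],
        "predicateType": SLSA_PROVENANCE_V1,
        "predicate": {
            "buildDefinition": {
                # Hypothetical build type URI; constructed for the example.
                "buildType": "https://builder.example.invalid/build-types/maven/v1",
                "externalParameters": {
                    "source": "git+https://example.invalid/example-lib@v1.0.0"
                },
                "resolvedDependencies": [],
            },
            "runDetails": {"builder": {"id": builder_id}},
        },
    }


def verify_provenance(statement: dict, artifact_name: str, artifact_bytes: bytes,
                      trusted_builders: set) -> list:
    """Return the list of failed checks; an empty list means the artifact is accepted.

    Assumes the DSSE envelope signature over the statement has already been
    verified; only the statement's contents are checked here.
    """
    failures = []
    if statement.get("_type") != STATEMENT_TYPE:
        failures.append("unexpected statement type")
    if statement.get("predicateType") != SLSA_PROVENANCE_V1:
        failures.append("predicate is not SLSA provenance v1")

    # The artifact we actually hold must be one of the statement's subjects.
    digest = sha256_hex(artifact_bytes)
    matching = [
        s for s in statement.get("subject", [])
        if s.get("name") == artifact_name and s.get("digest", {}).get("sha256") == digest
    ]
    if not matching:
        failures.append("no subject matches artifact name and sha256")

    predicate = statement.get("predicate", {})
    builder = predicate.get("runDetails", {}).get("builder", {}).get("id")
    if builder not in trusted_builders:
        failures.append(f"builder {builder!r} is not trusted")

    source = predicate.get("buildDefinition", {}).get("externalParameters", {}).get("source")
    if not source:
        failures.append("provenance does not record a source location")
    return failures


def check_example_artifact() -> list:
    """Run the check on the constructed JAR and its matching statement."""
    statement = make_statement(ARTIFACT_NAME, ARTIFACT_BYTES, next(iter(TRUSTED_BUILDERS)))
    return verify_provenance(statement, ARTIFACT_NAME, ARTIFACT_BYTES, TRUSTED_BUILDERS)


if __name__ == "__main__":
    stmt = make_statement(ARTIFACT_NAME, ARTIFACT_BYTES, next(iter(TRUSTED_BUILDERS)))
    print(json.dumps(stmt, indent=2))
    print("failures:", check_example_artifact())
```

The digest comparison is what ties the provenance to the bytes that will actually be put on the classpath; the builder check is what makes "SLSA Level 3" meaningful to the consumer, since a statement from an unknown builder proves nothing about how the artifact was produced.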

Broadcom also linked the announcement to a broader industry problem: the pace of finding vulnerabilities is rising faster than the pace of fixing them. It pointed to recent US federal action to create a national clearinghouse for coordinating and prioritising software vulnerability remediation as a sign that remediation speed has become the main constraint.

It is also trying to help customers apply fixes more quickly once they are available. Broadcom said its tools can assess application estates in both source code and live environments, then recommend or implement upgrades in a deterministic way.

That work extends to products including Tanzu Platform, Tanzu Build Service and buildpacks, which Broadcom said can strengthen security in the build and deployment of Java applications and allow a single fix to be propagated across multiple applications. The latest measures show how major software suppliers are trying to adapt established development frameworks to a threat environment increasingly shaped by AI-assisted vulnerability discovery and faster exploit cycles.