Broadcom today released a number of updates to its open-source Spring framework for building Java applications, primarily to address a series of vulnerabilities discovered by researchers using artificial intelligence (AI) tools.
At the same time, Broadcom is adding a managed service that lets organizations secure the thousands of Spring dependencies their applications pull in when built on distributions of the Spring framework. The service is based on the Bitnami clean-room technology that Broadcom uses to create secure images, and on Tanzu Buildpacks, which automatically convert source code into images in the Open Container Initiative (OCI) image format.
Broadcom gained access to that platform through its acquisition of VMware, and the Spring framework is now part of Broadcom’s Tanzu division, which focuses on Java application development and the open-source Cloud Foundry Platform-as-a-Service (PaaS) environment, where Buildpack was originally developed.
Kevin Strohmeyer, director of marketing for Broadcom’s Tanzu division, said these efforts, taken together, highlight Broadcom’s continued commitment to the Spring framework and willingness to provide additional services to help organizations secure their Java supply chains.
As security researchers discover more vulnerabilities using the latest generation of frontier models, Broadcom today revealed that the number of monthly security advisories reported to Broadcom by the Spring community increased by more than 1,700% from March to April of this year. As a result, enterprise IT organizations now look to Broadcom to provide additional services to ensure that patches created to fix these zero-day vulnerabilities are validated and applied as quickly as possible, Strohmeyer said.
It’s unclear how the sudden discovery of thousands of zero-day vulnerabilities is affecting DevSecOps workflows, but the time required to create an exploit continues to shrink rapidly in the AI era. In many cases, exploit development begins before a patch is even available.
Ultimately, organizations will need to readjust their risk appetite. In the past, most organizations worried that the cure could be worse than the disease, since an application could be taken offline after a patch was applied. In the age of AI, however, it is clear that cybercriminals and other adversaries can exploit a vulnerability within hours. If a breach occurs, the cost can be far more devastating than a temporary application outage.
Of course, some applications generate millions of dollars in revenue per minute, so the challenge is to weigh the risk. For those applications, the level of risk posed by a zero-day vulnerability may be judged not that high relative to the cost of downtime.
But regardless of the approach, one thing is certain: how vulnerabilities were managed in the past will never be the same in the AI era. In fact, many DevSecOps teams may end up continually patching their applications to stay one step ahead of the cybercriminals that will forever be on their heels.
