Documentation versions (currently viewingVaadin 14)

You are viewing documentation for an older Vaadin version. View latest documentation

AppSec Kit

Identify and manage security vulnerabilities in third-party dependencies.
Commercial feature

A commercial Vaadin subscription is required to use AppSec Kit in your project.

AppSec Kit offers seamless security integration to the development of Vaadin-based applications. It provides comprehensive dependency visibility, earlier remediation of vulnerabilities, and fewer false positives.

Comprehensive Dependency Visibility

Managing dependencies is a crucial aspect of any software project, but it can be a complex and time-consuming task. AppSec Kit provides dependency visibility, generating a Software Bill of Materials (SBOM) that presents a comprehensive view of all direct and transitive dependencies used in your application.

The SBOM is generated automatically each time you perform a development build — or can be initiated on-demand. This allows you to have complete visibility of your application’s contents.

Earlier Remediation of Vulnerabilities

AppSec Kit further streamlines the remediation process by regularly scanning the SBOM, and cross-referencing it with multiple industry-standard vulnerability databases, including National Vulnerability Database and GitHub Security Advisories. It identifies known vulnerabilities in both direct and transitive dependencies and includes detailed information, such as severity and patch versions.

Reports on the results are displayed in Vaadin Development tools, ensuring smooth integration in your Vaadin application development process. This allows you to address vulnerabilities earlier in the process, ensuring the security of your web applications without compromising development speed.

Fewer False Positives

By identifying and highlighting any false positives associated with Vaadin Flow and its dependencies, AppSec Kit makes it easier for developers to identify the vulnerabilities that actually need addressing.

AppSec Kit flags any false positive vulnerabilities that were identified in the dependencies of the Vaadin platform. It shows the analysis from Vaadin’s security team, describing why it was considered a false positive. This allows you to focus on true vulnerabilities, on what matters.