Documentation versions (currently viewingVaadin 8)

Vaadin 8 reached End of Life on February 21, 2022. Discover how to make your Vaadin 8 app futureproof →

AppSec Kit

AppSec Kit offers seamless security integration into the development of your Vaadin-based applications. It provides comprehensive dependency visibility, earlier remediation of vulnerabilities, and fewer false positives.

Commercial feature

A commercial Vaadin subscription is required to use AppSec Kit in your project.

Comprehensive Dependency Visibility

Managing dependencies is a crucial aspect of any software project, but it can be a complex and time-consuming task. AppSec Kit provides dependency visibility, generating a Software Bill of Materials (SBOM) that offers a comprehensive view of all direct and transitive dependencies used in your application.

The SBOM is generated automatically each time you do a development build — or can be initiated on-demand. This allows you to have complete visibility of the contents of your application.

Earlier Remediation of Vulnerabilities

AppSec Kit further streamlines the remediation process by regularly scanning the SBOM and cross-referencing it with multiple industry-standard vulnerability databases, including National Vulnerability Database and GitHub Security Advisories. It identifies known vulnerabilities in both direct and transitive dependencies and includes detailed information, such as severity and patch versions.

Reports on the results are displayed in Vaadin Development tools, ensuring smooth integration into your Vaadin application development process. This allows you to address vulnerabilities earlier in the development process, ensuring the security of your web applications without compromising development speed.

Fewer False Positives

By identifying and highlighting any false positives associated with Vaadin Flow and its dependencies, AppSec Kit makes it easier for developers to identify the vulnerabilities that actually do need addressing.

AppSec Kit flags any false positive vulnerabilities that were identified in the dependencies of the Vaadin platform. It shows the analysis from Vaadin’s security team, describing why it was considered a false positive. This allows you to focus on true vulnerabilities, what matters.