Does Vaadin meet the top 10 OWASP requirements


One of my client who work in the Banking industry is thinking of rewriting all his UI application with Vaadin 7. They need to follow a number of security rules including OWASP

I want to know if Vaddin 7 support the top 10 owasp requirements ?

I’ve actually held a few conference speeches about this particular topic together with my colleague Leif. I think our speech from GWT.create from last December will be published on youtube at some point (it’s not there yet).

Most of the top10 list are issues that cannot be handled on a UI framework level, such as injection attacks, but rather are specific to the application being written and its business logic. When it comes to vulnerabilities that can be handled on a UI framework level, such as CSRF, XSS or direct object references, then yes, Vaadin takes care of those for you (for most parts, you still can introduce XSS vulnerabilities by explicitly allowing HTML content).

To put it short, yes, Vaadin is “OWASP Top 10 compatible”, but it doesn’t mean that developers do not need to do anything proactive about security themselves - just as with any other framework. Please see for more details.