Security consulting for Vaadin & REST.
Direct, code-level work with your engineers. No slide decks, no audits-for-the-sake-of-audits — just shipping the security model your application actually needs.
Six places where consulting moves the needle
Pick one focused area or combine them. The deliverable is always code in your repository — never a 40-page document nobody reads.
Architecture review
Threat-model your auth and authorization design before you ship. Roles, permissions, session handling, REST surface, audit gaps — reviewed against the production patterns the library implements.
SPI integration
Wire AuthenticationService, AuthorizationService, custom annotations, and AccessEvaluator into your existing Vaadin or REST application. Working code, not a starter template.
Bootstrap hardening
First-run admin setup, password policy, PBKDF2 tuning, secrets handling, operator workflow. Production-grade, not demo-grade — including the bits the README politely glosses over.
Permission model design
Move from role-only to fine-grained permissions without breaking existing views and handlers. Migration plan included. Aligns cleanly with the new ActionAuthorizationService SPI.
REST authorization
Subject resolution, bearer-token strategies, server-side operation filtering, brute-force protection, 401/403 mapping that doesn't leak internals — wired through the same library.
Security review of changes
Pre-merge review of security-sensitive PRs — login flow, role mapping, evaluator logic, audit emissions, error handling. Turns "is this safe?" into a written answer your team can act on.
From first email to follow-up — four steps.
Initial call (free, ~30 min)
Quick scope alignment. What's the application, what's the security posture today, what are the open questions. We decide together whether consulting is the right shape, or whether a self-service walkthrough of the docs is enough.
Written proposal
Concrete deliverables, time estimate, and a fixed budget or hourly rate. You decide whether it's a one-shot review, a defined sprint, or on-demand support.
Engagement
Pair-programming sessions, async PR reviews, or dedicated workshop days — whichever fits your team. Output is your code in your repo, plus a short written summary at the end.
Follow-up
One free 30-min check-in 4–6 weeks after delivery to make sure the recommendations stuck and answer follow-up questions.
Pick the shape that fits.
Security review
Fixed-scope review of an existing application or a planned design. Written report + walkthrough call.
Integration sprint
1–2 weeks of focused integration work. SPI wiring, bootstrap hardening, custom permissions — together with your team.
On-demand support
Retainer for ad-hoc questions, PR reviews, and incident support. Slack / email / PR comments.
Workshop
On-site or remote workshop on Vaadin / REST security for your engineering team. Hands-on, code-driven.
Direct line to the author.
Drop a short email.
No long form. Send three things and I'll come back with a concrete next step.
- A one-paragraph description of your application.
- The current security stack — Spring Security, Jakarta Security, in-house, or none.
- What you'd like to achieve in the next 4–8 weeks.
I usually reply within two business days.