isis-users mailing list archives

From David Tildesley <>
Subject OWASP vulnerability test results
Date Wed, 12 Feb 2014 04:16:11 GMT

Good news: sonar owasp plugin picked up only 4 vulnerabilities (of 97 active OWASP rules)
and overall 0.1% OWASP risk factor score (the app under test based on 1.3.0 ISIS core and
1.3.1 wicket viewer) and those vulnerabilities may be attributable to the business code we
wrote rather than ISIS core. Can't say any more than that so please don't ask. 

Similarly, I ran an "out of the box" Arachni pen test (anonymous only) and it didn't pick up
anything of note that wasn't caused by our own implementation.

However, my advice is to always run your own tests - don't rely on the assertions of others -
but at least you may draw some comfort in terms of making an investment with ISIS (and Wicket
etc.) that it is unlikely to let you down in this area.

