Hi, good news: the sonar OWASP plugin picked up only 4 vulnerabilities (of 97 active OWASP rules) and an overall 0.1% OWASP risk factor score (the app under test is based on 1.3.0 ISIS core and 1.3.1 Wicket viewer), and those vulnerabilities may be attributable to the business code we wrote rather than ISIS core. Can't say any more than that, so please don't ask.
Similarly, I ran an "out of the box" Arachni pen test (anonymous only) and it didn't pick up anything of note that wasn't caused by our own implementation. However, my advice is to always run your own tests - don't rely on the assertions of others - but at least you may draw some comfort, in terms of making an investment with ISIS (and Wicket etc.), that it is unlikely to let you down in this area. David.
