Thanks for sharing those results, David. Of course, if you do subsequently find something that needs addressing, raise a ticket.

Cheers
Dan

On 12 February 2014 04:16, David Tildesley <[email protected]> wrote:
> Hi,
>
> Good news: sonar owasp plugin picked up only 4 vulnerabilities (of 97
> active OWASP rules) and overall 0.1% OWASP risk factor score (the app under
> test based on 1.3.0 ISIS core and 1.3.1 wicket viewer) and those
> vulnerabilities may be attributable to the business code we wrote rather
> than ISIS core. Can't say any more than that so please don't ask.
>
> Similarly I ran an "out of the box" Arachni pen test (anonymous only) and
> it didn't pick up anything of note that wasn't caused by our own
> implementation.
>
> However my advice is to always run your own tests - don't rely on the
> assertions of others but at least you may draw some comfort in terms of
> making an investment with ISIS (and Wicket etc) that it is unlikely to let
> you down in this area.
>
> David.
