Posted to users@isis.apache.org by David Tildesley <da...@yahoo.co.nz> on 2014/02/12 05:16:11 UTC

OWASP vulnerability test results

Hi,

Good news: sonar owasp plugin picked up only 4 vulnerabilities (of 97 active OWASP rules) and overall 0.1% OWASP risk factor score (the app under test based on 1.3.0 ISIS core and 1.3.1 wicket viewer) and those vulnerabilities may be attributable to the business code we wrote rather than ISIS core. Can't say any more than that so please don't ask. 


Similarly, I ran an "out of the box" Arachni pen test (anonymous only) and it didn't pick up anything of note that wasn't caused by our own implementation.


However, my advice is to always run your own tests - don't rely on the assertions of others - but at least you may draw some comfort, in terms of making an investment with ISIS (and Wicket etc.), that it is unlikely to let you down in this area.

David.

Re: OWASP vulnerability test results

Posted by Dan Haywood <da...@haywood-associates.co.uk>.
Thanks for sharing those results, David.

Of course, if you do subsequently find something that needs addressing,
raise a ticket.

Cheers
Dan


On 12 February 2014 04:16, David Tildesley <da...@yahoo.co.nz> wrote:

> Hi,
>
> Good news: sonar owasp plugin picked up only 4 vulnerabilities (of 97
> active OWASP rules) and overall 0.1% OWASP risk factor score (the app under
> test based on 1.3.0 ISIS core and 1.3.1 wicket viewer) and those
> vulnerabilities may be attributable to the business code we wrote rather
> than ISIS core. Can't say any more than that so please don't ask.
>
>
> Similarly, I ran an "out of the box" Arachni pen test (anonymous only) and
> it didn't pick up anything of note that wasn't caused by our own
> implementation.
>
>
> However, my advice is to always run your own tests - don't rely on the
> assertions of others - but at least you may draw some comfort, in terms of
> making an investment with ISIS (and Wicket etc.), that it is unlikely to let
> you down in this area.
>
> David.
>