What are false positives in web application security?
False positives are like false alarms: they occur when security software reports a vulnerability or security issue that does not actually exist. In the web application industry, false positives are most often associated with web application security scanners, also known as web security scanners or web vulnerability scanners. False positives are common in several other IT areas as well, and they are an inherent risk of any automated detection tool.
Why do web application security scanners typically generate false positives?
False positives in web application security scanners are typically caused by weak signature patterns in the scanner's vulnerability checks. When the scanner analyses an HTTP response to decide whether a vulnerability exists, it tries to match the content of the response against a predefined signature pattern, for example the text of a database error message. If some text in the response matches the pattern, the scanner concludes that the page is vulnerable, whether or not that text was actually produced by the injected payload.
If the predefined signature pattern is weak, legitimate text in the HTTP response (page content that happens to contain the same string, or a generic error page returned for any malformed input) will trigger the vulnerability check and the scanner will report a false positive.
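The following example is added here to illustrate the mechanism described above; it is not code from the original article or from any real scanner. It simulates three endpoints (a page that concatenates user input into SQL and echoes database errors, a knowledge-base article that merely quotes the same MySQL error text, and a page that uses a parameterized query) and compares a weak signature-only check against a differential check that first fetches a baseline response with benign input. The endpoint functions, payloads and response bodies are all constructed for the example.

```python
import re

# Error text that a weak scanner signature looks for anywhere in the response body.
MYSQL_SYNTAX_ERROR = ("You have an error in your SQL syntax; check the manual that "
                      "corresponds to your MySQL server version")
SQLI_SIGNATURE = re.compile(r"You have an error in your SQL syntax", re.IGNORECASE)

# Constructed target endpoints. Each takes the value of a query parameter and returns
# an HTTP response body, standing in for a live HTTP request (assumption for the example).

def vulnerable_product_page(product_id: str) -> str:
    """Simulates a page that builds SQL by string concatenation and echoes DB errors."""
    if "'" in product_id:
        return (f"<h1>Error</h1><pre>{MYSQL_SYNTAX_ERROR} for the right syntax "
                f"to use near ''{product_id}'' at line 1</pre>")
    return f"<h1>Product {product_id}</h1><p>In stock.</p>"

def kb_article_page(article_id: str) -> str:
    """Simulates a knowledge-base article that quotes the MySQL error as documentation."""
    return (f'<h1>Article {article_id}: Troubleshooting MySQL</h1>'
            f'<p>If you see "{MYSQL_SYNTAX_ERROR} ...", check your quoting.</p>')

def safe_product_page(product_id: str) -> str:
    """Simulates a page that uses a parameterized query and a generic error handler."""
    if not product_id.isdigit():
        return "<h1>Product not found</h1>"
    return f"<h1>Product {product_id}</h1><p>In stock.</p>"

BENIGN_VALUE = "42"     # a value the application expects
PAYLOAD = "42'"         # the classic single-quote probe for SQL injection

def weak_scan(endpoint) -> bool:
    """Flag the endpoint if the error signature appears anywhere after sending the payload.
    This is the weak check: it never asks whether the text was there to begin with."""
    return bool(SQLI_SIGNATURE.search(endpoint(PAYLOAD)))

def differential_scan(endpoint) -> bool:
    """Flag only if the signature is absent from the baseline response and present
    in the response to the payload, i.e. the payload caused the error text to appear."""
    baseline = endpoint(BENIGN_VALUE)
    if SQLI_SIGNATURE.search(baseline):
        return False  # the string is normal page content, not evidence of injection
    return bool(SQLI_SIGNATURE.search(endpoint(PAYLOAD)))

ENDPOINTS = {
    "vulnerable_product_page": vulnerable_product_page,
    "kb_article_page": kb_article_page,
    "safe_product_page": safe_product_page,
}
TRULY_VULNERABLE = {"vulnerable_product_page"}

def run_scanner(scanner) -> dict:
    """Run one scanner over every constructed endpoint; returns {name: flagged?}."""
    return {name: scanner(fn) for name, fn in ENDPOINTS.items()}

def false_positives(scanner) -> list:
    """Names of endpoints the scanner flagged that are not actually vulnerable."""
    return sorted(name for name, hit in run_scanner(scanner).items()
                  if hit and name not in TRULY_VULNERABLE)

if __name__ == "__main__":
    for name, scanner in (("weak", weak_scan), ("differential", differential_scan)):
        print(f"{name:13s} flagged={run_scanner(scanner)} false_positives={false_positives(scanner)}")
```

The weak check flags the knowledge-base article because the signature string is part of its normal content, which is exactly the false positive the article describes. The differential check requests the page with a benign value first and only reports the finding when the error text is introduced by the payload; a real scanner would go further (for example confirming with a second payload that repairs the query), but the baseline comparison alone removes this class of false positive.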
What is the impact of false positives in a web application security scan?
False positives have a very negative impact on web security scans and penetration tests. Automated tools such as web application security scanners are used to take over the repetitive parts of a penetration test, leaving the tester free to concentrate on tasks that cannot be automated, such as identifying logical vulnerabilities. If the scanner used is known to report a lot of false positives, the tester instead spends that time manually verifying every scanner finding, and the benefit of automating the scan is lost.