The impact of false positives on web application security scanners
However, the situation is even worse if the user is not an experienced web application security tester. Vulnerability scanners employ very advanced checks, sending complicated attacks with different encodings to bypass blacklisting protection, etc. So when inexperienced users try to reproduce the identified vulnerability they might fail to replay the exact same attack, or simply cannot manually exploit the identified vulnerability. Since half of the issues reported by the scanner were false positives, when a non-seasoned user cannot manually confirm a vulnerability he or she tends to ignore it and mark it as a false positive. This obviously diminishes the value of the scanner, and this is a big part of the problem of the web application security scanners that cried wolf too often.

What are you doing in Netsparker to eradicate false positives?

When we started designing Netsparker Web Application Security Scanner we wanted to build a tool that helps penetration testers find vulnerabilities without the need to verify the detected vulnerabilities, by guaranteeing a false-positive-free scan.

How do we guarantee false-positive-free scans? It is the same as what penetration testers do manually: try to exploit the identified vulnerability, and if the exploitation is successful, then it is not a false positive. So we included an exploitation engine in Netsparker that automatically exploits detected vulnerabilities in a safe and read-only way. If the vulnerability is exploitable, Netsparker flags it as a real vulnerability, therefore penetration testers do not have to manually verify it.

And we didn’t stop there. To confirm that we are on the right track, and that the Netsparker exploitation engine works as advertised, we made plenty of tests, i.e. security scans of live web applications, and compared the findings to those of other well-known scanners. We are proud to say that Netsparker was the only scanner that did not report any false positives, not to mention that it was also the scanner that detected the most exploitable vulnerabilities. In fact the team reported several zero-day vulnerabilities in open source web applications such as Joomla, MediaWiki and Twiki.
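The verification idea described above, as an added example that is not Netsparker's own code (the product's engine is not shown on this page): a constructed in-memory SQLite application with one injectable and one parameterised search endpoint, a signature-based check that flags both, and a read-only boolean verification that confirms only the real one. The endpoint names, the decoy error page and the sample data are assumptions made for this example.

```python
import random
import sqlite3

# Constructed stand-in for a web application backed by an in-memory SQLite
# database. This is an assumption for the example, not Netsparker code.
def _make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    con.executemany("INSERT INTO products (name) VALUES (?)",
                    [("lamp",), ("laptop",), ("lantern",), ("kettle",)])
    return con

_CON = _make_db()


def vulnerable_search(term):
    """Injectable endpoint: the search term is concatenated into the SQL."""
    sql = "SELECT name FROM products WHERE name LIKE '%" + term + "%'"
    try:
        return "\n".join(row[0] for row in _CON.execute(sql))
    except sqlite3.Error as exc:
        return "Database error: " + str(exc)


def safe_search(term):
    """Parameterised endpoint: same feature, no injection. It deliberately
    answers quotes with a canned SQL-looking error page, a common source of
    false positives for signature-based checks (assumed behaviour)."""
    if "'" in term:
        return "Database error: near \"'\": syntax error"
    rows = _CON.execute("SELECT name FROM products WHERE name LIKE ?",
                        ("%" + term + "%",))
    return "\n".join(row[0] for row in rows)


ERROR_SIGNATURES = ("database error", "syntax error", "unrecognized token")


def heuristic_detect(app, term):
    """Signature-based check: inject a quote and look for DB error strings.
    Cheap, but it cannot tell a real database error from a decoy page."""
    body = app(term + "'").lower()
    return any(sig in body for sig in ERROR_SIGNATURES)


def verify_sqli(app, term):
    """Read-only verification: make the database evaluate a condition we
    control and check that the page changes accordingly. Only SELECT
    semantics are exercised; nothing is written or deleted."""
    a, b = random.sample(range(10, 99), 2)       # distinct ints; avoids a fixed 1=1 signature
    baseline = app(term)
    true_page = app(f"{term}%' AND {a}={a}--")   # always-true: must equal the baseline
    false_page = app(f"{term}%' AND {a}={b}--")  # always-false: must differ (no rows)
    return baseline == true_page and baseline != false_page


def scan(app, term):
    """What a scanner reports without (flagged) and with (verified) an
    exploitation step behind the heuristic detection."""
    flagged = heuristic_detect(app, term)
    return {"flagged": flagged, "verified": flagged and verify_sqli(app, term)}


if __name__ == "__main__":
    for name, app in (("vulnerable_search", vulnerable_search),
                      ("safe_search", safe_search)):
        print(name, scan(app, "la"))
```

Both endpoints are flagged by the signature check because both return a "Database error" page, but only `vulnerable_search` lets the injected condition change the result set, so only it is verified. A real scanner has to add what this toy omits: a stability check of the baseline against dynamic page content before trusting a differential, and separate verification strategies for the other vulnerability classes.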

Apart from guaranteeing false positive free web security scans, are there any other advantages in having an exploitation engine in Netsparker?

There are several other advantages in having an exploitation engine in Netsparker.

For example, just like in many other professions, “showing” instead of “telling” works better. When you show management or the developers the actual impact an exploited vulnerability might have, they will immediately understand how important the problem is. However, they tend to ignore you when you only talk about vulnerabilities on a hypothetical level.

Secondly, developers can use the Netsparker exploitation engine to better understand how the vulnerability works. By learning more about detected vulnerabilities and the different ways they can be exploited, developers will get better at remediating them and also at writing more secure code in future projects.

Last but not least, since users do not need to verify the vulnerability scanner’s findings, web security scans can be performed by junior members of the team, so senior members of the development team can focus on more important issues, such as fixing reported vulnerabilities.

What is the way forward for Netsparker and other web application security scanners?

Netsparker is already able to automatically exploit and verify the most commonly exploited vulnerabilities, such as SQL injection, cross-site scripting (XSS), remote code execution, remote file inclusion and many others. Therefore if Netsparker detects any of these vulnerabilities, rest assured that they are not false positives. There are still some other vulnerabilities that at this stage Netsparker is unable to verify automatically; therefore a lot of research is being done to discover new ways to automatically verify more types of web application vulnerabilities, and of course at the same time to find new ways to improve the existing verification checks.


Fri, Feb 12th