The impact of false positives on web application security scanners
As regards the other web application security scanners, I think all of us, including Netsparker should start focusing a bit more on finding new and innovative ways on how to verify our findings and avoid reporting false positives. Web vulnerability scanners are not what they used to be 5 years ago, they came a long way. Many of them can detect vulnerabilities that 5 years ago we didn’t think it was possible to detect using automated means. So from that aspect, all web security scanners as a whole improved. But by increasing automation, false positives also increased. So, what’s the point in increasing automation when penetration testers and web security experts still have to verify a scanner’s findings?

To me it seems as if most software vendors are looking in the wrong direction. I think it is a good to improve coverage and report more vulnerabilities, but the industry should listen to what the market wants; Identifying the most common web vulnerabilities without having to verify them. Else false positives will always be a stigma for automated web application security scanners.

Spotlight

Email scammers stole $215M from businesses in 14 months

Posted on 29 January 2015.  |  In 14 months there have been nearly 1200 US and a little over 900 non-US victims of BEC scams, and the total money loss reached nearly $215 million.


Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.
  



Daily digest

Receive a daily digest of the latest security news.
  
DON'T
MISS

Fri, Jan 30th
    COPYRIGHT 1998-2015 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //