The Problem of False Positives in Web Application Security and How to Tackle Them

This web application security blog post explains what false positives are in web application security and what negative impact they have on web security experts. It also explains why common automated web security tools generate false positives and how Netsparker Web Application Security Scanner does not report any false positives at all.

A false positive is like a false alarm: your house alarm is triggered but there is no burglar. In web application security, a false positive is when a web application security scanner indicates that there is a vulnerability on your website, such as SQL Injection, when in reality there is none.

Web security experts and penetration testers use automated web application security scanners to ease the penetration testing process, for example to ensure that all of the web application's attack surfaces are rapidly and properly tested. However, automated tools can also introduce problems of their own, as explained in this post.

Unaffordable Web Application Security because of False Positives

Web application security scanners are known to report false positives, so a web application penetration test consumes a considerable amount of time: the penetration testers have to go through all the reported vulnerabilities and manually verify each one by trying to exploit it. Because of this lengthy process, web application security is unaffordable for many businesses. But cost is not the only problem false positives create.

Ignoring the Real Web Application Vulnerabilities

By nature, we humans tend to start ignoring false alarms rather quickly, and penetration testers do the same during a web application penetration test. For example, if a web application security scanner detects 200 cross-site scripting vulnerabilities and the first 20 variants turn out to be false positives, the penetration tester assumes that all the others are false positives as well and ignores the rest. By doing so, there is a real chance that genuine web application vulnerabilities are left undetected.

Lack of Knowledge from Pen Testers Means Scanners Report a Lot of False Positives

When the penetration tester has to manually verify the scanner findings, the results of the test are only as good as the tester's knowledge, not the capabilities of the web application security scanner, which is typically backed by years of professional research. As we have already seen, because penetration testers do not trust web application security scanners, they verify every reported web vulnerability the web scanner detects.

If the user of the web security scanner is unable to exploit a particular web application vulnerability due to a lack of knowledge or experience, that vulnerability is treated as a false positive and will never be fixed.

Web Application Security Scanner vs Penetration Tester

Business owners and Chief Security Officers might be wondering which is the best option for securing their web applications: invest in a web application security scanner that can be used by their own employees, or hire a professional penetration tester? And if they invest in a web application security scanner, do they have the right employee to verify its findings?

First, it is important to point out that web application security scanners are never going to replace professional penetration testers, but penetration testers will never be as efficient as automated scanners. In a website penetration test, both software and humans are required. Automation and modern technology are allowing us to automate much more, so penetration tests require much less human intervention.

Proof-Based Scanning™ Technology

The most productive and cost-effective web application security solution is a web application security scanner with Proof-Based Scanning™ technology: the scanner automatically verifies its findings by exploiting the identified vulnerabilities and presents the user with proof of exploitation. The benefits of having such a scanner are manifold; security tests consume much less time, and your employees do not need years of hacking experience to verify the results.

Netsparker is the first web application security scanner on the market that has such an exploitation engine. The exploitation is also safe and read-only, so there is no chance of corrupting data or disrupting the website service because of it. With this type of heuristic and automated technology, businesses can easily reduce the costs of their web security program while improving the security posture of all their web assets.
