A false positive is like a false alarm: your house alarm goes off and there is no burglar. In web application security, a false positive is when a web application security scanner reports a vulnerability on your website, such as SQL Injection, that does not actually exist.
Web security experts and penetration testers use automated web application security scanners to speed up the penetration testing process, for example to ensure that all of a web application's attack surfaces are tested properly in a reasonable amount of time. Automated tools can also introduce problems of their own, however, as explained in this post.
Web application security scanners are known to report false positives, so a web application penetration test consumes a considerable amount of time: the penetration tester has to go through every reported vulnerability and verify it manually by trying to exploit it. Because of this lengthy process, web application security is unaffordable for many businesses. But cost is not the only problem false positives create.
By nature, we humans start ignoring false alarms rather quickly, and penetration testers do the same during a web application penetration test. For example, if a web application security scanner reports 200 cross-site scripting vulnerabilities and the first 20 turn out to be false positives, the penetration tester assumes that the remaining ones are false positives as well and ignores them. Real web application vulnerabilities can be left unverified, and therefore unfixed, this way.
When the penetration tester has to verify the scanner's findings manually, the results of the test are only as good as the tester's knowledge, not as good as the capabilities of the web application security scanner, which is typically backed by years of professional research. As noted above, because penetration testers do not trust web application security scanners, they verify every web vulnerability the scanner reports.
If the person using the web security scanner is unable to exploit a particular web application vulnerability, whether through lack of knowledge or lack of experience, that vulnerability is written off as a false positive and will never be fixed.
Business owners and Chief Security Officers might wonder which is the better option for securing their web applications: invest in a web application security scanner that their own employees can use, or hire a professional penetration tester? And if they invest in a web application security scanner, do they have the right employee to verify its findings?
First, it is important to point out that web application security scanners are never going to replace professional penetration testers, but penetration testers will never be as efficient as automated scanners either. A website penetration test requires both software and humans. That said, automation and modern technology allow us to automate much more of the work, so penetration tests require much less human intervention than they used to.
The most productive and cost-effective web application security solution is a web application security scanner with Proof-Based Scanning technology: the scanner automatically verifies its own findings by exploiting the identified vulnerabilities and presents the user with proof of exploitation. The benefits of such a scanner are manifold: security tests consume much less time, and your employees do not need years of hacking experience to verify the results.
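To make the difference between a heuristic finding and a verified one concrete, here is an added example (it is not Netsparker's engine or any code from the original post). It builds two constructed targets on an in-memory SQLite database: one that concatenates the `id` parameter into its query, and one that validates the parameter and uses a bound query. A signature-style check, which flags any parameter whose response changes when a single quote is appended, reports both targets as SQL Injection. The proof-based check then confirms the finding with a read-only boolean differential (`AND 1=1` must behave like the baseline, `AND 1=2` must not), which only the vulnerable target passes. The target functions, payloads and helper names are all assumptions for the example.

```python
import sqlite3
from typing import Callable

# A "target" is a request function: parameter value in, response body out.
# Real scanners issue HTTP requests; here the web app is simulated in-process.
Target = Callable[[str], str]


def _make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)", [(1, "apple"), (2, "pear")])
    return conn


def vulnerable_target() -> Target:
    """Deliberately vulnerable: the id parameter is concatenated into the SQL."""
    conn = _make_db()

    def request(pid: str) -> str:
        try:
            rows = conn.execute(f"SELECT name FROM products WHERE id = {pid}").fetchall()
        except sqlite3.Error as exc:  # database error leaks into the response
            return f"500 Internal Server Error: {exc}"
        return ", ".join(r[0] for r in rows) or "no results"

    return request


def safe_target() -> Target:
    """Not injectable: input is validated and the query uses a bound parameter."""
    conn = _make_db()

    def request(pid: str) -> str:
        if not pid.isdigit():
            return "400 Bad Request: id must be an integer"
        rows = conn.execute("SELECT name FROM products WHERE id = ?", (pid,)).fetchall()
        return ", ".join(r[0] for r in rows) or "no results"

    return request


def heuristic_sqli(target: Target, value: str) -> bool:
    """Signature-style detection: a trailing quote changes the response.

    Cheap, but any input validation or generic error page trips it, which is
    where false positives come from.
    """
    return target(value) != target(value + "'")


def proof_based_sqli(target: Target, value: str) -> bool:
    """Read-only confirmation using a boolean differential.

    If the condition is really evaluated by the database, a true condition
    leaves the baseline response unchanged and a false condition removes the
    result. Both payloads are pure SELECT conditions; nothing is written.
    """
    baseline = target(value)
    true_response = target(f"{value} AND 1=1")
    false_response = target(f"{value} AND 1=2")
    return true_response == baseline and false_response != baseline


def triage(target: Target, value: str) -> str:
    """Classify a parameter the way a proof-based scanner would."""
    if not heuristic_sqli(target, value):
        return "not flagged"
    return "confirmed" if proof_based_sqli(target, value) else "false positive"


if __name__ == "__main__":
    for name, factory in (("vulnerable app", vulnerable_target), ("safe app", safe_target)):
        print(f"{name}: {triage(factory(), '1')}")
```

Against real targets the comparison step needs normalization before responses are compared (strip timestamps, CSRF tokens, request IDs), otherwise the `AND 1=1` response never matches the baseline and genuine injections are lost as well, which is the very failure mode the text describes.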
Netsparker is the first web application security scanner on the market with such an exploitation engine. The exploitation is safe and read-only, so there is no risk of corrupting data or disrupting the website's service. With this kind of heuristic and automated technology, businesses can reduce the cost of their web security program while improving the security posture of all their web assets.