
The Problem of False Positives in Web Application Security and How to Tackle Them


A false positive is like a false alarm: your house alarm goes off but there is no burglar. In web application security, a false positive is when a web application security scanner reports that your website is vulnerable to a web vulnerability such as SQL Injection when in reality it is not.

Web security experts and penetration testers use automated tools such as web application security scanners to ease the job of web application penetration testing. Web application security scanners are used to ensure that all of the web application's input vectors are tested properly in a reasonable amount of time.

Unaffordable Web Application Security because of False Positives

Web application security scanners are known to report false positives, so a web application penetration test consumes a considerable amount of time: the penetration tester has to go through every reported vulnerability and verify it by trying to exploit it manually. Because of this, web application security is unaffordable for many businesses.

Unfortunately, people working in the web application security industry have come to accept that web application security scanners report false positives. They are learning to live with them rather than pushing security software vendors to develop better web vulnerability scanners. Apart from the cost, false positives bring other problems with them.

Ignoring the Real Web Application Vulnerabilities

By nature, we humans tend to start ignoring false alarms rather quickly, and penetration testers do the same during a web application penetration test. For example, if a web application security scanner reports 200 cross-site scripting vulnerabilities and the first 10 turn out to be false positives, the penetration tester assumes that all the others are false positives as well and ignores the rest. By doing so, the chances that a real web application vulnerability is missed are quite high.

Lack of Knowledge from Pen Testers Means Scanners Report a Lot of False Positives

The outcome of a penetration test of your web applications depends on the knowledge of the penetration tester you hired rather than on the capabilities of the web application security scanner. As we have already seen, penetration testers do not trust web application security scanners, so they verify every web vulnerability the scanner reports.

If the penetration tester, or the employee using the web security scanner, is unable to exploit a particular web application vulnerability due to lack of knowledge or experience, that vulnerability is classified as a false positive and will never be fixed.

Web Application Security Scanner vs Penetration Tester

Web application security scanners are not exactly the cheapest software you can buy, but neither are professional penetration testers. Business owners and Chief Security Officers might be wondering which is the better option for securing their web applications: invest in a web application security scanner that their own employees can use, or hire a professional penetration tester? And if they invest in a web application security scanner, do they have the right employee to verify its findings?

False Positive Free Web Application Security Scanner

The most productive and cost-effective web application security solution is a false-positive-free web application security scanner that can be used by any of your technical employees. The benefits of having such a scanner are that web application penetration tests consume much less time and your employees do not need years of hacking experience to verify the results.

Netsparker is the first web application security scanner on the market that ships with an exploitation engine which is triggered automatically when a web application vulnerability is detected. Exploitation is safe and read-only, so there is no chance of corrupting data or disrupting the website service because of it. Upon finding a vulnerability, Netsparker automatically tries to exploit it; if it succeeds, the vulnerability is definitely not a false positive. Netsparker clearly reports this to the user, so the user can trust the results and does not need to spend time confirming them manually.
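To show why a confirmation step matters, here is an added illustration (not Netsparker's code and not part of the original post): a constructed Python model that contrasts a naive "input is reflected" heuristic with a proof-style check that only reports a finding when HTML metacharacters come back unencoded. The three stand-in endpoint functions, the token format and the triage labels are assumptions made for the example; nothing touches the network.

```python
import html
import secrets
from typing import Callable

# Constructed stand-ins for three web endpoints: each maps a query value to
# the HTML it would return. This is an offline model, not a real scanner.
def escaping_search(q: str) -> str:
    return f"<p>Results for: {html.escape(q)}</p>"   # encodes output correctly

def raw_search(q: str) -> str:
    return f"<p>Results for: {q}</p>"                # reflects input verbatim

def static_search(q: str) -> str:
    return "<p>Search is temporarily disabled.</p>"  # never reflects input

Endpoint = Callable[[str], str]

def heuristic_verdict(endpoint: Endpoint) -> bool:
    """Naive check: flag XSS whenever the submitted value is reflected at all.
    This rule cannot tell encoded from unencoded output, so it flags the
    correctly escaping endpoint too: a false positive."""
    token = "nsp" + secrets.token_hex(4)
    return token in endpoint(token)

def proof_verdict(endpoint: Endpoint) -> bool:
    """Confirmation: submit a unique token wrapped in angle brackets and report
    vulnerable only if those brackets come back verbatim, i.e. the application
    failed to encode HTML metacharacters around user-controlled data."""
    token = "nsp" + secrets.token_hex(4)
    probe = f"<{token}>"
    return probe in endpoint(probe)

def triage(endpoint: Endpoint) -> str:
    """Combine both checks into the label a tester would want to see."""
    flagged, confirmed = heuristic_verdict(endpoint), proof_verdict(endpoint)
    if confirmed:
        return "confirmed"
    if flagged:
        return "false positive"
    return "not vulnerable"

if __name__ == "__main__":
    for name, ep in [("escaping", escaping_search), ("raw", raw_search),
                     ("static", static_search)]:
        print(f"{name}: heuristic={heuristic_verdict(ep)} "
              f"proof={proof_verdict(ep)} -> {triage(ep)}")
```

Running it shows the escaping endpoint flagged by the heuristic but cleared by the proof check, which is exactly the finding a tester would otherwise have to verify by hand.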

With this type of proactive and heuristic web application security scanning, businesses do not need to hire expensive penetration testers to verify the findings of a web application security scan. Any developer taking care of your websites and web applications can quickly launch a web application security scan with Netsparker, analyse the findings and fix the vulnerabilities.
