What are false positives & how to work with them?
Vulnerability scanners are built to report every possible vulnerability or potential vulnerability in the application. If certain conditions within the application or server match a known vulnerability, the scanner reports the vulnerability within the dashboard along the description, request, response & steps to fix the vulnerability.
Sometimes, a vulnerability gets reported as it matches all the conditions but doesn't exist upon verification within the application/server. This vulnerability is called a 'False Positive' - essentially a vulnerability that a security scanner think exists but isn't the case upon verification.
False positives are common occurrence with vulnerability scanners, and still a problem under research. With Astra's Pentest Platform, we try hard to ensure there are minimal false positives and also give a unique option of 'vetted' reports.
Vetted Reports are vulnerability assessment reports reviewed by our security engineers to ensure there are no false positives. This helps organizations with lean or no security teams to get an actionable security posture report which they can work on.
With vetted scans by Astra, every vulnerability is reviewed by security experts to ensure you receive a list of vulnerabilities which have no false positives, saving your developers a ton of time.
You can request a 'Automated (Vetted)' scan while initiating the scan.
Want to Read More About False Positives?
Here are a few research papers which talk about false positives in cyber security and propose solutions to tackle them.
https://www.giac.org/paper/gsec/2063/vulnerability-analysis-elimination-false-positives/103552
https://nsuworks.nova.edu/cgi/viewcontent.cgi?article=2096&context=gscis_etd
(the above papers are credited to the institutions and scholars to wrote them)
If you find that a vulnerability reported by the automated scanner is a false positive, you can report it to us and also exclude it from being flagged in subsequent scans. Know More.
Sometimes, a vulnerability gets reported as it matches all the conditions but doesn't exist upon verification within the application/server. This vulnerability is called a 'False Positive' - essentially a vulnerability that a security scanner think exists but isn't the case upon verification.
False positives are common occurrence with vulnerability scanners, and still a problem under research. With Astra's Pentest Platform, we try hard to ensure there are minimal false positives and also give a unique option of 'vetted' reports.
Vetted Reports are vulnerability assessment reports reviewed by our security engineers to ensure there are no false positives. This helps organizations with lean or no security teams to get an actionable security posture report which they can work on.
Which Plans Include Vetted Reports & How Many?
With vetted scans by Astra, every vulnerability is reviewed by security experts to ensure you receive a list of vulnerabilities which have no false positives, saving your developers a ton of time.
| Plan Name | Vetted Reports |
|---|---|
| Scanner Plan | 0 |
| Expert Plan (billed annually) | 4 |
| Pentest Plan | 4 |
You can request a 'Automated (Vetted)' scan while initiating the scan.
Want to Read More About False Positives?
Here are a few research papers which talk about false positives in cyber security and propose solutions to tackle them.
https://www.giac.org/paper/gsec/2063/vulnerability-analysis-elimination-false-positives/103552
https://nsuworks.nova.edu/cgi/viewcontent.cgi?article=2096&context=gscis_etd
(the above papers are credited to the institutions and scholars to wrote them)
Working with False Positives
If you find that a vulnerability reported by the automated scanner is a false positive, you can report it to us and also exclude it from being flagged in subsequent scans. Know More.
Updated on: 19/01/2023
Thank you!