2017-07-12

In the medical field, false positives present a considerable risk. The outcome can often be good news, for example when a patient incorrectly diagnosed with a life-threatening disease turns out to be healthy. But at the same time, false positives can also have an unintended negative impact on patients, families and physicians alike.

While the human impact of false positives may be less when dealing with web application vulnerability scanners, the effects can be equally far-reaching. From a business perspective, false positive web application vulnerabilities present a multitude of risks.

In this article, we’re going to take a closer look at why false positives occur, the specific risks associated with false positives and how you can mitigate those risks by choosing the appropriate web application vulnerability scanner.

Why False Positives Occur

One of the biggest benefits of web application vulnerability scanners is time savings. In fact, the proliferation and increasing complexity of web applications have made automated scanners an essential part of the vulnerability elimination process. For a penetration tester, trying to eliminate all vulnerabilities manually would be a near impossibility.

The problem that arises with some web vulnerability scanners is that they have the potential to produce false positive results — that is, identifying a vulnerability where one does not actually exist. Larger and more complex web applications often result in a greater number of false positives.

Most of the time, this happens as a direct result of how the scanner identifies and, more importantly, tests (or fails to test) suspected vulnerabilities.

Vulnerability scanners scan a web application or website using an algorithm — much in the way that Google crawls a website and ranks it in the SERPs. If the scanner identifies a potential vulnerability, it then uses check logic (for example, a response that includes the attack payload, an error message or a specific HTTP response) for confirmation. If the majority of checks line up, the scanner reports that a vulnerability has been found.

And therein lies a large part of the problem. The check logic, which varies by scanner, cannot properly identify or confirm every possible scenario. Each application, environment and programming style can have slight variations that mimic vulnerabilities or trigger a false positive response.

The Potential Negative Impact of False Positives

As a patient, it’s relatively easy to imagine how a false positive result might impact your life. Being diagnosed with a communicable disease or terminal illness can set off a series of life-changing events. False positives in the medical field are a major problem that cost billions of dollars per year (over 4 billion for mammogram results alone). Even more frustrating is the fact that many of these false positive results are difficult, if not impossible, to eliminate.

When it comes to false positive results from web application vulnerability scanners, the negative impact can be more cut and dried. Still, it’s important to understand their potential impact, particularly when evaluating different web vulnerability scanning solutions:

False positives increase the time and effort required of live pen testers. The need to manually analyze scanner results in search of false positives can result in a dramatic increase in labor hours and, eventually, in the likelihood of human error. Web application vulnerability scanners, when effective, can save a tremendous amount of time and money. However, if you don’t trust the results or spend an inordinate amount of time verifying them, you’re essentially paying for a tool that isn’t being used to its full potential. This simply doubles down on the expense side of the equation.

Although it sounds counter-intuitive, false positives, over time, will increase the likelihood of undetected vulnerabilities. The key issue here is trust. If the team in charge of managing web application vulnerabilities does not trust the results generated by the scanner, it won’t be long before the real vulnerabilities are lumped together with the false positives. Instead of verifying and adequately testing a suspected vulnerability, the incorrect assumption will be made that it’s “just another false positive”. Over time, and rather quickly, this assumption will increase your overall exposure.

How Can You Eliminate False Positives?

Our natural inclination is to assume that it’s impossible to eliminate false positives. At least in the medical field, it’s a multi-billion dollar problem — the resolution of which surely offers a handsome reward.

In one sense, you’d be correct: it’s impossible to eliminate false positive results entirely. On the other hand, your assumption would be largely incorrect. Here’s why:

Although a vulnerability scanner may produce a false positive as a result of something as benign as static page text, there is technically nothing to prevent that same scanner from verifying its results before reporting them to the end user, essentially eliminating the need to confirm the vulnerability manually yourself.

Although automatically verifying web vulnerabilities is not easy to accomplish, some vendors have already implemented it. The vast majority of vulnerabilities that you would want to test for with a web application vulnerability scanner, such as SQL injection, Cross-site Scripting and Command Injection, can actually be exploited and confirmed. If you can identify a potential vulnerability and then confirm it through actual exploitation, you have essentially eliminated the potential for a false positive result.
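To make the point of the check-logic discussion and the static-page-text example concrete, here is an added illustration (not code from the article or any vendor's scanner) of why a single "signature present" check misfires and how a baseline comparison plus a controlled-input check avoids it. The fetch functions, probe strings and HTTP bodies are constructed stand-ins, not real captures.

```python
"""Naive single-signature check versus baseline-and-control verification.
All responses and fetch functions below are constructed sample data."""
from dataclasses import dataclass


@dataclass
class Response:
    status: int
    body: str


# Constructed: a help page whose static text quotes a database error phrase.
# It ignores its query parameter entirely, so nothing here is injectable.
STATIC_HELP_PAGE = Response(
    200, "<h1>FAQ</h1><p>If you see 'You have an error in your SQL syntax', "
         "contact support.</p>")

# Constructed: a search page that echoes the query parameter into the body.
def fetch_reflecting(param_value: str) -> Response:
    return Response(200, f"<h1>Results for {param_value}</h1>")

def fetch_static(param_value: str) -> Response:
    return STATIC_HELP_PAGE

ERROR_SIGNATURES = ("You have an error in your SQL syntax",)


def naive_check(fetch, probe: str) -> bool:
    """Flag if an error signature or the probe appears anywhere in the reply.
    This is the pattern that turns static page text into a false positive."""
    body = fetch(probe).body
    return any(sig in body for sig in ERROR_SIGNATURES) or probe in body


def verified_check(fetch, probe: str, control: str) -> bool:
    """Flag only when the evidence is absent from a benign baseline request
    and the observed behaviour tracks the input under our control."""
    baseline = fetch("baseline").body
    probed = fetch(probe).body
    controlled = fetch(control).body
    # Error text that was already on the page before probing is not evidence.
    new_error = any(sig in probed and sig not in baseline
                    for sig in ERROR_SIGNATURES)
    # Reflection counts only if it changes when the controlled value changes.
    reflected = (probe in probed and probe not in baseline
                 and control in controlled and probe not in controlled)
    return new_error or reflected
```

Run against the static help page, the naive check reports a finding while the verified check does not; against the reflecting page both report one, and only the second result is evidence worth handing to a tester.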

For those vulnerabilities where exploitation isn’t possible, it can be helpful to know whether a result is high-probability or low-probability.