To keep up with the fast pace of modern web application development, vulnerability testing requires automated tools to assist in finding vulnerabilities. Unfortunately, apart from legitimate vulnerabilities, automated scanners can also report false alarms, or false positives, which must be further investigated manually just like real vulnerabilities. As systems and applications grow, the number of false positives can rapidly increase and place a serious burden on developers and security teams, with negative consequences for the development process, application security, and business results.
Small-scale development often relies on manual processes and ad hoc toolkits, which can initially work well and remain manageable, even if the tools used for testing report too many false positives. However, as the number of updates and products grows and workloads increase, the number of false positives can grow exponentially, and manually dealing with each false alarm becomes impractical. When you add automation requirements into the picture, false positives become a major stumbling block for attempts to scale up and streamline vulnerability scanning, verification and resolution processes.
Our whitepaper False Positives in Web Application Security discusses the many problems that false positives can bring all across the organization and shows how Invicti’s Proof-Based Scanning™ technology can help to restore confidence in automated vulnerability scanning, improve workflow automation and web application security, and achieve real business benefits.