[Owasp-leaders] Ruling out false positives from vulnerability scans

Dave Wichers dave.wichers at owasp.org
Mon Nov 9 15:22:54 UTC 2015


To many it's somewhat obvious, but based on the OWASP Benchmark results
testing static, dynamic, and runtime (IAST) tools, dynamic and runtime tools
have far lower false positive rates than static tools because they are
observing the actual behavior of the app (not just theoretical behavior
statically). Dynamic tools that do time based results might indeed have high
false positive rates, as others have said, but the Benchmark hasn't tested
for that yet.

So one option open to you is to change the types of tools you are using.
That said, there are lots of things static is better at than dynamic, and
vice versa, so I'm not saying static is bad. But if low false positives are
really important to you, then using non-static might be a way to go.
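As an added example (not from this thread or from the OWASP Benchmark project itself), here is a small Python scorer that compares each tool's findings against a ground-truth list in the spirit of the Benchmark's expected-results file, computing true positive rate, false positive rate and the Benchmark's TPR-minus-FPR accuracy score, and listing the findings the ground truth already rules out. The tool names, test case ids and findings are constructed.

```python
"""Score scanner output against a ground-truth list, OWASP Benchmark style."""
from dataclasses import dataclass

# Constructed ground truth, in the spirit of the Benchmark's expected-results
# file: test case id -> True if the case is a real vulnerability, False if it
# only looks like one (a deliberate "false positive" test case).
GROUND_TRUTH = {
    "Test00001": True,  "Test00002": False, "Test00003": True,  "Test00004": False,
    "Test00005": True,  "Test00006": False, "Test00007": True,  "Test00008": False,
}

# Constructed findings for two hypothetical tools: the set of test case ids
# each tool reported as vulnerable. Neither the tools nor the results are real.
FINDINGS = {
    "static-tool": {"Test00001", "Test00002", "Test00003", "Test00004",
                    "Test00005", "Test00006", "Test00007"},
    "dast-tool":   {"Test00001", "Test00003", "Test00005", "Test00006"},
}

@dataclass(frozen=True)
class Score:
    tp: int
    fp: int
    fn: int
    tn: int

    @property
    def tpr(self) -> float:  # share of real vulnerabilities the tool found
        return self.tp / (self.tp + self.fn) if self.tp + self.fn else 0.0

    @property
    def fpr(self) -> float:  # share of non-vulnerable cases the tool flagged
        return self.fp / (self.fp + self.tn) if self.fp + self.tn else 0.0

    @property
    def benchmark_score(self) -> float:  # Benchmark accuracy score: TPR - FPR
        return self.tpr - self.fpr

def score(findings: set[str], truth: dict[str, bool]) -> Score:
    """Build the confusion matrix for one tool over the ground-truth cases."""
    tp = sum(real and t in findings for t, real in truth.items())
    fp = sum((not real) and t in findings for t, real in truth.items())
    fn = sum(real and t not in findings for t, real in truth.items())
    tn = sum((not real) and t not in findings for t, real in truth.items())
    return Score(tp, fp, fn, tn)

def known_false_positives(findings: set[str], truth: dict[str, bool]) -> list[str]:
    """Findings the ground truth rules out; these can be closed without manual review."""
    return sorted(t for t in findings if truth.get(t) is False)
```

With these constructed inputs the static tool reaches a TPR of 1.0 at an FPR of 0.75 (score 0.25), while the dynamic tool reaches a TPR of 0.75 at an FPR of 0.25 (score 0.5), which is the trade-off the message above describes.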


From:  Laura Guazzelli <laura.guazzelli at owasp.org>
Date:  Sunday, November 8, 2015 at 6:37 PM
To:  "owasp-leaders at lists.owasp.org" <owasp-leaders at lists.owasp.org>
Subject:  [Owasp-leaders] Ruling out false positives from vulnerability

I am very curious about either the methodology and/or recommendations from
leaders on how to separate false positives from real positives from
vulnerability scans.
Laura Guazzelli