[Owasp-leaders] Ruling out false positives from vulnerability scans
jim.manico at owasp.org
Mon Nov 9 17:28:04 UTC 2015
On this note, the most /*senior*/ AppSec teams or departments that I
have seen tend to use a /wide variety of tools/ as opposed to depending
on any one. Even if some tool categories have better false positive
rates, they all have different coverage. Even the same type of tool
(from different vendors or foundations) used against the same app have
widely different coverage in my experience.
So I suggest that instead of throwing one tool or one tool category at
the problem, throw the kitchen sink at it and more - depending on your
budget and resources.
On 11/9/15 5:22 AM, Dave Wichers wrote:
> To many its somewhat obvious, but based on the OWASP Benchmark results
> testing static, dynamic, and runtime (IAST) tools, dynamic and runtime
> tools have far lower false positive rates than static tools because
> they are observing the actual behavior of the app (not just
> theoretical behavior statically). Dynamic tools that do time based
> results might indeed have high false positive rates, as others have
> said, but the Benchmark hasn’t tested for that yet.
> So one option open to you is to change the types of tools you are
> using. That said, there are lots of things static is better at than
> dynamic, and vice versa, so I’m not saying static is bad. But if low
> false positives is really important to you, then using non-static
> might be a way to go.
> From: Laura Guazzelli <laura.guazzelli at owasp.org
> <mailto:laura.guazzelli at owasp.org>>
> Date: Sunday, November 8, 2015 at 6:37 PM
> To: "owasp-leaders at lists.owasp.org
> <mailto:owasp-leaders at lists.owasp.org>" <owasp-leaders at lists.owasp.org
> <mailto:owasp-leaders at lists.owasp.org>>
> Subject: [Owasp-leaders] Ruling out false positives from vulnerability
> I am very curious about either the methodology and/or recommendations
> from leaders on how to separate false positives from real positives
> from vulnerability scans.
> Laura Guazzelli
> _______________________________________________ OWASP-Leaders mailing
> list OWASP-Leaders at lists.owasp.org
> <mailto:OWASP-Leaders at lists.owasp.org>
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
Global Board Member
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the OWASP-Leaders