[Owasp-leaders] Ruling out false positives from vulnerability scans

Jim Manico jim.manico at owasp.org
Mon Nov 9 17:28:04 UTC 2015


On this note, the most senior AppSec teams or departments that I 
have seen tend to use a wide variety of tools as opposed to depending 
on any one. Even if some tool categories have better false positive 
rates, they all have different coverage. Even the same type of tool 
(from different vendors or foundations) used against the same app has 
widely different coverage in my experience.

So I suggest that instead of throwing one tool or one tool category at 
the problem, throw the kitchen sink at it and more - depending on your 
budget and resources.

Regards,
Jim





On 11/9/15 5:22 AM, Dave Wichers wrote:
> Laura,
>
> To many it's somewhat obvious, but based on the OWASP Benchmark results 
> testing static, dynamic, and runtime (IAST) tools, dynamic and runtime 
> tools have far lower false positive rates than static tools because 
> they are observing the actual behavior of the app (not just 
> theoretical behavior statically). Dynamic tools that do time-based 
> results might indeed have high false positive rates, as others have 
> said, but the Benchmark hasn't tested for that yet.
>
> So one option open to you is to change the types of tools you are 
> using. That said, there are lots of things static is better at than 
> dynamic, and vice versa, so I'm not saying static is bad. But if low 
> false positives are really important to you, then using non-static 
> might be a way to go.
>
> -Dave
>
> From: Laura Guazzelli <laura.guazzelli at owasp.org>
> Date: Sunday, November 8, 2015 at 6:37 PM
> To: "owasp-leaders at lists.owasp.org" <owasp-leaders at lists.owasp.org>
> Subject: [Owasp-leaders] Ruling out false positives from vulnerability scans
>
> Hello,
> I am very curious about either the methodology and/or recommendations 
> from leaders on how to separate false positives from real positives 
> from vulnerability scans.
> Thanks,
> Laura Guazzelli
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
>

-- 
Jim Manico
Global Board Member
OWASP Foundation
https://www.owasp.org
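The triage approach the thread argues for (run several tools, treat runtime-observed findings as higher confidence, and treat single-static-tool findings as coverage differences to review rather than automatic false positives) can be scripted once scanner output is normalized. The following is an added example, not code from the thread or any OWASP project; the tool names, finding records and field names are constructed for illustration.

```python
"""Cross-tool triage of normalized scanner findings (constructed example)."""
from collections import defaultdict

# Constructed sample: each record is one finding from one hypothetical tool,
# already normalized to a CWE id and a code location.
FINDINGS = [
    {"tool": "sast-a", "kind": "static",  "cwe": 89, "where": "login.jsp:42"},
    {"tool": "sast-b", "kind": "static",  "cwe": 89, "where": "login.jsp:42"},
    {"tool": "iast-c", "kind": "runtime", "cwe": 89, "where": "login.jsp:42"},
    {"tool": "sast-a", "kind": "static",  "cwe": 79, "where": "search.jsp:17"},
    {"tool": "sast-b", "kind": "static",  "cwe": 79, "where": "search.jsp:17"},
    {"tool": "sast-a", "kind": "static",  "cwe": 22, "where": "download.jsp:9"},
    {"tool": "iast-c", "kind": "runtime", "cwe": 78, "where": "ping.jsp:5"},
]

# Tool categories that observe the running application rather than infer
# behaviour from source; per the Benchmark discussion these carry fewer FPs.
OBSERVED_KINDS = {"dynamic", "runtime"}


def triage(findings):
    """Group findings by (cwe, location) and assign a confidence status.

    confirmed    - a dynamic/runtime tool observed the issue
    corroborated - two or more independent static tools agree
    review       - one static tool only: may be a coverage difference,
                   not necessarily a false positive, so triage manually
    """
    grouped = defaultdict(list)
    for f in findings:
        grouped[(f["cwe"], f["where"])].append(f)
    result = {}
    for key, group in grouped.items():
        tools = sorted({f["tool"] for f in group})
        kinds = {f["kind"] for f in group}
        if kinds & OBSERVED_KINDS:
            status = "confirmed"
        elif len(tools) >= 2:
            status = "corroborated"
        else:
            status = "review"
        result[key] = {"tools": tools, "status": status}
    return result


def priority_order(triaged):
    """Keys of triage() output, highest-confidence first, then by (cwe, where)."""
    rank = {"confirmed": 0, "corroborated": 1, "review": 2}
    return sorted(triaged, key=lambda k: (rank[triaged[k]["status"]], k))
```

Findings in the "review" bucket are where the coverage differences Jim describes show up, so they are the ones worth a manual check rather than being dropped.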
