[Owasp-leaders] Ruling out false positives from vulnerability scans

Rogan Dawes rogan at dawes.za.net
Mon Nov 9 18:05:53 UTC 2015


My point was to remove the load introduced by the scanning process, and
then use extreme delays, such as 30-60 seconds, and make sure that the
finding is repeatable under those circumstances.

Rogan
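As an added illustration of the re-verification Rogan describes (this is example code written for this page, not code from the list thread or any scanner), the script below re-tests a time-based finding with a long delay, alternating benign and delaying requests so both see the same server conditions, and only accepts the finding if every delayed response exceeds the baseline median by most of the requested delay. The `SLEEP()` payload, the 80% threshold, the quiet `pause` between requests and the simulated targets (a vulnerable one and a merely noisy one) are all this example's own assumptions; a real run would wrap an HTTP client in the `probe` callable.

```python
import random
import statistics
import time
from typing import Callable, Dict, List

# Hypothetical probe: sends one request with the given parameter value and
# returns the observed response time in seconds.  Real use would time a
# requests/urllib call with time.perf_counter(); here the targets are simulated
# so the example runs offline and without any scanner load on a real host.
Probe = Callable[[str], float]


def verify_time_based(probe: Probe, benign: str,
                      payload_for: Callable[[int], str],
                      delay: int = 30, trials: int = 5,
                      pause: float = 0.0) -> Dict[str, object]:
    """Re-test a scanner's time-based hit with a long delay and repetition.

    Each trial sends the benign value (baseline) and then the payload asking
    the backend to stall `delay` seconds.  `pause` is a quiet gap so our own
    traffic does not load the target.  The finding counts as repeatable only
    if *every* delayed response exceeds the baseline median by at least 80%
    of `delay` (assumed threshold): one fast payload response means the stall
    is not under our control and the original hit was load-induced jitter.
    """
    baseline: List[float] = []
    delayed: List[float] = []
    for _ in range(trials):
        baseline.append(probe(benign))
        time.sleep(pause)
        delayed.append(probe(payload_for(delay)))
        time.sleep(pause)
    base_med = statistics.median(baseline)
    threshold = base_med + 0.8 * delay
    return {
        "baseline_median": base_med,
        "delayed_min": min(delayed),
        "threshold": threshold,
        "repeatable": all(t >= threshold for t in delayed),
    }


def sleep_payload(delay: int) -> str:
    """Constructed MySQL-style time-based payload (assumption, not from the thread)."""
    return f"1' AND SLEEP({delay})-- "


def make_simulated_target(vulnerable: bool, jitter: float, seed: int = 1) -> Probe:
    """Constructed stand-in for a web app under load.

    Response time = 0.2 s service time + uniform jitter in [0, jitter] seconds
    (modelling a loaded server) + the injected sleep if, and only if, the app is
    actually vulnerable.  The sleep length is parsed from sleep_payload()'s format.
    """
    rng = random.Random(seed)
    prefix = "1' AND SLEEP("

    def probe(value: str) -> float:
        elapsed = 0.2 + rng.uniform(0, jitter)
        if vulnerable and value.startswith(prefix):
            elapsed += int(value[len(prefix):].split(")")[0])
        return elapsed

    return probe


if __name__ == "__main__":
    # With up to 5 s of jitter a scanner's short (few-second) delay is lost in
    # the noise; a 30 s delay is not.  Only the truly vulnerable target passes.
    for label, vuln in (("vulnerable", True), ("just noisy", False)):
        target = make_simulated_target(vulnerable=vuln, jitter=5.0)
        print(label, verify_time_based(target, "1", sleep_payload, delay=30))
```

In practice set `pause` to several seconds and stop the scanner first, so the baseline reflects the idle application rather than the scanner's own load; the decision rule is deliberately strict (all trials, not a majority) because a single non-delayed response disproves attacker control of the timing.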

On Mon, 9 Nov 2015 19:28 Jim Manico <jim.manico at owasp.org> wrote:

> On this note, the most *senior* AppSec teams or departments that I have
> seen tend to use a *wide variety of tools* as opposed to depending on any
> one. Even if some tool categories have better false positive rates, they
> all have different coverage. Even the same type of tool (from different
> vendors or foundations) used against the same app have widely different
> coverage in my experience.
>
> So I suggest that instead of throwing one tool or one tool category at the
> problem, throw the kitchen sink at it and more - depending on your budget
> and resources.
>
> Regards,
> Jim
>
>
>
>
>
>
> On 11/9/15 5:22 AM, Dave Wichers wrote:
>
> Laura,
>
> To many it's somewhat obvious, but based on the OWASP Benchmark results
> testing static, dynamic, and runtime (IAST) tools, dynamic and runtime
> tools have far lower false positive rates than static tools because they
> are observing the actual behavior of the app (not just theoretical behavior
> statically). Dynamic tools that do time-based results might indeed have
> high false positive rates, as others have said, but the Benchmark hasn’t
> tested for that yet.
>
> So one option open to you is to change the types of tools you are using.
> That said, there are lots of things static is better at than dynamic, and
> vice versa, so I’m not saying static is bad. But if low false positives are
> really important to you, then using non-static might be a way to go.
>
> -Dave
>
> From: Laura Guazzelli <laura.guazzelli at owasp.org>
> Date: Sunday, November 8, 2015 at 6:37 PM
> To: "owasp-leaders at lists.owasp.org" <owasp-leaders at lists.owasp.org>
> Subject: [Owasp-leaders] Ruling out false positives from vulnerability
> scans
>
> Hello,
> I am very curious about the methodology and/or recommendations from
> leaders on how to separate false positives from real positives from
> vulnerability scans.
> Thanks,
> Laura Guazzelli
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
>
>
> --
> Jim Manico
> Global Board Member
> OWASP Foundation
> https://www.owasp.org
>
>

