[Owasp-leaders] Ruling out false positives from vulnerability scans
John Patrick Lita
john.patrick.lita at owasp.org
Tue Nov 10 01:59:56 UTC 2015
Combination of Automated and Manual Testing
since we use automation and get the Results we still need to verify if the
result for the Positive or not,
and better to remove the false positives results.
*Note: we need to use the right tool in the right application*
On Tue, Nov 10, 2015 at 2:05 AM, Rogan Dawes <rogan at dawes.za.net> wrote:
> My point was to remove the load introduced by the scanning process, and
> then use extreme delays, such as 30-60 seconds, and make sure that the
> finding is repeatable under those circumstances.
> On Mon, 9 Nov 2015 19:28 Jim Manico <jim.manico at owasp.org> wrote:
>> On this note, the most *senior* AppSec teams or departments that I have
>> seen tend to use a *wide variety of tools* as opposed to depending on
>> any one. Even if some tool categories have better false positive rates,
>> they all have different coverage. Even the same type of tool (from
>> different vendors or foundations) used against the same app have widely
>> different coverage in my experience.
>> So I suggest that instead of throwing one tool or one tool category at
>> the problem, throw the kitchen sink at it and more - depending on your
>> budget and resources.
>> On 11/9/15 5:22 AM, Dave Wichers wrote:
>> To many its somewhat obvious, but based on the OWASP Benchmark results
>> testing static, dynamic, and runtime (IAST) tools, dynamic and runtime
>> tools have far lower false positive rates than static tools because they
>> are observing the actual behavior of the app (not just theoretical behavior
>> statically). Dynamic tools that do time based results might indeed have
>> high false positive rates, as others have said, but the Benchmark hasn’t
>> tested for that yet.
>> So one option open to you is to change the types of tools you are using.
>> That said, there are lots of things static is better at than dynamic, and
>> vice versa, so I’m not saying static is bad. But if low false positives is
>> really important to you, then using non-static might be a way to go.
>> From: Laura Guazzelli < <laura.guazzelli at owasp.org>
>> laura.guazzelli at owasp.org>
>> Date: Sunday, November 8, 2015 at 6:37 PM
>> To: " <owasp-leaders at lists.owasp.org>owasp-leaders at lists.owasp.org" <
>> owasp-leaders at lists.owasp.org>
>> Subject: [Owasp-leaders] Ruling out false positives from vulnerability
>> I am very curious about either the methodology and/or recommendations
>> from leaders on how to separate false positives from real positives from
>> vulnerability scans.
>> Laura Guazzelli
>> _______________________________________________ OWASP-Leaders mailing
>> list OWASP-Leaders at lists.owasp.org
>> OWASP-Leaders mailing listOWASP-Leaders at lists.owasp.orghttps://lists.owasp.org/mailman/listinfo/owasp-leaders
>> Jim Manico
>> Global Board Member
>> OWASP Foundationhttps://www.owasp.org
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
John Patrick Lita
*Chapter Leader OWASP Manila*
FB Page @OwaspManila <https://www.facebook.com/OwaspManila>
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the OWASP-Leaders