The impact of false positives on web application security scanners
Bookmark and Share
As regards the other web application security scanners, I think all of us, including Netsparker should start focusing a bit more on finding new and innovative ways on how to verify our findings and avoid reporting false positives. Web vulnerability scanners are not what they used to be 5 years ago, they came a long way. Many of them can detect vulnerabilities that 5 years ago we didnít think it was possible to detect using automated means. So from that aspect, all web security scanners as a whole improved. But by increasing automation, false positives also increased. So, whatís the point in increasing automation when penetration testers and web security experts still have to verify a scannerís findings?

To me it seems as if most software vendors are looking in the wrong direction. I think it is a good to improve coverage and report more vulnerabilities, but the industry should listen to what the market wants; Identifying the most common web vulnerabilities without having to verify them. Else false positives will always be a stigma for automated web application security scanners.

Spotlight

Attackers use reflection techniques for larger DDoS attacks

Posted on 17 April 2014.  |  Instead of using a network of zombie computers, newer DDoS toolkits abuse Internet protocols that are available on open or vulnerable servers and devices. This approach can lead to the Internet becoming a ready-to-use botnet for malicious actors.


Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.
  



Daily digest

Receive a daily digest of the latest security news.
  

DON'T
MISS

Fri, Apr 18th
    COPYRIGHT 1998-2014 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //