Should False Positives Exist in 2023?
False positives are a useful indication that your tool is detecting problems and vulnerabilities with a high degree of scrutiny; however, the volume of results can be large.
Whether or not false positives should still exist in the pen testing process in 2023 depends on what you want to define as a false positive.
Ideally, tools should flag things with a level of scrutiny and caution that exceeds the potential threat, and what that information is then used for, rather than the raw number of alerts, should dictate whether or not the tools are performing well. More false positives generally means a better and more rigorous tool.
These tools should be picking up on issues and vulnerabilities that are very unlikely to be a real risk to the business, and their output should then feed down into other, more specialist tools that are capable of determining whether or not a vulnerability is legitimate in the context of the environment.
What this teaches us is that if we ask to see and use only tools that are 100% accurate, what we end up with is a tool that misses a great deal of important information. Equally, if you choose to use only a tool that flags every piece of information as vulnerable, you end up with too much noise and an overload of work for your development teams.
Therefore, the optimal way to test for vulnerabilities in your code is to take a very noisy, wide-ranging tool and use it alongside tools that are capable of greater refinement. This way, you will find yourself in the safest and most structured situation when it comes to testing.
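To make the trade-off concrete, here is an added example (not code from Cytix or from the original post) that models the two-stage approach described above: a noisy, high-recall scanner whose raw findings are passed through a contextual triage stage, compared against a "precise only" tool that reports nothing below a confidence threshold. The findings, the environment context (which assets are internet-facing and whether the flagged component actually runs there), the rule names and the ground truth are all constructed for the illustration; a real triage stage would draw these facts from asset inventories and reachability analysis and would carry its own error rate.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    fid: str
    rule: str
    asset: str
    confidence: float  # the scanner's own confidence, 0.0 to 1.0


# Hypothetical rule classes whose exploitation needs a network path to the asset.
REMOTE_RULES = {"sqli", "remote_rce"}

# Constructed environment context for three hypothetical assets.
ENVIRONMENT = {
    "web-frontend": {"internet_facing": True, "component_in_use": True},
    "batch-worker": {"internet_facing": False, "component_in_use": True},
    "legacy-lib": {"internet_facing": False, "component_in_use": False},
}

# Constructed stage-1 output from a deliberately noisy scanner.
RAW_FINDINGS = [
    Finding("F1", "sqli", "web-frontend", 0.95),
    Finding("F2", "remote_rce", "web-frontend", 0.55),
    Finding("F3", "sqli", "batch-worker", 0.92),
    Finding("F4", "weak_hash", "batch-worker", 0.60),
    Finding("F5", "remote_rce", "legacy-lib", 0.97),
    Finding("F6", "weak_hash", "legacy-lib", 0.40),
    Finding("F7", "debug_enabled", "web-frontend", 0.70),
]

# Constructed ground truth: the findings a manual review confirmed as real risk.
TRUE_POSITIVES = {"F1", "F2", "F4", "F7"}


def precise_tool(findings, threshold=0.9):
    """A '100% accurate' style tool: reports only high-confidence findings."""
    return [f for f in findings if f.confidence >= threshold]


def noisy_tool(findings):
    """The wide-ranging tool: reports every finding it sees."""
    return list(findings)


def triage(findings, environment):
    """Stage 2: keep only findings that are exploitable in this environment."""
    kept = []
    for f in findings:
        ctx = environment.get(f.asset)
        if ctx is None:
            kept.append(f)  # unknown asset: keep it rather than silently discard
            continue
        if not ctx["component_in_use"]:
            continue  # the flagged component never executes on this asset
        if f.rule in REMOTE_RULES and not ctx["internet_facing"]:
            continue  # remote-only issue with no network path to the asset
        kept.append(f)
    return kept


def precision_recall(reported, truth):
    """Return (precision, recall) of a reported set against ground truth."""
    reported_ids = {f.fid for f in reported}
    tp = len(reported_ids & truth)
    precision = tp / len(reported_ids) if reported_ids else 0.0
    recall = tp / len(truth) if truth else 0.0
    return precision, recall


def compare_strategies():
    """Score the three strategies discussed in the text on the sample data."""
    noisy = noisy_tool(RAW_FINDINGS)
    return {
        "precise only": precision_recall(precise_tool(RAW_FINDINGS), TRUE_POSITIVES),
        "noisy only": precision_recall(noisy, TRUE_POSITIVES),
        "noisy + triage": precision_recall(triage(noisy, ENVIRONMENT), TRUE_POSITIVES),
    }


if __name__ == "__main__":
    for name, (p, r) in compare_strategies().items():
        print(f"{name:15s} precision={p:.2f} recall={r:.2f}")
```

On this sample, the precise-only tool keeps its output short but misses three of the four real issues, the noisy tool finds all four at the cost of three spurious tickets, and the noisy tool followed by triage reaches the development team with only the four confirmed findings. The unknown-asset branch in `triage` is deliberate: a triage stage should only discard a finding when it has positive evidence that the finding is irrelevant, otherwise the refinement stage quietly reintroduces the blind spots the noisy stage was chosen to avoid.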