A false positive is an erroneous alert indicating that a vulnerability is present. False positives are a serious problem in software development projects: investigating them can take longer than investigating correct alerts, and shifting developers' priorities toward such alerts may hurt their morale.
Report false positives
Fluid Attacks' Continuous Hacking offers very low false positive rates; for example, it achieved a false positive rate of 0% in the OWASP Benchmark Project. However, when your organization determines that a report is a false positive, or that a vulnerability does not represent any risk, you can request Fluid Attacks' evaluation of the case from the platform. This capability is called Request zero risk. To learn how to use it, refer to Request a vulnerability be dismissed as Zero Risk.
The following sections describe when zero risk requests are accepted and when they are rejected.
Reasons to accept zero risk requests
Overlooked context: Upon reviewing the context of the vulnerability, an inherent mitigation was identified that had not been previously considered.
CVE expiration: The reported vulnerability is associated with an expired Common Vulnerabilities and Exposures (CVE) entry.
Misreport: The report is erroneous or the vulnerability does not represent any risk.
Report duplication: The report is a duplicate.
Reasons to reject zero risk requests
Obfuscation by countermeasure: The vulnerability exists but is obfuscated or mitigated by a countermeasure (e.g., a WAF).
Reference to remediation: The assertion that there is no remediation available for the identified vulnerability, or that the remediation is too complex, is not a valid reason to dismiss an existing vulnerability.
Reference to exploitability: Low exploitability, or the lack of it, is not a valid reason to dismiss an existing vulnerability.
Reference to scope: That the report falls outside the intended scope of testing (i.e., it should be reported in a group where it is within scope) does not mean that it is a false positive or that it represents no risk.
Incorrect procedure: A zero risk request was submitted when the correct procedure would have been to request a reattack.
Inactivity: Discussions with the client about the report fail to progress because the client does not provide additional details, which leads to the rejection of the zero risk request.