How does Acunetix go about cutting down false positives?
Many customers ask us how we tackle false positives. People who do not understand the true nature of web application scanning often get confused by, and fear, the phrase "false positives", a problem that is compounded by media coverage.
Heuristics are one way of reducing false positives. Acunetix Web Vulnerability Scanner (WVS) is a heuristic web application scanner rather than a signature matching engine. This is an extremely important distinction. Signature matching engines behave much like most anti-virus products. Standard antivirus products scan for thousands of known viruses, including old ones, even those written for Windows 3.x systems. In this day and age you would rarely encounter that OS, but in the minds of consumers the most important question is "how many viruses does this software detect?". In reality, the latest AV protects you against everything except the newest viruses circulating in the wild, and it is those viruses that cause the greatest damage.
True web vulnerability scanning does not hinge on building a database of known exploitable vulnerabilities in specific applications, servers and systems and testing a website and its applications against it. This is a common misconception and, unfortunately, the majority of web vulnerability scanners operate in this way. It is easy to research and maintain a large vulnerability database, since a quick search on the Internet yields massive volumes of regularly updated vulnerabilities, but such a database helps little in assessing whether your custom web applications are truly vulnerable to aggressive hackers interested in the pay-off from stealing (not just disrupting) your data.
What is needed, then, is greater intelligence and automation: in essence, a tool that emulates a hacker's behavior and includes the full repertoire of techniques hackers use. For example, a signature matching scanner first checks whether you are running application Brand X version 2.1 and then alerts you that release Brand X 2.1.1 is out and patches a SQL injection vulnerability. This model is more prone to false positives, because it never observes whether your installation is actually exploitable.
On the other hand, a heuristic scanner launches SQL injection attacks against your web application to determine whether it is actually vulnerable to that hacking technique.
Only a handful of products deploy rigorous heuristic techniques to identify the real threats. Before automation, all of this was done by hand and was therefore a laborious and time-consuming project. Automation has helped web application developers and security consultants reduce the time they spend on "pen-testing".
Automation is an invaluable aid, and the accuracy of a scan depends on (a) how well your site is crawled to establish its structure, components and links, and (b) how intelligently the scanner applies the various hacking methods and techniques against the web applications it finds.
Automated scanning will still produce false positives. This level of technological sophistication reduces them but does not eliminate them; zero false positives is impossible. An automated scan will always generate some false positives, whichever product you use.
We always recommend that automated scans be supplemented with manual testing; this is probably one point that all security experts emphasize. Sadly, companies do not recognize the importance of the manual input. If you want your web applications to be secure, you must spend a considerable amount of time reviewing the automated results. This is not to say that automation is inaccurate; on the contrary, it is very accurate and has cut out much of the work. The automated scan flags the possible problems, including the false positives, and prompts further manual investigation.
In this light, our philosophy is to prefer reporting a false positive over raising no flag at all.
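To make the distinction between signature matching and heuristic verification concrete, and to show how a flag that cannot be confirmed is kept for manual review rather than dropped, here is an added example (not Acunetix code). Two constructed in-memory "endpoints" stand in for web applications: both advertise the same hypothetical product banner, but only one concatenates user input into SQL; the banner string, the version list and the response format are all assumptions.

```python
import sqlite3

# Constructed stand-ins for two web apps. Both advertise the same hypothetical
# product banner; only one builds its SQL query by string concatenation.
BANNER = "ExampleShop/2.1"                       # hypothetical product/version string
KNOWN_VULNERABLE_VERSIONS = {"ExampleShop/2.1"}  # hypothetical signature database


def _db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?)", [(1, "widget"), (2, "gadget")])
    return conn


def vulnerable_app(item_id: str) -> str:
    """Endpoint that concatenates user input into SQL (deliberately unsafe)."""
    try:
        rows = _db().execute(f"SELECT name FROM items WHERE id = {item_id}").fetchall()
    except sqlite3.Error:
        return "500 database error"
    return "200 " + ",".join(r[0] for r in rows)


def safe_app(item_id: str) -> str:
    """Same endpoint using a bound parameter; the input can only ever be a value."""
    try:
        rows = _db().execute("SELECT name FROM items WHERE id = ?", (int(item_id),)).fetchall()
    except (ValueError, sqlite3.Error):
        return "400 bad id"
    return "200 " + ",".join(r[0] for r in rows)


def signature_check(banner: str) -> bool:
    """Signature model: flag solely because the advertised version is listed."""
    return banner in KNOWN_VULNERABLE_VERSIONS


def heuristic_check(app) -> bool:
    """Heuristic model: confirm by behaviour. A tautology appended to the id must
    leave the response unchanged while a contradiction must change it; an app that
    returns the same error page for both fails the first condition and is not flagged."""
    baseline = app("1")
    return app("1 AND 1=1") == baseline and app("1 AND 1=2") != baseline


def triage(app, banner: str) -> str:
    """Behaviourally confirmed issues are reported as such; a signature-only hit is
    kept as a flag for manual review rather than silently dropped."""
    if heuristic_check(app):
        return "confirmed"
    if signature_check(banner):
        return "manual review (signature only)"
    return "not flagged"
```

Running `triage` on both apps shows the signature model flagging each of them identically, while the heuristic check separates the real issue from the one that needs a human to look.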