How False Positives Burn Security Teams Out

Written by

Application security is central to enterprise security for both defenders and attackers. It covers one of the primary attack vectors, accounting for around 70% of security incidents in 2021, a rate that can only increase given that new applications are being developed faster than ever before. In this emerging reality, vulnerability scanners have become an important part of identifying the myriad vulnerabilities and risks that applications contain and produce.

Traditional vulnerability scanners, however, come with one big problem: False positives. They typically throw out tons of faulty alerts that distract security engineers from the real problems. Those short-term annoyances often grow into longer-term consequences. In fact, according to a recent Invicti report, false positives degrade application security on a larger scale and undercut faith in vulnerability reporting.

Wasting Time, Wasting Money

The Invicti 2022 Fall AppSec Indicator surveyed 500 DevSecOps professionals with at least five years of experience in the industry to discover the daily realities of application security.

One of our respondents’ undeniable problems is the prevalence of false positives. Nearly all the respondents – 94% – find false positives in vulnerability reports, while 67% find them often or all the time. At the most basic level, these waste time. When security engineers are alerted to a potential problem within the environment, they often have to investigate and manually verify that alert. If it turns out to be a false positive, verifying it is a time-wasting activity, as it means that that engineer could have used their time and expertise in another, more useful or more pressing area. This can leave teams stretched and worn down when their efforts would be better invested elsewhere.

Another report from 2021 found that an engineer takes an average of one hour to check a vulnerability manually. The report added that if you assume an average of 10,000 vulnerabilities a year and a security engineer’s average wage of $50 an hour, false positives may cost an organization nearly 10,000 working hours a year, with a total cost of $500,000.

Deeper Consequences

The real problem of false positives makes itself clear when we look closer. They produce burnout and diminish security teams’ confidence in vulnerability reporting.

False positives make it harder for security teams to spot real vulnerabilities when they arise. Over two-thirds (68%) of respondents in the 2022 AppSec Indicator said they sometimes or often ignore exploitable issues because they consider them false positives.

In this way, false positives erode broader confidence in reporting vulnerabilities when organizations need to rely on the integrity of their reporting capabilities to ensure the security of their applications.

They also contribute to the burnout of security teams. A survey earlier this year found that 81% of security professionals are anxious about vulnerabilities. Nearly half (41%) spend over five hours a week dealing with those vulnerabilities.

Nearly three-quarters (73%) of the Fall AppSec Indicator respondents say they will increase their application security budgets in 2023. That’s a positive sign, but money on its own won’t be enough, especially if it’s spent on tools that continue to produce a chaotic stream of false positives which only deepen a pre-existing problem.

Proof-Based Scanning offers a solution as it automatically confirms many of the most impactful vulnerabilities to deliver reports that cannot be false positives. Having automated proof of a vulnerability allows engineers and developers to be confident that the reported issue is real and regain trust in security reporting processes.

False positives are far more than a simple annoyance. As vulnerability scanning becomes ever more automated, accuracy is crucial to give security engineers the confidence that the alerts they’re seeing deserve their attention and to cut down on the hours, expenses and headaches that false positives bring.

What’s hot on Infosecurity Magazine?