28 - False Positives
False Positives are findings which indicate the presence of vulnerabilities but which are in fact not vulnerabilities.
Such false positives may be due to incorrect assumptions or simplifications in the analysis which do not correctly consider all the factors required for a vulnerability to actually be present.
- False positives require further manual analysis of findings to investigate whether they are indeed false or true positives
- A high number of false positives increases the manual effort required for verification and lowers confidence in the accuracy of the earlier automated/manual analysis
- True positives might sometimes be misclassified as false positives, which leads to vulnerabilities being exploited instead of being fixed
- Incorrectly Flagged Vulnerabilities
- Incorrect Assumptions or Analysis Simplifications
- Increases Effort
- Decreases Confidence
- True vs False Positives