
Automated vulnerability scanners turn up many false positives, but they are still worth running


March 14, 2016

According to NCC Group security engineer Clint Gibler, automated vulnerability scanners turn up mostly false positives, but even the wild goose chase that results can still cost a business less than relying on manual processes alone, or than the bad publicity that follows a security breach.

At the Nullcon security conference in Goa, India, Gibler said he pointed an unnamed automated scanner at 100 of NCC's enterprise customers across ten industry sectors.

That effort produced some 900,000 security-related red flags, with a false positive rate as high as 89 percent in some industries.

Even in the best-performing industry, around 50 percent of the scanner's findings were false positives. That is a high number, but the scans still serve a purpose.

The scans were conducted between February 2014 and May 2015, with each company scanned four times and the results manually vetted by NCC Group staff.

Gibler told conference participants that the resources spent chasing false positives are, by his estimate, huge, but that automated scanners are nevertheless worth it for most companies.

His cost estimate assumes a security engineer paid a salary of US $75,000 who takes less than a minute to assess each finding reported by an automated scanner.

“The amount of time people would waste vetting these false positives ranges between one and nine weeks which is a huge amount of time, no matter how you look at it,” Gibler added.

“In a best-case scenario, you're spending US $1000 in staff time to vet these issues, including true positives, and in the worst case about US $10,000 to $16,000.”

“Most people when purchasing tools look at the price but there are these hidden factors they don't consider about how long it takes to detect those results and how many are actually useful.”

But Gibler told the audience that automated scanning tools are still very valuable because they help bridge the gap between expensive penetration tests.

Cross-site scripting was the largest single class of issue, with more than 10,000 findings among the roughly 9,000 distinct security flaws the scans uncovered.

The sectors with the most results were leisure and media, with 25,769 results, and public sector education, with 15,550.
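The dollar and week figures quoted above follow from a simple model: every finding, true or false, costs an engineer a look, so triage cost scales with the raw finding count, not with the number of real flaws. The Python below is an added illustration for this article, not code from NCC Group or from Gibler's talk. It takes the US $75,000 salary and the per-sector counts from the text; the 2,080-hour work year, the 40-hour week, and the use of a full minute per finding (the article says "less than a minute", so this is an upper bound) are assumptions, as is applying the 89 percent rate to the two sectors named.

```python
"""Triage-cost model for automated scanner output.

Added illustration for this article; not code from NCC Group or from
Gibler's talk. Constants marked "article" are quoted in the text; the
work-year, work-week and minute-per-finding figures are assumptions.
"""
import math
from dataclasses import dataclass

SALARY_USD = 75_000          # article: engineer salary
MINUTES_PER_FINDING = 1.0    # article says "less than a minute"; a full minute is an upper bound
HOURS_PER_YEAR = 2_080       # assumption: 52 weeks x 40 hours
HOURS_PER_WEEK = 40          # assumption

# Constructed inputs: the per-sector result counts quoted in the article.
SECTOR_RESULTS = {
    "leisure and media": 25_769,
    "public sector education": 15_550,
}


@dataclass(frozen=True)
class TriageEstimate:
    findings: int
    false_positives: int
    hours: float
    weeks: float
    cost_usd: float      # staff time to look at every finding, true and false
    wasted_usd: float    # the share of that cost spent on false positives


def hourly_rate(salary_usd: float = SALARY_USD,
                hours_per_year: float = HOURS_PER_YEAR) -> float:
    """Hourly cost of the engineer doing the vetting."""
    return salary_usd / hours_per_year


def triage_cost(findings: int, fp_rate: float,
                minutes_per_finding: float = MINUTES_PER_FINDING,
                salary_usd: float = SALARY_USD) -> TriageEstimate:
    """Cost of vetting every finding a scanner produced.

    Every finding costs a look, not just the false positives: the engineer
    cannot know which ones are real before vetting them. fp_rate is the
    false-positive fraction in [0, 1].
    """
    if findings < 0:
        raise ValueError("findings must be non-negative")
    if not 0.0 <= fp_rate <= 1.0:
        raise ValueError("fp_rate must be a fraction between 0 and 1")
    rate = hourly_rate(salary_usd)
    hours = findings * minutes_per_finding / 60.0
    false_positives = round(findings * fp_rate)
    wasted_hours = false_positives * minutes_per_finding / 60.0
    return TriageEstimate(
        findings=findings,
        false_positives=false_positives,
        hours=hours,
        weeks=hours / HOURS_PER_WEEK,
        cost_usd=hours * rate,
        wasted_usd=wasted_hours * rate,
    )


def findings_for_budget(budget_usd: float,
                        minutes_per_finding: float = MINUTES_PER_FINDING,
                        salary_usd: float = SALARY_USD,
                        hours_per_year: float = HOURS_PER_YEAR) -> int:
    """Inverse question: how many findings a given spend will vet."""
    return math.floor(budget_usd * 60.0 * hours_per_year
                      / (minutes_per_finding * salary_usd))


def sector_estimates(fp_rate: float = 0.89) -> dict:
    """Per-sector estimates at the article's worst quoted false-positive rate."""
    return {name: triage_cost(count, fp_rate)
            for name, count in SECTOR_RESULTS.items()}


if __name__ == "__main__":
    print(f"hourly rate: ${hourly_rate():.2f}")
    print(f"findings vetted for $1,000: {findings_for_budget(1_000)}")
    # Average customer: 900,000 flags spread over 100 companies (four scans each).
    avg = triage_cost(900_000 // 100, 0.89)
    print(f"average company: {avg.findings} findings, "
          f"{avg.weeks:.1f} weeks, ${avg.cost_usd:,.0f}")
    for name, est in sector_estimates().items():
        print(f"{name}: {est.findings} findings, {est.weeks:.1f} weeks, "
              f"${est.cost_usd:,.0f} total, ${est.wasted_usd:,.0f} on false positives")
```

Run stand-alone, the model lands close to the quoted ranges: about 1,660 findings fit in the US $1,000 best case, the average customer's 9,000 flags cost roughly US $5,400 and nearly four weeks, and the two busiest sectors come out near US $9,300 and US $15,500, which is where the US $10,000 to $16,000 worst case comes from. The `wasted_usd` field is the number a buyer should weigh against a tool's licence price: at an 89 percent false-positive rate, almost nine tenths of the triage bill buys nothing.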

Gibler added that companies did not necessarily repair high-severity flaws any faster than lower-risk ones.

Source: The NCC Group.

Copyright © Internet Security.ca    Terms of use    Privacy agreement    Legal disclaimer