Why are False Positives a Costly Headache for Enterprises?

Hello World! I’ve recently joined Veracode as a product marketing manager. One of my responsibilities to respond to customer questions about Veracode, what we do and why we do it. So I thought it would be a good idea to blog about some of the common and/or recent questions I’ve been getting. So here goes the first one: Why are false positives a costly headache for enterprises? The short answer is: because the development team has to spend time, expensive time that they can’t afford to waste, figuring out that they don’t need to fix those flaws. Long answer takes some explaining. For those of you confused as to what a false positive is – it is something that looks like a security flaw to an automated testing solution but may not be. Some false positives are flaws that have already been mitigated by the application design or the operating environment. For example, the application may utilize custom validation routines, intrusion detection processes or restricted file access that mitigate the application risk of a flaw. Some false positives are the automated tests running across something new it doesn’t know what to do with. Some are patterns that look very similar to a flaw but aren’t a flaw. So if your tool has false positive rate around 35% - it means that 35% of the flaws listed in the testing reports are not real flaws for one reason or another. Which means your developer or team of developers has to spend time analyzing a lot of flaws just to figure out that they are not really flaws (I think of this as rework). So you can imagine the impact on developer productivity – and more importantly your time to market. What’s worse is that the developers who get really good at doing this are aggressively pursued by security consulting firms – yes, recruiters will find your people and woo them away with sweet promises of more money and flexible hours. Now, I’ll put on my ‘bragging hat’ and tell you that Veracode customers have minimal developer rework (and churn) because our platform and customer success team does the identification work for you. As a cloud provider we analyze many hundreds of apps a month which helps us achieve low our false positive rates. This is good news, especially for Java apps, because it’s being reported that Microsoft detected some 27.5 million attempted Java exploits since the third quarter of 2010. So we’re seeing it all and then some – which we use to create more accurate automated testing. Also for customers that want to drive those rates even lower, the Veracode customer success team works with their developers to identify other false positives and categorize flaws that have already been mitigated. This means when our final report says ‘these are the flaws’ – those really are the real flaws. Since we only report valid flaws to our customers, there is much less developer rework (and churn), and that is why developers love us – well – maybe I’m exaggerating a bit there – let me rephrase – that is why developers adopt and use Veracode solutions on a regular basis. Anyway, don’t just take my word for it – check out our demo and see for yourself.