Hello World!

I’ve recently joined Veracode as a product marketing manager. One of my responsibilities is to respond to customer questions about Veracode, what we do and why we do it. So I thought it would be a good idea to blog about some of the common and/or recent questions I’ve been getting. So here goes the first one:

Why are false positives a costly headache for enterprises?

The short answer is: because the development team has to spend time, expensive time that they can’t afford to waste, figuring out that they don’t need to fix those flaws. The long answer takes some explaining. For those of you confused as to what a false positive is – it is something that looks like a security flaw to an automated testing solution but may not be one. Some false positives are flaws that have already been mitigated by the application design or the operating environment. For example, the application may use custom validation routines, intrusion detection processes or restricted file access that mitigate the application risk of a flaw. Some false positives come from the automated test running across something new that it doesn’t know what to do with. Some are patterns that look very similar to a flaw but aren’t a flaw.

So if your tool has a false positive rate of around 35%, it means that 35% of the flaws listed in the testing reports are not real flaws for one reason or another. That means your developer or team of developers has to spend time analyzing a lot of flaws just to figure out that they are not really flaws (I think of this as rework). So you can imagine the impact on developer productivity – and more importantly your time to market. What’s worse is that the developers who get really good at doing this are aggressively pursued by security consulting firms – yes, recruiters will find your people and woo them away with sweet promises of more money and flexible hours.

Now, I’ll put on my ‘bragging hat’ and tell you that Veracode customers have minimal developer rework (and churn) because our platform and customer success team do the identification work for you. As a cloud provider we analyze many hundreds of apps a month, which helps us achieve our low false positive rates. This is good news, especially for Java apps, because it’s being reported that Microsoft detected some 27.5 million attempted Java exploits since the third quarter of 2010. So we’re seeing it all and then some – which we use to create more accurate automated testing.

Also, for customers who want to drive those rates even lower, the Veracode customer success team works with their developers to identify other false positives and categorize flaws that have already been mitigated. This means when our final report says ‘these are the flaws’ – those really are the real flaws. Since we only report valid flaws to our customers, there is much less developer rework (and churn), and that is why developers love us – well – maybe I’m exaggerating a bit there – let me rephrase – that is why developers adopt and use Veracode solutions on a regular basis. Anyway, don’t just take my word for it – check out our demo and see for yourself.

About Jasmine Noel

At Veracode, Jasmine’s efforts are focused around market research, content development and sales enablement efforts. Previously, Jasmine was a founding partner of Ptak/Noel, an industry analyst and marketing consulting firm. Prior to that she also served as director of systems and applications management at Hurwitz Group, and senior analyst at D.H. Brown Associates. Jasmine holds a bachelor of science from the Massachusetts Institute of Technology and a master of science from the University of Southern California.

Comments (5)

Patrick Florer | December 14, 2011 12:19 pm

Just curious -

What is your false positive rate?

Or better, what is your false positive rate for each of the OWASP Top 10?

Best regards,

Patrick Florer

NRaghavan | December 14, 2011 3:58 pm

We maintain a false positive rate of 15% or lower. We track FP rates for all vulnerability types including the OWASP Top 10 internally but tie our service level objective for customers to a blended rate that applies across all our scans.

Phil Cox | December 14, 2011 4:46 pm

I'd be interested in the FP rate for the different frameworks. For example, Ruby/Rails as opposed to Java or .NET. My guess is that the FP rate is very different for different frameworks.

Patrick Florer | December 15, 2011 12:07 pm

Thank you, Jasmine!

Ruediger | March 23, 2012 4:46 am

Is there a way to mark known false positives in the code so they get ignored by a (repeated) scan? Something like using a certain pattern? We have a PHP application where this would be very helpful!
