False Positives & Negatives
      Back to home
      1. Help Center
      2. Vulnerability Management
      3. False Positives & Negatives

      What is the process for investigating false-positive & false-negatives?

      Edgescan validates that vulnerabilities presented in the platform actually pose a risk to your scoped assets.

      Version Number: v1.0.1

      Published Date: 14 May 2024

      ____________________________________________________________________________

      Process for investigating false negatives

      • Gather relevant information
        • What is the vulnerability
        • Where was it identified (URL, host/port etc.)
        • When was it identified
        • How was is identified (manual testing techniques/automated scanning)
      • What level of scanning and testing does the target receive in edgescan
        • Does the currently assigned license cover the level of testing that would be required to identify such a vulnerability.
        • Are there any bespoke exclusions in place on the asset which could limit the coverage.
      • Review assessment(s) that overlap with when the vulnerability is likely to have been present
        • Which automated tools were used
        • What manual testing steps were performed
      • Determine whether or not the location was discovered during crawling/discovery
        • If the location was not explored during crawling, check that the resource was in scope.
        • If not in scope, check if the resource was required to interact with an in scope component.
        • Are there any bespoke exclusions which could have omitted this from crawling.
        • If asset is authenticated, does our test account have permission to access the vulnerable resource.
      • Determine whether or not the specific vulnerability was tested for
        • Does our automated scanner have any test for the vulnerability in question
        • Does our scanner have a test that may be incomplete, or may have failed to detect due to some custom/bespoke element of the target environment
        • If a manual test, does it fall into our existing methodology
      • If we conclude that it was missed by one of our scanners:
        • Escalate with scan maintenance team to see if it’s possible to create a new test (or enhance an existing one)
        • Determine timelines (to allow for preprod testing, QA, deployment)
      • If we conclude that is was missed during manual testing:
        • Ensure any methodology gaps are filled in and documented for future tests
        • Roll out appropriate training to update the pentesting team

       

      Process for investigating false positives

      • Gather relevant information
        • On what basis is the veracity of the vulnerability being contested
      • Determine if we agree with the case being made
        • If it relates to mitigations/controls that we cannot see, then we can close the issue based on the clients testimony (and we note the reason for closure in the vulnerability).
        • If it relates to an imperfect test or testing methodology (and if we can prove that is the case), then we update our methodology accordingly.