Skip to content

False positives + false negatives = real costs

False positives + false negatives = real costs

Alert: Somebody’s running reconnaissance on your network. Alarm: You’ve got a malware infection. 

Warning: data exfiltration attempts have been spotted. 

Freak-out time: You’ve got to deal with a new zero day, weak data encryption, unpatched software, multiple logins from the same account, atypical access to areas or programs that XYZ user doesn’t normally try to access, compromised credentials, a denial-of-service (DoS) attack, etc., etc., etc., yadda yadda, on and on and on.  

You’re undoubtedly heard it umpteen times before: Security teams are being deafened by a constant bombardment of alerts, overwhelmed by a flood of alarms streaming in from a hodgepodge of siloed tools. In fact, recent research shows that 59% of surveyed IT decision makers receive more than 500 cloud security alerts per day.

It would be one thing if all these alerts warranted attention because they were accurate. Sadly, far too often, they’re anything but. 

Too many security alerts are bogus or low-priority

Research has found that more than two-fifths — 43% — of organizations have a false-positive rate of 40%. False alarms are far more than simply annoying. In fact, false positives profoundly affect the overall economics of an AppSec program. 

It goes back to the story of the boy who cried wolf. The villagers didn't know whether the wolf was real or not, so every time the miscreant cried “wolf!”, they all had to grab their pitchforks and run out to the field to chase off the perceived threat, whether real or not.  It's the same for AppSec vulnerability false alarms. You don’t know which alarms are real and which are inaccurate, so you have no choice: You have to waste time investigating them all. 

As Contrast Chief Technology Officer and Co-founder Jeff Williams has explained, that’s an enormous time suck. “Figuring out if a tool-reported vulnerability is true or not can take anywhere from 10 minutes (if you're really good) to many hours,” he says. “If you're resource constrained — and just about every company is — then you simply can't investigate every single vulnerability that your tools report.”

Here’s an example: Say you run a static or dynamic scanner on an application and it generates 400 possible vulnerabilities. There will absolutely be truly critical issues in the flood of alerts, and those vulnerabilities do warrant swift attention. The thing is, they’re needles that are obscured in a haystack of irrelevance. In fact, some 65% of organizations say only 10%  of alerts are actually critical. 

That means that out of the 400 possible vulnerabilities you found with the static or dynamic scanner, only 40 are positive vulnerabilities. …

... but you couldn’t know which were true positives and which were false positives, so you had to spend time trying to carve through that pile of vulnerabilities to try to figure out what was real and what was fiction. “Imagine that I only have time to go through 100 of these ‘possibles,’ Jeff suggests. “Even if I'm really fast, it's going to take me 10 minutes to investigate each of these. This adds up to over eight days to do all 400.  But I only have two days, so I'll just analyze 25%. That means I'll confirm 10 true positives and miss the other 30 real vulnerabilities in my application.”

One-fifth of security teams’ days spent reviewing alerts

Research shows that reviewing and prioritizing alerts is taking away an enormous chunk of time that could be better spent: 56% of organizations report that their security teams spend more than 20% of their day reviewing alerts — a chore that requires investigation by security experts — and deciding which ones to prioritize. 

Finding true positives is important, but given numbers like these, it can backfire if they’re buried in a ton of false alarms. You waste so much time trying to separate the real from the irrelevant that you don’t have time to fish out the positive vulnerabilities: “In this case, my tool's false positives prevented me from knowing anything about 75% of the vulnerabilities in my application, much less fixing them,” Jeff notes about his theoretical (but representative) scenario. 

Low-priority alerts = yet another distraction

Even if alerts aren’t flat-out wrong, they can be low priority. As such, they form a distracting buzz that simply doesn’t warrant disrupting security teams’ day-to-day duties: Nearly half — 49% — of IT decision makers say that 40% of their security alerts are low priority. 

In sum, the results of false positives are these:

  • Few true positives get remediated
  • Remediation takes a long time
  • Ever-growing backlogs

There’s got to be a better way 

There’s got to be a simpler way to figure out what’s a real danger vs. what’s a waste of time. Find out how Runtime Security can help: On Tuesday, Dec. 12, at 11am PST/2pm EST, you can tune in to a webinar with Forrester Research and Contrast Security, to learn how Runtime Security is revolutionizing AppSec and strengthening your apps/APIs from the inside out.

Register Now

Lisa Vaas, Senior Content Marketing Manager, Contrast Security

Lisa Vaas, Senior Content Marketing Manager, Contrast Security

Lisa Vaas is a content machine, having spent years churning out reporting and analysis on information security and other flavors of technology. She’s now keeping the content engines revved to help keep secure code flowing at Contrast Security.