The Risks Of False Positives With Web Application Firewalls
To keep pace with the speed of modern web application development, vulnerability testing has to rely on automated tools to find vulnerabilities at all.
Unfortunately, automated scanners report not only legitimate vulnerabilities, which organizations are rightly concerned about, but also false alarms, known as false positives, and each of those needs the same manual investigation as a genuine finding before it can be closed.
In 2018 alone there were two million cyber-attacks worldwide, causing financial losses of up to $45 billion, and 95% of those breaches were preventable. It is easy to see why web application firewalls and website security matter to every organization.
The risks faced by organizations that purchase a Web Application Firewall often stem from not understanding the impact false positives can have. Combined with vendors' own inflated accuracy metrics, the result can be costly. The good news is that there are ways to manage the risk posed by false positives.
The reality of Web Application Firewalls
As systems and applications multiply, false positives can grow rapidly, causing serious problems for security teams and developers alike, with knock-on effects on development velocity, web application security, and business results.
Development teams rely on highly automated processes to create, test, and modify many different applications and services, and make extensive use of open-source libraries and off-the-shelf application frameworks.
This rapid development has made application security testing much more challenging. Manual testing is impractical across many different applications, as well as too expensive and too slow.
Automated scanners are a practical necessity, but the false positives they generate make a constantly evolving threat environment even harder to manage. Automated tools need to be efficient, reliable, and trustworthy.
False positives and vulnerability testing
Scanner errors come in two types: false negatives, which fail to detect a real vulnerability, and false positives, which report security problems that do not actually exist. While the former directly weakens security, the latter has an impact that echoes throughout an entire organization.
Security testing needs to be an integral part of the development pipeline, and mostly automated so that issues are detected quickly. When a website security scan reports false positives, it creates extra, unnecessary work that undermines the development process as a whole.
Automated vulnerability testing is supposed to make security testing more effective, but if false positives become unmanageable, organizations may restrict scanning to their highest-priority applications, which nullifies the benefit of automation.
What are the consequences of false positives?
Any growing organization will have concerns over scalability, and scaling up development processes brings several challenges. Small-scale development often still relies on ad hoc toolkits and manual processes, and the former can already produce an excess of false positives.
But as the number of products and updates grows and workloads keep increasing, the number of false positives can grow exponentially, and it becomes impossible to deal with them all manually.
The financial consequences can also be serious. Time spent investigating reports that turn out to be false positives causes delays, and delays cost revenue and business opportunities.
Staff may also grow used to dismissing reports because of the sheer volume of false positives (alert fatigue), making it more likely that a real vulnerability is overlooked and reaches the production application, again with potentially costly consequences.
The trade-off
Any Web Application Firewall involves a tension between two failure modes: legitimate traffic may be misidentified as an attack (a false positive), or malicious traffic may go undetected (a false negative). Organizations have often resolved this by loosening rules to minimize false positives even though that lets some malicious traffic through, which is far from ideal.
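The trade-off above, and the false positive / false negative definitions earlier on this page, are easiest to see by scoring candidate rule sets against labelled traffic. The following is an added example, not Indusface or AppTrana code: the three regex rule sets and the sample requests are constructed for illustration, and the point is the measurement loop (block, count, triage, tune), not the particular patterns. A broad keyword-and-quote rule set catches every attack but blocks ordinary search queries and a surname; a narrower, structure-based set has no false positives but misses a comment-based evasion; a tuned set closes that one gap.

```python
"""Scoring candidate WAF rule sets against labelled sample traffic.

Added example, not Indusface/AppTrana code. Rule sets and sample requests
are constructed for illustration.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    path: str
    param: str
    value: str
    malicious: bool  # ground-truth label, used only for scoring


# Constructed sample traffic, not captured logs.
SAMPLE_TRAFFIC = [
    Request("/search", "q", "select a union plan", False),
    Request("/search", "q", "how to drop a table in excel", False),
    Request("/notes", "body", "meeting notes: update the delete policy", False),
    Request("/profile", "name", "O'Brien", False),
    Request("/search", "q", "' OR 1=1 --", True),
    Request("/items", "id", "1 UNION SELECT username, password FROM users", True),
    Request("/items", "id", "1; DROP TABLE users", True),
    Request("/login", "user", "admin'/*", True),
    # Inline-comment evasion of a naive "union<space>select" pattern.
    Request("/items", "id", "1 UNION/**/SELECT username, password FROM users", True),
]

# Rule set 1: SQL vocabulary and any single quote. High recall, blocks ordinary text.
BROAD_RULES = {
    "sql-keyword": re.compile(r"\b(?:select|union|drop|delete|update|insert)\b", re.I),
    "single-quote": re.compile(r"'"),
}

# Rule set 2: require SQL structure rather than vocabulary.
NARROW_RULES = {
    "union-select": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "stacked-drop": re.compile(r";\s*drop\s+table\b", re.I),
    "quote-tautology": re.compile(r"'\s*(?:or|and)\s+\S+\s*=\s*\S+", re.I),
    "quote-comment": re.compile(r"'\s*(?:--|/\*|#)"),
}

# Rule set 3: NARROW with the missed evasion fixed; an inline comment counts
# as whitespace between UNION and SELECT.
_WS = r"(?:\s|/\*.*?\*/)+"
TUNED_RULES = dict(NARROW_RULES)
TUNED_RULES["union-select"] = re.compile(rf"\bunion{_WS}(?:all{_WS})?select\b", re.I)


def fired_rules(rules, request):
    """Names of the rules that would block this request."""
    return [name for name, pat in rules.items() if pat.search(request.value)]


def evaluate(rules, traffic):
    """Confusion counts (tp/fp/tn/fn) for a rule set over labelled traffic."""
    counts = {"tp": 0, "fp": 0, "tn": 0, "fn": 0}
    for req in traffic:
        blocked = bool(fired_rules(rules, req))
        if blocked:
            counts["tp" if req.malicious else "fp"] += 1
        else:
            counts["fn" if req.malicious else "tn"] += 1
    return counts


def false_positives(rules, traffic):
    """Benign requests that were blocked, with the rules responsible:
    the triage list that tells you which rule to tune or scope down."""
    return [(req.path, req.param, req.value, fired_rules(rules, req))
            for req in traffic if not req.malicious and fired_rules(rules, req)]


def missed_attacks(rules, traffic):
    """Malicious requests that no rule caught (false negatives)."""
    return [req.value for req in traffic
            if req.malicious and not fired_rules(rules, req)]


def precision_recall(counts):
    """precision = tp/(tp+fp), recall = tp/(tp+fn); 0.0 when undefined."""
    tp, fp, fn = counts["tp"], counts["fp"], counts["fn"]
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return precision, recall


if __name__ == "__main__":
    for name, rules in [("broad", BROAD_RULES), ("narrow", NARROW_RULES), ("tuned", TUNED_RULES)]:
        counts = evaluate(rules, SAMPLE_TRAFFIC)
        p, r = precision_recall(counts)
        print(f"{name:7s} {counts}  precision={p:.2f} recall={r:.2f}")
        for item in false_positives(rules, SAMPLE_TRAFFIC):
            print("   false positive:", item)
        for miss in missed_attacks(rules, SAMPLE_TRAFFIC):
            print("   missed attack :", miss)
```

Run as a script, the broad set scores 5 true positives against 4 false positives (every benign request blocked, including the surname), the narrow set has no false positives but misses the comment-based UNION/**/SELECT payload, and the tuned set catches all nine samples. The practical lesson is the loop rather than the regexes: keep a labelled corpus of your own traffic, re-score every rule change against it, and let the false-positive triage list, which names the offending rule per blocked request, drive targeted tuning instead of blanket rule removal.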
The solution – Indusface
The way to cut false positives while still giving an organization sufficient protection from real threats is a more effective approach delivered by a more trustworthy web application firewall.
The fully managed, SaaS-based WAF offered by Indusface identifies application vulnerabilities and patches them instantly, and continuously watches for issues through manual penetration testing delivered as a managed security service alongside automated security scans.
AppTrana Web Application Firewall assures zero false positives via surgically accurate security rules.
Conclusion
Choosing the right Web Application Firewall can save a business not only from real cyber-attacks but also from the equally serious consequences of false positives, such as unnecessary delays and financial losses.