Artificial Intelligence
As a child, I showed early signs of geekiness, preferring toy robots to dolls. I started my computer career in 1982, as a Field Service Engineer for Digital Equipment Corporation. Over the years, I have worked as an Instructor, System Administrator, Wide Area Network Engineer and Application Security Specialist. For the last 20 years, my focus has been Cyber Security and the ways computer systems can be attacked and defended,
Most organizations use automated tools to identify and manage vulnerabilities. These tools scan applications and systems to detect issues and are a critical part of the overall Risk Management Process.
When interpreting scan results, there can be some disagreement about the meaning of some findings. This report aims to clarify the differences between vulnerabilities and false positives and discusses the purpose of mitigation and the residual risk that remains after mitigation.
The more likely it is that a threat event will occur, the greater the risk. When written as a formula, risk can be defined as follows:
Threat * Vulnerability = Risk
(This formula is presented in the official (ISC)2 CISSP Body of Knowledge.)
As a remediation methodology, mitigations such as Web Application Firewalls, Whitelists, Input Validation, are typically recommended as best practices to reduce threat when a vulnerability cannot be removed. Reducing the threat by implementing mitigations can decrease the amount of risk to the system but does not eliminate the vulnerability entirely. New ways of bypassing mitigation attempts and exploiting security vulnerabilities are ever-present and are being discovered every day. This is one of the reasons that the Federal Government has adopted a policy of Continuous Monitoring of information systems.
The scanning tool reported this in its findings:
“There is a cross-site scripting high vulnerability that is easily exploitable, making the threat level also high. The overall risk rating for this vulnerability is high”
This is the risk formula for the finding:
High (Threat) * High (Vulnerability) = High (Risk)
Applying the right mitigations to reduce the risk brought the threat level down to moderate and reduced the overall risk:
Moderate (Threat) * High (Vulnerability) = Moderate (Risk)
This can be seen in the
The vulnerability is still High, but reducing the threat brought the risk down to an acceptable level while still complying with the FEMA Risk Management requirements.
To designate a vulnerability detected during a scan a “False Positive” requires proof that the vulnerability never existed in the first place. True False Positives are rare. Applying mitigations to detected vulnerabilities, on the other hand, is part of a mature Risk Management strategy and can greatly improve overall security of the system.
Mitigations do not eliminate a vulnerability but can help to make it manageable.
Terminology used throughout this post are taken from National Institute of Standards and Technology (NIST) and Committee on National Security Systems (CNSSI):
Weakness in an information system, or in system security procedures, internal controls, or implementation, that could be exploited or triggered by a threat source.
An alert that incorrectly indicates that a vulnerability is present.
The magnitude of harm that can be expected to result from the consequences of unauthorized disclosure of information, unauthorized modification of information, unauthorized destruction of information, or loss of information or information system availability.
Prioritizing, evaluating, and implementing the appropriate risk-reducing controls/countermeasures recommended from the risk management process.
Portion of risk remaining after security measures have been applied.
The possibility or likelihood that a threat will exploit a vulnerability to cause harm to an asset. It is an assessment of probability, possibility, or chance.
Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation through an information system via unauthorized access, destruction, disclosure, or modification of information, and/or denial of service
The Problem of False Positives in Web Application Security and How to Tackle Them.
OWASP Top 10 Mitigation Techniques.