Paper Title : Identifying False Positives Result in Security Testing (A Case Study)
ISSN : 2394-2231
Year of Publication : 2020



MLA Style: Norazrina Abu Haris, "Identifying False Positives Result in Security Testing (A Case Study)", Volume 7, Issue 6, November - December 2020, International Journal of Computer Techniques (IJCT), ISSN: 2394-2231, www.ijctjournal.org
APA Style: Norazrina Abu Haris, "Identifying False Positives Result in Security Testing (A Case Study)", Volume 7, Issue 6, November - December 2020, International Journal of Computer Techniques (IJCT), ISSN: 2394-2231, www.ijctjournal.org
Abstract
This paper presents an experimental design for identifying false positive results in security testing. A false positive is a test result that indicates the presence of a vulnerability when, in the actual security testing scenario, no vulnerability exists and the code's functionality is correct. Such noise requires remediation work that is not necessary. Vulnerabilities are usually reported during security testing. Understanding and identifying false positives can assist software developers during application development, so that code errors can be corrected and removed before the actual code execution.
Keywords
false positive, security testing, vulnerabilities.