Indusface issues a security warning elaborating on the latest findings about the ‘False Positive’ loophole
According to the Ponemon Institute, companies lose more than $1.3 million every year to a loophole called the False Positive, along with 20,000-plus hours of dedicated manpower assigned to the task of dealing with these false positives. To date, the false positive remains the most notorious loophole in application defense mechanisms. Indusface, a leading provider of application security solutions for web and mobile applications, has issued a warning elaborating on the vulnerability and the potential risks of this flaw.
False positives are like false alarms: they occur when security software reports a vulnerability or security issue that does not actually exist. Think of a watchman whose job is to keep suspicious individuals out of one’s property, but who instead denies access to one’s family members because he misunderstood his instructions.
A WAF typically follows a set of rules to distinguish threats from legitimate interactions. But often, due to flawed rule logic or overly generic signature writing, a WAF may block genuine interactions with the server. Too many false positives also make the security data misleading and cumbersome to work with, and frequent false positives lead to the loss of valuable traffic.
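The following is an added illustration, not code from the Indusface release or from IndusGuard WAF, of the point above: a single over-generic SQL-injection signature that matches bare keywords blocks ordinary search phrases, while a rule set that requires actual SQL syntax context catches the same malicious inputs without the false positives. The request samples, their benign/malicious labels and both rule sets are constructed here for the example; the counting logic is the kind of check a WAF operator would run against real traffic before deploying a rule change.

```python
import re

# Constructed sample request parameters with hand-assigned labels
# (True = malicious). Real tuning would use captured production traffic.
SAMPLE_REQUESTS = [
    ("select your drop-off location", False),              # e-commerce search
    ("union workers meeting agenda", False),               # site search
    ("how to drop a table in Excel", False),               # help-desk query
    ("' OR 1=1 --", True),                                 # classic tautology
    ("1 UNION SELECT username, password FROM users", True),
    ("'; DROP TABLE users; --", True),
]

# Generic signature: any bare SQL keyword anywhere in the input.
# This is the "generic signature writing" the text warns about.
GENERIC_RULES = [
    re.compile(r"(?i)\b(select|union|drop|or)\b"),
]

# Tighter signatures: each requires syntactic context that legitimate
# free text almost never contains (chained keywords, quote + tautology,
# terminator followed by a SQL comment).
PRECISE_RULES = [
    re.compile(r"(?i)\bunion\b(\s+all)?\s+select\b"),     # UNION [ALL] SELECT
    re.compile(r"(?i)\bdrop\s+table\b"),                  # DROP TABLE
    re.compile(r"(?i)'\s*or\s+'?\d+'?\s*=\s*'?\d+"),      # ' OR 1=1
    re.compile(r";\s*--|'\s*--"),                         # ; -- or ' --
]


def is_blocked(rules, payload):
    """A request is blocked if any rule in the set matches it."""
    return any(rule.search(payload) for rule in rules)


def evaluate(rules, requests):
    """Return (false_positives, false_negatives) for a rule set.

    false_positives: benign requests the rules would block.
    false_negatives: malicious requests the rules would let through.
    """
    false_positives = false_negatives = 0
    for payload, is_malicious in requests:
        blocked = is_blocked(rules, payload)
        if blocked and not is_malicious:
            false_positives += 1
        elif not blocked and is_malicious:
            false_negatives += 1
    return false_positives, false_negatives


if __name__ == "__main__":
    for name, rules in (("generic", GENERIC_RULES), ("precise", PRECISE_RULES)):
        fp, fn = evaluate(rules, SAMPLE_REQUESTS)
        print(f"{name:8s} rules: {fp} false positives, {fn} false negatives")
```

On the constructed samples the generic rule blocks all three legitimate searches (three false positives) while the precise set blocks none of them and still catches every malicious input. Tightening a rule always trades some coverage for accuracy, so a change like this should be measured on real traffic in monitor-only mode before it is enforced, which is the testing and customization the release describes.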
Not only does a false positive cost time and money, it also leads to lost business, because it turns away potential customers and the opportunities they bring. For e-commerce sites and online-focused companies the damage can be even greater, as it affects brand reputation, customer loyalty, and the conversion of business leads.
Indusface believes that how a WAF handles false positives has everything to do with its accuracy and with its ability to block your highest risks first. Going back to the security guard analogy, if there is a known threat from a person who should not be allowed onto your premises, some form of identification such as a photograph will help the watchman perform better; more advanced options include identification documents, biometrics, and DNA fingerprinting. Likewise, a WAF’s accuracy and efficiency have everything to do with its security effectiveness. Indusface recommends IndusGuard WAF, whose rule sets it tests, monitors and customizes in depth to keep IndusGuard WAF ahead of the curve, and it promises zero false positives.