WEBVTT

00:07.280 --> 00:11.600
It's important to understand that when we're utilizing any type of scanning software, whether it's

00:11.630 --> 00:16.640
web application scanning or vulnerability scanning, that scanning is not 100% foolproof.

00:16.640 --> 00:20.630
It doesn't always relay the information exactly true or accurate.

00:20.630 --> 00:23.870
And we call these problems or validation.

00:23.870 --> 00:26.600
When we validate something, we're validating a scan.

00:26.630 --> 00:32.120
We're validating the results of said scan, whether it's a true positive, a false positive, a true

00:32.120 --> 00:37.880
negative or a false negative, we go through and we identify is this vulnerability, is this flaw that's

00:37.880 --> 00:41.900
in the system that we just scanned accurate 100%?

00:41.930 --> 00:47.690
When we validate the results of a scan, we often refer to something as being a true positive as a piece

00:47.690 --> 00:48.500
of information.

00:48.500 --> 00:51.260
That's factually true on the scan that we just performed.

00:51.290 --> 00:54.020
We're validating the flaw truly exists.

00:54.020 --> 01:00.050
So when we scan something, we positively identify a flaw that is a positive notion within a flaw or

01:00.080 --> 01:01.760
a vulnerability within the system.

01:01.760 --> 01:07.760
We validate that saying it's a true positive, meaning that the flaw or the vulnerability positively

01:07.760 --> 01:11.360
exists, and we've defined it as accurate and complete.

01:11.360 --> 01:13.740
That is referred to as a true positive.

01:13.770 --> 01:17.550
Then we have something that's called a false positive. Within a false positive,

01:17.580 --> 01:22.290
the scanning result came back and it said, hey, this vulnerability exists on the system.

01:22.290 --> 01:27.300
But when we go in to validate it, we find out that that positive doesn't actually exist.

01:27.330 --> 01:32.430
I've seen this in the past within a Linux server where a vulnerability scanner went through it, scanned

01:32.430 --> 01:37.410
the Linux server, and it found Windows vulnerabilities associated with that Linux server.

01:37.440 --> 01:42.660
Obviously, a Linux server is not a Windows server, and so having vulnerabilities articulated to a

01:42.660 --> 01:45.720
Linux server that are Windows-based comes back.

01:45.720 --> 01:47.640
And that is considered a false positive.

01:47.670 --> 01:52.770
Yes, the vulnerability might exist if it was a Windows server, but since it's a Linux server,

01:52.770 --> 01:53.760
that's not accurate.

01:53.790 --> 01:59.610
We call that a false positive, or we have a positive notion of a vulnerability or a flaw in the system

01:59.610 --> 02:02.700
that isn't true, i.e. a false positive.

02:02.730 --> 02:04.890
The next one we have is a true negative.

02:04.920 --> 02:11.130
This occurs when we scan a device or a system and it comes back and there's nothing there. There's no

02:11.130 --> 02:14.490
vulnerabilities, there's no flaws, there's no misconfigurations.

02:14.490 --> 02:20.310
We call that a true negative because we validated that those flaws, those vulnerabilities, those misconfigurations,

02:20.310 --> 02:21.240
they don't exist.

02:21.240 --> 02:23.240
And we verified that they don't exist.

02:23.240 --> 02:25.640
Therefore it is a true negative.

02:25.670 --> 02:27.740
Finally, we have what's called a false negative.

02:27.770 --> 02:32.570
A false negative is when the system or the scan comes back and it says, hey, there's no vulnerabilities,

02:32.570 --> 02:36.050
there's no flaws, there's no misconfigurations, this system is ready to go.

02:36.080 --> 02:41.570
But then we find out, no, there was actually a flaw or a vulnerability within the system, and it

02:41.570 --> 02:45.380
wasn't properly flagged as being a vulnerability.

02:45.410 --> 02:48.350
We call this a false negative because the vulnerability exists.

02:48.350 --> 02:50.030
But the scanner didn't pick it up.

02:50.060 --> 02:53.510
Now of these four, which one do you think is the most dangerous?

02:53.540 --> 02:58.430
Some people would say false positive because the false positive wastes a lot of people's time.

02:58.430 --> 03:01.130
You go through, you scan something, it's a positive.

03:01.160 --> 03:07.310
Then we investigate it and we waste time to verify that, hey, that positive doesn't actually exist.

03:07.490 --> 03:09.320
And so we call that a waste of time.

03:09.320 --> 03:15.080
But I would argue that a false negative is actually the worst case scenario for any system or vulnerability

03:15.080 --> 03:15.830
in the system.

03:15.830 --> 03:19.250
Because we're coming back and we're saying, hey, the scan came back clean.

03:19.250 --> 03:20.660
There's nothing wrong with it.

03:20.660 --> 03:22.670
But there is actually something wrong with it.

03:22.670 --> 03:27.530
There's a vulnerability, a flaw or misconfiguration within that system that we didn't detect.

03:27.560 --> 03:33.380
And if a malicious actor detects it, that could pose some serious consequences for our overall infrastructure.
