Security is a false positive problem. We are drowning in them. By false positive, I mean anything that we (or our scanners, tools, intel feeds, senior engineers, interns, LLMs, whatever) identify as a potential threat when it never actually was or was going to be. A true positive would be something we identified as a threat, and it totally was.
Vulnerabilities come from your first-party code, its dependencies, the third-party systems you run (your databases, other infra, hopefully not MOVEit), and the software dependencies in the containers and server OS that run your software.
Some vulnerabilities are very bad.[1] The point of security is to prevent them, or at least mitigate them so they can't be exploited. It's our job, and we, as security practitioners, have devoted a lot of effort (and frantic pings to engineers) to managing them. Many consider vulnerability management the most important job of security teams.
This focus usually comes without looking at the data, though. If you do, it turns out most vulnerabilities are not bad for us: while there were 26,447 identified vulnerabilities in 2023 (a huge number!), only 109 were actually exploited and ended up on CISA's Known Exploited Vulnerabilities (KEV) list.[2] That's a much smaller number. Only 0.41% of vulnerabilities are actually being exploited, and this is a consistent trend. That's a 99.59% false positive rate for your vulnerability management program.

It's usually even higher! If you're a cloud-based, SaaS-based company running on AWS, use Macs and Google, and don't use Cisco, Fortinet, or something else silly, only like 8 of those exploited vulns would apply to you. If you primarily run your own software, it's even lower: only 2% of software dependency vulns are even theoretically reachable for attack. Your best possible false positive rate is 98%, a distressingly high number, and the actual exploitable percentage will be far, far lower.
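To make the arithmetic above concrete, here is an added example (not from the original post) that triages a list of scanner findings against the KEV catalog and a set of vendors you actually run, then reports how much of the queue is left. It assumes the layout of CISA's published KEV JSON (a `vulnerabilities` array with `cveID` and `vendorProject` fields); the CVE ids, catalog entries and scan results are constructed placeholders.

```python
import json
from typing import Iterable

# Constructed stand-in for CISA's KEV catalog JSON. The real file
# (known_exploited_vulnerabilities.json) uses the same "vulnerabilities" /
# "cveID" / "vendorProject" layout; these CVE ids and entries are placeholders.
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "Cisco", "product": "placeholder"},
    {"cveID": "CVE-0000-0002", "vendorProject": "Fortinet", "product": "placeholder"},
    {"cveID": "CVE-0000-0003", "vendorProject": "Apple", "product": "placeholder"},
]})

# Constructed scanner output: ten CVE ids, two of which appear on the KEV sample.
SCAN_SAMPLE = [f"CVE-0000-{n:04d}" for n in (1, 3, 10, 11, 12, 13, 14, 15, 16, 17)]

# Vendors present in a hypothetical Mac / AWS / Google style stack.
STACK_VENDORS = {"Apple", "Amazon", "Google"}


def load_kev(raw_json: str) -> dict[str, str]:
    """Map each KEV CVE id to the vendor/project CISA lists for it."""
    return {v["cveID"]: v["vendorProject"]
            for v in json.loads(raw_json)["vulnerabilities"]}


def exploited_share(total: int, exploited: int) -> float:
    """Percentage of all vulnerabilities that made the KEV list (e.g. 109 of 26,447)."""
    return round(100 * exploited / total, 2)


def triage(findings: Iterable[str], kev: dict[str, str], stack: set[str]) -> dict:
    """Keep only findings that are both on KEV and from a vendor in our stack.

    Everything else is, in the post's terms, a false positive for the
    vulnerability-management queue, so the resulting rate is reported too.
    """
    found = set(findings)
    on_kev = {c for c in found if c in kev}
    applicable = {c for c in on_kev if kev[c] in stack}
    fp_rate = round(100 * (1 - len(applicable) / len(found)), 2) if found else 0.0
    return {"total": len(found), "on_kev": len(on_kev),
            "applicable": sorted(applicable), "false_positive_rate": fp_rate}


if __name__ == "__main__":
    print(exploited_share(26447, 109))  # 0.41
    print(triage(SCAN_SAMPLE, load_kev(KEV_SAMPLE), STACK_VENDORS))
```

Swap `KEV_SAMPLE` for the downloaded catalog and `SCAN_SAMPLE` for your scanner's CVE column to get the same breakdown for a real queue.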