In a perfect world, your software testing strategy would surface all of the security risks that exist inside your environment, and nothing more.
But we don't live in a perfect world. Sometimes, the security issues that software testing tools flag turn out to be false positives. That means that they're not actually problems, even though the software security testing process identified them as such. False positives create distractions that make it harder for security teams to detect and address actual security risks.
Why do false positives occur in software testing, and what can teams do about them? This article discusses those questions by explaining common causes of false positives and how to mitigate them.
For example, imagine that you scan a container image for security vulnerabilities. The scanner identifies a vulnerability associated with a dependency that the scanner believes your container image requires. In actuality, however, the image doesn't include the dependency; the scanner just thinks it does because it misread the dependency data. As a result, no vulnerability exists, although your scanner says one does.
It's worth noting that you may also run into false negatives. A false negative is a security problem that exists but that your security testing tools do not detect. False negatives are arguably even worse than false positives, because security issues that you overlook could be exploited by attackers. It's better to waste time addressing a false positive than it is to suffer a breach that stems from a false negative.