A security analyst runs a vulnerability scan against a web application and receives a report listing several critical vulnerabilities. However, the development team argues that many of these findings are false positives. Which of the following is the BEST next step for the analyst?
Trap 1: Re-scan the application with the same settings to confirm the…
Re-scanning with the same settings will produce the same potentially inaccurate results.
Trap 2: Escalate all critical findings to management immediately.
Escalating without verification may waste management's time on false positives.
Trap 3: Retune the vulnerability scanner to reduce false positives and…
Retuning without understanding the current findings may miss real issues.
- A. Re-scan the application with the same settings to confirm the results.
  Why wrong: Re-scanning with the same settings will produce the same potentially inaccurate results.
- B. Manually verify a sample of the findings to confirm true vs. false positives.
  Why correct: Manual verification helps identify false positives and prioritize real vulnerabilities.
- C. Escalate all critical findings to management immediately.
  Why wrong: Escalating without verification may waste management's time on false positives.
- D. Retune the vulnerability scanner to reduce false positives and re-scan.
  Why wrong: Retuning without understanding the current findings may miss real issues.