"Popular Vulnerability Scanners Are Only 73 Percent Accurate"

According to new research conducted by Rezilion, the most popular commercial and open-source scanning technologies produce a high level of inaccuracy and noise. Researchers analyzed 20 popular DockerHub containers, ran them locally, and scanned them with six different commercial and open-source vulnerability scanners. Measured against all vulnerabilities that should have been identified, including those the scanners missed (false negatives), the scanners returned only 73 percent of the relevant results. According to Yotam Perkal, director of vulnerability research at Rezilion, new vulnerabilities are disclosed across the software ecosystem every day, forcing end-users to rely on vulnerability scanners to detect whether these potentially exploitable vulnerabilities exist within their environment. Only 82 percent of the vulnerabilities reported by the scanners were relevant results (correctly identified). Across the 20 containers, more than 450 high- and critical-severity vulnerabilities were misidentified. Furthermore, the scanners failed to detect (false negative results) more than 16 vulnerabilities per container on average across the 20 containers examined. Perkal adds that the primary issue is a lack of transparency in scanner performance data, which leaves end-users unable to accurately evaluate the effectiveness of vulnerability scanners. This article continues to discuss key findings from Rezilion's research on the effectiveness of popular vulnerability scanners in the commercial and open-source market.
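The figures above are two standard detection metrics: the 73 percent is recall (found vulnerabilities divided by all vulnerabilities actually present, missed ones included) and the 82 percent is precision (correct findings divided by everything reported). The following Python script, added here as an illustration and not part of the Rezilion study or the BetaNews article, shows how a team could compute the same per-container and aggregate numbers for its own images. The ground truth and scanner output are constructed sample data with placeholder identifiers (VULN-xxxx, not real CVEs); counting "misidentified high/critical" as false positives that the scanner rated high or critical is this example's own interpretation of that phrase.

```python
from dataclasses import dataclass
from typing import Dict

HIGH_OR_CRITICAL = {"high", "critical"}

# Constructed sample data (placeholder ids, not real CVEs).
# Ground truth: vulnerabilities actually present in each image (id -> severity),
# e.g. established by manual verification of the installed package versions.
GROUND_TRUTH: Dict[str, Dict[str, str]] = {
    "image-a": {"VULN-0001": "critical", "VULN-0002": "high",
                "VULN-0003": "medium", "VULN-0004": "low"},
    "image-b": {"VULN-0006": "critical", "VULN-0007": "high",
                "VULN-0008": "medium"},
}
# What a hypothetical scanner reported for the same images (id -> severity it assigned).
SCANNER_REPORT: Dict[str, Dict[str, str]] = {
    "image-a": {"VULN-0001": "critical", "VULN-0002": "high",
                "VULN-0005": "high", "VULN-0003": "medium"},
    "image-b": {"VULN-0006": "critical", "VULN-0007": "high",
                "VULN-0009": "critical", "VULN-0010": "low"},
}


@dataclass
class Metrics:
    true_positives: int = 0       # reported and actually present
    false_positives: int = 0      # reported but not present (noise)
    false_negatives: int = 0      # present but not reported (missed)
    misidentified_high_critical: int = 0  # false positives rated high/critical

    @property
    def precision(self) -> float:
        """Share of reported findings that were correct (the article's 82 percent)."""
        reported = self.true_positives + self.false_positives
        return self.true_positives / reported if reported else 0.0

    @property
    def recall(self) -> float:
        """Share of actually present vulnerabilities that were found (the 73 percent)."""
        actual = self.true_positives + self.false_negatives
        return self.true_positives / actual if actual else 0.0


def evaluate_container(truth: Dict[str, str], report: Dict[str, str]) -> Metrics:
    """Compare one scanner report against the ground truth for one image."""
    truth_ids, reported_ids = set(truth), set(report)
    tp = truth_ids & reported_ids
    fp = reported_ids - truth_ids
    fn = truth_ids - reported_ids
    noisy_severe = sum(1 for v in fp if report[v].lower() in HIGH_OR_CRITICAL)
    return Metrics(len(tp), len(fp), len(fn), noisy_severe)


def evaluate_all(truth_by_image: Dict[str, Dict[str, str]],
                 report_by_image: Dict[str, Dict[str, str]]) -> Dict[str, Metrics]:
    """Per-image metrics; an image missing from the report counts every vulnerability as missed."""
    return {name: evaluate_container(truth, report_by_image.get(name, {}))
            for name, truth in truth_by_image.items()}


def aggregate(per_image: Dict[str, Metrics]) -> Metrics:
    """Sum the raw counts across images so precision/recall reflect the whole set."""
    total = Metrics()
    for m in per_image.values():
        total.true_positives += m.true_positives
        total.false_positives += m.false_positives
        total.false_negatives += m.false_negatives
        total.misidentified_high_critical += m.misidentified_high_critical
    return total


def average_false_negatives(per_image: Dict[str, Metrics]) -> float:
    """Mean number of missed vulnerabilities per container (the article's 'more than 16')."""
    if not per_image:
        return 0.0
    return sum(m.false_negatives for m in per_image.values()) / len(per_image)


if __name__ == "__main__":
    per_image = evaluate_all(GROUND_TRUTH, SCANNER_REPORT)
    for name, m in per_image.items():
        print(f"{name}: TP={m.true_positives} FP={m.false_positives} FN={m.false_negatives} "
              f"precision={m.precision:.2f} recall={m.recall:.2f}")
    total = aggregate(per_image)
    print(f"overall precision={total.precision:.2f} recall={total.recall:.2f} "
          f"misidentified high/critical={total.misidentified_high_critical} "
          f"avg missed per container={average_false_negatives(per_image):.1f}")
```

Running several scanners over the same ground truth and comparing their aggregate `precision`, `recall` and `misidentified_high_critical` is the transparency Perkal describes as missing; the expensive part in practice is building the ground truth, since a scanner cannot be scored against its own output.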

BetaNews reports "Popular Vulnerability Scanners Are Only 73 Percent Accurate"