Popular vulnerability scanners are only 73 percent accurate
New research from Rezilion finds that there's a high level of inaccuracies and noise created by the market's most popular commercial and open-source scanning technologies.
Researchers examined 20 popular containers on DockerHub, ran them locally, and scanned them using six different, popular vulnerability scanners from the commercial and open-source market. Taking false negatives into account, the scanners returned only 73 percent of the relevant results, measured against all vulnerabilities that should have been identified, including those the scanners failed to detect.
"Every day there are a multitude of new vulnerability disclosures across the software ecosystem, driving end-users to rely on vulnerability scanners to detect if these potentially exploitable vulnerabilities exist within their environment," says Yotam Perkal, director of vulnerability research with Rezilion. "With a proven variability in the accuracy of the scanning tools on the market, companies are paying the cost of time spent triaging irrelevant vulnerabilities and, worse, in the case of false negative detections, create blind spots for the organization and a false sense of security."
On average, of the total number of vulnerabilities reported by the scanners, only 82 percent were relevant results (identified correctly), not counting the vulnerabilities that the scanners failed to report; the remaining 18 percent were false positives. Over 450 high and critical-severity vulnerabilities were misidentified across the 20 containers. And on average, across the 20 containers examined, the scanners failed to find (a false negative result) more than 16 vulnerabilities per container.
"The primary problem is that the scanner performance data is not transparent and leaves end-users without visibility to accurately evaluate effectiveness of vulnerability scanners," continues Perkal. "With this research, we're committed to driving the industry forward and proactively approaching the issue. Rezilion's ultimate goal is to provide transparency about the performance of the scanners and improve the quality of vulnerability scanning across the board."
In light of these results it's important that businesses understand their specific scanner's capabilities and limitations, and that they don't blindly trust the results. They should also check the accuracy of their scanner's output against a software bill of materials to help achieve visibility into software dependencies.
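The two figures in the report (the share of reported findings that are relevant, and the share of real vulnerabilities that were found) are precision and recall over a set of findings, and the SBOM check suggested above is how a team builds the ground truth to compute them. The following added example, which is not code from Rezilion or the report, reconciles one scanner's output against a constructed ground-truth list; the container names, package versions and CVE ids are all placeholders.

```python
from dataclasses import dataclass

# A finding is keyed by (container, package@version, CVE id): the same CVE on a
# different package or container is a separate finding.
Finding = tuple[str, str, str]

# Constructed ground truth: what actually affects each container, as derived
# from its SBOM plus an advisory feed. The CVE ids are placeholders.
GROUND_TRUTH: dict[Finding, str] = {
    ("web", "libtls@1.1", "CVE-EXAMPLE-0001"): "critical",
    ("web", "libz@1.2", "CVE-EXAMPLE-0002"): "high",
    ("web", "libcurl@7.7", "CVE-EXAMPLE-0003"): "medium",
    ("db", "libc@2.3", "CVE-EXAMPLE-0004"): "high",
    ("db", "libtls@1.1", "CVE-EXAMPLE-0001"): "critical",
}

# Constructed scanner output: it misses the high-severity libc finding on "db"
# and reports one CVE against a package the ground truth says is clean.
SCANNER_OUTPUT: set[Finding] = {
    ("web", "libtls@1.1", "CVE-EXAMPLE-0001"),
    ("web", "libz@1.2", "CVE-EXAMPLE-0002"),
    ("web", "libcurl@7.7", "CVE-EXAMPLE-0003"),
    ("db", "libtls@1.1", "CVE-EXAMPLE-0001"),
    ("db", "libsh@5.0", "CVE-EXAMPLE-0099"),  # false positive
}


@dataclass(frozen=True)
class Scorecard:
    true_positives: int          # reported and real: "relevant results"
    false_positives: int         # reported but not real: triage noise
    false_negatives: int         # real but not reported: blind spots
    missed_high_or_critical: int

    @property
    def precision(self) -> float:  # share of reported findings that are real
        reported = self.true_positives + self.false_positives
        return self.true_positives / reported if reported else 0.0

    @property
    def recall(self) -> float:  # share of real findings the scanner reported
        actual = self.true_positives + self.false_negatives
        return self.true_positives / actual if actual else 0.0


def score(reported: set[Finding], truth: dict[Finding, str]) -> Scorecard:
    """Reconcile one scanner's findings with the ground truth."""
    actual = set(truth)
    tp, fp, fn = reported & actual, reported - actual, actual - reported
    missed = sum(1 for f in fn if truth[f] in ("high", "critical"))
    return Scorecard(len(tp), len(fp), len(fn), missed)
```

Run per container and per scanner, the false-negative set is the list of blind spots worth escalating, while the false-positive set is the triage time the report describes.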
The full report is available from the Rezilion site.
Image credit: Andreus/depositphotos.com