At Fluid Attacks we decided to test our primary automated software vulnerability detection tool, which is included in all of the plans of our Continuous Hacking service.

Long story short, this is how we compare to other vulnerability detection tools:

[Figure: Fluid Attacks Score. Base image taken from the OWASP Benchmark results comparison, retrieved on 2021-04-12]

Statistically, the results can be divided into the following groups:

  • True positives: Real impacts to your business reported by the tool

    Very nice! This is what you are looking for

  • False negatives: Real impacts to your business not reported by the tool

    Undesirable: the tool fails to identify vulnerabilities. This gives you a false sense of security and you will likely deploy undiscovered vulnerabilities to production

  • False positives: False impacts to your business reported by the tool

    Undesirable: the tool makes you waste time filtering the false information out

  • True negatives: False impacts to your business correctly omitted by the tool

    Very nice! You don't want a tool lying to you

Sensitivity and Specificity

In the OWASP Benchmark this is measured with two key values:

  • True Positives Rate (TPR), also known as sensitivity: how much of the vulnerable code is reported to you
  • False Positives Rate (FPR), also known as specificity: how much of the safe code is identified as really safe

Statistically, you can compare different tools by using Youden's J statistic:

When our automated vulnerability detection tool is run over the code of the OWASP Benchmark, we score a clean 100% True Positives Rate and 0% False Positives Rate.

This amounts to a total OWASP Benchmark Score of 100%, four times higher than the commercial (paid) average score in the study, and more than two times higher than the best non-commercial (free) vulnerability detection tool.
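A worked computation of the four result groups, TPR, FPR and Youden's J (TPR minus FPR, which is also how the OWASP Benchmark score is obtained), added here as an example and not Fluid Attacks' own code. The expected-results rows and the tool findings are constructed values in the shape of the Benchmark's expected-results CSV (test name, category, real vulnerability, CWE).

```python
# Constructed sample in the shape of the OWASP Benchmark expected-results CSV.
# "true" marks a test case that really contains the vulnerability.
EXPECTED_CSV = """\
BenchmarkTest00001,pathtraver,true,22
BenchmarkTest00002,pathtraver,false,22
BenchmarkTest00003,sqli,true,89
BenchmarkTest00004,sqli,false,89
BenchmarkTest00005,sqli,true,89
BenchmarkTest00006,xss,false,79
"""

# Constructed tool output: the test cases a hypothetical tool flagged as vulnerable.
TOOL_FINDINGS = {"BenchmarkTest00001", "BenchmarkTest00003", "BenchmarkTest00004"}


def parse_expected(csv_text):
    """Map test name -> (category, really vulnerable?)."""
    truth = {}
    for line in csv_text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, category, real, _cwe = line.split(",")
        truth[name] = (category, real.strip().lower() == "true")
    return truth


def confusion(truth, findings):
    """Count true positives, false negatives, false positives, true negatives."""
    tp = fn = fp = tn = 0
    for name, (_, vulnerable) in truth.items():
        flagged = name in findings
        if vulnerable and flagged:
            tp += 1
        elif vulnerable:
            fn += 1          # real vulnerability the tool missed
        elif flagged:
            fp += 1          # safe code the tool reported anyway
        else:
            tn += 1
    return tp, fn, fp, tn


def score(tp, fn, fp, tn):
    """TPR, FPR and Youden's J; the Benchmark score is J expressed as a percentage."""
    tpr = tp / (tp + fn) if tp + fn else 0.0   # sensitivity
    fpr = fp / (fp + tn) if fp + tn else 0.0   # specificity is 1 - fpr
    return {"tpr": tpr, "fpr": fpr, "specificity": 1 - fpr, "score": tpr - fpr}


def score_by_category(truth, findings):
    """Per-category breakdown, as the Benchmark scorecard reports it."""
    by_cat = {}
    for name, (category, vulnerable) in truth.items():
        by_cat.setdefault(category, {})[name] = (category, vulnerable)
    return {cat: score(*confusion(sub, findings)) for cat, sub in by_cat.items()}
```

Flagging every test case gives a 100% TPR but also a 100% FPR, so J collapses to 0; that is why the score is the difference of the two rates, not TPR alone.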

Most importantly, Fluid Attacks cares about what you care about:

  • Finding all the vulnerabilities before they impact your business
  • Keeping your team fast with zero false positives