SSCP Cert Prep & Study Notes
Sourav Roy, MAS, BSC, CC
Four possible outcomes for any Vulnerability Report:
True Positive: If a vulnerability scanner reports a finding and that vulnerability exists, that’s a true positive report.
False Positive: If a vulnerability scanner reports a finding and that vulnerability doesn’t exist, that’s a False Positive report.
True Negative: If a vulnerability scanner doesn’t report a finding and that vulnerability also doesn’t exist, that’s a True Negative report.
False Negative: If a vulnerability scanner doesn’t report a finding and that vulnerability exists, that’s a False Negative report.
Note: The easiest way I found to remember this is, whenever a vulnerability scanner reports a finding, it will be a Positive report. However, depending on the actual existence of the vulnerability, a report can be a True or a False report. If the vulnerability exists, that’s a True Positive report. If the vulnerability doesn’t exist, that’s a False Positive report. On the other hand, if a vulnerability scanner doesn’t report a finding, it will be a Negative report. However, depending on the actual existence of the vulnerability, a report can be a True or a False report. If the vulnerability exists, that’s a False Negative report. If the vulnerability doesn’t exist, that’s a True Negative report.
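The four outcomes above are what you apply when validating a scanner against verified results. The following Python is an added worked example, not part of the original study notes: it classifies every in-scope (host, vulnerability) pair using the rule from the notes, tallies the four outcomes into a confusion matrix, and derives precision (how many reported findings were real) and recall (how many real vulnerabilities the scanner caught). The host names, vulnerability ids, scanner output and verified results are all constructed sample data.

```python
"""Classify vulnerability-scanner findings against verified ground truth.

Added example (not from the original study notes). All hosts, vulnerability
ids, scanner findings and verified results below are constructed sample data.
"""
from collections import Counter
from typing import Dict, Set, Tuple

Pair = Tuple[str, str]  # (host, vulnerability id)

# Constructed sample: pairs a hypothetical scanner reported as findings.
SCANNER_FINDINGS: Set[Pair] = {
    ("web-01", "VULN-A"),
    ("web-01", "VULN-B"),
    ("db-01", "VULN-C"),
}

# Constructed sample: pairs confirmed by manual verification to actually exist.
VERIFIED_VULNS: Set[Pair] = {
    ("web-01", "VULN-A"),
    ("db-01", "VULN-D"),
}

# Every pair that was in scope for the scan. True Negatives can only be
# counted against a known scope; otherwise "not reported, not present" is unbounded.
IN_SCOPE: Set[Pair] = {
    (host, vuln)
    for host in ("web-01", "db-01")
    for vuln in ("VULN-A", "VULN-B", "VULN-C", "VULN-D")
}

OUTCOMES = ("true_positive", "false_positive", "true_negative", "false_negative")


def classify(pair: Pair, reported: Set[Pair], verified: Set[Pair]) -> str:
    """Apply the four-outcome rule to one pair.

    Reported -> Positive; not reported -> Negative.
    Then True/False depends on whether the vulnerability actually exists.
    """
    if pair in reported:
        return "true_positive" if pair in verified else "false_positive"
    return "false_negative" if pair in verified else "true_negative"


def confusion_matrix(in_scope: Set[Pair], reported: Set[Pair],
                     verified: Set[Pair]) -> Dict[str, int]:
    """Count each of the four outcomes over every in-scope pair."""
    counts = Counter(classify(pair, reported, verified) for pair in in_scope)
    return {outcome: counts.get(outcome, 0) for outcome in OUTCOMES}


def scanner_metrics(cm: Dict[str, int]) -> Dict[str, float]:
    """Precision: share of reported findings that were real.
    Recall: share of real vulnerabilities the scanner reported.
    A low recall means False Negatives, i.e. exposures nobody is tracking."""
    tp, fp, fn = cm["true_positive"], cm["false_positive"], cm["false_negative"]
    precision = tp / (tp + fp) if (tp + fp) else 0.0
    recall = tp / (tp + fn) if (tp + fn) else 0.0
    return {"precision": precision, "recall": recall}


if __name__ == "__main__":
    cm = confusion_matrix(IN_SCOPE, SCANNER_FINDINGS, VERIFIED_VULNS)
    for pair in sorted(IN_SCOPE):
        print(f"{pair[0]:7} {pair[1]:7} -> {classify(pair, SCANNER_FINDINGS, VERIFIED_VULNS)}")
    print(cm)
    print(scanner_metrics(cm))
```

In the constructed data the scanner reports three findings, only one of which is real, and it misses one real vulnerability; that yields 1 True Positive, 2 False Positives, 4 True Negatives and 1 False Negative. The False Negative is the outcome that matters most to a defender, because a vulnerability the scanner never reported will not show up in any remediation queue.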