Rezilion Vulnerability Scanner Benchmark Report Finds Top Scanners Only 73% Accurate
BE’ER SHEVA, Israel, (October 26) — Rezilion, an automated vulnerability management platform accelerating software security, announced today the release of the company’s Vulnerability Benchmark Report, which provides visibility into the inaccuracies and noise that are created by the market’s most popular commercial and open-source scanning technologies.
“Every day there are a multitude of new vulnerability disclosures across the software ecosystem, driving end-users to rely on vulnerability scanners to detect if these potentially exploitable vulnerabilities exist within their environment,” said Yotam Perkal, Director of Vulnerability Research with Rezilion. “With a proven variability in the accuracy of the scanning tools on the market, companies are paying the cost of time spent triaging irrelevant vulnerabilities and worse, in the case of false negative detections, create blind spots for the organization and a false sense of security.”
Inconsistent Results in Scanners are Common
In this first-of-its-kind benchmark and root cause analysis, Rezilion researchers examined 20 popular containers on DockerHub, ran them locally, and scanned them using six different, popular vulnerability scanners in the commercial and open-source market.
Each vulnerability scanner reported a different number of vulnerabilities, with less than 50 percent of findings in common, exposing an exceptional number of false positives and negatives. As a result, Rezilion has opened issues/support tickets for the misidentification of over 1600 different CVEs.
- Recall: Compared to the ground truth (i.e., taking false negatives into account), scanners returned only 73% of relevant results out of all vulnerabilities that should have been identified, including those the scanners failed to detect.
- Precision: On average, only 82% of the vulnerabilities reported by the scanners were relevant results (identified correctly); the remaining 18% were false positives. This measure does not take into account vulnerabilities that the scanners failed to report.
- Over 450 high and critical-severity vulnerabilities were misidentified across the 20 containers.
- On average, across the 20 containers examined, the scanners failed to find (false negative result) more than 16 vulnerabilities per container.
“The primary problem is that the scanner performance data is not transparent and leaves end-users without visibility to accurately evaluate effectiveness of vulnerability scanners,” continued Perkal. “With this research, we’re committed to driving the industry forward and proactively approaching the issue. Rezilion’s ultimate goal is to provide transparency about the performance of the scanners and improve the quality of vulnerability scanning across the board.”
- Understand your specific scanner’s capabilities and limitations and ensure your scanner of choice matches your specific needs.
- Be mindful of the root causes for misidentification as presented in the research, and don’t trust your scanner’s results blindly.
- Utilize a Software Bill of Materials (SBOM) to validate the accuracy of your scanner output and achieve visibility into your software dependencies.
To download the full report, please visit: https://www.rezilion.com/lp/scanning-the-scanners-what-vulnerability-scanners-miss-and-why/.
Rezilion’s platform automatically secures the software you deliver to customers. Rezilion’s continuous runtime analysis detects vulnerable software components on any layer of the software stack and determines their exploitability, filtering out up to 95% of identified vulnerabilities. Rezilion then automatically mitigates exploitable vulnerabilities across the SDLC, reducing vulnerability backlogs and remediation timelines from months to hours while giving DevOps teams time to build.