CompTIA Security+ Exam SY0-601: When a Code Review Tool Incorrectly Identifies a Vulnerability

Source Code Review and Incorrect Vulnerability Identification


Question

An organization is using a tool to perform a source code review.

Which of the following describes the case in which the tool incorrectly identifies the vulnerability?

Answer

C. False positive

Explanation

When an organization uses a tool to perform a source code review, the tool scans the source code for potential vulnerabilities or weaknesses. In some cases, the tool may identify a vulnerability that does not actually exist, or it may fail to identify a vulnerability that does exist.

When the tool fails to identify a vulnerability that exists, it is called a "false negative." False negatives can be dangerous, as they can leave the organization vulnerable to attack. It is important for the organization to perform additional testing or manual review to ensure that all vulnerabilities are identified and addressed.

When the tool flags a vulnerability that does not actually exist, it is called a "false positive." False positives are also a problem: each one costs analyst time to triage, can trigger unnecessary remediation, and, when they pile up, erode the team's trust in the tool so that real findings get ignored along with the noise. The organization should review each reported finding and confirm whether it is a true positive or a false positive before acting on it, and should tune or suppress rules that repeatedly misfire.

In summary, the answer is C. A false positive is the case in which the tool incorrectly identifies a vulnerability, reporting one where none exists. (A false negative is the opposite case: a real vulnerability that the tool misses.)
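The following is an added example, not part of the original question or explanation, that makes the four outcomes concrete for a source code review tool. It runs a deliberately naive, hypothetical SAST rule (any `cursor.execute(` call whose argument contains a `%` sign) over four constructed Python snippets with known ground truth, classifies each finding as a true positive, false positive, false negative or true negative, and then shows that tightening the rule removes the false positive but does nothing about the false negative, which is exactly why manual review is still needed. The rule, the snippets and the function names are all assumptions made for this illustration.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Sample:
    name: str
    code: str
    vulnerable: bool  # ground truth a manual reviewer would assign


# Constructed sample inputs (not from any real code base).
SAMPLES = [
    # Real SQL injection: user input formatted straight into the query string.
    Sample("string_format",
           'cursor.execute("SELECT * FROM users WHERE name = \'%s\'" % name)',
           vulnerable=True),
    # Parameterized query: "%s" here is a DB-API placeholder that the driver
    # binds safely, but a naive pattern still sees a "%" and fires.
    Sample("parameterized",
           'cursor.execute("SELECT * FROM users WHERE name = %s", (name,))',
           vulnerable=False),
    # Injection through a sink the rule does not know about (f-string into
    # executescript), so the rule never looks at it.
    Sample("other_sink",
           'conn.executescript(f"DELETE FROM logs WHERE id = {log_id}")',
           vulnerable=True),
    # Constant query, nothing user-controlled.
    Sample("constant",
           'cursor.execute("SELECT COUNT(*) FROM users")',
           vulnerable=False),
]

# Hypothetical naive rule: flag cursor.execute( when a "%" appears anywhere
# in the call. Over-broad, because it cannot tell a placeholder from the
# string-formatting operator.
NAIVE_RULE = re.compile(r'cursor\.execute\(.*%')

# Hypothetical refined rule: only flag when "%" or "+" follows the closing
# quote of the string literal, i.e. the query is being built by formatting
# or concatenation at the call site.
REFINED_RULE = re.compile(r'cursor\.execute\([^"]*"[^"]*"\s*[%+]')


def naive_scan(code: str) -> bool:
    return bool(NAIVE_RULE.search(code))


def refined_scan(code: str) -> bool:
    return bool(REFINED_RULE.search(code))


def classify(samples, scanner):
    """Label each sample TP/FP/FN/TN by comparing the scanner's verdict
    against the ground truth."""
    outcomes = {}
    for s in samples:
        flagged = scanner(s.code)
        if flagged and s.vulnerable:
            outcomes[s.name] = "TP"   # reported, and real
        elif flagged and not s.vulnerable:
            outcomes[s.name] = "FP"   # reported, but not real (the question's case)
        elif not flagged and s.vulnerable:
            outcomes[s.name] = "FN"   # real, but missed
        else:
            outcomes[s.name] = "TN"   # not reported, and nothing there
    return outcomes


def summarize(outcomes):
    """Count each outcome and derive precision (how many reports are real)
    and recall (how many real bugs were reported)."""
    counts = {k: sum(1 for v in outcomes.values() if v == k)
              for k in ("TP", "FP", "FN", "TN")}
    tp, fp, fn = counts["TP"], counts["FP"], counts["FN"]
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return counts, precision, recall


if __name__ == "__main__":
    for label, scanner in (("naive", naive_scan), ("refined", refined_scan)):
        outcomes = classify(SAMPLES, scanner)
        counts, precision, recall = summarize(outcomes)
        print(f"{label:8s} {outcomes}")
        print(f"{'':8s} {counts} precision={precision:.2f} recall={recall:.2f}")
```

With the naive rule the parameterized query is a false positive; tightening the rule to look at the formatting operator drops it to zero false positives, but the `executescript` injection is still a false negative under both rules, because no amount of tuning helps a rule that never inspects that sink. Triage (deciding TP versus FP per finding) and manual review (catching the FN) are the two activities the explanation above recommends.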