9 comments

[ 3.6 ms ] story [ 29.6 ms ] thread
How can you have blind-/boolean based SQL injection without any false positives? I would at least expect some level of false positives for these methods as they generally imply causation from correlation.
How can you have any kind of system without false positives? Even medical tests have false positives, and there is a lot more review than this stuff.

But, copy writing is art and science. Keep the fluff away from HN skeptics, and you should be fine. :-)

Well, if you don't have any positives . . .
Yes, the word Free is also highlighted in bold on the homepage, while False-Positive isn't. I assumed it was a free service for a good 5 seconds. If that was intentional or not, I can't tell.
I already using Netsparker for 3 years, they're best solution
4 months on HN and this is your first comment? Hmmmmmmmm.
I'm flagging this. The submitter looks suspicious and so does the first commenter.
I already using Νetsparker fοr 3 years, they're best solutiοn
False positives are only a part of a matrix of statistical results known as [sensitivity and specificity](https://en.wikipedia.org/wiki/Sensitivity_and_specificity):

* True positive = correctly identified

* False positive = incorrectly identified

* True negative = correctly rejected

* False negative = incorrectly rejected

Using these four values, we can actually calculate the likelihood of a given event.

However, to have high specificity (low false positives) you must lower sensitivity (false negatives). So what you are doing is reducing a type 1 error in exchange for an increase of a type 2 error. Sensitivity is related to ability to identify positive results!

This particularly disastrous in security, since we can determine likelihood from good statistics; and use this in our risk management 'risk = impact * likelihood.'