Context
Contextual application security testing
Over the last two decades, application security tools have struggled to produce effective and accurate findings without also producing large amounts of noise and false positives.
The problem
The fundamental problem is that most application security tools struggle to understand the context of the codebase. They are designed to scan code for potentially vulnerable code patterns and surface every match as a finding. This approach usually produces a deluge of false positives, because a legacy tool cannot know whether a potential vulnerability is an actual vulnerability without considering the context in which the code is called: where its inputs come from, and whether an attacker can influence them.
A recent report by the Ghost Research Team found that over 90% of findings from static analysis tools are false positives, with analysis of some languages resulting in a false positive rate of over 95%.
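To make the difference concrete, here is a small added example (not code from the Ghost Exorcist engine, and not from the original page) that contrasts the two approaches on a constructed Python snippet. A pattern-only check flags every `execute(` call; a context-aware check walks the enclosing function and only reports the call whose SQL text is built from a function parameter, so a query assembled from constants and a parameterized query are not reported. The sample source, the function names and the `.execute` method name are all assumptions chosen for the illustration.

```python
import ast
import re

# Constructed sample source: three call sites that look identical to a
# pattern scanner but differ in where the SQL text comes from.
SAMPLE = '''
TABLE = "users"

def lookup_by_table(cursor):
    # Query built from a module-level constant only: no caller-controlled data.
    query = "SELECT id FROM " + TABLE
    cursor.execute(query)

def lookup_by_name(cursor, name):
    # Query text built from a function parameter: the caller controls `name`.
    query = "SELECT id FROM users WHERE name = '" + name + "'"
    cursor.execute(query)

def lookup_safe(cursor, name):
    # Parameterized: the input never becomes part of the SQL text.
    cursor.execute("SELECT id FROM users WHERE name = %s", (name,))
'''

EXECUTE_PATTERN = re.compile(r"\.execute\(")


def pattern_findings(source):
    """Legacy-style check: report the line number of every execute( call."""
    return [lineno for lineno, line in enumerate(source.splitlines(), 1)
            if EXECUTE_PATTERN.search(line)]


def _mentions(expr, names):
    """True if any Name node inside `expr` refers to one of `names`."""
    return any(isinstance(n, ast.Name) and n.id in names for n in ast.walk(expr))


def contextual_findings(source):
    """Context-aware check: report execute() calls whose first argument
    (the SQL text) derives from a parameter of the enclosing function."""
    tree = ast.parse(source)
    findings = []
    for func in (n for n in ast.walk(tree) if isinstance(n, ast.FunctionDef)):
        # Every parameter is treated as attacker-influenced (tainted).
        tainted = {arg.arg for arg in func.args.args}
        # Propagate taint through simple assignments: x = <expr using tainted>.
        for node in ast.walk(func):
            if isinstance(node, ast.Assign) and _mentions(node.value, tainted):
                for target in node.targets:
                    if isinstance(target, ast.Name):
                        tainted.add(target.id)
        # Report only execute() calls whose SQL text is tainted.
        for node in ast.walk(func):
            if (isinstance(node, ast.Call)
                    and isinstance(node.func, ast.Attribute)
                    and node.func.attr == "execute"
                    and node.args
                    and _mentions(node.args[0], tainted)):
                findings.append((func.name, node.lineno))
    return findings


if __name__ == "__main__":
    print("pattern-only findings (lines):", pattern_findings(SAMPLE))
    print("context-aware findings:", contextual_findings(SAMPLE))
```

Run stand-alone, the pattern scanner reports all three `execute(` lines, while the context-aware check reports only `lookup_by_name`. The taint propagation here is deliberately minimal (single function scope, plain assignments); a production engine would also follow calls across functions and files, which is exactly the "additional context" the rest of this page is about.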
The Ghost Exorcist engine is designed to solve this problem by analyzing the codebase in the context of the business logic of the application.
The solution
The Ghost Exorcist engine is designed to seek out additional context in a codebase, such as how and where a piece of code is called, and to assemble the full context needed to produce accurate findings.