Problem Note 54608: Security scan reports "Blind SQL Injection" vulnerability for the SAS® Logon Manager

Third-party tools such as IBM Security AppScan Enterprise attempt to find security issues in a product by recording requests to the application and then replaying manipulated versions of those requests. The tests are run and the results are analyzed against generic patterns. Sometimes a tool does not have enough information to recognize that the conclusion it draws from the limited responses it sees is incorrect. Such results are known as false positives.

Logon applications such as the SAS Logon Manager (https://<server>/SASLogon/login) frequently produce false positives because they are designed to always return the logon page when a login attempt fails, so the tool sees the same page regardless of what it submits. A false positive for a logon process can also result from misconfiguration of the automation tool; for example, one can occur when the tool tests a page that was never authenticated because the login sequence was not recorded correctly.

SAS has seen IBM Security AppScan Enterprise reports that flag potentially high-severity "Blind SQL Injection" vulnerabilities in the SAS Logon Manager code. In the SAS implementation of logon, no database access backs the logon authentication, so there is no place for SQL to be injected. Because there is no place to inject SQL, SAS has assessed the IBM Security AppScan Enterprise results that flag potential SQL injection issues in SAS Logon Manager as false positives.

For users running IBM Security AppScan Enterprise, additional information about running the tool and interpreting its results is available from IBM in the topic "Troubleshooting False Positives in AppScan Enterprise". Specifically, refer to the section "Common causes for a 'Blind SQL Injection' false positive in AppScan Enterprise" for guidance on testing logon pages and on verifying that the login sequence was properly recorded.
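The triage reasoning above can be applied to a scanner's own evidence without sending any traffic. The following Python helper is an added example, not SAS or IBM code: it takes the recorded response bodies for the original request and for the tool's "true" and "false" condition requests, masks per-request tokens (the CSRF field name, session cookie and timestamp format are assumed, constructed for this example), and reports whether the finding matches the two false-positive causes this note describes: the logon page coming back for every input, or a scan that was configured as authenticated but never left the logon page.

```python
import re

# Tokens that legitimately change between any two requests to a logon page
# (assumed names, constructed for this example) are masked so that two
# responses can be compared without spurious differences.
VOLATILE = [
    re.compile(r'name="csrf" value="[^"]*"'),
    re.compile(r'JSESSIONID=[A-Za-z0-9]+'),
    re.compile(r'\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}'),
]
LOGON_MARKER = 'id="loginForm"'  # assumed: identifies the logon page body

def normalize(body):
    """Mask per-request tokens so only substantive differences remain."""
    for pat in VOLATILE:
        body = pat.sub("<volatile>", body)
    return body

def triage(baseline, true_resp, false_resp, expected_authenticated):
    """Classify a scanner's blind SQL injection finding on a logon form.

    baseline/true_resp/false_resp are the recorded response bodies for the
    original request and for the tool's 'true' and 'false' condition
    requests; expected_authenticated says whether the scan configuration
    assumed the request was made inside a logged-in session.
    """
    b, t, f = (normalize(x) for x in (baseline, true_resp, false_resp))
    on_logon = [LOGON_MARKER in x for x in (b, t, f)]
    if expected_authenticated and on_logon[0]:
        return "misconfigured: login was not recorded, tool tested the logon page"
    if all(on_logon) and t == f:
        return "false positive: logon page returned for every input"
    if t == f:
        return "false positive: no response difference after masking tokens"
    return "review: responses differ, inspect the diff manually"

# Constructed sample responses: the logon page comes back for all inputs,
# differing only in the CSRF token and the timestamp.
SAMPLE_LOGON = ('<form id="loginForm"><input name="csrf" value="{}">'
                '<p>Login failed at {}</p></form>')
SAMPLE = [SAMPLE_LOGON.format("a1b2", "2024-01-01T10:00:00"),
          SAMPLE_LOGON.format("c3d4", "2024-01-01T10:00:01"),
          SAMPLE_LOGON.format("e5f6", "2024-01-01T10:00:02")]

if __name__ == "__main__":
    print(triage(*SAMPLE, expected_authenticated=False))
    print(triage(*SAMPLE, expected_authenticated=True))
```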



Operating System and Release Information

Product Family | Product | System                      | SAS Release Reported | SAS Release Fixed*
SAS System     | N/A     | Microsoft® Windows® for x64 | 9.4 TS1M0            | 9.4 TS1M0
SAS System     | N/A     | Solaris for x64             | 9.4 TS1M0            | 9.4 TS1M0
SAS System     | N/A     | Linux for x64               | 9.4 TS1M0            | 9.4 TS1M0
SAS System     | N/A     | HP-UX IPF                   | 9.4 TS1M0            | 9.4 TS1M0
SAS System     | N/A     | 64-bit Enabled Solaris      | 9.4 TS1M0            | 9.4 TS1M0
SAS System     | N/A     | 64-bit Enabled HP-UX        | 9.4 TS1M0            | 9.4 TS1M0
SAS System     | N/A     | 64-bit Enabled AIX          | 9.4 TS1M0            | 9.4 TS1M0

* For software releases that are not yet generally available, the Fixed Release is the software release in which the problem is planned to be fixed.