[ngneer]

Spot on. Vulnerability scanners that make up an organizational Security Score (TM) tend to operate at the wrong level of abstraction, flagging some library somewhere that never runs and has nothing to do with your production flow or architecture, or some test keys with zero security impact. Go explain that to management, because obviously the security tools are right and you are wrong. This sad state of affairs is unfortunately the best that the security industry has been able to deliver. Trying to wrangle complexity by adding more complexity is the craziest notion to me. Yes, no scoring scheme is perfect, but when the scheme introduces more noise, what have we gained (well, security vendors gain, but what have organizations gained).

[nikanj]

And it's not enough to explain it to management, you also need to explain it to your ISO auditors, your customers et cetera ad nauseam.

[selfmodruntime]

This is my research field. Do you have any input you can think of at the top of your head?

[ngneer]

That's very cool. You probably know more about it than I do, then, but my advice is to articulate the exact problem you try to solve.

I expect your field is probably teeming with AI proposals or offers on how to manage vulnerabilities, but that is doubtful the way, because again it is adding complexity, and no classifier is perfect, especially when scanners fail to understand scanned applications and their threat models or environment.

Stop selling external scanners, start simplifying code? This will never work, of course, because security vendors sell the promise of security to those willing to buy it, in the form of add-on products and capabilities.

Empower people to ignore scanner reports without so much red tape? That would never work either, because megacorp wants compliance and reduced liability.

Build secure systems as opposed to cataloging and scoring flaws? That would never work, because building secure systems is hard, nature tends to favor otherwise.

Charge people for adding complexity and credit them for removing complexity? Sadly, there is no way to do that, especially since products must ship and quality is hard to observe, since it is often invisible and only surfaces when things are broken.

Off the top of my head, would be nice to require proof of exploitation, by adding CTF-like capabilities to apps, such that only if the flag is captured do we consider the report real. This places more burden on scanners, in that it is no longer enough to report an outdated library. Requiring some proof of exploitability reduces noise and increases SNR, reducing false positives. Naturally, not all vulnerabilities have working exploits, and scanners can never fully simulate an adversary, so we may get more false negatives, but at least we would not have to waste so much time upgrading pointless modules and breaking applications to appease a false report. So the idea is "here is a dummy asset, show me how you leaked or compromised it". Adding the dummy asset should be cheap, but would force scanners to better simulate an attack.

At the very least, there ought to be a knob to decrease scanner sensitivity.