The methodology of reverse benchmarking is built around active false positive solicitation: a target application is deliberately coded with characteristics that cause an application security scanner to report vulnerabilities that do not exist. Because the target's false-positive-causing characteristics are chosen in advance, scanning it generates a significant number of false results in both commercial and open source scanners.
These results can then be analyzed and categorized, and a working taxonomy of false positive types created. Provided the taxonomy is sufficiently detailed and granular, it can educate developers on how to avoid common pitfalls when coding a security scanning solution. Security professionals can also learn from the taxonomy and work more efficiently, since they become able to spot false positives more easily when they occur.
Application security scanning solutions play a key role in enterprise security, and reverse benchmarking may prove to be a methodology and tool that both improves automated security scanners and better educates security professionals and consultants in the complex and rarely studied topic of common false positive types and their properties.
In practice, reverse benchmarking uses a specially designed web application whose characteristics cause false positives in any automated scanner used to assess it. Think of it as subjecting the scanner to a "road test" or "crash test." When the target is scanned, its properties cause the scanner to report vulnerabilities that are not there, and this set of deliberately generated false results sheds light on the actual conditions under which such false reports occur.
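As an added illustration (not the paper's own target application or scanner), the block below builds a miniature reverse-benchmark target in Python: three routes that are safe by design but each carry one characteristic that a naive signature-matching check misreads, a toy scanner that runs such checks, and a harness that labels every resulting finding with a constructed taxonomy category. The routes, the three heuristic checks and the taxonomy labels are assumptions made for this example.

```python
from html import escape
from urllib.parse import parse_qs, urlsplit

# Constructed target application: every route is safe by design, but each
# carries one characteristic that a signature-matching scanner misreads.
def target_app(url):
    parts = urlsplit(url)
    term = parse_qs(parts.query).get("q", [""])[0]
    if parts.path == "/kb/sql-errors":
        # Static help page that quotes a database error message verbatim.
        return 200, ("<h1>Troubleshooting</h1><p>If you see "
                     "'You have an error in your SQL syntax' call support.</p>")
    if parts.path == "/search":
        # Reflects the query, but HTML-escaped, so there is no script sink.
        return 200, f"<p>Results for {escape(term)}</p>"
    # Soft 404: unknown paths get a 200 with a friendly page.
    return 200, "<p>Page not found, but here is the home page.</p>"

SQL_ERROR_SIGS = ("error in your SQL syntax", "ORA-01756")
MARKER = "rb7f3xq"   # token the scanner looks for in reflected responses

def naive_scan(app, paths):
    """Three heuristic checks of the kind a simple scanner runs (assumed)."""
    findings = []
    for path in paths:
        if any(s in app(f"{path}?q='")[1] for s in SQL_ERROR_SIGS):
            findings.append(("sqli", path))
        if MARKER in app(f"{path}?q=<b>{MARKER}</b>")[1]:
            findings.append(("xss", path))
        if app(f"{path}.bak")[0] == 200:
            findings.append(("backup-file", f"{path}.bak"))
    return findings

# Ground truth is known because we wrote the target: no route is vulnerable,
# so every finding is a false positive. Each is mapped to a constructed
# taxonomy label naming the scanner behaviour the target exposed.
TAXONOMY = {
    "sqli": "error-signature in static content",
    "xss": "reflection matched without output-context check",
    "backup-file": "soft-404 treated as existing resource",
}

def reverse_benchmark(app, paths):
    return [(kind, where, TAXONOMY[kind]) for kind, where in naive_scan(app, paths)]

if __name__ == "__main__":
    for row in reverse_benchmark(target_app, ["/kb/sql-errors", "/search"]):
        print(*row, sep=" | ")
```

Swapping in a different check or adding a route with a new characteristic is how the taxonomy grows: each new false positive the target provokes gets a label describing the condition that produced it.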