I want to submit my app for security review. Since my app is calling some external API, the security review wizard is prompting me to provide the details below.
- Burp Scan report
- False positive document
I have generated the report using the Burp tool, but I am not sure what a false positive document is. Can anyone help me understand what a false positive document is and how I can prepare it?
Thanks
Best Answer
Did the Burp Scan report find anything? Either you should fix it and run the test again, or provide justification in a false positives document about why you don't think it is a security risk.
There is a good description of false positives in the Burp Suite Scanner About page.
I've answered a similar question before about scanning external APIs. In my experience, you also need to run the security scan on any website that might be exposed around the API based on the same data. While the API may be reasonably secure, you also need to verify anything else that can expose the data.