False positives occur when a scanner, Web Application Firewall (WAF), or Intrusion Prevention System (IPS) flags a security vulnerability that you do not have. A false negative is the opposite of a false positive: the tool tells you that you don’t have a vulnerability when in fact you do.
A false positive is like a false alarm; your house alarm goes off but there is no burglar. In web application security, a false positive is when a web application security scanner indicates that there is a vulnerability on your website, such as SQL Injection, when in reality there is not.
Web security experts and penetration testers use automated web application security scanners to ease the penetration testing process. This helps them ensure that all of the web application attack surfaces are tested properly in a reasonable amount of time. But a large number of false positives tends to break this process down. If the first 20 variants are false positives, for example, the penetration tester assumes that all the others are false positives as well and ignores the rest. By doing so, there is a good chance that real web application vulnerabilities will be left undetected.