A vulnerability scan is reporting that patches are missing on a server. After a review, it is determined that the application requiring the patch does not exist on the
operating system.
Which of the following describes this cause?

A.
Application hardening

B.
False positive

C.
Baseline code review

D.
False negative

Explanation:
False positives are essentially events that are mistakenly flagged and are not really events to be concerned about.
Incorrect Answers:
A: The term hardening is usually applied to operating systems. The idea is to “lock down” the operating system as much as is practical. For example, ensure that all
unneeded services are turned off, all unneeded software is uninstalled, patches are updated, user accounts are checked for security, and so forth. Hardening is a
general process of making certain that the operating system itself is as secure as it can be.
C: A baseline represents a secure state and a review of the baseline code is not a vulnerability report that security patches are missing as stated in the scenario.
D: A False negative is exactly the opposite of a false positive. With a false negative, you are not alerted to a situation when you should be alerted.

Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, p 28, 52
http://www.cgisecurity.com/questions/falsepositive.shtml