Enterprise organizations may require that their product adhere to strict security requirements or undergo extensive vendor due diligence at onboarding. Technical analysis of the product, code or software via scanning or testing is often a step in this process. While a security assessment is a crucial component of any vendor management program, security assessments of a product can sometimes indicate risk when there is no risk. A typical example is when code scans or penetration tests are conducted by an outside party that flag "false positives."