Vulnerabilities is dedicated to devsecops engineers.
An admin user needs to assign the following IAM policies to the group of users that will access the vulnerability-service: Read Entities, Read Security Events, and one of Admin User, Pro User, or Standard User (for details, see Default policies). See below for instructions.
In Account Management, select Identity & access management > Group Management.
Select Group to create a new group.
Enter a name (for example, vulnerability-service) and a description (for example, vulnerability-service group), then select Create.
Once the group is created, you can view its details and assign policies.
Select Permission.
In the Permission name drop-down menu, select and save each of the three required policies, one at a time.
Once added, the three policies are displayed in your list of permissions.
Vulnerabilities detects whether the applications in your Dynatrace environment use vulnerable libraries at runtime or a vulnerable runtime to execute your code. It helps you prioritize based on context and impact so that remediation can be addressed efficiently.
Try Vulnerabilities and share your feedback to help us improve.
Understand essential concepts and key terms for the Vulnerabilities app.
Dynatrace calculates the severity of a vulnerability based on Davis Security Score (DSS), so you can focus on fixing vulnerabilities that are relevant in your environment, instead of on those that have only a theoretical impact.
Davis Security Score (DSS): An enhanced risk-calculation score based on the industry-standard Common Vulnerability Scoring System (CVSS). Davis AI is designed to provide a more precise risk assessment by considering additional parameters such as public internet exposure and whether data assets are reachable from an affected entity.
Risk-averse: Virtually all security products use the CVSS Base Score to set the severity of security vulnerabilities. CVSS was designed to be risk-averse, which means that, for any given vulnerability, the assigned score assumes the worst-case scenario. The CVSS specification does allow for some modifications based on environmental influences, but this is usually not factored into the risk score calculation, which leads to many high or critical vulnerability scores that the user needs to handle.
Accurate: Davis doesn't assume the worst-case scenario. Instead, Davis adapts the characteristics of the vulnerability to your particular environment, taking into consideration its structure and topology, and advises you as to which elements are at risk and how to handle security issues. With Davis AI, you can find out if the affected entity is reachable from the internet and if there is any data storage in reach of an affected entity.
Efficient: By including additional parameters in its analysis, Davis is designed to leverage data to more precisely calculate the security score and predict the potential risk of a vulnerability to your environment. By reducing the score of vulnerabilities that are considered less relevant for your environment, you gain time to focus on the most critical issues and fix them faster.
The calculation starts from the CVSS base score and takes into consideration metrics pertaining to public internet exposure and reachable data assets.
CVSS v2 is deprecated. For vulnerabilities that rely only on CVSS v2 data, the Davis Security Score can't be assessed.
To influence the security score of a third-party vulnerability based on public internet exposure, Davis uses the Modified Attack Vector (MAV) metric. This metric reflects the context in which exploitation of the vulnerability is possible.
To influence the security score of a third-party vulnerability based on reachable data assets, Davis uses the Modified Confidentiality (MC) and Modified Integrity (MI) metrics. These metrics reflect the actual accessibility of a reachable data asset to an affected service.
The score of a code-level vulnerability is always 10 and the risk always Critical, because it's considered to be exploitable at any time. For example, on a login page where the password isn't sanitized before being sent to the database, thus allowing an SQL injection, it's only a matter of time until an attacker finds this vulnerability and exploits it.
The DSS scale ranges between 0.1 (lowest risk) and 10.0 (most critical risk).
The Davis Security Score (DSS) calculation differs between the Vulnerabilities app and the Third-Party Vulnerabilities app.
Thus, the DSS (score and risk level) for vulnerabilities in Vulnerabilities can be lower than in Third-Party Vulnerabilities.
Example: A vulnerability with Critical severity affects two processes, Process_1 and Process_2.
Process_1 is exposed to the public internet but has no reachable data assets => DSS lowers the severity to High.
Process_2 isn't exposed to the public internet but has reachable data assets => DSS lowers the severity to High.
Initial severity: Critical. Adjusted severity: High. Because both affected processes are rated High, the vulnerability's severity is lowered from the initial Critical to High.
How to use: You can prioritize vulnerabilities based on DSS.
Understand the risk factors and assessment modes considered when assessing a vulnerability.
Public internet exposure: One of the risk factors taken into consideration when determining the Davis Security Score. Public internet exposure means that the vulnerability affects at least one process that is exposed to the internet.
How to use: You can filter vulnerabilities by Davis Assessment > Public internet exposure.
Further reading: How is public internet exposure determined?
Reachable data assets: One of the risk factors taken into consideration when determining the Davis Security Score. Reachable data assets means that the vulnerability affects at least one process that has database access (runs a database service).
How to use: You can filter vulnerabilities by Davis Assessment > Reachable data assets.
Vulnerable functions (third-party vulnerabilities only): One of the risk factors to consider when evaluating a vulnerability (they are not considered in the DSS calculation). If vulnerable functions are in use, at least one process uses a vulnerable function, which might indicate a higher exploitation risk.
The class that contains the vulnerable function related to the vulnerability (for example, org.apache.http.client.utils.URIUtils).
Shows whether the vulnerable function is being used by your application, so that you can assess the impact on your environment. Usage of a vulnerable function is calculated at the process level and aggregated to the process group level, which results in a count of affected process groups per function. Possible values: In use, Not in use, Not available.
How to use: You can filter vulnerabilities by Vulnerable functions in use.
Public exploit published (third-party vulnerabilities only): One of the risk factors to consider when assessing a vulnerability. If a public exploit is published, malicious code to exploit this vulnerability is available on the internet.
How to use: You can filter vulnerabilities by Davis Assessment > Public exploit published.
Assessment mode: Determines whether detailed analysis is possible based on your monitoring mode.
How to use: You can filter vulnerabilities by Davis Assessment > Assessment mode.
When the context of internet exposure or reachable data assets can't be examined because the information is missing, the DSS can't be lowered.
Learn about the entities affected by and related to vulnerabilities in your environment.
Affected entities: Entities (process groups, processes, and Kubernetes nodes) for which a vulnerability was detected and that are therefore directly affected by the vulnerability. Example: a process that contains a vulnerable library or runtime.
How to use: You can prioritize vulnerabilities by affected entities.
Related entities: Entities that are connected to one of the affected entities and are thus indirectly affected by the vulnerability. Examples:
An application associated with the affected processes.
A service that runs directly on a vulnerable process group instance.
A host on which the vulnerable process runs.
A database that is accessed by the vulnerable process or reachable from it, possibly via multiple hops.
In Kubernetes environments, the workload or cluster to which the vulnerable process belongs.
In Kubernetes environments, the container image used by the affected processes.
How to use: You can prioritize vulnerabilities by related entities.
Drill down into the source of vulnerabilities for the vulnerable component, entry point, and code location.
Vulnerable component (third-party vulnerabilities): A software component (library) or runtime component (for example, a Kubernetes package) that has a vulnerable function causing a vulnerability. Examples: a library such as org.apache.tomcat:tomcat-coyote, or a runtime such as Java runtime or Node.js runtime.
How to use: You can drill down and explore vulnerable components.
Further reading: Why is a fixed vulnerability still showing as open?
Entry point (code-level vulnerabilities): A point in the code where an attacker could enter the application, for example, by passing user input fields to the application (such as a login form or search bar).
The path used in the HTTP request to reach and potentially exploit the vulnerability (for example, /user/1218/bio).
The input that is passed to the vulnerable function.
The user-controlled inputs that could be used to exploit the vulnerability. If there's a key for the payload (for example, an HTTP parameter name or an HTTP header name), it's displayed after the colon (for example, HTTP parameter value: bioText).
How to use: You can drill down and explore entry points.
Code location (code-level vulnerabilities): Shows where the actual vulnerability is in the code (the location from which the vulnerable function is called), for example, SQL injection at DatabaseManager.updateBio():82.
How to use: You can drill down and explore code location.
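As an added example (not code from the page or from Dynatrace), the following Python script ties together the entry point, payload and code location above, and illustrates why a code-level SQL injection is scored 10 regardless of environment: a hypothetical stand-in for DatabaseManager.updateBio() splices the bioText parameter into an UPDATE statement, next to the parameterized version that closes the injection. The schema, rows, user IDs and payload are constructed for the example; Python with sqlite3 is used so that it runs offline, even though the page's DatabaseManager.updateBio():82 suggests a Java code base.

```python
import sqlite3

# Constructed sample schema and rows (not from the page): user 1218 edits their own bio.
SCHEMA = """
CREATE TABLE users (
    id       INTEGER PRIMARY KEY,
    name     TEXT NOT NULL,
    bio      TEXT NOT NULL DEFAULT '',
    is_admin INTEGER NOT NULL DEFAULT 0
);
INSERT INTO users (id, name, bio, is_admin) VALUES (1, 'alice', 'site owner', 1);
INSERT INTO users (id, name, bio, is_admin) VALUES (1218, 'mallory', 'hello', 0);
"""

# Payload an attacker would send as the bioText parameter of /user/1218/bio (constructed).
# It closes the string literal, appends its own SET clause, then comments out the rest.
PAYLOAD = "x', is_admin = 1 WHERE id = 1218 --"


def fresh_db():
    """In-memory database loaded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


class DatabaseManager:
    """Hypothetical Python stand-in for the page's DatabaseManager.updateBio():82."""

    def __init__(self, conn):
        self.conn = conn

    def update_bio_vulnerable(self, user_id, bio_text):
        # bioText is spliced into the statement, so the attacker controls the SQL.
        # The route id is cast to int, which is why only the body parameter is injectable.
        sql = f"UPDATE users SET bio = '{bio_text}' WHERE id = {int(user_id)}"
        self.conn.execute(sql)
        self.conn.commit()
        return sql

    def update_bio_fixed(self, user_id, bio_text):
        # Bound parameters: the driver sends bioText as data; it is never parsed as SQL.
        sql = "UPDATE users SET bio = ? WHERE id = ?"
        self.conn.execute(sql, (bio_text, int(user_id)))
        self.conn.commit()
        return sql


def user_state(conn, user_id):
    """Return (bio, is_admin) for a user, using a parameterized query."""
    row = conn.execute("SELECT bio, is_admin FROM users WHERE id = ?", (user_id,)).fetchone()
    return row[0], row[1]


def run(vulnerable):
    """Apply PAYLOAD through one of the two implementations and report user 1218's state."""
    conn = fresh_db()
    dbm = DatabaseManager(conn)
    if vulnerable:
        dbm.update_bio_vulnerable(1218, PAYLOAD)
    else:
        dbm.update_bio_fixed(1218, PAYLOAD)
    return user_state(conn, 1218)


if __name__ == "__main__":
    print("vulnerable:", run(True))   # ('x', 1): the attacker became admin
    print("fixed:     ", run(False))  # (PAYLOAD, 0): stored literally, no escalation
```

With the vulnerable method the statement that actually reaches the database is `UPDATE users SET bio = 'x', is_admin = 1 WHERE id = 1218 --' WHERE id = 1218`, so the attacker's own row is promoted to admin; with the fixed method the whole payload is stored as the bio text and nothing else changes. Since the exploitability depends only on the code path, not on where the process runs or what it can reach, there is nothing for the environmental metrics to lower, which is the reasoning behind the fixed score of 10.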
Learn about the resolution and mute status of a vulnerability or affected entity.
How to use: On the Prioritization page, you can filter by Status to see Open and Resolved vulnerabilities, and by Mute: Status to see Muted (Open) vulnerabilities.
Resolved vulnerabilities are displayed only once (at the resolution time). Extend the timeframe to include more results. For details, see Timeframe filter.
A muted entity that was closed automatically doesn't change its status to Resolved, but to Muted (Resolved).
How to use: On the overview page of affected process groups or Kubernetes nodes, you can filter by Status to see Affected or Resolved entities, filter by Mute: Status to see Muted (Affected) or Muted (Resolved) entities, and format the affected entities table by Status.
Further reference: Can a vulnerability be resolved while there are still affected entities?