Application Security

Discover how Dynatrace can help you strengthen your applications' security:

Dynatrace Runtime Vulnerability Analytics (RVA): Identify critical vulnerabilities instantly with automated risk and impact assessments, thanks to in-depth analysis of data access paths and production execution.
Dynatrace Runtime Application Protection (RAP): Defend your applications in real time by detecting and blocking attacks through advanced code-level insights and transaction analysis.

Dynatrace Security Posture Management (SPM): Maintain robust security by assessing, prioritizing, and addressing misconfigurations and compliance violations efficiently.

Any supported version of Dynatrace. Review the release notes for currently supported versions.
For Application Security to work properly, make sure deep monitoring is enabled in Settings > Processes and containers > Process group monitoring.

For .NET, Go, and Python technologies, for which automatic deep monitoring is disabled, you need to manually enable deep monitoring on each host. For more information, see Process deep monitoring.

Third-party vulnerability detection

Code-level vulnerability detection

Dynatrace detects third-party vulnerabilities in the following technologies.

Technology

Minimum OneAgent version

Go¹

1.245

Java²

1.221

Java runtimes

1.253

Kubernetes

1.219

.NET¹

1.233

.NET runtimes

1.255

Node.js³

1.231

Node.js runtimes

1.253

PHP

1.231

Python¹'⁴

1.309

Python runtimes

1.309

For .NET, Go, and Python technologies, you need to manually enable deep monitoring on each host. For details, see Prerequisites.

Java on z/OS is currently not supported.

Using Webpack or other bundlers might have an impact on automatic vulnerability detection. This is because the software components cannot be detected, as they are hidden behind the bundler configuration and not available at runtime. Only packages that are deployed as external packages can be detected and reported. For details, see Node.js: Limitations.

⁴

For Python vulnerabilities, Dynatrace can't yet assess internet exposure and reachable data assets or calculate the Davis Security Score. For now, you can prioritize these vulnerabilities based on the CVSS score.

Dynatrace detects SQL injection, JNDI injection, command injection, and SSRF attacks in the following technologies.

Technology

Minimum OneAgent version

SQL injection

Command injection

JNDI injection

SSRF

Java 8 or higher¹

1.241

.NET²'³

1.289

Go³

1.311

Only supported on Windows x86 and Linux x86 systems.

Only .NET Framework 4.5, .NET Core 3.0 or higher, and 64-bit processes are supported.

For .NET and Go technologies, you need to manually enable deep monitoring on each host. For details, see Prerequisites.

Dynatrace Security Posture Management supports the following technologies (more coming soon):

Compliance standards

Minimum Kubernetes¹ version

CIS²

1.28

DORA

1.26

NIST

1.26

STIG

1.26

Support is limited to compatibility with upstream Kubernetes and available for x86-64 CPU architectures only.

Only CIS v1.10 is supported.

For more information, see Supported compliance standards and technologies.

Dynatrace Application Security is licensed based on the consumption of GiB-hours if you're using the Dynatrace Platform Subscription (DPS) licensing model, or Application Security units (ASUs) if you're using the Dynatrace classic licensing.

To get started with Dynatrace Application Security, follow the instructions below.

To activate Application Security, contact a Dynatrace product expert via live chat.

You need to assign the Security admin group to users who will be allowed to view and manage

Vulnerabilities, if you enable Dynatrace Runtime Vulnerability Analytics
Attacks, if you enable Dynatrace Runtime Application Protection

To assign Security admin permission

Go to Account Management > Identity & access management > People. You have the following options.

Add an existing user

Add a new user

To add an existing user to the group

Under Actions, select > Edit user for the user you want to add.
Select Security admin, then select Save.

For more information on user permissions, see Manage user groups and permissions.

optional

By default, once you enable the Security admin group, users can both view and manage vulnerabilities. To restrict the access level to view-only for specific users, so they can view vulnerabilities but not manage them (cannot change their status), you have two options:

Restrict access to an existing group

Create a new group with restricted access

To restrict the access of an existing group at the environment or management zone level

Go to Account Management > Identity & access management > Groups.
Filter for Security admin and then, under Actions, select > View group.
For the Permissions section, select Edit. You have the following options.

Select Environment permissions.
Select your environment, then clear Manage security problems and select View security problems.
Select Save.

Select Management zone permissions.
Filter for and select the management zone you want.
Clear Manage security problems and select View security problems.
Select Save.

Application Security concepts

Understand essential concepts and key terms for Application Security.

The deployed Dynatrace monitoring mode can influence the Application Security results displayed in Dynatrace.

Support overview

Capability

Full-Stack

Infrastructure

Discovery

Third-party vulnerability detection

limited

Code-level vulnerability detection

limited

Runtime Application Protection

Public internet exposure

On Linux hosts, if there's no information, which can happen in different monitoring modes or because something went wrong, public internet exposure is detected via eBPF. Potential states are Public network and Not detected. Davis Security Score isn't influenced by either of these states.

Full-Stack Monitoring mode

recommended

Full-Stack Monitoring mode provides complete application performance monitoring, code-level visibility, deep process monitoring, and Infrastructure Monitoring (including PaaS platforms).

Infrastructure Monitoring mode

Infrastructure Monitoring mode, where OneAgent is configured to provide physical and virtual infrastructure-centric monitoring, provides less complete monitoring than the Full-Stack Monitoring mode. The following functionalities are provided:

System metrics (CPU usage, memory usage, disk usage)
Third-party vulnerability detection
Code-level vulnerability detection
Runtime Application Protection

Infrastructure Monitoring: Characteristics

Third-party vulnerabilities

Code-level vulnerabilities

Attacks

In an Infrastructure Monitoring deployment, Davis® AI cannot adapt the Davis Security Score. In this case, the vulnerability's risk value can't be reevaluated, as this can only happen based on the topology information extracted from your environment, and the DSS will be the same as the CVSS base score.
Infrastructure Monitoring mode lacks environmental information, such as reachable data assets or public internet exposure, and limits information on related entities, such as databases and services. A full assessment can be performed only on vulnerabilities that have all related hosts under Full-Stack Monitoring.
- If related hosts are running in Infrastructure Monitoring mode, there's not enough data sent by OneAgents to examine whether there's exposure or sensitive data affected, therefore the values for public internet exposure and reachable data assets are set to Not available.
- If all related hosts are running in Full-Stack Monitoring mode except one, which runs in Infrastructure Monitoring mode, and the vulnerability isn't exposed or affected (based on the hosts in Full-Stack mode), the values for public internet exposure and reachable data assets are set to Not available. However, if at least one related host is running in Full-Stack Monitoring mode and the vulnerability is exposed or affected, the public internet exposure and reachable data assets features are displayed.
In Infrastructure Monitoring mode, vulnerable function information is supported.

Infrastructure Monitoring mode lacks environmental information, such as reachable data assets or public internet exposure, and limits information on related entities, such as databases and services. A full assessment can be performed only on vulnerabilities that have all related hosts under Full-Stack Monitoring.

If related hosts are running in Infrastructure Monitoring mode, there's not enough data sent by OneAgents to examine whether there's exposure or sensitive data affected, therefore the values for public internet exposure and reachable data assets are set to Not available.
If all related hosts are running in Full-Stack mode except one, which runs in Infrastructure Monitoring mode, and the vulnerability isn't exposed or affected (based on the hosts in Full-Stack mode), the values for public internet exposure and reachable data assets are set to Not available. However, if at least one related host is running in Full-Stack mode and the vulnerability is exposed or affected, the public internet exposure and reachable data assets features are displayed.

Same capabilities as Full-Stack Monitoring mode.

Infrastructure Monitoring: Consumption

If you're using the Dynatrace Platform Subscription (DPS) licensing model, see Host monitoring (DPS): Infrastructure Monitoring.
If you're using the Dynatrace classic licensing, see Application and Infrastructure Monitoring (Host Units).

Discovery mode

Discovery mode is a lightweight monitoring mode that provides basic monitoring. The following functionalities are provided:

System metrics (CPU usage, memory usage, disk usage)
Third-party vulnerability detection
Code-level vulnerability detection
Runtime Application Protection

For Application Security to work in Discovery mode, after enabling Discovery mode, you also need to enable code-module injection.

Discovery mode: Characteristics

Third-party vulnerabilities

Code-level vulnerabilities

Attacks

In a Discovery mode deployment, Davis AI cannot adapt the Davis Security Score. In this case, the vulnerability's risk value can't be reevaluated, as this can only happen based on the topology information extracted from your environment, and the DSS will be the same as the CVSS base score.
Discovery mode lacks environmental information, such as reachable data assets or public internet exposure, and limits information on related entities, such as databases and services. A full assessment can be performed only on vulnerabilities that have all related hosts under Full-Stack Monitoring.
- If related hosts are running in Discovery mode, not enough data is sent by OneAgents to examine whether there's exposure or sensitive data affected, so the values for public internet exposure and reachable data assets are set to Not available.
- If all related hosts are running in Full-Stack Monitoring mode except one, which runs in Discovery mode, and the vulnerability isn't exposed or affected (based on the hosts in Full-Stack Monitoring mode), the values for public internet exposure and reachable data assets are set to Not available. However, if at least one related host is running in Full-Stack Monitoring mode and the vulnerability is exposed or affected, the public internet exposure and reachable data assets features are displayed.
Exception
Public internet exposure is detected on Linux hosts running in Discovery mode via eBPF. Potential states are Public network and Not detected. Davis Security Score isn't influenced by either of these states.
In Discovery mode, vulnerable function information is supported.

Discovery mode lacks environmental information, such as reachable data assets or public internet exposure, and limits information on related entities, such as databases and services. A full assessment can be performed only on vulnerabilities that have all related hosts under Full-Stack Monitoring.

If related hosts are running in Discovery mode, not enough data is sent by OneAgents to examine whether there's exposure or sensitive data affected, so the values for public internet exposure and reachable data assets are set to Not available.
If all related hosts are running in Full-Stack Monitoring mode except one, which runs in Discovery mode, and the vulnerability isn't exposed or affected (based on the hosts in Full-Stack Monitoring mode), the values for public internet exposure and reachable data assets are set to Not available. However, if at least one related host is running in Full-Stack Monitoring mode and the vulnerability is exposed or affected, the public internet exposure and reachable data assets features are displayed.

Exception

Public internet exposure is detected on Linux hosts running in Discovery mode via eBPF. Potential states are Public network and Not detected. Davis Security Score isn't influenced by either of these states.

Same capabilities as Full-Stack Monitoring mode.

Discovery mode: Consumption

Discovery mode is only available for the Dynatrace Platform Subscription (DPS) licensing model.

For monitoring consumption information, see Host monitoring (DPS): Foundation & Discovery.

See below for the mechanism that Dynatrace Application Security uses to generate third-party vulnerabilities and code-level vulnerabilities.

Third-party vulnerabilities

To detect third-party vulnerabilities in your environment, Application Security evaluates software components (libraries) and runtime components (for example, Kubernetes packages).

Libraries are reported by OneAgent when a process is loading them. Therefore, only vulnerabilities in libraries that are in use will be reported, thus reducing vulnerability noise. All processes are constantly checked for new library loads.
Kubernetes packages are runtime components used by the Kubernetes cluster. They are reported by OneAgent once the component is in use on a node.
Examples of Kubernetes packages that Dynatrace tracks and scans for vulnerabilities:
- On the control plane node:
  - kube-apiserver
  - etcd
  - kube-scheduler
  - kube-controller-manager
  - cloud-controller-manager
- On the worker node:
  - kubelet
  - kubeproxy

Application Security checks the name and version of the vulnerable software and runtime component.

It does not check:

Configurations
Runtime information
Operating systems

As soon as the vulnerable software or runtime component is used by your application, a vulnerability is issued.

Topology changes

Once Dynatrace finds a new third-party vulnerability, it regularly checks for topology changes (for example, when a new reachable data source is involved).

Third-party vulnerability feeds

Depending on the vulnerable component, Dynatrace uses the following feeds:

Snyk for
- Software components (libraries)
- Runtime components in Kubernetes
NVD for runtime components in
- .NET runtime
- Java runtime
- Node.js runtime

Feeds are checked for updates every five minutes. If there's a new feed available, the information is pushed to the Dynatrace Cluster via Cloud Control/Mission Control. Updated vulnerability feeds are imported into the Dynatrace Cluster within two hours.

Based on the existent vulnerability feeds, Dynatrace searches for new vulnerabilities in your environment every minute.

For vulnerability feed problems, see The feed import isn't working.

Risk assessment

To determine external exposure and affected data assets, Dynatrace considers the following:

Sources: To calculate exposure, Dynatrace analyzes whether incoming web request services and web service calls from the last day come from a public IP address.
Entities: A vulnerable software component is linked to the process of the reporting component, and the running services in that process group are used to calculate the exposure and whether reachable data assets are affected.
Dependencies: To see if data assets are reachable, Dynatrace investigates related services and services that are directly called by those related services. If one of those services is a database, a reachable data asset is affected.

Resolution

A third-party vulnerability is closed automatically when the root cause (for example, loading a vulnerable library) is no longer present. When no process group has been reporting any vulnerable components, such as libraries for more than two hours, the vulnerability is marked as Resolved. There are several reasons why this can happen:

The vulnerability was fixed in the code
The vulnerable component was upgraded or removed
The vulnerable component is no longer used by the application
The application hasn't received any traffic after a restart, therefore the vulnerable component hasn't been loaded (is inactive)
The affected process has been stopped

As long as the affected process is down, a vulnerability isn't considered relevant or impacting the environment. When the process is up again, Dynatrace checks on it immediately and, if the process is affected, the vulnerability is reopened.

Code-level vulnerabilities

Code-level vulnerabilities are identified based on data flows through the application. To gather these insights, OneAgent evaluates all input data that is processed by the application and identifies where user-generated inputs can be used to exploit a vulnerability in the code.

Risk assessment

The risk of a vulnerability is Critical. Additionally, for every code-level vulnerability, all entities related to the affected process group are continuously analyzed. As a result, the code-level vulnerability gets additional information about

Public internet exposure (indicates if there are any affected process group instances reachable from the public internet)
- To find out how Dynatrace determines public internet exposure, see FAQ: How is public internet exposure determined?.
Reachable data assets affected (indicates if there's any database connected to the affected process group instance)

Resolution

A code-level vulnerability is closed automatically if the vulnerable process has been restarted and OneAgent can't detect any more data flows that can lead to the vulnerability. There are several reasons why this can happen:

The root cause (the vulnerable code) has been removed
The process hasn't received any traffic
There are mitigations outside the application
The affected process has been stopped

Frequently asked questions

Latest Dynatrace

Stay on top of your security measures, policies, and practices with Security Posture Management xSPM .

Stay compliant with Security Posture Management

Browse through some of the most relevant topics to get you started with Application Security.

Videos

Dynatrace University tutorials

Blogs

FAQ

What is Dynatrace and how to get started:

What is Dynatrace and how to get started
Elevate security with Dynatrace Davis Anomaly Detection:

Elevating Security with Dynatrace Davis Anomaly Detection
Unguard - An open source application security playground:

Unguard: An open source application security playground
Vulnerability detection and automated risk assessment with Dynatrace Application Security:

Vulnerability Detection and Automated Risk Assessment with Dynatrace AppSec
Remediate vulnerabilities like Log4Shell with Dynatrace:

Remediate Vulnerabilities like Log4Shell with Dynatrace
Protect your applications against attacks:

Protecting your applications against attacks
How to achieve cloud native hyperscale security with Dynatrace:

How to achieve cloud native hyperscale security with Dynatrace

Application Security FAQ

Application Security

Activate Application Security

Assign permissions

Fine-tune permissions

Application Security concepts