Discover how Dynatrace can help you strengthen your applications' security:
Dynatrace Runtime Vulnerability Analytics (RVA): Identify critical vulnerabilities instantly with automated risk and impact assessments, thanks to in-depth analysis of data access paths and production execution.
Any supported version of Dynatrace. Review the release notes for currently supported versions.
For Application Security to work properly, make sure deep monitoring is enabled in Settings > Processes and containers > Process group monitoring.
For .NET, Go, and Python technologies, for which automatic deep monitoring is disabled, you need to manually enable deep monitoring on each host. For more information, see Process deep monitoring.
Dynatrace detects third-party vulnerabilities in the following technologies.
For .NET, Go, and Python technologies, you need to manually enable deep monitoring on each host. For details, see Prerequisites.
2
Java on z/OS is currently not supported.
3
Using Webpack or other bundlers might have an impact on automatic vulnerability detection. This is because the software components cannot be detected, as they are hidden behind the bundler configuration and not available at runtime. Only packages that are deployed as external packages can be detected and reported. For details, see Node.js: Limitations.
4
For Python vulnerabilities, Dynatrace can't yet assess internet exposure and reachable data assets or calculate the Davis Security Score. For now, you can prioritize these vulnerabilities based on the CVSS score.
Dynatrace detects code-level vulnerabilities in the following technologies.
By default, once you enable the Security admin group, users can both view and manage vulnerabilities. To restrict the access level to view-only for specific users, so they can view vulnerabilities but not manage them (cannot change their status), you have two options:
To restrict the access of an existing group at the environment or management zone level
On Linux hosts, if there's no information, which can happen in different monitoring modes or because something went wrong, public internet exposure is detected via eBPF. Potential states are Public network and Not detected. Davis Security Score isn't influenced by either of these states.
Full-Stack Monitoring mode
recommended
Full-Stack Monitoring mode provides complete application performance monitoring, code-level visibility, deep process monitoring, and Infrastructure Monitoring (including PaaS platforms).
Infrastructure Monitoring mode
Infrastructure Monitoring mode, where OneAgent is configured to provide physical and virtual infrastructure-centric monitoring, provides less complete monitoring than the Full-Stack Monitoring mode. The following functionalities are provided:
System metrics (CPU usage, memory usage, disk usage)
In an Infrastructure Monitoring deployment, Davis® AI cannot adapt the Davis Security Score. In this case, the vulnerability's risk value can't be reevaluated, as this can only happen based on the topology information extracted from your environment, and the DSS will be the same as the CVSS base score.
Infrastructure Monitoring mode lacks environmental information, such as reachable data assets or public internet exposure, and limits information on related entities, such as databases and services. A full assessment can be performed only on vulnerabilities that have all related hosts under Full-Stack Monitoring.
If related hosts are running in Infrastructure Monitoring mode, there's not enough data sent by OneAgents to examine whether there's exposure or sensitive data affected, therefore the values for public internet exposure and reachable data assets are set to Not available.
If all related hosts are running in Full-Stack Monitoring mode except one, which runs in Infrastructure Monitoring mode, and the vulnerability isn't exposed or affected (based on the hosts in Full-Stack mode), the values for public internet exposure and reachable data assets are set to Not available. However, if at least one related host is running in Full-Stack Monitoring mode and the vulnerability is exposed or affected, the public internet exposure and reachable data assets features are displayed.
In Infrastructure Monitoring mode, vulnerable function information is supported.
Infrastructure Monitoring mode lacks environmental information, such as reachable data assets or public internet exposure, and limits information on related entities, such as databases and services. A full assessment can be performed only on vulnerabilities that have all related hosts under Full-Stack Monitoring.
If related hosts are running in Infrastructure Monitoring mode, there's not enough data sent by OneAgents to examine whether there's exposure or sensitive data affected, therefore the values for public internet exposure and reachable data assets are set to Not available.
If all related hosts are running in Full-Stack mode except one, which runs in Infrastructure Monitoring mode, and the vulnerability isn't exposed or affected (based on the hosts in Full-Stack mode), the values for public internet exposure and reachable data assets are set to Not available. However, if at least one related host is running in Full-Stack mode and the vulnerability is exposed or affected, the public internet exposure and reachable data assets features are displayed.
In a Discovery mode deployment, Davis AI cannot adapt the Davis Security Score. In this case, the vulnerability's risk value can't be reevaluated, as this can only happen based on the topology information extracted from your environment, and the DSS will be the same as the CVSS base score.
Discovery mode lacks environmental information, such as reachable data assets or public internet exposure, and limits information on related entities, such as databases and services. A full assessment can be performed only on vulnerabilities that have all related hosts under Full-Stack Monitoring.
If related hosts are running in Discovery mode, not enough data is sent by OneAgents to examine whether there's exposure or sensitive data affected, so the values for public internet exposure and reachable data assets are set to Not available.
If all related hosts are running in Full-Stack Monitoring mode except one, which runs in Discovery mode, and the vulnerability isn't exposed or affected (based on the hosts in Full-Stack Monitoring mode), the values for public internet exposure and reachable data assets are set to Not available. However, if at least one related host is running in Full-Stack Monitoring mode and the vulnerability is exposed or affected, the public internet exposure and reachable data assets features are displayed.
Exception
Public internet exposure is detected on Linux hosts running in Discovery mode via eBPF. Potential states are Public network and Not detected. Davis Security Score isn't influenced by either of these states.
In Discovery mode, vulnerable function information is supported.
Discovery mode lacks environmental information, such as reachable data assets or public internet exposure, and limits information on related entities, such as databases and services. A full assessment can be performed only on vulnerabilities that have all related hosts under Full-Stack Monitoring.
If related hosts are running in Discovery mode, not enough data is sent by OneAgents to examine whether there's exposure or sensitive data affected, so the values for public internet exposure and reachable data assets are set to Not available.
If all related hosts are running in Full-Stack Monitoring mode except one, which runs in Discovery mode, and the vulnerability isn't exposed or affected (based on the hosts in Full-Stack Monitoring mode), the values for public internet exposure and reachable data assets are set to Not available. However, if at least one related host is running in Full-Stack Monitoring mode and the vulnerability is exposed or affected, the public internet exposure and reachable data assets features are displayed.
Exception
Public internet exposure is detected on Linux hosts running in Discovery mode via eBPF. Potential states are Public network and Not detected. Davis Security Score isn't influenced by either of these states.