Using Webpack or other bundlers can affect automatic vulnerability detection: bundled software components cannot be detected because the bundler merges them into the application code, so they are not present as separate packages at runtime. Only packages that are deployed as external packages can be detected and reported. For details, see Node.js: Limitations.
Dynatrace detects code-level vulnerabilities in the following technologies.
By default, once you enable the Security admin group, users can both view and manage vulnerabilities. To restrict the access level to view-only for specific users, so they can view vulnerabilities but not manage them (cannot change their status), you have two options:
To restrict the access of an existing group at the environment or management zone level
Enter a name and a description for the group, and then select Next. You have the following options.
Select Environment permissions.
Select your environment, then select View security problems.
Select Next > Next and then select Create group.
Select Management zone permissions.
Filter for and select the management zone you want, and then select View security problems.
Select Next > Next and then select Create group.
Application Security concepts
Understand essential concepts and key terms for Application Security.
The deployed Dynatrace monitoring mode can influence the Application Security results displayed in Dynatrace.
Full-Stack Monitoring mode (recommended)
Full-Stack Monitoring mode provides complete application performance monitoring, code-level visibility, deep process monitoring, and Infrastructure Monitoring (including PaaS platforms).
Infrastructure Monitoring mode
Infrastructure Monitoring mode, where OneAgent is configured to provide physical and virtual infrastructure-centric monitoring, provides less complete monitoring than the Full-Stack Monitoring mode. The following functionalities are provided:
System metrics (CPU usage, memory usage, disk usage)
In an Infrastructure Monitoring deployment, Davis® AI cannot adapt the Davis Security Score. In this case, the vulnerability's risk value can't be reevaluated, as this can only happen based on the topology information extracted from your environment, and the DSS will be the same as the CVSS base score.
Infrastructure Monitoring mode lacks environmental information, such as reachable data assets or public internet exposure, and limits information on related entities, such as databases and services. A full assessment can be performed only on vulnerabilities that have all related hosts under Full-Stack Monitoring.
If related hosts are running in Infrastructure Monitoring mode, OneAgents don't send enough data to examine whether there's exposure or sensitive data affected, so the values for public internet exposure and reachable data assets are set to Not available.
If all related hosts are running in Full-Stack Monitoring mode except one, which runs in Infrastructure Monitoring mode, and the vulnerability isn't exposed or affected (based on the hosts in Full-Stack mode), the values for public internet exposure and reachable data assets are set to Not available. However, if at least one related host is running in Full-Stack Monitoring mode and the vulnerability is exposed or affected, the public internet exposure and reachable data assets features are displayed.
Exception
Public internet exposure is detected on Linux hosts running in Infrastructure Monitoring mode via eBPF. Potential states are Public network and Not detected. Davis Security Score isn't influenced by either of these states.
In Infrastructure Monitoring mode, vulnerable function information is supported.
Discovery mode
In a Discovery mode deployment, Davis AI cannot adapt the Davis Security Score. In this case, the vulnerability's risk value can't be reevaluated, as this can only happen based on the topology information extracted from your environment, and the DSS will be the same as the CVSS base score.
Discovery mode lacks environmental information, such as reachable data assets or public internet exposure, and limits information on related entities, such as databases and services. A full assessment can be performed only on vulnerabilities that have all related hosts under Full-Stack Monitoring.
If related hosts are running in Discovery mode, not enough data is sent by OneAgents to examine whether there's exposure or sensitive data affected, so the values for public internet exposure and reachable data assets are set to Not available.
If all related hosts are running in Full-Stack Monitoring mode except one, which runs in Discovery mode, and the vulnerability isn't exposed or affected (based on the hosts in Full-Stack Monitoring mode), the values for public internet exposure and reachable data assets are set to Not available. However, if at least one related host is running in Full-Stack Monitoring mode and the vulnerability is exposed or affected, the public internet exposure and reachable data assets features are displayed.
Exception
Public internet exposure is detected on Linux hosts running in Discovery mode via eBPF. Potential states are Public network and Not detected. Davis Security Score isn't influenced by either of these states.
In Discovery mode, vulnerable function information is supported.
To detect third-party vulnerabilities in your environment, Application Security evaluates software components (libraries) and runtime components (for example, Kubernetes packages).
Libraries are reported by OneAgent when a process loads them. Therefore, only vulnerabilities in libraries that are actually in use are reported, which reduces vulnerability noise. All processes are constantly checked for new library loads.
Kubernetes packages are runtime components used by the Kubernetes cluster. They are reported by OneAgent once the component is in use on a node.
Examples of Kubernetes packages that Dynatrace tracks and scans for vulnerabilities:
On the control plane node:
kube-apiserver
etcd
kube-scheduler
kube-controller-manager
cloud-controller-manager
On the worker node:
kubelet
kube-proxy
Application Security checks the name and version of the vulnerable software and runtime component.
It does not check:
Configurations
Runtime information
Operating systems
As soon as your application uses the vulnerable software or runtime component, a vulnerability is reported.
Topology changes
Once Dynatrace finds a new third-party vulnerability, it regularly checks for topology changes (for example, when a new reachable data source is involved).
Third-party vulnerability feeds
Depending on the vulnerable component, Dynatrace uses the following feeds:
Feeds are checked for updates every five minutes. If there's a new feed available, the information is pushed to the Dynatrace Cluster via Cloud Control/Mission Control. Updated vulnerability feeds are imported into the Dynatrace Cluster within two hours.
Based on the existing vulnerability feeds, Dynatrace searches for new vulnerabilities in your environment every minute.
To determine external exposure and affected data assets, Dynatrace considers the following:
Sources: To calculate exposure, Dynatrace analyzes whether incoming web request services and web service calls from the last day come from a public IP address.
Entities: A vulnerable software component is linked to the process of the reporting component, and the running services in that process group are used to calculate the exposure and whether reachable data assets are affected.
Dependencies: To see if data assets are reachable, Dynatrace investigates related services and services that are directly called by those related services. If one of those services is a database, a reachable data asset is affected.
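The rules above (Sources, Entities, Dependencies) and the monitoring-mode rules from the Infrastructure Monitoring and Discovery mode sections can be read as one decision procedure. The following Python model is an added example written for this page, not Dynatrace code: the data structures, function names, sample topology and sample request records are all constructed assumptions. It generalizes the page's "all Full-Stack except one" case to any mix of Full-Stack and reduced-mode hosts, and shows that a database two hops away from the process group's services is not counted as a reachable data asset.

```python
"""Illustrative model of the exposure and reachable-data-asset rules on this page.

Added example, not Dynatrace code: the classes, function names and the
topology/request samples below are constructed for illustration only.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address

NOT_AVAILABLE = "Not available"


@dataclass
class Host:
    name: str
    mode: str  # "full-stack", "infrastructure" or "discovery"


@dataclass
class Service:
    name: str
    is_database: bool = False
    calls: list = field(default_factory=list)  # names of directly called services


@dataclass
class ProcessGroup:
    name: str
    hosts: list     # Host objects the process group instances run on
    services: list  # names of the services running in this process group


def is_public_source(src_ip: str) -> bool:
    """Sources rule: a request counts as public-internet traffic when its source IP is globally routable."""
    return ip_address(src_ip).is_global


def public_exposure(pg: ProcessGroup, requests: list) -> bool:
    """Entities rule: exposure is computed over the services running in the process group."""
    return any(r["service"] in pg.services and is_public_source(r["src_ip"])
               for r in requests)


def reachable_data_assets(pg: ProcessGroup, catalog: dict) -> bool:
    """Dependencies rule: related services plus the services they call directly.
    A database among them means a reachable data asset is affected; a database
    two hops away is deliberately not counted."""
    related = [catalog[name] for name in pg.services]
    one_hop = [catalog[callee] for svc in related for callee in svc.calls]
    return any(svc.is_database for svc in related + one_hop)


def assess(pg: ProcessGroup, requests: list, catalog: dict) -> dict:
    """Combine the raw findings with the monitoring-mode rules from the page."""
    full_stack = {h.name for h in pg.hosts if h.mode == "full-stack"}
    reduced = [h for h in pg.hosts if h.mode != "full-stack"]
    if not full_stack:
        # No host delivers topology data: nothing can be reevaluated, so the
        # Davis Security Score stays at the CVSS base score (not modeled here).
        return {"public_internet_exposure": NOT_AVAILABLE,
                "reachable_data_assets": NOT_AVAILABLE,
                "full_assessment": False}
    # Only Full-Stack hosts send the request data needed for the exposure check.
    exposed = public_exposure(pg, [r for r in requests if r["host"] in full_stack])
    affected = reachable_data_assets(pg, catalog)
    if reduced and not (exposed or affected):
        # Mixed modes with only negative findings: the reduced-mode hosts could
        # still hide exposure, so both values are reported as Not available.
        return {"public_internet_exposure": NOT_AVAILABLE,
                "reachable_data_assets": NOT_AVAILABLE,
                "full_assessment": False}
    return {"public_internet_exposure": exposed,
            "reachable_data_assets": affected,
            "full_assessment": not reduced}


# Constructed sample topology: order-api -> payment-svc -> orders-db (database).
CATALOG = {
    "order-api": Service("order-api", calls=["payment-svc"]),
    "payment-svc": Service("payment-svc", calls=["orders-db"]),
    "orders-db": Service("orders-db", is_database=True),
}

# Constructed sample of last-day web requests (host = instance that served them).
REQUESTS = [
    {"host": "h1", "service": "order-api", "src_ip": "8.8.8.8"},   # public source
    {"host": "h1", "service": "order-api", "src_ip": "10.0.0.5"},  # internal source
    {"host": "h2", "service": "order-api", "src_ip": "8.8.8.8"},   # h2 is not Full-Stack
]


if __name__ == "__main__":
    mixed = ProcessGroup("orders", [Host("h1", "full-stack"), Host("h2", "infrastructure")],
                         ["order-api"])
    print(assess(mixed, REQUESTS, CATALOG))
```

Running the block shows the mixed-mode case: the public request seen on the Full-Stack host h1 makes exposure True, and because one finding is positive both values are displayed even though orders-db (two hops away) is not counted. Drop the public requests and the same process group reports Not available for both values, because the Infrastructure Monitoring host could still hide exposure.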
Resolution
A third-party vulnerability is closed automatically when the root cause (for example, loading a vulnerable library) is no longer present. When no process group has reported any vulnerable component, such as a library, for more than two hours, the vulnerability is marked as Resolved. There are several reasons why this can happen:
The vulnerability was fixed in the code
The vulnerable component was upgraded or removed
The vulnerable component is no longer used by the application
The application hasn't received any traffic after a restart, so the vulnerable component hasn't been loaded (it is inactive)
The affected process has been stopped
As long as the affected process is down, a vulnerability isn't considered relevant or impacting the environment. When the process is up again, Dynatrace checks on it immediately and, if the process is affected, the vulnerability is reopened.
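The resolution and reopening behaviour described above is a small state machine driven by component-load reports. The following Python tracker is an added example written for this page, not Dynatrace code: the class, its method names and the event timeline in the usage are constructed assumptions. It replays reports from two process groups, lets one process stop, applies the two-hour quiet window, and reopens the vulnerability when the restarted process reports the component again.

```python
"""Illustrative model of the automatic resolution rule for third-party vulnerabilities.

Added example, not Dynatrace code: the class, method names and the event
timeline below are constructed for illustration only.
"""
from datetime import datetime, timedelta

QUIET_WINDOW = timedelta(hours=2)  # "more than two hours" without any report


class VulnerabilityTracker:
    """Tracks one vulnerable component across the process groups that load it."""

    def __init__(self, component: str):
        self.component = component
        self.last_report = {}   # process group -> timestamp of its latest report
        self.status = "Open"
        self.history = []       # (timestamp, transition, process group or None)

    def report(self, process_group: str, ts: datetime) -> str:
        """OneAgent saw the vulnerable component loaded in process_group at ts.
        A report after resolution reopens the vulnerability immediately."""
        self.last_report[process_group] = ts
        if self.status == "Resolved":
            self.status = "Open"
            self.history.append((ts, "reopened", process_group))
        return self.status

    def evaluate(self, now: datetime) -> str:
        """Mark Resolved when every process group has been silent for more than the quiet window.
        A stopped process simply stops reporting, so it is covered by the same rule."""
        quiet = all(now - ts > QUIET_WINDOW for ts in self.last_report.values())
        if self.status == "Open" and self.last_report and quiet:
            self.status = "Resolved"
            self.history.append((now, "resolved", None))
        return self.status


def replay() -> VulnerabilityTracker:
    """Constructed timeline: pg-a and pg-b load the component, pg-a stops at 10:00,
    pg-b reports once more at 10:30, then pg-a restarts at 13:00."""
    t = lambda h, m: datetime(2024, 1, 1, h, m)  # constructed sample date
    tracker = VulnerabilityTracker("example-lib@1.0 (constructed)")
    tracker.report("pg-a", t(9, 0))
    tracker.report("pg-b", t(9, 30))
    # pg-a stops at 10:00: no further reports from it.
    tracker.report("pg-b", t(10, 30))
    tracker.evaluate(t(12, 0))    # pg-b reported 1.5 h ago -> still Open
    tracker.evaluate(t(12, 45))   # last report 2.25 h ago -> Resolved
    tracker.report("pg-a", t(13, 0))  # pg-a is up again and still loads it -> reopened
    return tracker


if __name__ == "__main__":
    for entry in replay().history:
        print(entry)
```

The check is strictly "more than two hours", so a report exactly two hours old keeps the vulnerability open; the constructed timeline evaluates at 12:00 (still open) and 12:45 (resolved) to show both sides of that boundary before the restarted process reopens it.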
Code-level vulnerabilities
Code-level vulnerabilities are identified based on data flows through the application. To gather these insights, OneAgent evaluates all input data that is processed by the application and identifies where user-generated inputs can be used to exploit a vulnerability in the code.
Risk assessment
Every code-level vulnerability is assigned the risk level Critical.
Additionally, for every code-level vulnerability, all entities related to the affected process group are continuously analyzed. As a result, the code-level vulnerability gets additional information about
Public internet exposure (indicates if there are any affected process group instances reachable from the public internet)
Reachable data assets affected (indicates if there's any database connected to the affected process group instance)
Resolution
A code-level vulnerability is closed automatically if the vulnerable process has been restarted and OneAgent can't detect any more data flows that can lead to the vulnerability. There are several reasons why this can happen:
The root cause (the vulnerable code) has been removed