Runtime Vulnerability Analytics

Dynatrace Runtime Vulnerability Analytics enables you to detect, visualize, analyze, monitor, and remediate open-source and third-party vulnerabilities, as well as security vulnerabilities in libraries and first-party code, in production and pre-production environments at runtime.

  • Automatic and continuous protection powered by Davis, the Dynatrace AI causation engine. Davis continuously watches production and pre-production environments to identify changes in application environments (such as container dynamics, elastic scaling, multi-version deployments, runtime container updates, rollbacks, A/B tests, or blue/green deployments) and provides precise answers about the source, nature, and severity of vulnerabilities as they arise in real time. Davis automatically analyzes and prioritizes alerts.
  • Continuous analysis of attack vectors that automatically tracks whether vulnerable libraries are actually loaded and called at runtime. Dynatrace Application Security is designed to let you identify the most relevant vulnerabilities and reduce false positives by combining Smartscape real-time topology mapping with PurePath® code-level distributed tracing.
  • Runtime introspection combined with the Snyk and NVD vulnerability databases for automatic detection at runtime. Even if security checks aren't integrated into every team's pipeline, or are deliberately bypassed, Dynatrace detects what's actually running: it automatically opens a vulnerability when one is detected and closes it when the root cause (for example, a loaded vulnerable library) is no longer present.
  • Full coverage across production rollbacks and outdated releases, feature flags, and deployment patterns (canary, blue/green).
  • Efficient management of vulnerabilities where a fix hasn't been effective, such as if a vulnerability is accidentally reintroduced during a rollback, or if updates haven't been applied correctly.
  • Precise and automatic risk and impact assessment, with risks prioritized by data access path and actual production execution. From hundreds or thousands of open vulnerabilities, Dynatrace Application Security is designed to pinpoint those that need immediate investigation, rather than those that merely score highest in a database.
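The open/close lifecycle and the usage-based prioritization described in the list above, as an added illustration. This is example code, not Dynatrace's implementation: the event shapes (`library_loaded`, `library_unloaded`, `function_called`), the constructed vulnerability database with its `EXAMPLE-` IDs, and the triage ordering are assumptions made for the example.

```python
"""Illustrative model of how a runtime-detected vulnerability is opened, resolved and
reopened. Added example, not Dynatrace code: the event names, the constructed
vulnerability database and the prioritization rule are assumptions for illustration."""
from dataclasses import dataclass, field

# Constructed sample vulnerability database: (library, vulnerable version) -> details.
# IDs, scores and function names are invented for this example.
VULN_DB = {
    ("example-xml-parser", "1.2.0"): {"id": "EXAMPLE-0001", "score": 9.1, "function": "parse_entities"},
    ("example-http-client", "3.0.1"): {"id": "EXAMPLE-0002", "score": 6.5, "function": "follow_redirect"},
}


@dataclass
class Finding:
    vuln_id: str
    library: str
    version: str
    score: float
    status: str = "open"           # "open" while the vulnerable version is loaded, else "resolved"
    function_called: bool = False  # True once the vulnerable function is observed at runtime
    reopen_count: int = 0          # how often a fix was undone (rollback, failed update)


@dataclass
class ProcessState:
    loaded: dict = field(default_factory=dict)    # library -> currently loaded version
    findings: dict = field(default_factory=dict)  # vuln_id -> Finding

    def _resolve(self, library, version):
        for f in self.findings.values():
            if f.library == library and f.version == version and f.status == "open":
                f.status = "resolved"

    def handle(self, event):
        """Apply one runtime observation (assumed event shapes, see module docstring)."""
        kind = event["type"]
        if kind == "library_loaded":
            library, version = event["library"], event["version"]
            previous = self.loaded.get(library)
            if previous is not None and previous != version:
                # The old version is gone, so any finding tied to it is no longer present.
                self._resolve(library, previous)
            self.loaded[library] = version
            details = VULN_DB.get((library, version))
            if details is None:
                return
            f = self.findings.get(details["id"])
            if f is None:
                self.findings[details["id"]] = Finding(details["id"], library, version, details["score"])
            elif f.status == "resolved":
                # The same vulnerable version is back (e.g. a rollback): reopen the existing
                # finding instead of creating a duplicate, and drop stale usage evidence.
                f.status = "open"
                f.reopen_count += 1
                f.function_called = False
        elif kind == "library_unloaded":
            version = self.loaded.pop(event["library"], None)
            if version is not None:
                self._resolve(event["library"], version)
        elif kind == "function_called":
            for f in self.findings.values():
                if (f.status == "open" and f.library == event["library"]
                        and VULN_DB[(f.library, f.version)]["function"] == event["function"]):
                    f.function_called = True

    def prioritized(self):
        """Open findings ordered for triage: vulnerable function actually called first,
        then by score. A high score alone does not outrank proven runtime use."""
        open_findings = [f for f in self.findings.values() if f.status == "open"]
        return sorted(open_findings, key=lambda f: (not f.function_called, -f.score))


def simulate():
    """Replay a constructed observation stream: detect, fix, roll back."""
    state = ProcessState()
    events = [
        {"type": "library_loaded", "library": "example-http-client", "version": "3.0.1"},
        {"type": "library_loaded", "library": "example-xml-parser", "version": "1.2.0"},
        {"type": "function_called", "library": "example-http-client", "function": "follow_redirect"},
        {"type": "library_loaded", "library": "example-xml-parser", "version": "1.2.1"},  # fix deployed
        {"type": "library_loaded", "library": "example-xml-parser", "version": "1.2.0"},  # rollback
    ]
    for event in events:
        state.handle(event)
    return state


if __name__ == "__main__":
    for f in simulate().prioritized():
        print(f.vuln_id, f.status, "called" if f.function_called else "not called", f.reopen_count)
```

In the replayed stream the critical-scored parser vulnerability is fixed and then reintroduced by the rollback, so it is reopened on the same finding (reopen count 1) rather than appearing as a new one, and the lower-scored HTTP client vulnerability is triaged first because its vulnerable function was actually observed being called.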

Runtime Vulnerability Analytics is licensed based on the consumption of GiB-hours if you're using the Dynatrace Platform Subscription (DPS) licensing model, or Application Security units (ASUs) if you're using the Dynatrace classic licensing.

Get started

  • Third-party vulnerability detection helps you identify open-source and third-party vulnerabilities in production and pre-production environments at runtime.

  • Code-level vulnerability detection leverages code inspection at runtime to identify security vulnerabilities in libraries and first-party code.

To enable Third-party Vulnerability Analytics (requires OneAgent version 1.239+)

  1. Go to Settings and select Application Security > Vulnerability Analytics > General settings.
  2. Under Third-party Vulnerability Analytics, select Enable Third-party Vulnerability Analytics.

To define the default third-party vulnerability detection control for all processes

  1. Go to Settings and select Application Security > Vulnerability Analytics > General settings.
  2. Under Third-party Vulnerability Analytics, select one of the Global third-party vulnerability detection control modes:
    • Monitor—Third-party vulnerabilities are reported.
    • Do not monitor—Third-party vulnerabilities are ignored.

You can also define custom monitoring rules based on process group tags, host tags, and management zones. The global mode then acts as the default: it applies to every process that no rule matches.
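How a default mode combines with custom rules, as an added example (not Dynatrace code). It assumes that rules are checked in order with the first match winning and that each rule carries one criterion (a process group tag, a host tag, or a management zone); the page does not state the actual evaluation order inside Dynatrace. The `blind_spots` helper is the check a practitioner wants after writing such rules: which processes end up unmonitored, and why.

```python
"""Illustrative model of default monitoring mode plus custom rules. Added example, not
Dynatrace code. Assumptions: rules are evaluated in order, first match wins, and each rule
has a single criterion. The real evaluation order is not stated on the page."""
from dataclasses import dataclass

MONITOR = "Monitor"
DO_NOT_MONITOR = "Do not monitor"


@dataclass(frozen=True)
class Rule:
    criterion: str  # "process_group_tag", "host_tag" or "management_zone"
    value: str
    mode: str


@dataclass(frozen=True)
class Process:
    name: str
    process_group_tags: frozenset = frozenset()
    host_tags: frozenset = frozenset()
    management_zones: frozenset = frozenset()


def rule_matches(rule, process):
    attributes = {
        "process_group_tag": process.process_group_tags,
        "host_tag": process.host_tags,
        "management_zone": process.management_zones,
    }
    return rule.value in attributes[rule.criterion]


def effective_mode(process, rules, default_mode):
    """Return (mode, matching rule or None); a process no rule matches gets the default."""
    for rule in rules:
        if rule_matches(rule, process):
            return rule.mode, rule
    return default_mode, None


def blind_spots(processes, rules, default_mode):
    """Processes that end up unmonitored, with the reason. Review this list before
    trusting the vulnerability view: a broad 'Do not monitor' rule silently hides findings."""
    out = []
    for p in processes:
        mode, rule = effective_mode(p, rules, default_mode)
        if mode == DO_NOT_MONITOR:
            out.append((p.name, "default" if rule is None else f"{rule.criterion}={rule.value}"))
    return out


# Constructed sample rules and process inventory (invented names and tags).
RULES = [
    Rule("management_zone", "payments-prod", MONITOR),
    Rule("host_tag", "env:sandbox", DO_NOT_MONITOR),
]
PROCESSES = [
    # Matches both rules; the first one (Monitor) wins under the ordering assumption.
    Process("checkout-api", frozenset({"team:payments"}), frozenset({"env:sandbox"}), frozenset({"payments-prod"})),
    Process("load-generator", host_tags=frozenset({"env:sandbox"})),
    Process("batch-report"),  # matches no rule, so the global mode applies
]

if __name__ == "__main__":
    for default in (MONITOR, DO_NOT_MONITOR):
        print(f"default={default!r}: unmonitored={blind_spots(PROCESSES, RULES, default)}")
```

Flipping the global mode from Monitor to Do not monitor changes only the unmatched process (`batch-report`); the sandbox host rule excludes `load-generator` either way, which is exactly the kind of exclusion worth a second look when a vulnerable library is expected to show up but doesn't.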

Optional: After you enable Third-party Vulnerability Analytics, Dynatrace generates vulnerabilities for all supported technologies by default. To control which technologies Dynatrace reports vulnerabilities for

  1. Go to Settings and select Application Security > Vulnerability Analytics > General settings.

  2. Under Third-party Vulnerability Analytics, enable or disable technologies as needed.

    Runtime technologies (for example, Java, Node.js, and .NET runtimes) are tied to the corresponding main technology (for example, Java and Node.js). If the main technology is disabled, the corresponding runtime technology is automatically disabled. If you enable the main technology, enabling the corresponding runtime technology is optional.

  3. Select Save changes.

Optional: For Dynatrace to evaluate whether the vulnerable function of a Java library is actually called in your Java processes, OneAgent must report Java vulnerable functions. To enable this reporting

  1. Go to Preferences > OneAgent features.
  2. Find and enable Java vulnerable function reporting.
  3. Select Save changes.
  4. Restart your processes.

For more information about function usage, see Vulnerable functions.

What's next

After you enable third-party vulnerability detection, try out the Vulnerabilities app to improve your environment's security by quickly addressing vulnerabilities and remediation actions.