Application Security FAQ

See below for answers to some of the most frequently asked questions about Dynatrace Application Security, grouped by topics.

Detection and monitoring

How can I detect security risks?

With Dynatrace Application Security, you can not only identify and monitor vulnerabilities in applications (third-party libraries, application runtimes, custom code) in your production and pre-production environments, but also detect and block attacks on your applications automatically and in real time.

To get started

  1. Activate and enable Application Security.
  2. Select any of the options below:

What's the impact of enabling Application Security?

What should I consider before enabling Application Security? Can it impact anything?

When you enable Application Security:

Can I manually start a security scan?

Does Application Security perform a scheduled job? What's the scheduled time interval? Can I manually start a security scan after deploying our changes in the environment?

There are no scheduled scans. Once you enable any Dynatrace Application Security functionality, your environment is automatically monitored for the selected functionality continuously and in real time.

Latest Dynatrace Does the Snyk container scan detect vulnerabilities in libraries?

Does the Snyk container scan detect vulnerabilities in libraries? In the DevSecOps Lifecycle Coverage with Snyk app, what are the differences between the vulnerabilities detected in container images by Snyk and the ones detected by Runtime Vulnerability Analytics?

DevSecOps Lifecycle Coverage with Snyk monitors your container workload devtime and runtime coverage. It doesn't detect vulnerabilities.

  • A container image is considered covered if it has been scanned by Snyk. The coverage results are displayed in DevSecOps Lifecycle Coverage with Snyk, while the results of the Snyk scans are displayed on the Snyk side.
  • A running container is considered covered if all of its processes are monitored by Application Security. The coverage results are displayed in DevSecOps Lifecycle Coverage with Snyk, while the results of Application Security monitoring are displayed on the Third-party vulnerabilities page.

Restrict permissions

How can I give someone view-only access to vulnerabilities?

To restrict specific users to view-only access, so they can view but not manage vulnerabilities, see Fine-tune permissions.

Resolution

Does Dynatrace resolve vulnerabilities?

Will Dynatrace resolve vulnerabilities or do I need to take any action to fix them?

Dynatrace Application Security does not resolve vulnerabilities. It identifies and monitors vulnerabilities in applications in your production and pre-production environments, and it helps you determine the root cause by providing rich context and information that helps you take the appropriate actions. For more information about capabilities, see

Once the root cause is gone, the vulnerability is automatically resolved. For more information about vulnerability resolution, see:

How do I fix detected vulnerabilities?

The rich and precise context and details provided on the vulnerabilities pages help you identify and understand vulnerabilities, prioritize them by risk, and automatically monitor and alert on newly discovered vulnerabilities. Based on this information, you can determine what actions are needed to fix the vulnerabilities.

For example, for third-party vulnerabilities, you can

Why is a fixed vulnerability still showing as open?

I removed the vulnerable component, but the vulnerability still shows as open. Why?

A vulnerability is marked as Resolved when no process group or Kubernetes node has been reporting any vulnerable components for more than two hours.

Why is my vulnerability still open if there's no affected process group anymore?

A vulnerability is still reported if it's still present in other management zones. To see the affected process groups, select All in the management zone filter.

Can a vulnerability be resolved while there are still affected entities?

No. A vulnerability is resolved if there are no longer any affected entities.

Why are some vulnerabilities resolved without any mitigation?

After enabling Runtime Vulnerability Analytics, 19 critical vulnerabilities were found. Now they are down to three without any mitigation from our side. Why are some vulnerabilities resolved without any mitigation?

A vulnerability is resolved automatically if the root cause is no longer present. To learn more, see Third-party vulnerability resolution/Code-level vulnerability resolution.

Why do some vulnerabilities keep being resolved and reopened?

A vulnerability keeps being resolved and reopened when a process using the vulnerable library isn't running all the time:

  • When the process is terminated, the vulnerability is resolved.

  • When the process is restarted, the vulnerability is reopened.

For details about the reasons why vulnerabilities are resolved and reopened, see Resolution.

To determine which processes are affected, access the remediation tracking for processes.

Why do resolved vulnerabilities show up in every management zone?

Management zone information is not directly attached to a vulnerability. It derives from the vulnerable entities that are affected by the respective vulnerability: a process in a management zone that uses a vulnerable library causes a third-party vulnerability in the respective management zone.

A vulnerability is resolved if there are no vulnerable entities anymore. In the vulnerability list, all resolved vulnerabilities displayed are not filterable by management zone anymore, as that information is not attached to them.

Why am I getting zero resolved process groups for resolved vulnerabilities in my management zone?

For resolved vulnerabilities, I would like to examine resolved process groups to understand which entities were previously affected, but there are zero resolved process groups in my management zone. Why?

On the Vulnerabilities pages, in the Process group overview section, if there are zero resolved process groups displayed for a resolved vulnerability in your management zone, it means that none of the entities that were previously affected and resolved are in that management zone. To find the respective entities, switch the management zone filter to All.

Restart required

Is restart required after enabling or disabling an Application Security feature or functionality?

See below the restart requirements by functionality.

Why is there a "Restart required" notification on some Application Security pages?

OneAgent version 1.279+

See How can I know if information about vulnerable functions is outdated and what can I do about it?.

Notifications

How can I get notifications for vulnerabilities open for a long time?

You can configure Dynatrace to send notifications for vulnerabilities only in two cases:

  • When the vulnerability is closed and reopened
  • When a new process group is affected by the vulnerability

To configure Dynatrace to send notifications on your desired channels, you can

  • Set up notifications for Vulnerability (re)opened (alerts when vulnerability is reopened) and New Management zone affected (alerts whenever a new process group in a management zone is affected by the vulnerability)

  • Latest Dynatrace Set up a workflow to create and automate notifications, allowing you to control this aspect more granularly. For examples of how to set up a workflow, see Workflows use cases.

How can I stop receiving notifications for an irrelevant or false-positive vulnerability or entity?

If you think a vulnerability or an entity isn't relevant or is a false positive, you can mute (silence) it.

For instructions, see

Why do we keep receiving notifications for the same vulnerability?

We have configured security notifications through email, but every day we receive notifications for the same vulnerability ID, with the same process group, entity name, and entity link. We have other vulnerabilities detected, but no extra notifications are sent. Why do we keep receiving notifications for the same vulnerability?

A process that does not run all the time might be using a vulnerable library. For details, see Why do some vulnerabilities keep being resolved and reopened?. To stop receiving notifications for this vulnerability, you can

Create, export, and share reports

How can I create reports for vulnerabilities?

How can I export and share a vulnerability report?

Can I export a report with the vulnerability information so I can share it with developers?

There are several ways to share vulnerability information:

Host coverage

How can I see which hosts are covered by Application Security?

Go to Security Overview. In the Host coverage section, select Monitored hosts to go to the Hosts page filtered by monitored hosts. For details, see Basic concepts: Host coverage and Application Security overview: Host coverage.

Limit monitoring

How can I limit Application Security monitoring to a specific management zone?

Create a monitoring rule that says Do not monitor if the management zone does not equal <your-management-zone>. After you add, edit, or remove a rule, allow up to 15 minutes for your changes to take effect.

How can I exclude hosts, management zones, process groups, or processes from monitoring with Application Security?

  • For third-party vulnerabilities, you can create monitoring rules to exclude specific hosts, management zones, or processes from monitoring.

  • For code-level vulnerabilities, you can create monitoring rules to exclude specific process groups from monitoring.

Change status

If a vulnerability is muted, are the affected entities muted as well?

No. The MUTE state does not automatically transfer to its affected entities; there is no interdependence between the two when assessing this state.

Status updates

What does "last update" on vulnerabilities list pages refer to?

On the third-party and code-level vulnerabilities list pages, does "Last update" refer to the last time when Dynatrace provided an update? How can I request an update for a vulnerability which was last updated two days ago?

Last update refers to the last time when a vulnerability had a status change. It does not refer to the last time when Dynatrace provided an update. For details, see FAQ: Can I manually start a security scan?.

What are status changes

Different values

Why are there different values on the vulnerabilities page versus Data Explorer?

In Third-Party Vulnerabilities, on the Third-party vulnerabilities list page, when I filter for resolved vulnerabilities over the last seven days, I get 3 vulnerabilities. When I use the metric query (builtin:security.securityProblem.resolved.new.global) in Data Explorer, I get 25. Why are there different values on the vulnerabilities page versus Data Explorer?

The vulnerability list shows the current state (the total count of vulnerabilities that are currently resolved), while using the metric query in Data Explorer shows the change over time.

For example, if two vulnerabilities are open and resolved several times over a period of time, the Data Explorer chart shows only one spike (which is the maximum over the given timeframe) while the vulnerabilities page shows two (because there are currently two resolved vulnerabilities).

To find out how many vulnerabilities were resolved in the given timeframe using the metric query

  1. In Data Explorer, set the visualization type to Single value.

  2. Expand Settings and set Fold transformation to Value.

    This shows how many times the vulnerabilities were resolved during the selected timeframe.

example Data Explorer fold transformation setting

Why are there different values on the Third-party vulnerabilities and vulnerability details pages?

There can be two reasons why values on these pages don't match:

Different number of affected entities

In Third-Party Vulnerabilities, the number of affected entities (process groups or hosts) on the Third-party vulnerabilities page (in the Affected entities column for a specific vulnerability) may differ from the number of affected entities on the vulnerability details page for the following reasons:

  • On the Third-party vulnerabilities page:

    • Affected entities aren't filtered by management zone.

    • Calculations take place every 15 minutes.

  • On the vulnerability details page:

    • Affected entities are filtered by management zone.

    • Current data is considered.

Different risk factors

In Third-Party Vulnerabilities, the assessment of risk factors (Public exploit, Public internet exposure, Reachable data assets, Vulnerable functions in use) in the infographic on the vulnerability details page and the Davis Security Score column on the Third-party vulnerabilities page may be different from the assessment of risk factors on the vulnerability details page (in the Vulnerability details section) for the following reason:

For the infographic on the vulnerability details page and the Davis Security Score column on the Third-party vulnerabilities page, calculations take place every 15 minutes For the Vulnerability details section on the vulnerability details page, current data is considered.

Why does my vulnerability have a different risk assessment and Davis Security Score than its affected entities?

A vulnerability is an aggregation of all its affected entities in your environment; therefore, it can have different values (risk assessment and Davis Security Score) than its affected entities. For example, the risk score of an affected entity might be 8.0, while the score of the aggregated vulnerability is 9.0. At the same time, if at least one affected entity is exposed to the internet, the aggregated vulnerability is also exposed to the internet.

Why am I seeing different vulnerabilities in production vs non-production environment?

You have the same vulnerabilities in two environments only if all of the following are the same in both environments:

  • Deployment (including the OneAgent version)
  • Settings
  • Application usage
  • Traffic

Public internet exposure

How is public internet exposure determined?

Vulnerable libraries

Does Dynatrace detect vulnerable libraries that aren't in use?

Runtime Vulnerability Analytics focuses on the runtime aspect, aiming to provide a prioritized list of vulnerabilities that are relevant to your running environments. For this purpose, Dynatrace only reports libraries that are actively used.

Where can I see the origin of a vulnerable library?

On the remediation tracking pages for process groups and processes affected by a vulnerability, you can see where the software component has been loaded from.

This feature is only displayed for vulnerable Java and .NET software components.

Note that to display the origin of .NET software components, the minimum OneAgent version required is OneAgent version 1.301+.

Example:

load-origins-pg

For information on how to navigate there, see Remediation tracking.

Vulnerable functions

How are vulnerable functions determined?

  • If the Snyk feed provides information about the vulnerable function, and OneAgent monitoring for Java vulnerable functions is enabled, OneAgent determines whether the vulnerable function is in use.

  • If the Snyk feed provides information about the vulnerable function, but the OneAgent feature is disabled, the number of vulnerable functions is displayed as Not available.

Why is there no information on vulnerable functions?

There are two cases when information about vulnerable functions is not available:

  • If no vulnerable function information is provided by Snyk or the Dynatrace security research team.
  • For runtime vulnerabilities, which are based on the NVD feed.

Why is there no data available for vulnerable functions?

How do I know which processes to restart?

If you see the Restart required notification on the details page of a vulnerability, follow the steps below to determine which processes you need to restart:

  1. On the Process group overview card, select View all process groups.
  2. Filter by Vulnerable functions: Restart required.
  3. For each of the resulting process groups, select Details, then select the link provided in the Restart required notification to navigate to the list of processes that require a restart.

Select the processes that need to be restarted

Example result:

Filter by Vulnerable functions: Restart required

After a process restart, it takes about a minute for the updated information to be displayed.

This feature only works if OneAgent monitoring for Java vulnerable functions is enabled.

Why does my process still need to be restarted after I already restarted it?

If you followed the instructions to identify the process and restarted it, and the process still requires a restart (the same Restart required notification shows up, and the information about vulnerable functions is unchanged), this can happen in Kubernetes deployments if there's no persistent storage.

To fix this issue, add persistent storage by mounting file storage that isn't deleted when restarting your pods.

How can I know if information about vulnerable functions is outdated and what can I do about it?

OneAgent version 1.279+

If new information about a vulnerability's vulnerable functions is available, a process restart is required so that OneAgent can pick up and use the new data. In this case, a Restart required notification or symbol is displayed on

Snyk feed

Why is the Snyk link missing for some vulnerabilities?

Why don't some vulnerabilities contain a link to Snyk, even though I can find the same CVE in Snyk?

To fetch data about vulnerabilities, Dynatrace Application Security uses either Snyk or NVD, depending on the vulnerable component.

A vulnerability with a CVE that is listed in Snyk but that doesn't have any Snyk-related information in Dynatrace is using the NVD feed. For more information, see Third-party vulnerability feeds.

Attacks

How does Dynatrace actually block attacks?

Selecting Block attack for an attack doesn't automatically block the respective attack; it takes you to the Settings page where you can create a monitoring rule to block that attack in the future. Dynatrace is configured to block future exploit situations, not the current ones. The request (thread) with the exploit throws an exception in the running code. All other users who aren't attacking are unaffected.
Dynatrace detects when a user-supplied attack payload finds its way to a line of code that uses an insecure way of

  • Talking to the database (SQL injection)
  • Talking to the operating system (command injection)
  • Doing a JNDI lookup (JNDI injection, such as Log4Shell)

The vulnerability is identified with or without an attack. If the data sent by the client includes characteristics of an attack that reaches this line of code, it's deemed an exploit, and Dynatrace alerts or blocks it.

How is an attacker's IP determined?

In Runtime Application Protection, to determine an attacker's IP, Dynatrace verifies

  • Specific HTTP headers, such as X-Client-IP or X-Forwarded-For.

    For a complete list, see the default header list (before modifying any client IP headers) in Settings > Web and mobile monitoring > IP determination.

  • The client IP of the socket connection (if the HTTP headers mentioned above aren't available).

    For details, see Client IP address detection.

Latest Dynatrace Threat exposure template

What is Exploitation Risk Score?

Early Adopter

Exploitation Risk Score (ERS) is a dynamic, weighted score that leverages the Davis Security Score (DSS) of each vulnerability and the actual number of vulnerabilities per risk level. ERS represents the likelihood of a potential attacker exploiting open vulnerabilities from the filtered scope. You can examine the vulnerability ERS using the Threat exposure template for Dashboards.

How ERS is calculated

  1. DSS average and vulnerability counts are calculated per risk level (critical, high, etc.).
  2. A weighted function is applied per risk level to adjust the averages to the respective vulnerability counts.
  3. All scores are aggregated in an iterative manner starting with the highest risk level to derive a single score out of 100.

Higher scores represent higher risk. Scores above 90 involve critical vulnerabilities.

ERS examples

  • For one critical vulnerability with a score of 9.1 and 100 low vulnerabilities with an average score of 2.2, the resulting Exploitation Risk Score is 90.
  • For 100 low vulnerabilities with an average score of 2.2, the resulting Exploitation Risk Score is 5,7.
  • For 100 critical vulnerabilities with an average score of 9.1, the resulting Exploitation Risk Score is 91.

Data retention

What's the data retention period for vulnerabilities, events, and attacks?

Vulnerabilities

  • Open third-party and code-level vulnerabilities are stored as long as they are open, regardless of the timeframe.

  • The storage time for resolved third-party and code-level vulnerabilities depends on when vulnerabilities are resolved:

    • If a vulnerability is resolved before 365 days since it was first opened, it's deleted after 365 days.
    • If a vulnerability is resolved after 365 days since it was first opened, it's deleted on its closest anniversary of the date when it was first opened.

    Examples:

    First opened
    First resolved
    Reopened
    Resolved again
    Delete date
    2022-05-12
    2023-05-06
    2023-05-13
    2022-05-12
    2023-08-06
    2024-05-13
    2022-05-12
    2023-08-06
    2024-01-01
    2024-02-08
    2024-05-13

Events

  • Vulnerability evolution events are stored for 365 days and can only be queried up to the timestamp of when the vulnerability was first detected.

First detected timestamp

Attacks

Attacks are stored for approximately 550 days.

Consumption

How can I check which hosts consume DPS/ASUs and how much they consume?

Find the hosts consuming DPS/ASUs

In Security Overview, go to the Host coverage section for third-party and code-level vulnerabilities and select Monitored hosts. The resulting list of hosts are the hosts in your environment which consume DPS/ASUs. For more information, see Host coverage.

Find out how much your hosts consume