Application Security

Latest Dynatrace
How-to guide

Discover how Dynatrace can help you strengthen your applications' security:

Dynatrace Runtime Vulnerability Analytics (RVA): Identify critical vulnerabilities instantly with automated risk and impact assessments, thanks to in-depth analysis of data access paths and production execution.
Dynatrace Runtime Application Protection (RAP): Defend your applications in real time by detecting and blocking attacks through advanced code-level insights and transaction analysis.

Dynatrace Security Posture Management (SPM): Maintain robust security by assessing, prioritizing, and addressing misconfigurations and compliance violations efficiently.

Prerequisites

Any supported version of Dynatrace. Review the release notes for currently supported versions.
For Application Security to work properly, make sure deep monitoring is enabled in Settings > Processes and containers > Process group monitoring.

For .NET, Go, and Python technologies, for which automatic deep monitoring is disabled, you need to manually enable deep monitoring on each host. For more information, see Process deep monitoring.

Supported technologies

Third-party vulnerability detection

Code-level vulnerability detection

Dynatrace detects third-party vulnerabilities in the following technologies.

Technology

Minimum OneAgent version

Go¹

1.245

Java²

1.221

Java runtimes

1.253

Kubernetes

1.219

.NET¹

1.233

.NET runtimes

1.255

Node.js³

1.231

Node.js runtimes

1.253

PHP

1.231

Python¹'⁴

1.309

Python runtimes

1.309

For .NET, Go, and Python technologies, for which automatic deep monitoring is disabled, you need to manually enable deep monitoring on each host. For more information, see Process deep monitoring.

Java on z/OS is currently not supported.

Using Webpack or other bundlers might have an impact on automatic vulnerability detection. This is because the software components cannot be detected, as they are hidden behind the bundler configuration and not available at runtime. Only packages that are deployed as external packages can be detected and reported. For details, see Node.js: Limitations.

⁴

For Python vulnerabilities, Dynatrace currently supports only two states for reachable data assets: Within range and Not available.

Dynatrace detects SQL injection, JNDI injection, command injection, and SSRF attacks in the following technologies.

Technology

Minimum OneAgent version

SQL injection

Command injection

JNDI injection

SSRF

Java 8 or higher¹

1.241

.NET²'³

1.289

Go³

1.311

Only supported on Windows x86 and Linux x86 systems.

Only .NET Framework 4.5, .NET Core 3.0 or higher, and 64-bit processes are supported.

For .NET and Go technologies, for which automatic deep monitoring is disabled, you need to manually enable deep monitoring on each host. For more information, see Process deep monitoring.

Supported compliance standards and technologies

Get started

To get started with Dynatrace Application Security, follow the instructions below.

To activate Application Security, contact a Dynatrace product expert via live chat.

You need to assign the Security admin group to users who will be allowed to view and manage

Vulnerabilities, if you enable Dynatrace Runtime Vulnerability Analytics
Attacks, if you enable Dynatrace Runtime Application Protection

To assign Security admin permission

Go to Account Management > Identity & access management > People. You have the following options.

Add an existing user

Add a new user

To add an existing user to the group

Under Actions, select > Edit user for the user you want to add.
Select Security admin, then select Save.

For more information on user permissions, see Manage user groups and permissions.

optional

By default, once you enable the Security admin group, users can both view and manage vulnerabilities. To restrict the access level to view-only for specific users, so they can view vulnerabilities but not manage them (cannot change their status), you have two options:

Restrict access to an existing group

Create a new group with restricted access

To restrict the access of an existing group at the environment or management zone level

Go to Account Management > Identity & access management > Group management.
Filter for Security admin and then, under Actions, select > View group.
For the Permissions section, select Edit. You have the following options.

Select Environment permissions.
Select your environment, then clear Manage security problems and select View security problems.
Select Save.

Select Management zone permissions.
Filter for and select the management zone you want.
Clear Manage security problems and select View security problems.
Select Save.

Monitoring modes

The deployed Dynatrace monitoring mode can influence the Application Security results displayed in Dynatrace.

Support overview

Capability

Full-Stack

Infrastructure

Discovery

Third-party vulnerability detection

limited

Code-level vulnerability detection

limited

Runtime Application Protection

Public internet exposure

On Linux hosts, if there's no information, which can happen in different monitoring modes or because something went wrong, public internet exposure is detected via eBPF. Potential states are Public network and Not detected. Davis Security Score isn't influenced by either of these states.

Full-Stack Monitoring mode

recommended

Full-Stack Monitoring mode provides complete application performance monitoring, code-level visibility, deep process monitoring, and Infrastructure Monitoring (including PaaS platforms).

Infrastructure Monitoring mode

Infrastructure Monitoring mode, where OneAgent is configured to provide physical and virtual infrastructure-centric monitoring, provides less complete monitoring than the Full-Stack Monitoring mode. The following functionalities are provided:

System metrics (CPU usage, memory usage, disk usage)
Third-party vulnerability detection
Code-level vulnerability detection
Runtime Application Protection

Infrastructure Monitoring: Characteristics

Third-party vulnerabilities

Code-level vulnerabilities

Attacks

In an Infrastructure Monitoring deployment, Davis® AI cannot adapt the Davis Security Score. In this case, the vulnerability's risk value can't be reevaluated, as this can only happen based on the topology information extracted from your environment, and the DSS will be the same as the CVSS base score.
Infrastructure Monitoring mode lacks environmental information, such as reachable data assets or public internet exposure, and limits information on related entities, such as databases and services. A full assessment can be performed only on vulnerabilities that have all related hosts under Full-Stack Monitoring.
- If related hosts are running in Infrastructure Monitoring mode, there's not enough data sent by OneAgents to examine whether there's exposure or sensitive data affected, therefore the values for public internet exposure and reachable data assets are set to Not available.
- If all related hosts are running in Full-Stack Monitoring mode except one, which runs in Infrastructure Monitoring mode, and the vulnerability isn't exposed or affected (based on the hosts in Full-Stack mode), the values for public internet exposure and reachable data assets are set to Not available. However, if at least one related host is running in Full-Stack Monitoring mode and the vulnerability is exposed or affected, the public internet exposure and reachable data assets features are displayed.
In Infrastructure Monitoring mode, vulnerable function information is supported.

Infrastructure Monitoring mode lacks environmental information, such as reachable data assets or public internet exposure, and limits information on related entities, such as databases and services. A full assessment can be performed only on vulnerabilities that have all related hosts under Full-Stack Monitoring.

If related hosts are running in Infrastructure Monitoring mode, there's not enough data sent by OneAgents to examine whether there's exposure or sensitive data affected, therefore the values for public internet exposure and reachable data assets are set to Not available.
If all related hosts are running in Full-Stack mode except one, which runs in Infrastructure Monitoring mode, and the vulnerability isn't exposed or affected (based on the hosts in Full-Stack mode), the values for public internet exposure and reachable data assets are set to Not available. However, if at least one related host is running in Full-Stack mode and the vulnerability is exposed or affected, the public internet exposure and reachable data assets features are displayed.

Same capabilities as Full-Stack Monitoring mode.

Infrastructure Monitoring: Consumption

If you're using the Dynatrace Platform Subscription (DPS) licensing model, see Host monitoring (DPS): Infrastructure Monitoring.
If you're using the Dynatrace classic licensing, see Application and Infrastructure Monitoring (Host Units).

Discovery mode

Discovery mode is a lightweight monitoring mode that provides basic monitoring. The following functionalities are provided:

System metrics (CPU usage, memory usage, disk usage)
Third-party vulnerability detection
Code-level vulnerability detection
Runtime Application Protection

For Application Security to work in Discovery mode, after enabling Discovery mode, you also need to enable code-module injection.

Discovery mode: Characteristics

Third-party vulnerabilities

Code-level vulnerabilities

Attacks

In a Discovery mode deployment, Davis AI cannot adapt the Davis Security Score. In this case, the vulnerability's risk value can't be reevaluated, as this can only happen based on the topology information extracted from your environment, and the DSS will be the same as the CVSS base score.
Discovery mode lacks environmental information, such as reachable data assets or public internet exposure, and limits information on related entities, such as databases and services. A full assessment can be performed only on vulnerabilities that have all related hosts under Full-Stack Monitoring.
- If related hosts are running in Discovery mode, not enough data is sent by OneAgents to examine whether there's exposure or sensitive data affected, so the values for public internet exposure and reachable data assets are set to Not available.
- If all related hosts are running in Full-Stack Monitoring mode except one, which runs in Discovery mode, and the vulnerability isn't exposed or affected (based on the hosts in Full-Stack Monitoring mode), the values for public internet exposure and reachable data assets are set to Not available. However, if at least one related host is running in Full-Stack Monitoring mode and the vulnerability is exposed or affected, the public internet exposure and reachable data assets features are displayed.
Exception
Public internet exposure is detected on Linux hosts running in Discovery mode via eBPF. Potential states are Public network and Not detected. Davis Security Score isn't influenced by either of these states.
In Discovery mode, vulnerable function information is supported.

Discovery mode lacks environmental information, such as reachable data assets or public internet exposure, and limits information on related entities, such as databases and services. A full assessment can be performed only on vulnerabilities that have all related hosts under Full-Stack Monitoring.

If related hosts are running in Discovery mode, not enough data is sent by OneAgents to examine whether there's exposure or sensitive data affected, so the values for public internet exposure and reachable data assets are set to Not available.
If all related hosts are running in Full-Stack Monitoring mode except one, which runs in Discovery mode, and the vulnerability isn't exposed or affected (based on the hosts in Full-Stack Monitoring mode), the values for public internet exposure and reachable data assets are set to Not available. However, if at least one related host is running in Full-Stack Monitoring mode and the vulnerability is exposed or affected, the public internet exposure and reachable data assets features are displayed.

Exception

Public internet exposure is detected on Linux hosts running in Discovery mode via eBPF. Potential states are Public network and Not detected. Davis Security Score isn't influenced by either of these states.

Same capabilities as Full-Stack Monitoring mode.

Discovery mode: Consumption

Discovery mode is only available for the Dynatrace Platform Subscription (DPS) licensing model.

For monitoring consumption information, see Host monitoring (DPS): Foundation & Discovery.

Consumption

Dynatrace Application Security is licensed based on the consumption of GiB-hours if you're using the Dynatrace Platform Subscription (DPS) licensing model, or Application Security units (ASUs) if you're using the Dynatrace classic licensing.

Further resources

Browse through some of the most relevant topics to get you started with Application Security.

Videos

Dynatrace University tutorials

Blogs

FAQ

What is Dynatrace and how to get started:

What is Dynatrace and how to get started
Elevate security with Dynatrace Davis Anomaly Detection:

Elevating Security with Dynatrace Davis Anomaly Detection
Unguard - An open source application security playground:

Unguard: An open source application security playground
Vulnerability detection and automated risk assessment with Dynatrace Application Security:

Vulnerability Detection and Automated Risk Assessment with Dynatrace AppSec
Remediate vulnerabilities like Log4Shell with Dynatrace:

Remediate Vulnerabilities like Log4Shell with Dynatrace
Protect your applications against attacks:

Protecting your applications against attacks
How to achieve cloud native hyperscale security with Dynatrace:

How to achieve cloud native hyperscale security with Dynatrace