Runtime Vulnerability Analytics

  • Latest Dynatrace
  • How-to guide
  • Published Oct 13, 2022

Dynatrace Runtime Vulnerability Analytics enables you to detect, visualize, analyze, monitor, and remediate open-source and third-party vulnerabilities, as well as security vulnerabilities in libraries and first-party code, in production and pre-production environments at runtime.

Capabilities

  • Automatic and continuous protection powered by Davis, the Dynatrace AI causation engine. Davis continuously watches production and pre-production environments, identifies changes in application environments (such as container dynamics, elastic scaling, multi-version deployments, runtime container updates, rollbacks, A/B tests, or blue/green deployments), and provides precise answers about the source, nature, and severity of vulnerabilities as they arise in real time. Davis automatically analyzes and prioritizes alerts.
  • Continuous analysis of attack vectors to automatically track whether vulnerable libraries are called and used at runtime. Dynatrace Application Security is designed to let you identify the most relevant vulnerabilities and reduce false positives with Smartscape real-time topology mapping and distributed tracing with PurePath® code-level analysis.
  • Runtime introspection combined with Snyk and NVD vulnerability data, for automatic vulnerability detection at runtime. Even if security checks aren't integrated into the pipelines of every team, or are deliberately bypassed, Dynatrace detects what is actually running and pinpoints vulnerabilities immediately: it automatically opens a vulnerability when one is detected and closes it when the root cause (for example, loading a vulnerable library) is no longer present.
  • Full coverage across production rollbacks and outdated releases, feature flags, and deployment patterns (canary, blue/green).
  • Efficient management of vulnerabilities for which a fix hasn't been effective, for example because a vulnerability was accidentally reintroduced during a rollback or an update wasn't applied correctly.
  • Precise and automatic risk and impact assessment, with risks prioritized by data access path and actual production execution. From hundreds or thousands of open vulnerabilities, Dynatrace Application Security is designed to pinpoint those that need immediate investigation by automatically analyzing data access paths and production execution.

Prerequisites

Supported technologies

Dynatrace detects third-party vulnerabilities in the following technologies.

Technology                Minimum OneAgent version
Go [1]                    1.245
Java [2]                  1.221
Java runtimes             1.253
Kubernetes                1.219
.NET [1]                  1.233
.NET runtimes             1.255
Node.js [3]               1.231
Node.js runtimes          1.253
PHP                       1.231
Python [1][4]             1.309
Python runtimes           1.309

[1] For .NET, Go, and Python, automatic deep monitoring is disabled by default, so you need to manually enable deep monitoring on each host. For more information, see Process deep monitoring.

[2] Java on z/OS is currently not supported.

[3] Using Webpack or other bundlers might affect automatic vulnerability detection. Bundlers inline dependencies into the bundle, so the individual packages are not loaded as separate software components at runtime and cannot be detected. Only packages that are deployed as external packages (loaded from node_modules at runtime) can be detected and reported. For details, see Node.js: Limitations.

[4] For Python vulnerabilities, Dynatrace currently supports only two states for reachable data assets: Within range and Not available.

Get started

  • Third-party vulnerability detection helps you identify open-source and third-party vulnerabilities in production and pre-production environments at runtime.

  • Code-level vulnerability detection leverages code inspection at runtime to identify security vulnerabilities in libraries and first-party code.

Enable Third-party Vulnerability Analytics (OneAgent version 1.239+)

  1. Go to Settings and select Application Security > Vulnerability Analytics > General settings.
  2. Under Third-party Vulnerability Analytics, select Enable Third-party Vulnerability Analytics.

To define the default third-party vulnerability detection control for all processes and Kubernetes nodes

  1. Go to Settings and select Application Security > Vulnerability Analytics > General settings.
  2. Under Third-party Vulnerability Analytics, select one of the Global third-party vulnerability detection control modes:
    • Monitor—Third-party vulnerabilities are reported.
    • Do not monitor—Third-party vulnerabilities are ignored.

You can also define custom monitoring rules based on certain criteria. In this case, a process or Kubernetes node that matches a rule uses the mode set by that rule, and the default (global) mode applies to all processes and Kubernetes nodes that are not matched by any rule.

Optional

After you enable Third-party Vulnerability Analytics, Dynatrace starts generating vulnerabilities for all supported technologies by default. To control which of these technologies should receive vulnerabilities

  1. Go to Settings and select Application Security > Vulnerability Analytics > General settings.

  2. Under Third-party Vulnerability Analytics, enable or disable technologies as needed.

    Runtime technologies (for example, Java, Node.js, and .NET runtimes) are tied to the corresponding main technology (for example, Java and Node.js). If the main technology is disabled, the corresponding runtime technology is automatically disabled. If you enable the main technology, enabling the corresponding runtime technology is optional.

  3. Select Save changes.

Python only: the following steps are required only to monitor vulnerabilities in Python technology.

  1. Enable Dynatrace monitoring for Python: In Monitoring > Monitoring technologies, find Python and enable Monitor Python.
  2. Enable OneAgent monitoring: In Preferences > OneAgent features, find and enable Python software component reporting, then restart your processes.

Optional

To enable OneAgent monitoring for Java vulnerable functions

  1. Go to Settings and select Preferences > OneAgent features.
  2. Find and enable Java vulnerable function reporting.
  3. Select Save changes.
  4. Restart your processes.

For more information about function usage, see Vulnerable functions.

What's next

After you enable third-party vulnerability detection, you can

For details on how Dynatrace evaluates third-party and code-level vulnerabilities, see Vulnerability evaluation.

Try out our Vulnerabilities app to improve your environment's security by quickly addressing vulnerabilities and remediation actions.

Consumption

Runtime Vulnerability Analytics is licensed based on the consumption of GiB-hours if you're using the Dynatrace Platform Subscription (DPS) licensing model, or Application Security units (ASUs) if you're using the Dynatrace classic licensing.
