Advance DevSecOps practices with a vulnerability management strategy

Adding a vulnerability management strategy to your DevSecOps practices can be key to handling threats like Log4Shell.

As organizations struggle to combat vulnerabilities in their IT environments, they need real-time data on performance problems and security issues. At the annual conference Dynatrace Perform 2022, the theme is “Empowering the game changers.” In the Advancing DevOps and DevSecOps track, sessions aim to help security pros, developers, and engineers as they brace for new threats that are costly and time-consuming to address.

In this preview video for Dynatrace Perform 2022, I talk to Ajay Gandhi, VP of product marketing at Dynatrace, about how adding a vulnerability management strategy to your DevSecOps practices can be key to handling threats posed by vulnerabilities.

Consider the Log4Shell vulnerability, which emerged in December 2021 and is estimated to have affected hundreds of millions of systems worldwide. The vulnerability is located in Log4j 2, an open-source Apache Java logging library used in a host of front-end and backend applications. If exploited, the vulnerability can give attackers access to internal networks and leaves networks, applications, and devices susceptible to data theft and malware attacks. Because the Log4j 2 library is used so pervasively, it has had a dramatic impact on business.

By integrating runtime vulnerability management into DevSecOps practices, teams can immediately detect and remediate exploitable vulnerabilities like Log4Shell in their environments.

Why DevSecOps practices benefit from vulnerability management

Without a centralized approach to vulnerability management, DevSecOps teams waste time figuring out how a vulnerability affects the production environment and which systems are affected.

A real-time observability platform with code-level application insights can automatically identify vulnerabilities in runtime and production environments. Moreover, modern observability capabilities provide context about activity in an IT environment so teams know what is most critical to address first. As a result, IT teams can quickly prioritize remediation efforts, which can make the difference between a successful and an unsuccessful attack.

“The requirements for vulnerability management have evolved, and Log4Shell has crystallized that,” says Gandhi. “You need more context to be effective in addressing vulnerabilities quickly, precisely, and at scale and being able to prioritize which apps and which code segments need to be addressed first.”

Observability is the game-changer. “What we found is that by combining observability context (which apps are affected and infrastructure monitoring) with security intelligence, Dynatrace AI can prioritize what to focus on first, second, and third and automatically generate a risk assessment. Teams can then identify all affected apps in their environment in real time.”

A key DevSecOps practice in regard to vulnerability management is not only “shifting left” (moving testing early in the development cycle to identify vulnerabilities) but also “shifting right” (continuously testing software in production to ensure security and quality). As DevSecOps practices mature, teams can benefit from observability that spans the software development cycle to identify vulnerabilities in development and in production.
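The two ideas above, prioritizing by runtime context and combining "shift-left" build-time findings with "shift-right" runtime evidence, can be made concrete in a small script. The example below is added here and is not Dynatrace's code or the product's risk model: it merges findings for the same service and library from a build-time scan and a runtime agent, treats "library actually loaded" as stronger evidence than "library packaged in the artifact", and ranks services by exposure. The service names, the weights, and the sample findings are all constructed assumptions.

```python
"""Context-based prioritization of vulnerable-library findings.

Added example (not Dynatrace's code): ranks findings from a build-time scan
("shift left") and runtime detection ("shift right") by deployment context,
so the most exposed, actually-loaded instances are remediated first.
The weights and sample findings below are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    service: str                  # constructed service name
    library: str                  # affected library, e.g. "log4j-core"
    source: str                   # "build" (SCA scan) or "runtime" (agent)
    loaded_at_runtime: bool       # class actually loaded by the JVM
    internet_facing: bool         # reachable from outside the network
    handles_sensitive_data: bool  # processes regulated or secret data


# Assumed weights; tune them to the organization's own risk model.
WEIGHTS = {
    "runtime_confirmed": 40,  # library is loaded, not merely packaged
    "internet_facing": 30,
    "sensitive_data": 20,
    "packaged_only": 5,       # present in the artifact but never loaded
}


def risk_score(f: Finding) -> tuple[int, list[str]]:
    """Return (score, reasons) for a single finding."""
    score, reasons = 0, []
    if f.loaded_at_runtime:
        score += WEIGHTS["runtime_confirmed"]
        reasons.append("library loaded at runtime")
    else:
        score += WEIGHTS["packaged_only"]
        reasons.append("packaged but not loaded")
    if f.internet_facing:
        score += WEIGHTS["internet_facing"]
        reasons.append("internet-facing")
    if f.handles_sensitive_data:
        score += WEIGHTS["sensitive_data"]
        reasons.append("handles sensitive data")
    return score, reasons


def merge_findings(findings: list[Finding]) -> list[Finding]:
    """Combine build-time and runtime findings per (service, library).

    Runtime evidence wins: if any source saw the library loaded, the merged
    finding is marked loaded_at_runtime; exposure flags are OR-ed together.
    """
    merged: dict[tuple[str, str], Finding] = {}
    for f in findings:
        key = (f.service, f.library)
        if key not in merged:
            merged[key] = f
            continue
        m = merged[key]
        merged[key] = Finding(
            service=f.service,
            library=f.library,
            source="runtime" if "runtime" in (m.source, f.source) else "build",
            loaded_at_runtime=m.loaded_at_runtime or f.loaded_at_runtime,
            internet_facing=m.internet_facing or f.internet_facing,
            handles_sensitive_data=m.handles_sensitive_data or f.handles_sensitive_data,
        )
    return list(merged.values())


def prioritize(findings: list[Finding]) -> list[tuple[str, str, int, list[str]]]:
    """Return [(service, library, score, reasons)] ordered highest risk first."""
    ranked = []
    for f in merge_findings(findings):
        score, reasons = risk_score(f)
        ranked.append((f.service, f.library, score, reasons))
    ranked.sort(key=lambda r: (-r[2], r[0]))  # highest score first, then by name
    return ranked


# Constructed sample findings (not real services or real scan output).
SAMPLE_FINDINGS = [
    # build-time scan sees the jar packaged in three artifacts
    Finding("checkout-api", "log4j-core", "build", False, True, True),
    Finding("batch-reporter", "log4j-core", "build", False, False, False),
    Finding("admin-portal", "log4j-core", "build", False, False, True),
    # runtime agent confirms two of them actually load the library
    Finding("checkout-api", "log4j-core", "runtime", True, True, True),
    Finding("admin-portal", "log4j-core", "runtime", True, False, True),
]


if __name__ == "__main__":
    for service, library, score, reasons in prioritize(SAMPLE_FINDINGS):
        print(f"{score:3d}  {service:<15} {library}  ({', '.join(reasons)})")
```

With the constructed input, the internet-facing service whose runtime agent confirmed the library is loaded ranks first, the internal service with confirmed loading second, and the batch job that only carries the jar in its artifact last. The point of the merge step is the one the text makes: a build-time scan alone cannot tell which of the three systems is actually affected at runtime, so the runtime evidence is what drives the order.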

For our complete Perform 2022 conference coverage, check out our guide.

Register for Perform 2022 today, and check out the Advancing DevOps and DevSecOps track.
