In recent years, the volume of reported security vulnerabilities in enterprise software has increased exponentially. At the same time, cloud-native technologies and open-source software have introduced a new level of speed and complexity. While DevSecOps teams focus on detecting and remediating security vulnerabilities as early in the release pipeline as possible, developers are trying to keep pace with the high number of security alerts. However, it is typically impossible to remediate all known security vulnerabilities, so enterprises need a better way to identify which of the detected vulnerabilities present the greatest risk.
Wrong prioritization wastes time without reducing risk
Currently, there is no established standard for effective vulnerability prioritization. Teams struggle to understand which vulnerabilities they should tackle first, especially in dynamic, heterogeneous environments.
The approaches that are currently available simply aren’t good enough:
- Many companies use the Common Vulnerability Scoring System (CVSS) for prioritization. However, the CVSS base score doesn’t take the actual risk of a vulnerability in a specific environment into account, and it also doesn’t help to narrow the list of vulnerabilities.
- To reduce their backlogs, some companies focus on the most popular open-source components, and some only address vulnerabilities that appear after a certain date. Both these approaches lead to blind spots.
- Prioritizing vulnerabilities by the ease of remediation also doesn’t ensure focus on the biggest threats (starting with the lowest hanging fruit can come at a price).
- Teams also use information about applications or system architecture for prioritization. However, without automation and AI, this approach isn’t feasible in dynamic application environments.
Therefore, organizations risk working on the wrong things. This wastes time and doesn’t do much to reduce overall business risk.
Introducing Davis Security Advisor: Automatically identify what matters most
In response to these challenges, Dynatrace is proud to introduce Davis Security Advisor to the Dynatrace Application Security module. Davis Security Advisor enables DevSecOps teams to identify the vulnerable libraries that pose the most risk.
Out of the box, Davis Security Advisor pinpoints the open-source components that present the greatest threat. Davis Security Advisor also provides DevSecOps teams with concrete recommendations as to where and how to begin remediation efforts. For each library, Davis Security Advisor exposes the number and severity of detected vulnerabilities and explains how to remediate them. This vulnerability assessment happens in real time with no manual effort.
Davis Security Advisor leverages unique insights for automatic risk assessment and the prioritization of vulnerabilities:
- The number and severity of vulnerabilities caused by each vulnerable library
Davis Security Advisor considers how vulnerable libraries are actually used in production environments. It identifies and groups all vulnerabilities by root cause, which exposes the risk of each open-source component across all of its versions.
- Davis Security Score provides precise risk assessment of each vulnerability
The CVSS score is risk-averse by design. Dynatrace has extended this score with runtime insights. The result is the Davis Security Score, which precisely assesses the severity of each individual vulnerability. The Davis Security Score enriches the CVSS score with:
- Threat context – Is there a known public exploit for the vulnerability?
- Asset exposure – Is the vulnerability exposed to the public internet?
- Potential business impact – Is sensitive data affected by the vulnerability?
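As an added example (not Dynatrace code, and not the undisclosed Davis Security Score formula), the following Python sketch shows the shape of the prioritization described above: findings are grouped by library across versions, each finding's CVSS base score is adjusted with runtime context (is the library loaded at all, is there a public exploit, is it internet-exposed, does it touch sensitive data), and libraries are ranked by their worst enriched score. Library names, vulnerability identifiers and the weights are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    library: str                  # constructed sample names, not real projects
    version: str
    vuln_id: str                  # placeholder ids, not real CVE numbers
    cvss_base: float              # CVSS base score, 0.0 - 10.0
    loaded_at_runtime: bool       # is the library loaded by a running process?
    public_exploit: bool          # threat context
    internet_exposed: bool        # asset exposure
    touches_sensitive_data: bool  # potential business impact

def enriched_score(f: Finding) -> float:
    """Assumed enrichment (not the Davis Security Score formula): adjust the CVSS
    base with runtime context; a library that is never loaded is discounted."""
    if not f.loaded_at_runtime:
        return round(f.cvss_base * 0.2, 1)
    score = f.cvss_base
    score += 1.5 if f.public_exploit else 0.0
    score += 1.0 if f.internet_exposed else 0.0
    score += 1.0 if f.touches_sensitive_data else 0.0
    return round(min(score, 10.0), 1)

def rank_libraries(findings):
    """Group findings by library across versions; rank by worst score, then count."""
    groups = defaultdict(list)
    for f in findings:
        groups[f.library].append(f)
    ranked = [{"library": lib,
               "max_score": max(enriched_score(f) for f in fs),
               "count": len(fs),
               "versions": sorted({f.version for f in fs})}
              for lib, fs in groups.items()]
    ranked.sort(key=lambda r: (-r["max_score"], -r["count"], r["library"]))
    return ranked

def cvss_only_top(findings) -> str:
    """The library a plain CVSS-base ranking would put first, for contrast."""
    return max(findings, key=lambda f: f.cvss_base).library

# Constructed sample findings: four library versions seen in one environment
SAMPLE_FINDINGS = [
    Finding("web-framework-x", "1.2", "VULN-0001", 7.5, True, True, True, True),
    Finding("web-framework-x", "1.3", "VULN-0002", 5.0, True, False, True, False),
    Finding("xml-parser-y", "2.0", "VULN-0003", 9.8, False, False, False, False),
    Finding("crypto-util-z", "0.9", "VULN-0004", 6.5, True, False, False, True),
]
```

On the sample data a CVSS-only view would put the never-loaded xml-parser-y first, while the enriched ranking moves the exploited, internet-facing web-framework-x to the top and pushes the unused parser to the bottom.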
Davis Security Advisor further extends automatic vulnerability management
Dynatrace Application Security was built for cloud-native and hybrid environments, and optimized for Kubernetes. With Davis Security Advisor, Dynatrace Application Security further extends its value with automation and AI at its core:
- Dynatrace automatically detects all vulnerabilities in production and pre-production environments. This is powered by full runtime visibility without the need for configuration or pipeline checks.
- Davis, the Dynatrace AI engine, automatically assesses the risk and potential impact of each vulnerability. It minimizes false positives by continuously monitoring to see if vulnerable libraries are called and used at runtime.
- Davis Security Advisor automatically provides detailed recommendations about which vulnerable components pose the greatest risk to your enterprise.
- The Dynatrace Software Intelligence Platform simplifies DevSecOps collaboration by providing a single source of truth. It combines vulnerability information, observability data, topology information, code level data, and more. Dynatrace makes it easy to identify affected processes, container images, and even the teams who are responsible for remediation.
- Dynatrace provides automatic visibility into the evolution of vulnerabilities in real time. It automatically opens a security problem whenever a vulnerability is detected and closes the problem once the issue is resolved.
Davis Security Advisor will be available by mid-July 2021.
- If you’re already a Dynatrace customer and want to start using our new Application Security module, just select Security from the navigation menu in the Dynatrace web UI.
- If you’re not using Dynatrace yet, it’s easy to get started in under 5 minutes with the Dynatrace free trial.
For more information, visit our website to watch the demo or read our previous Application Security blog posts. To learn more, see Application Security in Dynatrace Documentation.