In our increasingly digital world, the speed of innovation is key to business success. Cloud-native technologies, including Kubernetes and OpenShift, help organizations accelerate innovation, and open source has become a fundamental building block of the entire cloud-native stack. But while cloud-native platforms and open-source and third-party libraries significantly accelerate time to value, they also create new challenges for application security.
Why cloud-native applications, Kubernetes, and open source require a radically different approach to application security
Open source and Kubernetes introduce a new level of speed and complexity. Organizations are rushing towards cloud-native application stacks for agility, and teams are embracing new technologies and continuously deploying code. As a result, existing application security approaches can’t keep up with the speed and variability of modern development processes.
In addition, cloud-native environments with containers, microservices, and platforms like Kubernetes are highly dynamic. It’s beyond human ability to keep track of all services and their interdependencies. The result is web-service integrations perforating firewalls, network content not being captured by intrusion detection, and vulnerability scanners missing what’s actually running in production.
Cloud-native applications are, therefore, breaking old security models that focus on protecting the perimeter. Current security tools were purpose-built for waterfall-based development, and so they bottleneck DevOps. They’re time-consuming, not developer-friendly, and riddled with false positives, leaving you with a choice of slow and safe or fast and dangerous.
As a result, a constantly increasing number of vulnerabilities introduced by open-source and third-party libraries can easily go undetected without reliable tooling. According to Gartner, 80% of vulnerabilities are introduced via transitive dependencies. Affected applications might be deployed to multiple public cloud platforms, with thousands of microservices running on thousands of containers. Research by the Enterprise Strategy Group in 2020 shows that 60% of production applications reported breached in the past 12 months involved a known and unpatched vulnerability.
Traditional approaches break, and even today’s container security scanners fail to provide comprehensive answers to new challenges
DevSecOps must wrap their heads around new challenges in the new cloud-native world, specifically regarding the containers, microservices, and Kubernetes platforms these environments are built on:
- How can I be confident everything running in production is secure in dynamic environments that change in seconds? Can pure pre-production scanning be good enough?
- Do I have full runtime visibility? Can I be certain nothing bypasses my pipeline checks? What about issues identified after deployment or legacy versions?
- How do I integrate scan tools within the build pipeline, across multiple teams, without creating massive work for the initial implementation and maintenance of the scan setup?
- With potentially hundreds or thousands of vulnerabilities in big application ecosystems, how can I keep my team from wasting time chasing false positives and ensure that I am prioritizing effectively?
- With DevSecOps processes having shifted security testing “left”, will the teams have enough time to manually analyze, assess, and manage risks based on sampled or scheduled scan results?
But what if you could see what’s running in production in real-time, continuously analyzing all services for vulnerabilities, and prioritizing those based on what code is called?
Dynatrace Application Security enables fast and secure app delivery
To address these challenges, Dynatrace is happy to announce it has entered the Application Security market. The new Dynatrace Application Security module was built for hybrid cloud and enterprise environments and optimized for Kubernetes. It inherits the automation, AI, scalability, and enterprise-grade robustness of the Dynatrace platform. From the start, the new module extends our Software Intelligence Platform to modern cloud Runtime Application Self-Protection (RASP) use cases, and it will extend to further use cases over time.
From the moment it’s enabled in your monitoring environments, Dynatrace Application Security enables you to automatically detect, assess, and remediate open-source and third-party vulnerabilities. With its new approach, the Dynatrace Software Intelligence Platform enables DevSecOps to deliver and run digital services with speed and confidence.
Automatic and continuous protection powered by AI introduces a new era in RASP security
So how does the Dynatrace Application Security module put you in a unique position to tackle the security challenges of cloud-native, hybrid cloud and enterprise environments?
Dynatrace already provides automatic and intelligent observability into the world’s largest environments. With the new RASP capabilities of the Dynatrace OneAgent, the same trusted approach extends the Dynatrace platform to application security: automatic, intelligent, highly scalable. Dynatrace combines RASP and observability for automatic and continuous analysis of applications, libraries, and code at runtime, in production and pre-production, to detect, assess, and manage vulnerabilities.
Dynatrace provides the C-suite with confidence about the security of their cloud-native ecosystem. Development teams can accelerate DevSecOps processes through automation and the elimination of mundane work.
This automation is powered by Dynatrace’s AI engine, Davis®. Davis continuously watches entire production and pre-production environments to identify any changes and provide precise answers about the source, nature, and severity of vulnerabilities as they arise, in real time. Davis automatically analyzes and prioritizes alerts and eliminates false positives, helping teams focus on what matters and understand risks in context.
- Gain 100% runtime visibility: Dynatrace enables full visibility into everything running from pre-production to production, independent of pipeline checks.
- Automate precise risk and impact assessment. Vulnerabilities are prioritized by real exposure: is a library actually used in production, is the vulnerability exposed to the public internet, is sensitive data affected?
- One single platform drives efficient DevSecOps collaboration and automated vulnerability management.
- Discover a fully automatic approach to vulnerability detection with no configuration required.
Let’s dig a bit deeper into those topics to show you how Dynatrace Application Security makes your life easier—and your apps safer.
100% visibility into production and pre-production enables automatic detection of vulnerabilities at runtime
In traditional approaches, developers run their security scans in pre-production only, getting sampled or scheduled scan results. Those vulnerability scanners provide a static view at a single point in time.
More modern tools can provide runtime insights into certain platforms, like Kubernetes or containers, but they are still limited in their ability to distinguish libraries that are actually used from those that are present but unused. They also can’t provide deep insights unless you have source code access.
But to release confidently in modern dynamic environments, it’s key to have full visibility into everything running, from pre-production to production. Dynatrace and its patented OneAgent and PurePath technologies already provide those insights down to individual transactions with code-level detail at almost no overhead. The new application security module builds on these platform strengths to include:
- Automatic and continuous vulnerability detection with 100% runtime visibility
Vulnerabilities are detected in real-time at runtime. Even if security checks are not integrated into the pipelines across all teams, or if the checks are bypassed deliberately, Dynatrace will detect what’s running and pinpoint vulnerabilities instantly.
- Deep insights into production execution, including open source components as well as closed-source software and containers
Dynatrace PurePath provides full insight into your applications, not only for your own code and open-source libraries but also for transactions that involve third-party applications where you have no source code access. PurePath can identify (open source) libraries included in, for example, third party containers, and assess if those libraries are executed. Dynatrace is the only solution which automatically covers the entire dependency tree of open-source or third-party libraries.
- Full coverage across production rollbacks and outdated releases, feature flags, canary and blue/green deployments
Unlike traditional approaches, Dynatrace uniquely enables you to stay on top of vulnerabilities that are accidentally reintroduced in rollbacks, or that, while known and even fixed, still pose a threat because your customers didn’t apply certain updates and are using outdated components. You will know exactly which libraries are currently in use across your entire production environment and which vulnerabilities are still out there.
With Dynatrace monitoring all your environments from pre-production to production, full visibility into hybrid enterprise cloud, Kubernetes, and every container and workload comes with zero configuration. Dynatrace Application Security uses the runtime introspection approach in combination with the Snyk vulnerability database for automatic vulnerability detection at runtime.
Automatic and precise risk and impact assessment avoids false positives and helps you focus on what matters most
Identifying vulnerabilities is only the first step. Setting the right priorities requires understanding the gravity of a vulnerability, but relying exclusively on the Common Vulnerability Scoring System (CVSS) rating will keep your team busy chasing false positives and make it hard to prioritize effectively. In production, only a subset of the libraries that are present is ever loaded; a test library, for example, is never deployed to production. To assess whether a vulnerability poses a real problem, and to prioritize accordingly, you need to know whether the library in question is actually loaded and actively used.
Other approaches fail to provide this context and bury DevSecOps teams in false positives without answers to questions like:
- Is this vulnerability a real problem?
- How does it impact my environment?
- Does it impact production or development?
Without this context, teams either fix things that don’t actually expose risk or are forced to maintain manual exception lists to rule out thousands of lines of code from conventional vulnerability scans.
Dynatrace knows critical details about the application in addition to the CVSS of a vulnerability: its real-user sessions, whether it’s connected to a database, whether it’s reachable from the public internet, whether it has heavy or low traffic, and which other services it’s talking to.
This real-time awareness enables Dynatrace Application Security to rate the severity of vulnerabilities fully automatically and much more precisely. Combining the gravity of the vulnerability with exposure information answers the crucial context questions: is a vulnerable library loaded, is it used, and how relevant is it in the context of the environment?
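To make the loaded-versus-present distinction and the exposure weighting described above concrete, here is an added example in Python. It is not Dynatrace code and does not reproduce the Davis scoring model; the library names, versions, the advisory identifiers "ADV-000x", the two service contexts, and the multipliers (1.5 for internet exposure, 1.3 for database or sensitive data, 0.8 for low traffic, 0.5 for loaded but not called) are all assumptions constructed for the demonstration.

```python
"""Runtime-context vulnerability prioritisation (illustrative).
Added example for this post; it is not Dynatrace code and does not
reproduce the Davis scoring model. Library names, versions, advisory
identifiers, service context and weighting factors are all constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # constructed identifier, not a real CVE or Snyk ID
    library: str
    fixed_in: str      # first version that is no longer vulnerable
    cvss: float        # published CVSS base score


@dataclass
class ServiceContext:
    # What a runtime agent could observe about one service.
    name: str
    present: dict      # library -> version found on the classpath or image
    loaded: set        # libraries the runtime actually loaded
    used: set          # loaded libraries whose code ran on a request path
    public_internet: bool
    database: bool
    sensitive_data: bool
    high_traffic: bool


# Constructed advisory feed standing in for a vulnerability database.
ADVISORIES = [
    Advisory("ADV-0001", "xml-parser", "2.1.0", 9.8),
    Advisory("ADV-0002", "json-utils", "1.3.0", 7.5),
    Advisory("ADV-0003", "test-harness", "5.0.0", 9.1),
    Advisory("ADV-0004", "http-client", "3.4.0", 5.3),
]


def parse_version(version):
    """'1.10.0' -> (1, 10, 0); tuples compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def is_vulnerable(version, advisory):
    return parse_version(version) < parse_version(advisory.fixed_in)


def assess(ctx, advisories=ADVISORIES):
    """Match advisories against what is present, then weight by runtime context.

    Returns findings sorted by contextual risk, highest first. A vulnerable
    library the runtime never loaded is kept with risk 0 and a telling status
    rather than dropped, so the inventory stays complete.
    """
    findings = []
    for adv in advisories:
        version = ctx.present.get(adv.library)
        if version is None or not is_vulnerable(version, adv):
            continue
        if adv.library not in ctx.loaded:
            status, risk = "present-not-loaded", 0.0
        else:
            status = "loaded-and-used" if adv.library in ctx.used else "loaded-not-used"
            risk = adv.cvss if status == "loaded-and-used" else adv.cvss * 0.5
            # Exposure multipliers: assumed values for this demo, not a standard.
            if ctx.public_internet:
                risk *= 1.5
            if ctx.database or ctx.sensitive_data:
                risk *= 1.3
            if not ctx.high_traffic:
                risk *= 0.8
            risk = min(10.0, round(risk, 1))
        findings.append({"service": ctx.name, "advisory": adv.advisory_id,
                         "library": f"{adv.library}@{version}", "cvss": adv.cvss,
                         "status": status, "risk": risk})
    findings.sort(key=lambda f: f["risk"], reverse=True)  # stable: ties keep feed order
    return findings


def example_contexts():
    """Two constructed services that both ship the vulnerable json-utils 1.2.0."""
    edge = ServiceContext(
        name="checkout-api",
        present={"xml-parser": "2.0.1", "json-utils": "1.2.0",
                 "test-harness": "4.1.0", "http-client": "3.3.0"},
        loaded={"json-utils", "http-client"}, used={"json-utils"},
        public_internet=True, database=True, sensitive_data=True, high_traffic=True)
    batch = ServiceContext(
        name="nightly-report", present={"json-utils": "1.2.0"},
        loaded={"json-utils"}, used={"json-utils"},
        public_internet=False, database=False, sensitive_data=False, high_traffic=False)
    return edge, batch


if __name__ == "__main__":
    for ctx in example_contexts():
        for f in assess(ctx):
            print(f"{f['service']:15} {f['advisory']} {f['library']:20} "
                  f"cvss={f['cvss']:<4} {f['status']:18} risk={f['risk']}")
```

The point of the example is the ordering, not the numbers: the same json-utils advisory with a CVSS of 7.5 comes out at the maximum on the internet-facing, database-backed checkout service and at 6.0 on the low-traffic internal batch job, while the xml-parser advisory with a CVSS of 9.8 sits at the bottom because the library is present in the image but never loaded. Note that a string comparison of versions would wrongly treat "1.10.0" as older than "1.3.0", which is why the versions are parsed into tuples first.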
For DevSecOps teams this means that from hundreds or thousands of open vulnerabilities, Dynatrace Application Security pinpoints those which really need immediate investigation. It automatically analyzes data-access-paths and production execution to provide an automatic and precise risk and impact assessment:
- Automatically keeps up with real-time changes with no configuration required
Dynatrace automatically and continuously detects changes in application environments, such as container dynamics, elastic scaling, multi-version deployments, runtime container updates, rollbacks, A/B tests, or blue/green deployments.
- Dramatically reduces false positives and pinpoints biggest risks with automatic and precise risk and impact assessment
Dynatrace continuously analyzes attack-vectors to automatically track if vulnerable libraries are called and used at runtime. It identifies the biggest security problems and avoids your team chasing false positives by combining two unique technologies: PurePath distributed tracing and Smartscape, the automatically generated real-time topology map of all components of your containerized microservice architecture, including their interdependencies.
- Automatic “crown jewel” protection and comprehensive CISO reporting
With its automatic service flow analysis from publicly available data, Dynatrace helps you automate the protection of your mission-critical information assets, or “crown-jewels,” and helps you understand the potential business impact of a vulnerability in context, including comprehensive risk reporting for your Chief Information Security Officer (CISO).
DevSecOps collaboration and automation simplify vulnerability management and accelerate the secure delivery of digital services
Once vulnerabilities are detected and prioritized, the next challenge is to remediate issues effectively. Security teams often use a wide range of vulnerability scanners without any integration into a workflow management platform. For example: when the security team finds a new vulnerability, they still need to translate the findings into actionable items, generate a ticket, find the responsible developer, and manually check if the vulnerability is fixed in the next build.
Also, the lack of continuity between build scans requires teams to manually create, track, and verify the evolution of a vulnerability from when it was detected to if and when the problem was resolved. For a fast and secure approach, teams must have automatic, real-time visibility into how a security problem evolves, using a closed feedback loop.
Without an automated check of the security evolution and verification that the vulnerability has been fixed, teams might end up viewing 100+ pages of PDF reports and tracking the remediation status in endless spreadsheets.
- Automatic vulnerability management from detection to closure
Dynatrace provides automatic runtime detection and risk assessment, as well as real-time visibility into the evolution of vulnerabilities, automatically opening a security problem when a vulnerability is detected and closing it once it is resolved.
- Effective collaboration across teams enables fast resolution
Dynatrace provides the only automatic and intelligent observability platform for business, development, and operations, and now also security teams. It enables teams to collaborate more effectively using a single source of truth that offers different perspectives for the various teams, including real-time vulnerability impact data and forensic analytics down to code level for developers and security specialists.
- Continuous visibility throughout the DevSecOps lifecycle
Built for continuous delivery and automated cloud with an “API first” mindset, Dynatrace simplifies “shifting left,” so teams can detect issues earlier and drive automation from development to production.
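As an added illustration of the open-and-close behaviour described in the list above, and of the rollback case raised earlier in the post, the tracker below consumes a sequence of runtime snapshots and opens, keeps, closes, and reopens a security problem accordingly. This is example code written for this post, not Dynatrace’s implementation; the advisory identifier "ADV-0002", the pod names, the versions, and the five-step timeline are constructed for the demonstration.

```python
"""Security-problem lifecycle driven by runtime snapshots (illustrative).
Added example for this post, not Dynatrace code. The advisory ID, library
name, versions and the snapshot timeline are constructed. Each snapshot is
what a runtime agent would report as loaded, instance by instance.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Problem:
    advisory_id: str
    library: str
    opened_at: int
    closed_at: Optional[int] = None
    reopen_count: int = 0


def parse_version(version):
    return tuple(int(part) for part in version.split("."))


class ProblemTracker:
    """Opens a problem when any running instance loads a vulnerable version,
    keeps it open until every instance is clean, and reopens it on rollback."""

    def __init__(self, advisories):
        # advisories: iterable of (advisory_id, library, fixed_in)
        self.advisories = list(advisories)
        self.problems = {}  # advisory_id -> Problem

    def affected(self, snapshot):
        """Advisory IDs for which at least one instance loads a vulnerable version."""
        hits = set()
        for adv_id, library, fixed_in in self.advisories:
            for _instance, lib, version in snapshot:
                if lib == library and parse_version(version) < parse_version(fixed_in):
                    hits.add(adv_id)
                    break
        return hits

    def ingest(self, t, snapshot):
        """snapshot: list of (instance, library, version) loaded at time t."""
        hits = self.affected(snapshot)
        for adv_id in hits:
            problem = self.problems.get(adv_id)
            if problem is None:
                library = next(lib for a, lib, _ in self.advisories if a == adv_id)
                self.problems[adv_id] = Problem(adv_id, library, opened_at=t)
            elif problem.closed_at is not None:  # fixed earlier, now back: rollback
                problem.closed_at = None
                problem.reopen_count += 1
        for adv_id, problem in self.problems.items():
            if adv_id not in hits and problem.closed_at is None:
                problem.closed_at = t  # no instance loads it any more
        return self.open_problems()

    def open_problems(self):
        return sorted(p.advisory_id for p in self.problems.values() if p.closed_at is None)


def run_scenario():
    """Constructed timeline: fleet vulnerable -> canary fix -> full fix -> rollback -> fix."""
    tracker = ProblemTracker([("ADV-0002", "json-utils", "1.3.0")])
    timeline = [
        (0, [("pod-a", "json-utils", "1.2.0"), ("pod-b", "json-utils", "1.2.0")]),
        (1, [("pod-a", "json-utils", "1.3.0"), ("pod-b", "json-utils", "1.2.0")]),  # canary
        (2, [("pod-a", "json-utils", "1.3.0"), ("pod-b", "json-utils", "1.3.0")]),  # fixed
        (3, [("pod-a", "json-utils", "1.2.0"), ("pod-b", "json-utils", "1.3.0")]),  # rollback
        (4, [("pod-a", "json-utils", "1.3.0"), ("pod-b", "json-utils", "1.3.0")]),
    ]
    history = [(t, tracker.ingest(t, snap)) for t, snap in timeline]
    return tracker, history


if __name__ == "__main__":
    tracker, history = run_scenario()
    for t, open_ids in history:
        print(f"t={t}: open problems {open_ids}")
    for problem in tracker.problems.values():
        print(problem)
```

Two design points matter here. The problem is keyed by advisory, not by instance, so a canary that already runs the fixed version does not close it while the old version is still loaded elsewhere; and a closed problem is reopened rather than duplicated when the vulnerable version reappears, which keeps the history of the rollback attached to the original finding.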
How to get started with Application Security Monitoring
Unlocking all the features described in this blog post will help you to develop, deploy and run your apps quickly and securely. You’ll get full production visibility, precise risk assessment, and automated vulnerability management without additional effort.
Following a Preview program, Dynatrace Application Security has already been deployed within numerous Dynatrace customer production environments. The current release of Dynatrace Application Security detects, assesses, and manages Java vulnerabilities. However this is just the beginning as we have many other enhancements in the works.
If you’re already a Dynatrace customer and you want to enable Application Security, please contact a Dynatrace product specialist via in-product chat or speak to your account executive. Our DevOps team will evaluate your environment and then turn on Application Security, regardless of whether you have a Full-Stack or an Infrastructure Monitoring deployment.
If you’re not using Dynatrace yet, it’s easy to get started with the Dynatrace free trial.
Dynatrace Application Security is licensed based on the consumption of Application Security units, in a model that’s similar to the consumption of host units for application and infrastructure monitoring.
Stay tuned – this is only the start
This is only the first step on our mission to provide higher confidence to CTOs, CISOs, Chief Digital Officers that applications and digital services are protected. In future releases, we will focus on:
- Support for additional languages beyond Java. Next up: Node.js.
- Out-of-the-box support for Kubernetes platform vulnerabilities.