Application Security

Dynatrace Application Security enables you to detect, visualize, analyze, monitor, and remediate open-source and third-party vulnerabilities in production and pre-production environments at runtime.

Capabilities

Automatic and continuous protection powered by Davis, the Dynatrace AI causation engine. Davis continuously watches production and pre-production environments to identify any changes in application environments (such as container dynamics, elastic scaling, multi-version deployments, runtime container updates, rollbacks, A/B tests, or blue/green deployments) and provide precise answers about the source, nature, and severity of vulnerabilities as they arise in real time. Davis automatically analyzes and prioritizes alerts.
Continuous analysis of attack vectors to automatically track if vulnerable libraries are called and used at runtime. Dynatrace Application Security is designed to allow you to identify the most relevant vulnerabilities and reduce false positives with Smartscape real-time topology mapping and distributed tracing with PurePath® code-level analysis.
Runtime introspection approach in combination with Snyk and NVD, for automatic vulnerability detection at runtime. Even if security checks aren't integrated into the pipelines across all teams, or if they're deliberately bypassed, Dynatrace can detect what’s running and pinpoint vulnerabilities instantly by automatically opening a vulnerability when one is detected, and close it when the root cause (for example, loading a vulnerable library) is no longer present.
Full coverage across production rollbacks and outdated releases, feature flags, and deployment patterns (canary, blue/green).
Efficient management of vulnerabilities where a fix hasn't been effective, such as if a vulnerability is accidentally reintroduced during a rollback, or if updates haven't been applied correctly.
Precise and automatic risk and impact assessment, with risks prioritized by data access path and actual production execution. From hundreds or thousands of open vulnerabilities, Dynatrace Application Security is designed to pinpoint those that need immediate investigation. It automatically analyzes data access paths and production execution to provide a more precise risk and impact assessment.

Activate

Enable

Configure

Explore

Evaluate

Integrate

Activate

Dynatrace Application Security is licensed based on the consumption of Application Security units. If you’re already a Dynatrace customer and you want to activate Application Security, contact a Dynatrace product specialist via in-product chat or speak to your account executive. Our DevOps team will evaluate your environment and then activate Application Security.

Enable

To start monitoring security issues in your environment, you need to enable the Application Security and OneAgent features. See Get started with Application Security for instructions.

Configure

You can create, reorder, modify, and delete custom monitoring rules for Dynatrace-monitored processes.

Explore

With Application Security, you can:

Get an overview of each vulnerability supported by detailed information that provides additional context, enabling you to dig deeper and examine exposed or affected processes, data storages, libraries, and entities.
Automatically and continuously identify changes, prioritize problems, and get precise answers about the source, nature, and severity of vulnerabilities.
Get insights based on Davis Security Score calculations and Davis Security Advisor recommendations for vulnerabilities.
Get metrics related to vulnerabilities and process groups.

Evaluate

To understand how Application Security identifies vulnerabilities and how it determines their priorities, see Security management.

Integrate

To pass security issues to your teams for alerting and remediation purposes, you need to integrate security notifications with Dynatrace.

Monitoring modes

Full-Stack Monitoring recommended provides complete application performance monitoring, code-level visibility, deep process monitoring, and Infrastructure Monitoring (including PaaS platforms).

On the other hand, Infrastructure Monitoring, where OneAgent is configured to provide physical and virtual infrastructure-centric monitoring,

Prevents Davis AI from adapting the Davis Security Score. In this case, the vulnerability risk can't be lowered, as this can only happen based on the topology information extracted from your environment, and the DSS will be the same as the CVSS base score.
Lacks environmental information, such as reachable data assets or public internet exposure, and limits information on related entities, such as databases and services. A full assessment can be performed only on vulnerabilities which have all related hosts under Full-Stack Monitoring.
- If related hosts are running in infrastructure-only mode, there's not enough data sent by OneAgents to examine whether there's exposure or sensitive data affected, therefore the values for public internet exposure and reachable data assets are set to Not available.
- If all related hosts are running in full-stack mode except one, which runs in infrastructure-only mode, and the vulnerability isn't exposed or affected (based on the hosts in full-stack mode), the values for public internet exposure and reachable data assets are set to Not available. However, if at least one related host is running in full-stack mode and the vulnerability is exposed or affected, the public internet exposure and reachable data assets features are displayed.

Limitations

Application Security isn't supported for Dynatrace Managed in offline mode.