• Home
  • How to use Dynatrace
  • Application Security
  • Manage third-party vulnerabilities

Manage third-party vulnerabilities

After enabling and configuring the Application Security and OneAgent features, you can start monitoring vulnerabilities of your third-party libraries in Dynatrace. Application Security evaluates libraries in use and detects any security problems in these libraries.

  • A spinning radar screen in the upper-right corner of the Security overview and Third-party vulnerabilities pages indicates that your environment is being monitored. If the radar stops, you are warned that Monitoring stopped. Please check settings. Follow the associated link to enable Vulnerability Analytics.
  • The security problems indicator on the Dynatrace top bar displays the number of critical or high-security problems in your environment. Select it to navigate to the Third-party vulnerabilities page.

Application Security overview

For an overview of current security issues in your global environment, in the Dynatrace menu, go to Security overview. The Application Security overview page displays the following information:

  • An infographic of the key features:

    • The number of currently open security problems in your global environment (the total number of open problems, the number of open but muted problems, and, in the foreground, a count of the most severe open problems).

      Note: To display a table of open third-party vulnerabilities of a specific risk level, select the corresponding severity symbol.

    • The host coverage (the percentage of hosts covered by Vulnerability Analytics during the last hour). For instructions on how you can increase host coverage, see Increase host coverage.

  • Risk level: The maximum number of security problems in your global environment that were open each day over the last 30 days, split by risk level. To refine the chart by risk level, select chart legend entries.

  • Vulnerabilities: The third-party vulnerabilities in your global environment over the last 30 days. You can see when a vulnerability was opened, reopened, resolved, or muted. To refine the chart by risk level, select chart legend entries.

  • Affected process groups: The top five affected process groups, their technology, and the number of security problems affecting those process groups.

Limitations

For security reasons, access to this page is restricted to users who are part of the Security admin group for the whole environment, not just for a selected set of management zones.

List third-party vulnerabilities

To see a list of all detected third-party vulnerabilities in your environment, select Third-party Vulnerabilities from the Dynatrace menu. The following information is displayed:

  • A general overview of the key features, with an option to select and filter vulnerabilities by the respective features:

    Note: The numeric values displayed in the overview are management-zone aware.

    • The open vulnerabilities (including the muted ones)

    • The critical and high vulnerabilities

    • The monitored technologies out of the total number of supported technologies

      Note: Select Monitored technologies to navigate to the Vulnerability Analytics: General settings page and change your configuration.

  • N vulnerabilities detected is a list of detected vulnerabilities.

    Note: To sort the list by any item, select the corresponding column heading. To add or remove column headings, select Format table.

    • Vulnerability:

      • Vulnerability name:

        • The Dynatrace vulnerability ID (example: S-3999) +

        • Depending on the vulnerability feed:

          • For SNYK vulnerabilities, the SNYK name (example: Arbitrary File Upload)
          • For NVD vulnerabilities, the CVE ID (example: CVE-2020-2805), or the CWE name, if available (example: Deserialization of Untrusted Data)

        Note: Select the vulnerability name to go to the vulnerability details page.

      • Vulnerable component:

        • For SNYK vulnerabilities, the package name (example: org.apache.tomcat:tomcat-util)
        • For NVD vulnerabilities, the runtime technology (examples: Java runtime, Node.js runtime)

    • Davis Security Score:

      • The risk level (Critical, High, Medium, Low, None) of the vulnerability, based on the Common Vulnerability Scoring System (CVSS) score of the security problem and AI-enhanced to take public internet exposure and reachable data assets into consideration.

        Note: If a vulnerability has been resolved, the symbol color is green.

      • The overall risk assessment (the final score).

      • The symbols for:

        • Public exposure: The vulnerability affects a process that is exposed to the internet, based on the Dynatrace entity model (Smartscape).

          Note: If the symbol is grayed out and crossed out, there's no public exposure. If the symbol isn't present, there's no data available.

        • Reachable data assets: The vulnerability affects a process that has database access, based on the Dynatrace entity model.

          Note: If the symbol is grayed out and crossed out, there's no reachable data affected. If the symbol isn't present, there's no data available.

        • Vulnerable function: There are vulnerable functions in use by a process.

          Note: If the symbol is grayed out and crossed out, there's no vulnerable function in use. If the symbol isn't present, there's no data available.

        • Public exploit: There's a known malicious code that exploits this vulnerability.

          Note: If the symbol is grayed out and crossed out, there's no public exploit. If the symbol isn't present, there's no data available.

    • Status:

      • Open: The vulnerability is active.

      • Resolved: The vulnerability has been closed automatically because the root cause (for example, loading a vulnerable library) is no longer present. A vulnerability is marked as resolved when no process group has been reporting any vulnerable software component for more than two hours.

      • Muted - Open: The vulnerability is active but has been silenced by request.

      • Muted - Resolved: The silenced active vulnerability has been closed automatically because the root cause (for example, loading a vulnerable library) is no longer present.

        Note: A muted security problem that has been closed automatically doesn't change its status to Resolved, but to Muted - Resolved.

    • Technology: The technology of the process affected by the security problem.

    • Affected entities: The entities (applications, services, hosts, databases, Kubernetes workloads, or Kubernetes clusters) that are affected by the identified third-party vulnerability.

      Note: The affected entities are globally calculated. Management zone filtering doesn't apply.

    • First detected: When the vulnerability appeared.

    • Last update: When the most recent update (for example, a new risk assessment or a new software component with the same vulnerability) was detected.

    • You can expand vulnerability rows for more information, or to perform the following actions:

      • Select Change status to mute or unmute a vulnerability.
      • Select View process group overview to navigate to the overview page of the process groups related to a vulnerability.
      • Select View vulnerability details to navigate to the details page of a vulnerability.

Display vulnerability details

To see details about a third-party vulnerability, select a link in the Vulnerability column of the Third-party vulnerabilities page.

Review a summary of the key features

The third-party vulnerability details page starts with an infographic of the key features of the selected vulnerability:

  • Risk level: Davis Security Score risk level (Critical, High, Medium, Low, None)
  • Public internet exposure: If there's any public internet exposure, or if data isn't available
  • Reachable data assets: If there are any reachable data assets affected, or if data isn't available
  • Vulnerable functions: If there are any vulnerable functions in use, or if data isn't available
  • Exploit: If there's any public exploit available, or if data isn't available
  • Process groups: How many process groups are affected
  • Vulnerable component: The name of the vulnerable component

Note: Select any of these features to jump to the corresponding section on the page.

If you want to mute the vulnerability, select the Mute button on the top-right of the page.

View detailed information

Following the summary is detailed information about the selected vulnerability:

  • Security problem overview:

    • Vulnerability details: A description of the vulnerability, the associated technology, and links to further information.

    • Vulnerable functions: The exact class and function of the security problem, function usage, and the number of affected process groups. The function usage refers to the usage status of the security problem:

      • In use: Any of the related processes uses at least one vulnerable function.
      • Not in use: No related process uses any vulnerable function. In this case, no information about the vulnerable function is provided.
      • Not available: No information is available in the vulnerability database about vulnerable functions for a given vulnerability. In this case, no information about the vulnerable function is provided.

    To display the remediation tracking page for a vulnerable function in use, select the number of affected process groups in the PGs column.

    Note: The information is based on management zones, not on the timeframe.

    • Davis Security Score: A detailed view of how the Davis Security Score for the opened security problem is calculated: starting from the CVSS from SNYK, Davis checks whether there is public internet exposure or reachable data affected and, if so, to what extent. The score is then adjusted as applicable based on the Davis AI calculations.

  • N reachable data assets: The last five database services accessed by affected processes containing the identified vulnerability, based on the last two hours. Select View all to navigate to Databases. For information on how to monitor your database performance, see Databases.

  • Problem evolution: The last five vulnerability status changes (for example, when the vulnerability is first resolved and then reopened) over the last 30 days, and details about the changes.

  • N related entities: The number of entities (applications, services, hosts, databases, Kubernetes workloads, or Kubernetes clusters) that are related to the identified vulnerability, based on the last two hours, with links to the details page of the related entities.

    Note: The Kubernetes workloads and Kubernetes clusters sections are displayed only if Kubernetes workloads or clusters are detected.

  • N vulnerable components: The libraries that are affected by the identified vulnerability, based on the last two hours.

  • N related container image: The top five related container images, based on the last two hours, sorted by the number of affected processes.

    Note: This information is displayed only if containers are detected.

  • Process group overview: Details about process groups (and processes) that are affected by the identified vulnerability, based on the last two hours, with links to the overview page of the process groups related to the vulnerability, filtered by the respective details. Select View process group overview to navigate to the unfiltered overview page of the related process groups.

    • Process groups in total:/Processes total: The total number of process groups/processes affected by a vulnerability.

    • Vulnerable process groups:/Vulnerable processes: The vulnerable process groups/processes. There are two types of vulnerable processes:

      • Affected processes: The specific processes containing the third-party vulnerability, but which aren't exposed to the public internet.
      • Affected and exposed processes: The specific processes containing the third-party vulnerability and which are exposed to the public internet.

    • Resolved process groups:/Muted process groups: Process groups with resolved or muted status.

    • Most affected process groups: Top five most affected process groups (that have the largest number of affected processes), the number of affected processes out of the total number of processes in a process group, the status of the process group (Vulnerable, Resolved, or Muted), and whether there's any public exposure or any reachable data assets are present.

      Note: Process groups with the same number of affected processes are sorted by status (Vulnerable, then Resolved, and then Muted).

Access shortcut to main topics

The vulnerability details page is organized by the following topics:

  • Problem context

  • Related entities

  • Events

  • Vulnerable components

    You can jump to any of these topics by expanding the button next to Settings on the upper-left side of the vulnerability details page and selecting one of them.

Davis Security Advisor calculations

The Davis Security Advisor is displayed above the vulnerability list on the Third-party vulnerabilities page. It recommends the fixes that would most improve the overall security of your environment. Each recommendation contains the library that needs to be updated, the library technology logo, the number of the most severe vulnerabilities that will be fixed after updating the library, and the total number of vulnerabilities that will be fixed.

Basis for calculation

To calculate recommended fixes, Davis Security Advisor takes into consideration all third-party vulnerabilities that are currently open and not muted; resolved or muted vulnerabilities aren't taken into account. Fixes are tailored to your environment and ranked based on how much they improve the overall security of your environment.

Grouping

Because every third-party vulnerability is triggered by a vulnerable library, those libraries are used for grouping. When calculating the advice, Davis Security Advisor ignores the specific version of the library. All shown libraries contain known vulnerabilities and should be updated to the latest version.

Advice ranking

Advice is ranked based on the severity of the third-party vulnerabilities. Advice regarding a critical vulnerability, for example, is ranked higher than advice for a high severity vulnerability. The severity of a vulnerability is calculated based on Davis Security Score, so you can focus on fixing vulnerabilities that are relevant in your environment, instead of on those that have only a theoretical impact.

Filtering

To filter by recommended fixes, see Filter third-party vulnerabilities by recommended fixes with Davis Security Advisor.