• Home
  • How to use Dynatrace
  • Application Security
  • Manage third-party vulnerabilities

Manage third-party vulnerabilities

After enabling and configuring the Application Security and OneAgent features, you can start monitoring vulnerabilities of your third-party libraries in Dynatrace. Application Security evaluates libraries in use and detects any security problems in these libraries.

A spinning radar screen in the upper-right corner of the Security overview and Third-party vulnerabilities pages indicates that your environment is being monitored. If the radar stops, you are warned that Monitoring stopped. Please check settings. Follow the associated link to enable runtime vulnerability detection.

Application Security overview

For an overview of current security issues in your global environment, in the Dynatrace menu, go to Security overview. The Application Security overview page displays the following information:

  • An infographic of the key features:

    • The number of currently open security problems in your global environment (the total number of open problems, the number of open but muted problems, and, in the foreground, a count of the most severe open problems).

      Note: To display a table of open third-party vulnerabilities of a specific risk level, select the corresponding severity symbol.

    • The host coverage (the percentage of hosts covered by runtime vulnerability detection during the last hour). For instructions on how you can increase host coverage, see Increase host coverage.

  • Risk level: The maximum number of security problems in your global environment that were open each day over the last 30 days, split by risk level. To refine the chart by risk level, select chart legend entries.

  • Vulnerabilities: The third-party vulnerabilities in your global environment over the last 30 days. You can see when a vulnerability was opened, reopened, resolved, or muted. To refine the chart by risk level, select chart legend entries.

  • Affected process groups: The top five affected process groups, their technology, and the number of security problems affecting those process groups.

Limitations

For security reasons, access to this page is restricted to users who are part of the Security admin group for the whole environment, not just for a selected set of management zones.

List third-party vulnerabilities

To see a list of all detected third-party vulnerabilities in your environment, select Third-party Vulnerabilities from the Dynatrace menu. The following information is displayed:

  • Vulnerability:

    • The vulnerability name, with a link to the vulnerability details page.
    • The Dynatrace security problem number (S-<number>) followed by the name of the vulnerable component.

  • Davis Security Score:

    • Davis Security Score:

      • The risk level (Critical, High, Medium, Low, None) of the vulnerability, based on the Common Vulnerability Scoring System (CVSS) score of the security problem and AI-enhanced to take public internet exposure and sensitive data assets into consideration.

      • The symbol associated with the risk level.

        Note: If a vulnerability has been resolved, the symbol color is green.

      • The overall risk assessment (the final score).

      • The symbols for:

        • Public exposure: The vulnerability affects a process that is exposed to the internet, based on the Dynatrace entity model (Smartscape).

          Note: If the symbol is grayed out and crossed out, there's no public exposure. If the symbol isn't present, there's no data available.

        • Sensitive data: The vulnerability affects a process that has database access, based on the Dynatrace entity model.

          Note: If the symbol is grayed out and crossed out, there's no sensitive data affected. If the symbol isn't present, there's no data available.

        • Vulnerable function: There are vulnerable functions in use by a process group instance.

          Note: If the symbol is grayed out and crossed out, there's no vulnerable function in use. If the symbol isn't present, there's no data available.

        • Public exploit: There's a known malicious code that exploits this vulnerability.

          Note: If the symbol is grayed out and crossed out, there's no public exploit. If the symbol isn't present, there's no data available.

  • Status:

    • Open: The vulnerability is active.

    • Resolved: The vulnerability has been closed automatically because the root cause (for example, loading a vulnerable library) is no longer present. A vulnerability is marked as resolved when no process group has been reporting any vulnerable software component for more than two hours.

    • Muted - Open: The vulnerability is active but has been silenced by request.

    • Muted - Resolved: The silenced active vulnerability has been closed automatically because the root cause (for example, loading a vulnerable library) is no longer present.

      Note: A muted security problem that has been closed automatically doesn't change its status to Resolved, but to Muted - Resolved.

  • Technology: The technology of the process affected by the security problem.

  • Affected entities: The entities (applications, services, hosts, databases, Kubernetes workloads, or Kubernetes clusters) that are affected by the identified third-party vulnerability.

    Note: The affected entities are globally calculated. Management zone filtering doesn't apply.

  • First detected: When the vulnerability appeared.

  • Last change: When the most recent change (for example, a new risk assessment or a new software component with the same vulnerability) was detected.

Display vulnerability details

To see details about a third-party vulnerability, select a link in the Vulnerability column of the Third-party vulnerabilities page.

Review a summary of the key features

The third-party vulnerability details page starts with an infographic of the key features of the selected vulnerability:

  • Davis Security Score risk level (Critical, High, Medium, Low, None)
  • If there's any public internet exposure, or if data isn't available
  • If there are any sensitive data assets affected, or if data isn't available
  • If there are any vulnerable functions in use, or if data isn't available
  • If there's any public exploit available, or if data isn't available
  • How many process groups are affected
  • The vulnerable component

Note: If you want to mute the vulnerability, select the Mute button on the top-right of the page.

View detailed information

Following the summary is detailed information about the selected vulnerability:

  • Exposed processes: The specific processes that are exposed to the public internet.

  • Affected processes: The specific processes containing the third-party vulnerability.

    • Vulnerability details: A description of the vulnerability, the associated technology, and links to further information.

    • Vulnerable functions: The exact function and class of the security problem, function usage, and the number of affected process groups.

      • The function usage refers to the usage state of the security problem:

        • In use: Any of the related process group instances uses at least one vulnerable function.
        • Not in use: No related process group instance uses any vulnerable function. In this case, no information about the vulnerable function is provided.
        • Not available: No information is available in the vulnerability database about vulnerable functions for a given vulnerability. In this case, no information about the vulnerable function is provided.

      • To display the remediation tracking page for a vulnerable function in use, select the number of affected process groups in the PGs column.

      Note: The information is based on management zones, not on the timeframe.

  • Sensitive data assets: The data storage (database services) accessed by affected processes containing the identified vulnerability.

  • Related entities: The entities (applications, services, hosts, databases, Kubernetes workloads, or Kubernetes clusters) that are related to the identified vulnerability, with direct links to those entities.

    Note: The Kubernetes workloads and Kubernetes clusters sections are displayed only if Kubernetes workloads or clusters are detected.

  • Related container images: The top five related container images sorted by the number of affected processes.

    Note: This information is displayed only if containers are detected.

  • Problem evolution: The last five vulnerability status changes (for example, when the vulnerability is first resolved and then reopened) over the last 30 days.

  • Vulnerable components: The libraries that are affected by the identified vulnerability.

  • Davis Security Score: A detailed view of how the Davis Security Score for the opened security problem is calculated: starting from the CVSS from SNYK, Davis checks whether there is public internet exposure or sensitive data affected and, if so, to what extent. The score is then adjusted as applicable based on the Davis AI calculations.

Access shortcut to main topics

The vulnerability details page is organized by the following topics:

  • Problem context
  • Related entities
  • Events
  • Vulnerable components You can jump to any of these topics by expanding the button next to Settings on the upper-left side of the vulnerability details page and selecting one of them.

Davis Security Advisor calculations

The Davis Security Advisor is displayed above the vulnerability list on the Third-party vulnerabilities page. It recommends the fixes that would most improve the overall security of your environment. Each recommendation contains the library that needs to be updated, the library technology logo, the number of the most severe vulnerabilities that will be fixed after updating the library, and the total number of vulnerabilities that will be fixed.

Basis for calculation

To calculate recommended fixes, Davis Security Advisor takes into consideration all third-party vulnerabilities that are currently open and not muted; resolved or muted vulnerabilities aren't taken into account. Fixes are tailored to your environment and ranked based on how much they improve the overall security of your environment.

Grouping

Because every third-party vulnerability is triggered by a vulnerable library, those libraries are used for grouping. When calculating the advice, Davis Security Advisor ignores the specific version of the library. All shown libraries contain known vulnerabilities and should be updated to the latest version.

Advice ranking

Advice is ranked based on the severity of the third-party vulnerabilities. Advice regarding a critical vulnerability, for example, is ranked higher than advice for a high severity vulnerability. The severity of a vulnerability is calculated based on Davis Security Score, so you can focus on fixing vulnerabilities that are relevant in your environment, instead of on those that have only a theoretical impact.

Filtering

To filter by recommended fixes, see Filter third-party vulnerabilities by recommended fixes with Davis Security Advisor.