Manage vulnerabilities

After enabling and configuring the Application Security and OneAgent features, you can start monitoring vulnerabilities in your third-party libraries in Dynatrace.

Application Security overview

For an overview of current security issues in your global environment, in the Dynatrace menu, go to Security overview. The Application Security overview page displays the following information:

  • The number of currently open security problems in your global environment (the total number of open problems, the number of open but muted problems, and, in the foreground, a count of the most severe open problems).
  • A chart of the Risk level for currently open security problems in your global environment over the last 30 days. To refine the chart by risk level, select chart legend entries.
  • A chart of the Vulnerabilities in your global environment over the last 30 days. You can see when a vulnerability was opened, reopened, resolved, or muted. To refine the chart by risk level, select chart legend entries.

From here, you can easily explore environment vulnerabilities:

  • To display a table of all vulnerabilities, regardless of risk level or status, select View all vulnerabilities.
  • To display a table of open vulnerabilities of a specific risk level, select the corresponding severity symbol.

Limitations

For security reasons, access to this page is restricted to users who are part of the Security admin group for the whole environment, not just for a selected set of management zones.

List vulnerabilities

To see a list of all detected vulnerabilities in your environment, select Vulnerabilities from the Dynatrace menu. The Vulnerabilities page displays the following information about the listed vulnerabilities:

  • Vulnerability title:

    • The name of the vulnerability.
    • The Dynatrace security problem number (S-<number>) followed by the name of the vulnerable component. Note: To see vulnerability details, select the link in the Vulnerability column.
  • Davis Security Score: Information related to

    • The Davis Security Score:
      • The risk level (Critical, High, Medium, Low, None) of the vulnerability, based on the Common Vulnerability Scoring System (CVSS) score of the security problem and AI-enhanced to take public internet exposure and sensitive data assets into consideration.
      • The symbol associated with the risk level. Note: If a vulnerability has been resolved, the symbol color is green.
      • The overall risk assessment (the final score)
    • Public exposure: If the vulnerability affects a process that is exposed to the internet, based on the Dynatrace entity model (Smartscape), the public exposure symbol shows in the Davis Security Score column.
    • Sensitive data: If the vulnerability affects a process that has database access, based on the Dynatrace entity model, the sensitive data symbol shows in the Davis Security Score column.
    • Vulnerable function: If there are any vulnerable functions in use by a process group instance, the vulnerable function symbol shows in the Davis Security Score column.
    • Public exploit: If there's any known malicious code that exploits this vulnerability, the public exploit symbol shows in the Davis Security Score column.
  • Current status:

    • Open means the vulnerability is active.

    • Resolved means the vulnerability has been closed automatically because the root cause (for example, loading a vulnerable library) is no longer present. A vulnerability is marked as resolved when no process group has been reporting any vulnerable software component for more than two hours.

    • Muted - Open means the vulnerability is active but has been silenced by request.

    • Muted - Resolved means the silenced active vulnerability has been closed automatically because the root cause (for example, loading a vulnerable library) is no longer present.

      Note: A muted security problem that has been closed automatically doesn't change its status to Resolved, but to Muted - Resolved.

  • Technology - the technology of the process affected by the security problem.

  • Affected entities - entities (applications, services, hosts, databases, Kubernetes workloads, or Kubernetes clusters) that are affected by the identified vulnerability.

    Note: The affected entities are globally calculated. Management zone filtering doesn't apply.

  • First seen - when the vulnerability appeared.

  • Last change - when the most recent change (for example, a new risk assessment or a new software component with the same vulnerability) was detected.
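The status rules described above (Open, Resolved, Muted - Open, Muted - Resolved, and the two-hour resolution window), as an added Python model written for this page; it is not Dynatrace code, and the process group names, timestamps and timeline are constructed sample values.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed model (not Dynatrace code) of the documented rules: a vulnerability
# is Resolved once no process group has reported the vulnerable component for more
# than two hours; muting does not change Open/Resolved but shows as a "Muted - "
# prefix, so an auto-closed muted problem ends as "Muted - Resolved", never "Resolved".
RESOLVE_AFTER = timedelta(hours=2)


@dataclass
class SecurityProblem:
    """Tracks, per process group, when the vulnerable component was last reported."""
    last_reported: dict[str, datetime] = field(default_factory=dict)
    muted: bool = False

    def report_component(self, process_group: str, at: datetime) -> None:
        """A process group loaded the vulnerable library at time `at`."""
        self.last_reported[process_group] = at

    def status(self, now: datetime) -> str:
        """Derive the displayed status at `now`: active while any process group
        reported the component within the last two hours."""
        active = any(now - seen <= RESOLVE_AFTER for seen in self.last_reported.values())
        base = "Open" if active else "Resolved"
        return f"Muted - {base}" if self.muted else base


def replay(problem: SecurityProblem, timeline: list[tuple[datetime, str, object]]) -> list[tuple[datetime, str]]:
    """Replay (time, action, arg) events and return the status transitions as
    (time, status) pairs, the way the Problem evolution section lists them.
    Status is only evaluated at event times, so a "check" event with no side
    effect can be used to probe the status at a quiet moment."""
    transitions: list[tuple[datetime, str]] = []
    last = None
    for at, action, arg in sorted(timeline, key=lambda e: e[0]):
        if action == "report":
            problem.report_component(str(arg), at)
        elif action == "mute":
            problem.muted = bool(arg)
        current = problem.status(at)
        if current != last:
            transitions.append((at, current))
            last = current
    return transitions
```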

Display vulnerability details

To see details about a vulnerability, select a link in the Vulnerability column of the Vulnerabilities page.

Review a summary of the key features

The vulnerability details page starts with a summary of the key features of the selected vulnerability:

  • The Davis Security Score risk level
  • Whether there's any public internet exposure
    • If there's no exposure, this information is grayed out.
  • Whether there are any sensitive data assets affected
    • If there aren't any sensitive data assets affected, this information is grayed out.
  • Whether there are any vulnerable functions in use
    • If there's no vulnerable function in use or available, this information is grayed out.
  • Whether there's any public exploit available
    • If there's no public exploit available, this information is grayed out.
  • How many process groups are affected
  • The vulnerable component

Note: If you want to mute the vulnerability, select the Mute button at the top right of the page.

View detailed information

Next, you get detailed information about the selected vulnerability:

  • Exposed processes: Specific processes that are exposed to the public internet.

  • Affected processes:

    • Specific processes containing the vulnerability and their technology.
    • A description of the vulnerability with links to further information.
    • Vulnerable functions identified. A vulnerable function can be
      • In use, if any of the related process group instances uses at least one vulnerable function.
      • Not in use, if no related process group instance uses any vulnerable function. In this case, no information about the vulnerable function is provided.
      • Not available, if there isn't any information available in the vulnerability database about vulnerable functions for a given vulnerability. In this case, no information about the vulnerable function is provided.
  • Sensitive data assets: Data storages (database services) accessed by affected processes containing the identified vulnerability.

  • Related entities: Entities (applications, services, hosts, databases, Kubernetes workloads, or Kubernetes clusters) that are related to the identified vulnerability, with direct links to those entities. Note: The Kubernetes workloads and Kubernetes clusters sections are displayed only if Kubernetes workloads or clusters are detected.

  • Related container images: The top five related container images sorted by the number of affected processes. Note: This information is displayed only if containers are detected.

  • Problem evolution: Vulnerability status changes (for example, when the vulnerability is first resolved and then reopened).

  • Vulnerable components: Libraries that are affected by the identified vulnerability.

  • Davis Security Score: Detailed view of how the Davis Security Score for the selected security problem is calculated: starting from the CVSS score from Snyk, Davis checks whether there is public internet exposure or sensitive data affected and, if so, to what extent. The score is then adjusted as applicable based on the Davis AI calculations.

Access shortcut to main topics

The information on the vulnerability details page is grouped under a list of topics:

  • Problem context
  • Related entities
  • Events
  • Vulnerable components

You can jump to any of these topics by expanding the button next to Settings at the top-left side of the vulnerability details page and selecting one of them.