Monitor Application Security

Application Security is a Dynatrace product feature designed to help you detect, visualize, analyze, monitor, and remediate open-source and third-party vulnerabilities in production and pre-production environments at runtime.

Prerequisites

  • Dynatrace SaaS/Managed version 1.206+
  • OneAgent version 1.185+
  • Java (any version)
  • Assign the Security admin permission to users who are allowed to view and manage security problems

Enable Application Security

You can enable Application Security globally or at the process group level.

Note: You need to restart all affected processes before these settings will take effect.

List vulnerabilities

To list vulnerabilities of third-party libraries in your environment, select Security from the navigation menu. The Security page displays the following information about the listed vulnerabilities:

  • Vulnerability title:
    • The externally provided vulnerability title for SNYK vulnerabilities or the CVE ID for NVD vulnerabilities.
    • The Dynatrace problem number (S-<number>) followed by either a description of the security problem (for CVE vulnerabilities) or by the name of the affected package of the security problem (for SNYK vulnerabilities).
      To see vulnerability details, select the link in the Vulnerability column.
  • Risk/CVSS score - the risk level (Critical, High, Medium, Low, None) of the security problem, based on all data related to the vulnerability and the environment in which it occurs, and the Common Vulnerability Scoring System (CVSS) score of the security problem.
  • Current status:
    • Open means the problem is active.
    • Resolved means the problem has been closed automatically because the root cause (for example, loading a vulnerable library) is no longer present. A security problem is marked as resolved when no process group has been reporting any affected software component for more than two hours.
    • Muted - Open means the problem is active but has been silenced by request.
    • Muted - Resolved means the silenced active problem has been closed automatically because the root cause (for example, loading a vulnerable library) is no longer present.
      Note: A muted problem that has been closed automatically doesn't change its status to Resolved, but to Muted - Resolved.
  • Public exposure - whether the vulnerability affects a process that is exposed to the internet, based on the Dynatrace entity model (SmartScape).
  • Sensitive data - whether the vulnerability affects a process that has database access, based on the Dynatrace entity model.
  • Public exploit - whether there's any known malicious code that exploits this vulnerability.
  • Technology - the technology of the security problem.
  • First seen - when the vulnerability appeared.
  • Last change - when the most recent change (for example, a new risk assessment or a new software component with the same vulnerability) was detected.

Display vulnerability details

To see details about a vulnerability, select a link in the Vulnerability column of the Security page. The vulnerability details page displays the following information about the selected vulnerability:

  • Exposed processes - specific processes that are exposed to the public internet.
  • Affected processes - specific processes containing the identified vulnerability, their description, and the technology to which they belong.
  • Sensitive data assets - data storages (database services) affected by processes containing the identified vulnerability.
  • Affected entities - entities (applications, services, hosts, databases, Kubernetes workloads, or Kubernetes clusters) that are affected by the identified vulnerability, with direct links to those entities.
    Note: The Kubernetes workloads and Kubernetes clusters sections are displayed only if Kubernetes workloads or clusters are detected.
  • Affected container images - the 15 most affected container images by number of processes.
    Note: This information is displayed only if containers are detected.
  • Recent events - problem status changes (for example, when the problem is first resolved and then reopened).
  • Vulnerable components - libraries that are affected by the identified vulnerability.

Filtering options

  • You can filter vulnerabilities by vulnerability details, global timeframe, and management zone. You can combine any of these filters.
  • You can mute (silence) vulnerabilities that you don't consider important.

See below for details.

Filter by vulnerability details

On the Security page, you can filter the vulnerabilities table by the following:

  • Risk level (Critical, High, Medium, Low, None)
  • Status (Open, Resolved, Muted)
  • Vulnerability (CVE ID or SNYK ID)
    Note: If you filter by CVE ID, it must be a perfect match.
  • Risk assessment (Public internet exposure, Sensitive data affected, Public exploit available)
  • Technology (Java, Node.js)
  • Vulnerable component (part of the vulnerable component name)
  • Affected entity (select and enter any combination of the following: Process group name, Host name, Kubernetes workload name, Kubernetes cluster name, Tag; you can't add an entity more than once)
    For Tag, you can use tags on host, process group, and process group instance, with the syntax key:value or key.

Note: If a security problem affects more than 1000 processes, the Affected entity filter may not return all security problems that affect the entered entity.

Filter by global timeframe

You can use the global timeframe selector to filter vulnerabilities on the Security page and on the vulnerability details page.

  • The Security page displays vulnerabilities that were open within the selected global timeframe. However, the data displayed about an entry reflects the current state of the entry, not the historical state.
  • The vulnerability details page displays entities that were affected and libraries that were vulnerable during the selected global timeframe. An affected entity or a vulnerable component is shown:
    • If it was already affected or vulnerable during the selected timeframe
    • If it's still affected or vulnerable

Filter by management zone

You can use the management zones filter on the Security page and on the vulnerability details page. Note that the filter applies to different components in each case:

  • On the Security page, filtering by management zone applies to vulnerabilities. The management zone filter doesn't affect the other vulnerability fields, such as Public internet exposure or Sensitive data affected; other than Vulnerability, all values on this page are based on the whole environment.
  • On the vulnerability details page, filtering by management zone applies to vulnerable components and affected entities (processes, process groups, hosts, services, etc.). The management zone filter doesn't affect the majority of data on the infographic; other than Affected entities, all values on this page are based on the whole environment.

Note:

  • When a vulnerability stops affecting a management zone, it won't show up when you filter for that management zone.
  • When a vulnerability is resolved (when it has stopped affecting the whole environment), it shows up regardless of the selected management zone.

For more information on how to set up and apply management zones, and about the rules that define and limit the entities that can be accessed within a management zone, see Management zones.

Management zone calculation is based on processes (process group instances). Management zones are calculated when a security problem is opened and every 15 minutes after that until the security problem is resolved. A management zone is affected by a security problem if a process (process group instance) of the management zone uses a software component that has the reported vulnerability.

Mute problems

If you determine that a problem isn't serious and you want to filter it out from the list of security problems, you can mute (silence) it. Dynatrace continues to analyze muted problems periodically; they are hidden from the default list, but you can still display them by filtering for the Muted status.

To mute a problem

  1. Go to the details page of the vulnerability and select Mute problem in the upper-right corner.
  2. Select a reason for muting the problem and, optionally, provide additional information.
  3. Select Save.

Note: You need to wait up to a minute for the change to take effect. Refresh the page to see your change.

Muted problems don't appear on the list of security problems unless you filter for them.

The status change of the problem is logged under the Recent events section of the vulnerability details page. Select Details to see who muted the problem, the reason for muting, and any additional comments. Note that Recent events shows only the last five events that occurred within the last 30 days.


You can unmute a problem anytime by selecting Unmute problem on the details page of the respective vulnerability. Unmuting a problem makes it active again - its status changes back to Open.

Note: You won't be able to mute/unmute a problem if

  • Muting/unmuting is already in progress
  • Required permissions are missing
  • The problem status is Resolved
  • The problem status is Muted - Resolved

Hover over Mute problem/Unmute problem to see why muting/unmuting isn't possible.
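The status definitions above (Open, Resolved, Muted - Open, Muted - Resolved) and the muting rules together describe a small state machine. The following is an added example, not Dynatrace code, that models it: the two-hour automatic resolution, the rule that a muted problem closes to Muted - Resolved rather than Resolved, the reasons muting or unmuting is refused, and the Recent events window (last five events within 30 days). The class, the timestamps, and the behaviour of a muted problem whose affected component reappears (assumed here to return to Muted - Open; the page doesn't specify this) are assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

OPEN, RESOLVED = "Open", "Resolved"
MUTED_OPEN, MUTED_RESOLVED = "Muted - Open", "Muted - Resolved"
RESOLVE_AFTER = timedelta(hours=2)          # no affected component reported for more than 2 h
EVENT_WINDOW, EVENT_LIMIT = timedelta(days=30), 5


@dataclass
class Event:
    at: datetime
    old: str
    new: str
    details: str = ""   # who muted, reason, additional comment


@dataclass
class SecurityProblem:
    problem_id: str                     # Dynatrace problem number, e.g. "S-42" (constructed)
    opened_at: datetime
    status: str = OPEN
    last_report: datetime | None = None  # last time a process group reported an affected component
    change_in_progress: bool = False     # a mute/unmute request is still being applied
    events: list[Event] = field(default_factory=list)

    def __post_init__(self):
        self.last_report = self.last_report or self.opened_at

    def _transition(self, at, new, details=""):
        if new != self.status:
            self.events.append(Event(at, self.status, new, details))
            self.status = new

    def report_component(self, at):
        """A process group reported an affected component again; reopens a closed problem."""
        self.last_report = at
        if self.status == RESOLVED:
            self._transition(at, OPEN, "reopened: affected component reported again")
        elif self.status == MUTED_RESOLVED:
            # Assumption: a muted problem that reappears stays muted (not specified on the page).
            self._transition(at, MUTED_OPEN, "reopened while muted")

    def evaluate(self, now):
        """Automatic resolution. A muted problem closes to Muted - Resolved, not Resolved."""
        if now - self.last_report > RESOLVE_AFTER:
            if self.status == OPEN:
                self._transition(now, RESOLVED, "no affected component reported for > 2 h")
            elif self.status == MUTED_OPEN:
                self._transition(now, MUTED_RESOLVED, "no affected component reported for > 2 h")

    def mute_blocker(self, has_permission=True):
        """Reason why muting/unmuting isn't possible (shown on hover), or None."""
        if self.change_in_progress:
            return "muting/unmuting already in progress"
        if not has_permission:
            return "required permissions are missing"
        if self.status in (RESOLVED, MUTED_RESOLVED):
            return f"problem status is {self.status}"
        return None

    def mute(self, at, user, reason, comment="", has_permission=True):
        blocker = self.mute_blocker(has_permission)
        if blocker:
            raise PermissionError(blocker)
        details = f"muted by {user}: {reason}" + (f" ({comment})" if comment else "")
        self._transition(at, MUTED_OPEN, details)

    def unmute(self, at, user, has_permission=True):
        blocker = self.mute_blocker(has_permission)
        if blocker:
            raise PermissionError(blocker)
        self._transition(at, OPEN, f"unmuted by {user}")

    def recent_events(self, now):
        """Recent events: only the last five status changes within the last 30 days."""
        recent = [e for e in self.events if now - e.at <= EVENT_WINDOW]
        return recent[-EVENT_LIMIT:]


def demo():
    """Constructed walk-through of one problem's lifecycle."""
    t0 = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)
    p = SecurityProblem("S-42", opened_at=t0)
    p.mute(t0 + timedelta(minutes=10), "alice", "False positive", "vulnerable method not reachable")
    p.evaluate(t0 + timedelta(hours=1))            # within 2 h of the last report: no change
    p.evaluate(t0 + timedelta(hours=3))            # > 2 h without reports: Muted - Resolved
    blocker = p.mute_blocker()                     # unmute refused: "problem status is Muted - Resolved"
    p.report_component(t0 + timedelta(hours=4))    # the library is loaded again
    p.unmute(t0 + timedelta(hours=5), "bob")       # back to Open
    return p, blocker


if __name__ == "__main__":
    problem, why = demo()
    print(problem.status, "|", why)
    for e in problem.recent_events(problem.events[-1].at):
        print(e.at.isoformat(), e.old, "->", e.new, "|", e.details)
```

The strict `>` in `evaluate` matches "more than two hours": a problem whose last report is exactly two hours old is still Open.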

Adjust reporting of OneAgent features

You can control whether OneAgent reports loaded software components (libraries) by enabling or disabling Java Software Component Reporting.

  1. Go to Settings > Server-side service monitoring > Deep monitoring.
  2. Expand New OneAgent features.
  3. Enable or disable Java Software Component Reporting.


If you turn off the OneAgent feature, the Security page will still be available, but it will always show zero vulnerabilities because OneAgent no longer sends software component data to be analyzed. A zero count in this state reflects missing data, not an absence of vulnerabilities.

Risk assessment

To determine external exposure and affected data assets, Dynatrace takes the following into consideration:

  • Sources - a known exploit is determined by the feed reporting the vulnerability.
  • Entities - a vulnerable software component is linked to the process group instance of the reporting component, and the running services in that process group are used to calculate the exposure and whether sensitive data assets are affected.
  • Dependencies - to calculate exposure, Dynatrace analyzes whether any incoming web requests or web service calls received by the affected services in the last day came from a public IP address. To see if sensitive data assets are affected, Dynatrace investigates the affected services and the services directly called by those services. If one of those services is a database, a sensitive data asset is affected. Only one hop is considered: a database reached through an intermediate service is not counted.
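The following is an added example, not Dynatrace code, that models the three inputs listed above (feed sources aside) together with the management zone rule from the Filter by management zone section: a vulnerable component is linked to the process group instances that loaded it, those instances' services determine public exposure from requests of the last day, and sensitive data assets are databases among the affected services and the services they call directly. The topology, IP addresses, component names, and management zones are constructed sample data; `is_global` from the standard `ipaddress` module stands in for whatever public-address test Dynatrace uses.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Fixed "now" so the constructed sample is reproducible.
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
EXPOSURE_WINDOW = timedelta(days=1)


@dataclass
class Service:
    name: str
    is_database: bool = False
    calls: list[str] = field(default_factory=list)   # services this one calls directly


@dataclass
class ProcessGroupInstance:
    name: str
    libraries: set[str]          # loaded software components, e.g. "log4j-core:2.14.1"
    services: list[str]          # services running in this process
    management_zones: set[str]   # zones this process belongs to


@dataclass
class IncomingRequest:
    service: str      # service that received the request
    client_ip: str
    seen_at: datetime


def is_public(ip: str) -> bool:
    """Globally routable address; private, loopback, link-local and documentation
    ranges are all reported as non-global by the ipaddress module."""
    return ipaddress.ip_address(ip).is_global


def affected_instances(instances, component):
    """Entities: the vulnerable component is linked to the process that loaded it."""
    return [pgi for pgi in instances if component in pgi.libraries]


def affected_management_zones(affected):
    """A zone is affected if one of its processes uses the vulnerable component."""
    return sorted({z for pgi in affected for z in pgi.management_zones})


def is_publicly_exposed(affected, requests, now=NOW):
    """Any request in the last day, to a service of an affected process, from a public IP."""
    names = {s for pgi in affected for s in pgi.services}
    return any(
        r.service in names and now - r.seen_at <= EXPOSURE_WINDOW and is_public(r.client_ip)
        for r in requests
    )


def sensitive_data_assets(affected, services):
    """Databases among the affected services and the services they call directly.
    A database two hops away is deliberately not counted."""
    names = {s for pgi in affected for s in pgi.services}
    candidates = set(names)
    for n in names:
        candidates.update(services[n].calls)
    return sorted(n for n in candidates if services[n].is_database)


def assess(component, instances, services, requests, now=NOW):
    affected = affected_instances(instances, component)
    return {
        "affected_processes": sorted(p.name for p in affected),
        "management_zones": affected_management_zones(affected),
        "public_exposure": is_publicly_exposed(affected, requests, now),
        "sensitive_data_assets": sensitive_data_assets(affected, services),
    }


# Constructed sample topology and request records (not real data).
SERVICES = {s.name: s for s in [
    Service("web-frontend", calls=["orders-api"]),
    Service("orders-api", calls=["orders-db"]),
    Service("orders-db", is_database=True),
    Service("reporting", calls=["warehouse-db"]),
    Service("warehouse-db", is_database=True),
]}
INSTANCES = [
    ProcessGroupInstance("frontend-1", {"jackson-databind:2.9.8"}, ["web-frontend"], {"shop"}),
    ProcessGroupInstance("orders-1", {"log4j-core:2.14.1", "jackson-databind:2.12.0"}, ["orders-api"], {"shop"}),
    ProcessGroupInstance("reporting-1", {"log4j-core:2.14.1"}, ["reporting"], {"bi"}),
]
REQUESTS = [
    IncomingRequest("web-frontend", "93.184.216.34", NOW - timedelta(minutes=5)),  # public, recent
    IncomingRequest("orders-api", "10.0.0.5", NOW - timedelta(minutes=1)),          # internal only
    IncomingRequest("orders-api", "93.184.216.34", NOW - timedelta(days=2)),        # public but stale
]


def demo():
    return {c: assess(c, INSTANCES, SERVICES, REQUESTS)
            for c in ["log4j-core:2.14.1", "jackson-databind:2.9.8"]}


if __name__ == "__main__":
    for component, result in demo().items():
        print(component, result)
```

Two details worth noticing in the output: the log4j component is not flagged as publicly exposed because its only public request is older than a day, and the jackson component in the frontend shows no sensitive data asset even though `orders-db` sits two calls away, which is exactly the one-hop limit described above.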

Security problem management

Libraries

Libraries (software components) are reported as soon as any class of a library is loaded. Additionally, all loaded libraries are reported again every hour.

Topology changes

Once Dynatrace finds a new vulnerability, it regularly checks for topology changes (for example, when a new sensitive asset or data source is involved).

Vulnerability feeds

The vulnerability feeds are checked for updates every five minutes. If there's a new feed available, the information is pushed to the Dynatrace Cluster via Cloud Control/Mission Control. Updated vulnerability feeds are imported into Dynatrace Clusters within approximately two hours.

Based on the existing vulnerability feeds, Dynatrace searches your environment for new vulnerabilities every minute.

Troubleshooting

Application Security writes to the following existing Dynatrace log files:

  • The OneAgent Java code module log
  • The Dynatrace Cluster server log and debug log