Application Security monitoring

Because open-source libraries are now so widely used, modern applications usually contain a large number of vulnerabilities. Evaluating hundreds or thousands of open security problems quickly becomes a daunting task.
Dynatrace Application Security pinpoints those vulnerabilities that need immediate investigation. It automatically analyzes data access paths and production execution to provide an automatic and precise risk and impact assessment.

To monitor the security issues of third-party libraries in your environment, follow the instructions below.

Prerequisites

  • Dynatrace SaaS/Managed version 1.206+
  • OneAgent version 1.185+
  • Java (any version)

1. Assign permissions

You need to assign Security admin permission to users who will be allowed to view and manage security problems.

To assign Security admin permission

  1. In Dynatrace, open the user menu in the upper-right corner of the page and go to Account settings > Identity management > User management.

To add an existing user to the group

  1. Select the user and then select Edit.
  2. Scroll down to Assign groups to user and select the Security admin group.
  3. Select Save.

For more information on user permissions, see Manage user groups and permissions.

2. Enable the runtime vulnerability detection functionality

To enable Application Security, you must enable its core functionality, runtime vulnerability detection.

  1. In the Dynatrace menu, go to Application Security > Vulnerabilities and select Activate settings.
  2. In the Runtime vulnerability detection page that opens, select Enable runtime vulnerability detection.

3. Enable OneAgent reporting of software components

After enabling runtime vulnerability detection, you need to enable OneAgent reporting of software components from your running applications to Dynatrace. You can enable the OneAgent features either globally or at the process group level; the instructions below cover the global setting.

  1. In the Dynatrace menu, go to Settings > Server-side service monitoring > Deep monitoring.
  2. Scroll down the page and select New OneAgent features.
  3. Select the Global tab.
  4. Filter for Reporting and enable the software component reporting feature(s) you want.
  5. Select Save changes to save your configuration.

Note: If you enable Java Software Component Reporting, you need to restart all affected processes before these settings take effect.

If you want to stop OneAgent reporting on any application, you can disable the respective software component reporting feature. OneAgent will then stop sending data for the respective application. If you disable all OneAgent features, the Security page will still be available but it will always show zero vulnerabilities because OneAgent won't send anything for analysis.

4. Control runtime vulnerability detection by technology (optional)

After you enable OneAgent reporting, Dynatrace starts generating security problems for all supported technologies by default. To choose the technologies for which you want to receive security problems:

  1. In the Dynatrace menu, go to Settings > Application Security > Runtime vulnerability detection.
  2. Enable/disable the desired technology.
  3. Select Save changes to save your configuration.

List vulnerabilities

Once you enable the Application Security and OneAgent features, you can monitor vulnerabilities in Dynatrace.
To list vulnerabilities of third-party libraries in your environment, select Vulnerabilities from the Dynatrace menu. The Vulnerabilities page displays the following information about the listed vulnerabilities:

  • Vulnerability title:
    • The name of the vulnerability.
    • The Dynatrace security problem number (S-<number>) followed by the name of the vulnerable component. To see vulnerability details, select the link in the Vulnerability column.
  • Davis Security Score - the risk level (Critical, High, Medium, Low, None) of the vulnerability, based on the Common Vulnerability Scoring System (CVSS) score of the security problem and AI-enhanced to take public internet exposure and sensitive data assets into consideration.
  • Current status:
    • Open means the vulnerability is active.
    • Resolved means the vulnerability has been closed automatically because the root cause (for example, loading a vulnerable library) is no longer present. A vulnerability is marked as resolved when no process group has been reporting any vulnerable software component for more than two hours.
    • Muted - Open means the vulnerability is active but has been silenced by request.
  • Muted - Resolved means a silenced vulnerability has been closed automatically because the root cause (for example, loading a vulnerable library) is no longer present. Note: A muted security problem that has been closed automatically doesn't change its status to Resolved, but to Muted - Resolved.
  • Public exposure - whether the vulnerability affects a process that is exposed to the internet, based on the Dynatrace entity model (Smartscape). If the vulnerability doesn't affect any process that is exposed to the internet, the symbol appears dimmed.
  • Sensitive data - whether the vulnerability affects a process that has database access, based on the Dynatrace entity model. If the vulnerability doesn't affect any process that has database access, the symbol appears dimmed.
  • Public exploit - whether there's any known malicious code that exploits this vulnerability.
  • Technology - the technology of the process affected by the security problem.
  • First seen - when the vulnerability appeared.
  • Last change - when the most recent change (for example, a new risk assessment or a new software component with the same vulnerability) was detected.
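The status rules above are easy to misread, so here is an added illustration (not Dynatrace's implementation) that models them in Python: a problem stays Open while any process group keeps reporting the vulnerable component, becomes Resolved only once every process group has been quiet for more than two hours, reopens on a new report, and keeps the Muted prefix through that lifecycle. The process group names and the component name are constructed sample data.

```python
from datetime import datetime, timedelta

# Status rule from the list above: a problem closes once no process group has
# reported any vulnerable component for more than two hours.
RESOLVE_AFTER = timedelta(hours=2)

# Constructed sample reports: (timestamp, process group, vulnerable component).
# pg-orders stops reporting at 11:00 but pg-billing keeps the problem open until
# 12:30; a redeploy at 16:00 reintroduces the library and reopens the problem.
REPORTS = [
    ("2024-01-01T10:00:00", "pg-orders", "example-lib-1.2.3"),
    ("2024-01-01T10:30:00", "pg-billing", "example-lib-1.2.3"),
    ("2024-01-01T11:00:00", "pg-orders", "example-lib-1.2.3"),
    ("2024-01-01T12:30:00", "pg-billing", "example-lib-1.2.3"),
    ("2024-01-01T16:00:00", "pg-orders", "example-lib-1.2.3"),
]

def parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)

def status_at(now: datetime, reports, muted: bool = False):
    """Status of one security problem at `now` (None if never reported).
    Active while *any* process group reported within RESOLVE_AFTER; muting only
    changes the label (Muted - Open / Muted - Resolved), not the lifecycle."""
    seen = [parse(ts) for ts, _pg, _comp in reports if parse(ts) <= now]
    if not seen:
        return None
    active = now - max(seen) <= RESOLVE_AFTER
    if muted:
        return "Muted - Open" if active else "Muted - Resolved"
    return "Open" if active else "Resolved"

def evolution(reports, muted: bool = False):
    """Ordered (timestamp, status) transitions, like the Problem evolution card."""
    # Status can only change at a report, or at the first instant a report is
    # "more than two hours" old, so evaluating at those points is sufficient.
    times = set()
    for ts, _pg, _comp in reports:
        t = parse(ts)
        times.update({t, t + RESOLVE_AFTER + timedelta(seconds=1)})
    history, prev = [], None
    for t in sorted(times):
        status = status_at(t, reports, muted)
        if status != prev:
            history.append((t.isoformat(), status))
            prev = status
    return history
```

Note that at 13:00 the problem is still Open even though pg-orders last reported at 11:00, because pg-billing reported at 12:30; the Resolved transition comes at 14:30:01, once every process group has been silent for more than two hours.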

Display vulnerability details

To see details about a vulnerability, select a link in the Vulnerability column of the Vulnerabilities page. The vulnerability details page displays the following information about the selected vulnerability:

  • Exposed processes - specific processes that are exposed to the public internet.

  • Affected processes - specific processes containing the vulnerability and their technology, a description of the vulnerability, and links to further information.

  • Sensitive data assets - data storages (database services) accessed by affected processes containing the identified vulnerability.

  • Related entities - entities (applications, services, hosts, databases, Kubernetes workloads, or Kubernetes clusters) that are related to the identified vulnerability, with direct links to those entities.

    Note: The Kubernetes workloads and Kubernetes clusters sections are displayed only if Kubernetes workloads or clusters are detected.

  • Related container images - the top five related container images sorted by the number of affected processes.

    Note: This information is displayed only if containers are detected.

  • Problem evolution - vulnerability status changes (for example, when the vulnerability is first resolved and then reopened).

  • Vulnerable components - libraries that are affected by the identified vulnerability.

  • Davis Security Score - this expandable card shows in detail how the Davis Security Score for the opened security problem is calculated: starting from the CVSS score from Snyk, Davis checks whether there is public internet exposure or sensitive data affected and, if so, to what extent. The score is then adjusted as applicable based on the Davis AI calculations.