Monitor Application Security

Application Security is a Dynatrace product feature designed to help you detect, visualize, analyze, monitor, and remediate open-source and third-party vulnerabilities in production and pre-production environments at runtime.

Prerequisites

  • Dynatrace SaaS/Managed version 1.206+
  • OneAgent version 1.185+
  • Java (any version)
  • Assign Security admin permission to users who are allowed to view and manage security problems

Enable Application Security

You can enable Application Security globally or at the process group level.

Note: You need to restart all affected processes before these settings will take effect.

List vulnerabilities

To list vulnerabilities of third-party libraries in your environment, select Security from the navigation menu. The Security page displays the following information about the listed vulnerabilities:

  • Vulnerability - the vulnerability's external ID (for example, its CVE identifier) and the Dynatrace security problem number.
    To see vulnerability details, select the link in the Vulnerability column.
  • Risk level - the risk level (Critical, High, Medium, Low) of the security problem, based on all data related to the vulnerability and the environment in which it occurs.
  • CVSS score - the Common Vulnerability Scoring System (CVSS) score.
  • Public internet exposure - whether the vulnerability affects a process that is exposed to the internet, based on the Dynatrace entity model (SmartScape).
  • Sensitive data affected - whether the vulnerability affects a process that has database access, based on the Dynatrace entity model.
  • Public exploit available - whether publicly known exploit code for this vulnerability exists.
  • Current status:
    • Open means the problem is active.
    • Resolved means the problem has been closed automatically because the root cause (for example, loading a vulnerable library) is no longer present. A security problem is marked as resolved when no process group has been reporting any affected software component for more than two hours.
    • Muted means the problem is still active but has been silenced on request, for example because it isn't considered serious in your environment. Dynatrace continues to analyze muted problems periodically, but filtering the list of security problems by Open or Resolved status excludes them. You can mute a problem by selecting Mute problem, and unmute it at any time by selecting Unmute problem, on the vulnerability details page.
  • First seen - when the vulnerability appeared.
  • Last change - when the most recent change (for example, a new risk assessment or a new software component with the same vulnerability) was detected.

Display vulnerability details

To see details about a vulnerability, select a link in the Vulnerability column of the Security page. The vulnerability details page displays the following information about the selected vulnerability:

  • Exposed processes - specific processes that are exposed to the public internet.
  • Affected processes - specific processes containing the identified vulnerability.
  • Overview - problem background, including links to more detailed information about the identified vulnerability.
  • Sensitive data assets - data stores (database services) reached by processes containing the identified vulnerability.
  • Recent events - problem status changes (for example, when the problem is first resolved and then reopened).
  • Vulnerable components - libraries that are affected by the identified vulnerability.
  • Affected entities - entities (applications, services, hosts, databases) that are affected by the identified vulnerability, with direct links to those entities.

Filtering options

You can filter vulnerabilities by vulnerability details, global timeframe, and management zone. You can combine any of these filters.

Filter by vulnerability details

On the Security page, you can filter the vulnerabilities table by the following:

  • Risk level (high, medium, low)
  • Status (open, resolved)
  • Vulnerability
  • Risk assessment (public internet exposure, sensitive data affected, public exploit available)
  • Affected entity

Filter by global timeframe

You can use the global timeframe selector to filter vulnerabilities on the Security page and on the vulnerability details page.

  • The Security page displays vulnerabilities that were open within the selected global timeframe. However, the data displayed about an entry reflects the current state of the entry, not the historical state.
  • The vulnerability details page displays entities that were affected and libraries that were vulnerable during the selected global timeframe. An affected entity or a vulnerable component is shown:
    • If it was already affected or vulnerable during the selected timeframe
    • If it's still affected or vulnerable

Filter by management zone

You can use the management zones filter on the Security page and on the vulnerability details page. Note that the filter applies to different components on each page:

  • On the Security page, filtering by management zone applies to vulnerabilities. The management zone filter doesn't affect the other vulnerability fields, such as Public internet exposure or Sensitive data affected; other than Vulnerability, all values on this page are based on the whole environment.
  • On the vulnerability details page, filtering by management zone applies to vulnerable components and affected entities (processes, process groups, hosts, services, etc.). The management zone filter doesn't affect the majority of data on the infographic; other than Affected entities, all values on this page are based on the whole environment.

Note:

  • When a vulnerability stops affecting a management zone, it won't show up when you filter for that management zone.
  • When a vulnerability is resolved (when it has stopped affecting the whole environment), it shows up regardless of the selected management zone.

For more information on how to set up and apply management zones, and about the rules that define and limit the entities that can be accessed within a management zone, see Management zones.

Management zone calculation is based on processes (process group instances). Management zones are calculated when a security problem is opened and every 15 minutes after that until the security problem is resolved. A management zone is affected by a security problem if a process (process group instance) of the management zone uses a software component that has the reported vulnerability.
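The three rules above, that a problem is resolved once no process group has reported the affected component for more than two hours, that an open problem appears under a management zone filter only while a process group instance of that zone still uses the component while a resolved problem appears regardless of zone, and that the details page shows an entity if it was affected inside the selected timeframe or is still affected, can be expressed as a small model. The following is an added example, not Dynatrace code: the process group instance names, zone membership and report times are constructed, the "still uses the component" test is assumed to be the same two-hour window as the resolution rule, and muting is not modeled.

```python
from __future__ import annotations

from datetime import datetime, timedelta, timezone

# Constructed sample data, not real Dynatrace data: the process group instance
# names, their zone membership and the report times are assumptions for this
# example. Mute/unmute is not modeled.

NOW = datetime(2021, 3, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock for reproducibility
RESOLVE_AFTER = timedelta(hours=2)  # page: resolved after >2h without any report


def at(hours: float) -> datetime:
    """Helper: a point in time relative to NOW (negative = in the past)."""
    return NOW + timedelta(hours=hours)


# Last time each process group instance reported loading the vulnerable component.
# Libraries are re-reported hourly, so a PGI still using the library never goes
# more than two hours without a report.
LAST_REPORT = {
    "checkout-pgi": at(-0.7),  # still loading the library
    "batch-pgi": at(-5),       # patched and restarted, silent for 5h
}

# Management zone -> process group instances it contains (zones are calculated
# from PGIs, as described above).
ZONES = {
    "shop": {"checkout-pgi"},
    "backend": {"batch-pgi"},
    "legacy": {"legacy-pgi"},  # never loaded the vulnerable component
}


def still_affected(pgi: str, now: datetime = NOW) -> bool:
    """A PGI counts as affected while its last report is inside the 2-hour window."""
    last = LAST_REPORT.get(pgi)
    return last is not None and now - last <= RESOLVE_AFTER


def problem_status(now: datetime = NOW) -> str:
    """OPEN while any PGI still reports the component; RESOLVED once all are silent >2h."""
    return "OPEN" if any(still_affected(p, now) for p in LAST_REPORT) else "RESOLVED"


def affected_zones(now: datetime = NOW) -> set[str]:
    """Zones containing at least one PGI that still uses the vulnerable component."""
    return {z for z, pgis in ZONES.items() if any(still_affected(p, now) for p in pgis)}


def listed_under_zone_filter(zone: str, now: datetime = NOW) -> bool:
    """Security page rule: a resolved problem is listed for every zone; an open
    problem is listed only for zones it still affects."""
    if problem_status(now) == "RESOLVED":
        return True
    return zone in affected_zones(now)


def shown_in_timeframe(first: datetime, last: datetime | None,
                       tf_start: datetime, tf_end: datetime) -> bool:
    """Details page rule: an affected entity or vulnerable component is shown if
    it was affected at some point inside the selected timeframe (interval
    overlap), or if it is still affected (last is None)."""
    if last is None:
        return True
    return first <= tf_end and last >= tf_start


if __name__ == "__main__":
    for zone in ZONES:
        print(f"now: {zone}: listed={listed_under_zone_filter(zone)}")
    print("status in 3h:", problem_status(at(3)))
```

With this data, only the shop zone lists the problem now; the backend zone already dropped it because batch-pgi stopped reporting more than two hours ago, even though the problem as a whole is still open. Three hours later checkout-pgi has also been silent for more than two hours, the problem resolves, and it is listed under every zone, including legacy, which was never affected.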

Adjust reporting of OneAgent features

You can control whether OneAgent reports loaded software components (libraries) by enabling or disabling Java Software Component Reporting.

  1. Go to Settings > Server-side service monitoring > Deep monitoring.
  2. Expand New OneAgent features.
  3. Enable or disable Java Software Component Reporting.


If you turn off the OneAgent feature, the Security page will still be available but it will always show zero vulnerabilities because OneAgent sends nothing to be analyzed.

Risk assessment

To determine external exposure and affected data assets, Dynatrace takes the following into consideration:

  • Sources - a known exploit is determined by the feed reporting the vulnerability.
  • Entities - a vulnerable software component is linked to the process group instance of the reporting Java component, and the running services in that process group are used to calculate the exposure and whether sensitive data assets are affected.
  • Dependencies - to calculate exposure, Dynatrace analyzes whether incoming web request services and web service calls from the last day come from a public IP address. To see if sensitive data assets are affected, Dynatrace investigates affected services and services that are directly called by those services. If one of those services is a database, a sensitive data asset is affected.
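The exposure and sensitive-data calculation described above, as an added example that is not Dynatrace code: it assumes a small constructed topology (service names, process group instances, client addresses and timestamps are all made up), treats a service as exposed when any incoming request from a public address arrived within the last day, and treats a data asset as affected only when a database is among the affected services or the services they call directly, so a database two hops away does not count. Python's ipaddress.is_global is used as the public-address test; note that it classifies the RFC 5737 documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) as non-global, so the sample deliberately uses other addresses.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed sample topology, not real Dynatrace data. Service names, process
# group instances, client addresses and timestamps are assumptions for this example.

NOW = datetime(2021, 3, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock for reproducibility
EXPOSURE_WINDOW = timedelta(days=1)  # page: web requests and calls "from the last day"


@dataclass
class Service:
    name: str
    kind: str  # "web" or "database" (assumed service types)
    incoming: list[tuple[str, datetime]] = field(default_factory=list)  # (client IP, time)
    calls: set[str] = field(default_factory=set)  # services this one calls directly


# 8.8.8.8 / 1.1.1.1 stand in for arbitrary globally routed client addresses;
# RFC 5737 documentation addresses would be reported as non-global by ipaddress.
SERVICES = {
    "frontend": Service("frontend", "web",
                        incoming=[("8.8.8.8", NOW - timedelta(hours=3))],  # public, recent
                        calls={"billing-api"}),
    "billing-api": Service("billing-api", "web",
                           incoming=[("10.0.0.7", NOW - timedelta(hours=1)),   # private client
                                     ("1.1.1.1", NOW - timedelta(days=2))],    # public, too old
                           calls={"payments-db"}),
    "billing-worker": Service("billing-worker", "web", calls={"billing-api"}),
    "payments-db": Service("payments-db", "database"),
}

# process group instance -> services running in it
PROCESS_GROUPS = {
    "frontend-pgi": {"frontend"},
    "billing-pgi": {"billing-api", "billing-worker"},
}


def is_public_ip(ip: str) -> bool:
    """True for globally routable addresses; private, loopback, link-local etc. are not."""
    return ipaddress.ip_address(ip).is_global


def service_exposed(name: str, now: datetime = NOW) -> bool:
    """Exposed if any incoming request within the last day came from a public address."""
    svc = SERVICES[name]
    return any(is_public_ip(ip) and now - ts <= EXPOSURE_WINDOW for ip, ts in svc.incoming)


def public_internet_exposure(pgi: str, now: datetime = NOW) -> bool:
    """A vulnerable PGI is exposed if any service running in it is exposed."""
    return any(service_exposed(s, now) for s in PROCESS_GROUPS[pgi])


def sensitive_data_assets(pgi: str) -> set[str]:
    """Databases among the affected services and the services they call directly.
    Only one hop is followed, matching the rule described above."""
    affected = set(PROCESS_GROUPS[pgi])
    one_hop = affected | {callee for s in affected for callee in SERVICES[s].calls}
    return {s for s in one_hop if SERVICES[s].kind == "database"}


def risk_assessment(pgi: str, now: datetime = NOW) -> dict:
    """The two risk-assessment flags shown on the Security page for one vulnerable PGI."""
    assets = sensitive_data_assets(pgi)
    return {
        "public_internet_exposure": public_internet_exposure(pgi, now),
        "sensitive_data_affected": bool(assets),
        "sensitive_data_assets": sorted(assets),
    }


if __name__ == "__main__":
    for pgi in PROCESS_GROUPS:
        print(pgi, risk_assessment(pgi))
```

For this topology the frontend process is flagged as exposed but not as touching sensitive data (it reaches payments-db only through billing-api, two hops away), while the billing process is flagged for sensitive data but not for exposure: its only public request is two days old and its recent traffic comes from a private address.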

Security problem management

Libraries

Libraries (software components) are reported as soon as any class of a library is loaded, that is, when the library is first used. Additionally, all loaded libraries are reported again every hour.

Topology changes

Once Dynatrace finds a new vulnerability, it regularly checks for topology changes (for example, when a new sensitive asset or data source is involved).

Vulnerability feeds

The vulnerability feeds are checked for updates every five minutes. If there's a new feed available, the information is pushed to the Dynatrace Cluster via Cloud Control/Mission Control. Updated vulnerability feeds are imported into Dynatrace Clusters within approximately two hours.

Based on the existing vulnerability feeds, Dynatrace searches for new vulnerabilities in your environment every minute.

Troubleshooting

Application Security writes to the following existing Dynatrace log files:

  • The OneAgent Java code module log
  • The Dynatrace Cluster server log and debug log