Application Security Monitoring (ASUs)
Application Security Monitoring helps you to visualize, analyze, and monitor security vulnerabilities in your environment that are related to third-party libraries at runtime.
Application Security units
Dynatrace Application Security is licensed based on the consumption of Application Security units (ASUs). The number of Application Security units that an environment consumes is based on the servers that run applications, which are monitored with Application Security.
There are multiple factors that influence the consumption of ASUs:
- The amount of RAM that a monitored server has (see the weighting table below)
- The number of hours that the server runs
- The Application Security capabilities that are enabled on the server
Application Security capabilities
Currently, Application Security provides two capabilities:
- Runtime Vulnerability Analytics
- Runtime Application Protection
How capabilities affect monitoring consumption
Each capability consumes 1 ASU per hour multiplied by the RAM weight (See the weighting table for details).
Runtime Application Protection (RAP) relies on Runtime Vulnerability Assessment (RVA) to evaluate the vulnerability that an attack is based on. Therefore, a server with Runtime Application Protection enabled always consumes ASUs for both RVA and RAP.
| Host size (based on RAM GB) | Runtime Vulnerability Analytics (Application Security units per hour) | Runtime Vulnerability Analytics & Runtime Application Protection (Application Security units per hour) |
|---|---|---|
| 1.6 GB | 0.10 | 0.20 |
| 4 GB | 0.25 | 0.50 |
| 8 GB | 0.50 | 1 |
| 16 GB | 1 | 2 |
| 32 GB | 2 | 4 |
| 48 GB | 3 | 6 |
| 64 GB | 4 | 8 |
| 80 GB | 5 | 10 |
| N x 16 | N | N x 2 |
Example
Say that an environment consists of
- 1 server with 32 GB RAM running RVA and RAP
- 1 server with 32 GB RAM running RVA
- 1 server with 4 GB RAM running RVA
- 1 server with 32 GB RAM to handle load spikes running RVA and RAP
If the first three servers in the list run 24x7, they will consume 54,750 Application Security units per year. When the environment is no longer able to handle the load, an additional server with 32 GB RAM running RVA and RAP spins up to handle the spikes. This server runs a total of 250 hours during the year, so the consumption is increased by 1,000 ASUs.
This is calculated based on the following:
- One of the 32 GB RAM servers is running RVA and RAP and consumes 35,040 ASUs per year.
4 ASUs for RVA and RAP for a 32 GB host x 24 (hours) x 365 (days) - The other 32 GB RAM server is running only RVA and consumes 17,520 ASUs per year.
2 ASUs for RVA for a 32 GB host x 24 (hours) x 365 (days) - The 4 GB RAM server runs only RVA and consumes 2,190 ASUs per year.
0.25 ASUs for RVA for a 4 GB host x 24 (hours) x 365 (days) - When the environment is no longer able to handle the load, an additional server with 32 GB RAM running RVA and RAP spins up to handle the spikes, but it only runs a total of 250 hours during the year. So, the consumption is increased by 1,000 ASUs.
4 ASUs for RVA and RAP for a 32 GB host x 250 (hours)
Combine Application Security monitoring with Full-Stack and Infrastructure Monitoring
Application Security units are consumed concurrently with host units for both Full-Stack and Infrastructure Monitoring. For example, you can monitor the security of a host that runs on a Tomcat server that's monitored with Dynatrace Infrastructure Monitoring only, rather than Full-Stack Monitoring. This approach provides you with Dynatrace Application Security insights, but you won't benefit from improved prioritization based on your topology or the deeper performance insights that are provided with Full-Stack Monitoring mode.
The allocation of Application Security units is only applicable to hosts that run supported technologies. Please contact a Dynatrace product specialist via in-product chat or reach out to your account executive to learn more.