Application Vulnerability Management

Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Application Security Management is not supported for your selected Datadog site ().

Overview

Application Vulnerability Management offers built-in detection capabilities that warn you about the vulnerabilities detected in your services’ open source dependencies. Details of that information are shown in the Vulnerability Explorer, identifying the severity, affected services, potentially vulnerable infrastructure, and remediation instructions to solve the surfaced risks.

Check ASM Compatibility to see if your service is supported.

Explore vulnerabilities

The Vulnerability Explorer shows a complete list of vulnerabilities detected by Application Vulnerability Management across all your services, ordering the vulnerabilities based on their severity, and offering grouping and filtering capabilities so you can investigate and prioritize problems. For open source vulnerabilities, it shows the number of affected services, the language of the affected library, and the last time that vulnerability was detected.

Application Vulnerability Management explorer page.

Select a specific vulnerability to see its details, including which services are affected, severity breakdown score, and recommended remediation steps. On the details explorer, you can also view impacted infrastructure to gain better insights to your overall attack exposure.

Within ASM, the severity of a vulnerability is modified from the base score to take into account the presence of attacks and the business sensitivity of the environment where the vulnerability is detected. For example, if no production environment is detected, the severity is reduced.

The adjusted vulnerability score includes the full context of each service:

  • The original vulnerability severity
  • Evidence of suspicious requests
  • Sensitive or internet-exposed environments
Vulnerability details page showing a modified severity score

See getting started with application vulnerability management for more information on the adjusted vulnerability score.

Remediation

The explorer also offers remediation recommendations for detected vulnerabilities that enable you to change the status of a vulnerability, and assign it to a team member for further review. It also includes a collection of links and references to websites or information sources that help you understand the context behind each vulnerability.

Application Vulnerability Management vulnerability details page showing affected services, links to infrastructure, suggested remediation, and links to more information.

Manage open source vulnerabilities

Application Vulnerability Management detects the open source libraries used by your application at runtime, and reports security vulnerabilities associated with them. In order to do it, Application Vulnerability Management combines various public open source software known vulnerability data sources along with data obtained by Datadog security research team. Datadog does not scan your source code and the analysis is based on how your application behaves during runtime.

Manage code-level vulnerabilities

Code-level vulnerabilities detection for Application Vulnerability Management is in beta. To use it for your service, follow the Setup instructions.

Datadog is able to indicate the file name and line number where the vulnerability is located, without scanning the source code.

The code-level vulnerability types that can be found include:

  • Weak Cipher
  • Weak Hash
  • SQL injection
  • Path traversal
  • LDAP injection
  • Command Injection
  • Server Side Request Forgery (SSRF)
  • Insecure Cookie
  • Cookie without HttpOnly Flag
  • Cookie without SameSite Flag
  • Unvalidated Redirect

Disabling code-level vulnerability detection capability

To disable code-level vulnerability detection capability in Vulnerability Management, remove the DD_IAST_ENABLED=true environment variable from your application configuration, and restart your service.

If you need additional help, contact Datadog support.

Risk information in APM views

Application Vulnerability Management enriches the information APM is already collecting, and flags libraries that match with current vulnerability advisories. Potentially vulnerable services are highlighted directly in the security views embedded in the APM Service Catalog.

Vulnerability information shown in the APM Service Catalog

Further reading

Documentation, liens et articles supplémentaires utiles:

How Application Security Works in DatadogDOCUMENTATION more more Enabling Application Security on your servicesDOCUMENTATION more more Getting started with Application Vulnerability ManagementGUIDE more more Enhance application security in production with Datadog Application Vulnerability ManagementBLOG more more