Getting Started with Application Vulnerability Management

Overview

Datadog Application Vulnerability Management (AVM) continuously monitors your production environment for vulnerabilities in the open source libraries your applications rely on. You can identify and prioritize the remediation of the highest vulnerabilities by business impact.

This guide walks you through best practices for getting your team up and running with AVM.

Phase 1:

1. Check ASM Compatibility to see if your service is supported.
2. Enable Application Vulnerability Management on your services.
   • Navigate to Security -> Configuration -> Application Security -> Quick Start Guide.
   • Expand Enable Vulnerability Detection.
   • Click Start Activation.
   • Choose services to secure with ASM.

Phase 2:

1. Identify Vulnerabilities: Navigate to Security -> Application Security -> Vulnerabilities.

2. Sort by Status and Severity:

   Each vulnerability has its own status to help prioritize and manage findings:

   Status	Description
   Open	The vulnerability has been detected by Datadog.
   In Progress	A user has marked the vulnerability as In Progress, but Datadog still detects it.
   Muted	A user has ignored the vulnerability, making it no longer visible on the Open list, but Datadog still detects it.
   Remediated	A user has marked the vulnerability as resolved, but Datadog still sees the vulnerability.
   Auto-Closed	The vulnerability is no longer detected by Datadog.

   Note: Remediated and Auto-Closed vulnerabilities re-open if the vulnerability is detected again by Datadog.

3. View additional details by clicking on the vulnerability. This opens a panel which includes information about:

   • Which services are affected.

   • The date on which the vulnerability was last detected.

   • A description of the vulnerability.

   • Recommended remediation steps.

   • Vulnerability score.
     
     

     Note: The severity of a vulnerability within AVM is modified from the base score to take into account the presence of attacks and the business sensitivity of the environment where the vulnerability is detected. For example, if no production environment is detected, the severity is reduced.
     
     

     The adjusted vulnerability score includes the full context of each service:

     • The original vulnerability severity.
     • Evidence of suspicious requests.
     • Sensitive or internet-exposed environments.

     Severities are scored by the following:

     CVSS Score	Qualitative Rating
     0.0	None
     0.1 - 3.9	Low
     4.0 - 6.9	Medium
     7.0 – 8.9	High
     9.0 – 10.0	Critical

4. Optionally, download the Software Bill of Materials (SBOM) for your service. While viewing the details of a vulnerability, click on View in Service Catalog. From here you can navigate to the Security view of your service, and download the SBOM under the libraries tab.

Phase 3:

1. Prioritize Response and Remediate: While on the Vulnerability Explorer, take action:

   • Change the status of a vulnerability.
   • Assign it to a team member for further review.
   • View links and information sources to understand the context behind each vulnerability.

   Note: Adding an assignee to the vulnerability does not generate a notification regarding the assignment. This action only lists their name as an annotation of the vulnerability.

Further reading

Additional helpful documentation, links, and articles:

Application Security terms and conceptsDOCUMENTATION How Application Security Management worksDOCUMENTATION Enabling ASMDOCUMENTATION Security research, reports, tips, and videos from DatadogSECURITY LABS