Overview

Datadog Application Vulnerability Management (AVM) continuously monitors your production environment for vulnerabilities in the open source libraries your applications rely on. It lets you identify vulnerabilities and prioritize remediation of the most severe ones by business impact.

This guide walks you through best practices for getting your team up and running with AVM.

Phase 1:

  1. Check ASM Compatibility to see if your service is supported.
  2. Enable Application Vulnerability Management on your services.

Phase 2:

  1. Identify Vulnerabilities: Navigate to Security -> Application Security -> Vulnerabilities.

  2. Sort by Status and Severity:

    Application Vulnerability Management showing the Vulnerability tab, sorted by Status and Severity.

    Each vulnerability has its own status to help prioritize and manage findings:

    Status        Description
    Open          The vulnerability has been detected by Datadog.
    In Progress   A user has marked the vulnerability as In Progress, but Datadog still detects it.
    Muted         A user has ignored the vulnerability, making it no longer visible on the Open list, but Datadog still detects it.
    Remediated    A user has marked the vulnerability as resolved, but Datadog still sees the vulnerability.
    Auto-Closed   The vulnerability is no longer detected by Datadog.

    Note: Remediated and Auto-Closed vulnerabilities re-open if the vulnerability is detected again by Datadog.

  3. View additional details by clicking on the vulnerability. This opens a panel that includes information about:

    • Which services are affected.

    • The date on which the vulnerability was last detected.

    • A description of the vulnerability.

    • Recommended remediation steps.

    • Vulnerability score.

      Application Vulnerability Management detailed view of the vulnerability.

      Note: The severity of a vulnerability within AVM is modified from the base score to take into account the presence of attacks and the business sensitivity of the environment where the vulnerability is detected. For example, if no production environment is detected, the severity is reduced.

      The adjusted vulnerability score includes the full context of each service:

      • The original vulnerability severity.
      • Evidence of suspicious requests.
      • Sensitive or internet-exposed environments.

      Severities are scored by the following:

      CVSS Score    Qualitative Rating
      0.0           None
      0.1 - 3.9     Low
      4.0 - 6.9     Medium
      7.0 - 8.9     High
      9.0 - 10.0    Critical

  4. Optionally, download the Software Bill of Materials (SBOM) for your service. While viewing the details of a vulnerability, click on View in Service Catalog. From here you can navigate to the Security view of your service, and download the SBOM under the libraries tab.
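As an added illustration (not Datadog's code or its actual scoring algorithm), the following Python models the triage described in steps 2 and 3: the CVSS rating table is copied from above, while the adjustment weights, the Finding fields, the status transitions and the sample findings are assumed for the example.

```python
from dataclasses import dataclass
_RATINGS = [(0.0, "None"), (3.9, "Low"), (6.9, "Medium"), (8.9, "High"), (10.0, "Critical")]  # (upper bound, rating)

def cvss_rating(score: float) -> str:
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    return next(name for upper, name in _RATINGS if score <= upper)

@dataclass
class Finding:
    library: str
    base_cvss: float
    status: str                # Open, In Progress, Muted, Remediated, Auto-Closed
    production: bool           # a production environment was detected
    internet_exposed: bool     # sensitive or internet-exposed environment
    suspicious_requests: bool  # evidence of attacks against the service

# ASSUMED weights, illustration only (not Datadog's algorithm): attack evidence
# and exposure raise the score, no production environment lowers it.
def adjusted_score(f: Finding) -> float:
    s = f.base_cvss
    if not f.production:
        s -= 2.0
    if f.internet_exposed:
        s += 1.0
    if f.suspicious_requests:
        s += 1.5
    return max(0.0, min(10.0, round(s, 1)))

# Work queue order: Open first, then In Progress; closed or muted states last.
STATUS_ORDER = {"Open": 0, "In Progress": 1, "Remediated": 2, "Muted": 3, "Auto-Closed": 4}

def triage(findings: list[Finding]) -> list[Finding]:
    """Sort by status, then by adjusted score (highest first), as in step 2."""
    return sorted(findings, key=lambda f: (STATUS_ORDER[f.status], -adjusted_score(f)))

def next_status(status: str, detected: bool) -> str:
    """Re-open rule from the Note; Open findings auto-close when no longer detected."""
    if detected and status in ("Remediated", "Auto-Closed"):
        return "Open"
    if not detected and status == "Open":
        return "Auto-Closed"
    return status  # In Progress and Muted persist while still detected

# Constructed sample findings with fictitious library names.
SAMPLE = [
    Finding("lib-alpha", 9.8, "Open", True, True, True),          # clamps to 10.0
    Finding("lib-beta", 7.5, "Open", False, False, False),        # no prod env: 5.5
    Finding("lib-gamma", 7.2, "In Progress", True, False, False), # 7.2 but queued later
]
```

Note that lib-gamma scores higher than lib-beta yet sorts after it, because the queue is ordered by status before severity.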

Phase 3:

  1. Prioritize Response and Remediate: In the Vulnerability Explorer, you can take action on each finding:

    • Change the status of a vulnerability.
    • Assign it to a team member for further review.
    • View links and information sources to understand the context behind each vulnerability.

    Note: Adding an assignee to a vulnerability does not generate a notification about the assignment. This action only records their name as an annotation on the vulnerability.

    Application Vulnerability Management Explorer view showing assignment, status, and additional resources.

Further reading