Security Controls prevent false-positive vulnerability reports when an application uses its own escaping and sanitization functions. Declaring these security functions refines how data flows are processed, so legitimate transformations of untrusted input do not trigger unnecessary security alerts.
Security Controls differentiate between Input Validators and Sanitizers, depending on how a function is used in security validation:
The Security Controls definition must be placed in the configuration variable `DD_IAST_SECURITY_CONTROLS_CONFIGURATION`.
To configure a list of security controls, follow the format and field specifications below. This format uses specific separators to structure each security control entry.

```
<TYPE>:<SECURE_MARKS>:<CLASS/FILE>:<METHOD>:<PARAMETERS (Optional)>:<PARAMETERS TO VALIDATE (Optional)>
```
| Field | Description |
|---|---|
| Type | Defines the type of control. Accepted values: `INPUT_VALIDATOR` or `SANITIZER`. |
| Secure Marks | List of vulnerability types to apply. Possible values are defined in Secure marks. Optionally, use `*` to indicate applicability to all types. |
| Class/File | Fully qualified class or file implementing the security control. |
| Method | Name of the method implementing the security control. |
| Parameters (Optional) | Fully qualified class parameters. Used to distinguish between overloaded methods. If omitted and overloading exists, the security control applies to all overloaded methods. |
| Parameters to Validate (Optional) | Zero-based list of parameter positions to validate. The first parameter is position 0. This field applies only to `INPUT_VALIDATOR` types. Used when not all parameters require validation. |
- `;` (semicolon): Separates each security control.
- `:` (colon): Separates each field within a security control.
- `,` (comma): Separates items within a field that accepts a list.

The available secure marks correspond to the codes associated with each injection-related vulnerability. These codes and their availability for each language can be found in supported vulnerabilities.
The injection-related vulnerabilities are:
Input validator examples:

| Method | Security control | Note |
|---|---|---|
| `bar.foo.CustomInputValidator#validate(String input1, String input2)` | `INPUT_VALIDATOR:COMMAND_INJECTION:bar.foo.CustomInputValidator:validate` | |
| `bar.foo.CustomInputValidator#validate(String input1, String inputToValidate)` | `INPUT_VALIDATOR:COMMAND_INJECTION:bar.foo.CustomInputValidator:validate:1` | |
| `bar.foo.CustomInputValidator#validate(String input1, String firstInputToValidate, String secondInputToValidate, Object anotherInput)` | `INPUT_VALIDATOR:COMMAND_INJECTION:bar.foo.CustomInputValidator:validate:1,2` | |
| `bar.foo.CustomInputValidator#validate(String input)` | `INPUT_VALIDATOR:COMMAND_INJECTION,CODE_INJECTION:bar.foo.CustomInputValidator:validate` | |
| `bar.foo.CustomInputValidator#validate(String input)` | `INPUT_VALIDATOR:*:bar.foo.CustomInputValidator:validate` | |
| `bar.foo.CustomInputValidator#validate(String input)`<br>`bar.foo.CustomInputValidator#validate(String input, String input2)` | `INPUT_VALIDATOR:COMMAND_INJECTION:bar.foo.CustomInputValidator:validate:java.lang.String` | Applies to the first method only. |
| `bar.foo.CustomInputValidator#validate(String input)`<br>`bar.foo.CustomInputValidator#validate(String input, String input2)` | `INPUT_VALIDATOR:COMMAND_INJECTION:bar.foo.CustomInputValidator:validate` | Applies to both methods. |
Sanitizer examples:

| Method | Security control | Note |
|---|---|---|
| `bar.foo.CustomSanitizer#sanitize(String input)` | `SANITIZER:COMMAND_INJECTION:bar.foo.CustomSanitizer:sanitize` | |
| `bar.foo.CustomSanitizer#sanitize(String input)` | `SANITIZER:COMMAND_INJECTION,CODE_INJECTION:bar.foo.CustomSanitizer:sanitize` | |
| `bar.foo.CustomSanitizer#sanitize(String input)` | `SANITIZER:*:bar.foo.CustomSanitizer:sanitize` | |
| `bar.foo.CustomSanitizer#sanitize(String input)`<br>`bar.foo.CustomSanitizer#sanitize(String input, String input2)` | `SANITIZER:COMMAND_INJECTION:bar.foo.CustomSanitizer:sanitize:java.lang.String` | Applies to the first method only. |
| `bar.foo.CustomSanitizer#sanitize(String input)`<br>`bar.foo.CustomSanitizer#sanitize(String input, String input2)` | `SANITIZER:COMMAND_INJECTION:bar.foo.CustomSanitizer:sanitize` | Applies to both methods. |
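The following is an added example, not code from Datadog or from this page: a small parser that checks a `DD_IAST_SECURITY_CONTROLS_CONFIGURATION` value against the format and field rules above before it is handed to an agent. It walks the page's own example entries, enforces that `*` stands alone, that "parameters to validate" only appears on `INPUT_VALIDATOR` entries, and that explicit positions fall inside an explicit parameter list. One point the page leaves open is how a fifth field such as `1` (positions) is told apart from `java.lang.String` (parameter types); the parser assumes a fifth field made only of integers is the position list, and that assumption is marked in the code.

```python
"""Added example: parse and validate DD_IAST_SECURITY_CONTROLS_CONFIGURATION entries.

Format, as given on the page:
  <TYPE>:<SECURE_MARKS>:<CLASS/FILE>:<METHOD>:<PARAMETERS>:<PARAMETERS TO VALIDATE>
Entries are separated by ';', fields by ':', list items by ','.
"""
import os
from dataclasses import dataclass

ENV_VAR = "DD_IAST_SECURITY_CONTROLS_CONFIGURATION"
VALID_TYPES = ("INPUT_VALIDATOR", "SANITIZER")


@dataclass(frozen=True)
class SecurityControl:
    type: str               # INPUT_VALIDATOR or SANITIZER
    secure_marks: tuple     # vulnerability codes, or ("*",) for all of them
    target: str             # fully qualified class or file
    method: str             # method name
    parameters: tuple = ()  # fully qualified parameter types (overload selection)
    positions: tuple = ()   # zero-based positions to validate (INPUT_VALIDATOR only)


def _split_list(raw: str) -> tuple:
    """Split a comma-separated list field; empty items are a configuration error."""
    items = tuple(item.strip() for item in raw.split(","))
    if any(not item for item in items):
        raise ValueError(f"empty item in list field: {raw!r}")
    return items


def _looks_like_positions(raw: str) -> bool:
    # Assumption (not stated on the page): a field made only of non-negative
    # integers is a "parameters to validate" list, anything else is parameter types.
    return all(part.strip().isdigit() for part in raw.split(","))


def parse_control(entry: str) -> SecurityControl:
    """Parse one security control entry, raising ValueError on any rule violation."""
    fields = [f.strip() for f in entry.strip().split(":")]
    if not 4 <= len(fields) <= 6:
        raise ValueError(f"expected 4 to 6 fields, got {len(fields)}: {entry!r}")
    ctype, marks, target, method = fields[:4]
    if ctype not in VALID_TYPES:
        raise ValueError(f"unknown type {ctype!r}; expected one of {VALID_TYPES}")
    if not target or not method:
        raise ValueError(f"class/file and method are required: {entry!r}")
    secure_marks = _split_list(marks)
    if "*" in secure_marks and len(secure_marks) > 1:
        raise ValueError("'*' cannot be combined with other secure marks")

    optional = fields[4:]
    parameters, raw_positions = (), ""
    if len(optional) == 2:                      # both optional fields present
        parameters = _split_list(optional[0]) if optional[0] else ()
        raw_positions = optional[1]
    elif len(optional) == 1 and _looks_like_positions(optional[0]):
        raw_positions = optional[0]             # e.g. "...:validate:1,2"
    elif len(optional) == 1:
        parameters = _split_list(optional[0])   # e.g. "...:validate:java.lang.String"

    positions = ()
    if raw_positions:
        if ctype != "INPUT_VALIDATOR":
            raise ValueError("'parameters to validate' is only allowed for INPUT_VALIDATOR")
        if not _looks_like_positions(raw_positions):
            raise ValueError(f"positions must be non-negative integers: {raw_positions!r}")
        positions = tuple(int(p) for p in _split_list(raw_positions))
        if parameters and max(positions) >= len(parameters):
            raise ValueError(f"position {max(positions)} is out of range for {parameters}")
    return SecurityControl(ctype, secure_marks, target, method, parameters, positions)


def parse_config(config: str) -> list:
    """Split a full configuration value on ';' and parse every non-empty entry."""
    return [parse_control(e) for e in config.split(";") if e.strip()]


def format_control(control: SecurityControl) -> str:
    """Serialise back to the page's format, omitting optional fields that are empty."""
    fields = [control.type, ",".join(control.secure_marks), control.target, control.method]
    if control.parameters:
        fields.append(",".join(control.parameters))
    if control.positions:
        fields.append(",".join(str(p) for p in control.positions))
    return ":".join(fields)


def is_rejected(entry: str) -> bool:
    """True when the entry violates the format rules (used to check negative cases)."""
    try:
        parse_control(entry)
    except ValueError:
        return True
    return False


def load_from_env(environ=None) -> list:
    """Read and validate the controls from the environment variable the page names."""
    environ = os.environ if environ is None else environ
    return parse_config(environ.get(ENV_VAR, ""))


if __name__ == "__main__":
    # Constructed configuration value, built from two of the page's example entries
    sample = ";".join([
        "INPUT_VALIDATOR:COMMAND_INJECTION:bar.foo.CustomInputValidator:validate:1,2",
        "SANITIZER:*:bar.foo.CustomSanitizer:sanitize",
    ])
    for control in load_from_env({ENV_VAR: sample}):
        print(format_control(control), "->", control)
```

Running the check in CI, before the variable reaches a deployment, turns a silently ignored or mis-scoped control (for example a position list on a `SANITIZER` entry, which would never validate anything) into a build failure rather than a missing or spurious finding later.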