Application Vulnerability Management
Overview
Application Vulnerability Management offers built-in detection capabilities that warn you about the vulnerabilities detected in your services’ open source dependencies. Details of that information are shown in the Vulnerability Explorer, identifying the severity, affected services, potentially vulnerable infrastructure, and remediation instructions to solve the surfaced risks.
Check ASM Compatibility to see if your service is supported.
The Vulnerability Explorer shows a complete list of vulnerabilities detected by Application Vulnerability Management across all your services, ordering the vulnerabilities based on their severity, and offering grouping and filtering capabilities so you can investigate and prioritize problems. For open source vulnerabilities, it shows the number of affected services, the language of the affected library, and the last time that vulnerability was detected.
Select a specific vulnerability to see its details, including which services are affected. From here you can explore what containers and infrastructure are potentially affected by the vulnerability, so you know more about the extent of a risk. This provides valuable information for prioritizing remediation tasks.
Within ASM, the severity of a vulnerability is modified from the base score to take into account the presence of attacks and the business sensitivity of the environment where the vulnerability is detected. For example, if no production environment is detected, the severity is reduced.
The adjusted vulnerability score includes the full context of each service:
- The original vulnerability severity
- Evidence of suspicious requests
- Sensitive or internet-exposed environments
The explorer also offers remediation recommendations for detected vulnerabilities, lets you change the status of a vulnerability, and lets you assign it to a team member for further review. It also includes a collection of links and references to websites and information sources that help you understand the context behind each vulnerability.
Detect known open source vulnerabilities
Application Vulnerability Management detects the open source libraries used by your application at runtime and reports the security vulnerabilities associated with them. To do so, it combines several public known-vulnerability data sources for open source software with data obtained by the Datadog security research team. Datadog does not scan your source code; the analysis is based on how your application behaves at runtime.
Detect custom code vulnerabilities
Detection of custom code vulnerabilities (unknown vulnerabilities) is in private beta. Request access to the feature by contacting Support.
Application Vulnerability Management can find issues in your services’ custom code, the proprietary code that implements the business logic of your application from scratch, in addition to open source and third party libraries.
Datadog is able to indicate the file name and line number where the vulnerability is located, without scanning the source code.
The custom code vulnerabilities it can find include:
- Insecure Cipher
- Insecure Hashing
- Weak Randomness
- SQL injection
- Path traversal
- LDAP injection
- Command Injection
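To illustrate how a runtime agent can report the file name and line number of a finding without reading the source tree, here is a small added example (not Datadog's implementation) that hooks `hashlib.md5`/`hashlib.sha1` and `random.random` in a Python process and records the calling location for the Insecure Hashing and Weak Randomness classes listed above. The `Finding` type, rule names and the `legacy_token` application code are constructed for this example.

```python
"""Illustrative runtime (IAST-style) detection of insecure hashing and weak randomness.

Added example, not Datadog's code: it wraps library calls at runtime and records
the caller's file and line, so findings carry a location without scanning source.
"""
import hashlib
import inspect
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str     # vulnerability class, e.g. "Insecure Hashing"
    symbol: str   # library call that triggered the rule
    file: str
    line: int


FINDINGS: list[Finding] = []


def _caller_location() -> tuple[str, int]:
    # Frame 0 is this helper, 1 is the wrapper, 2 is the application code.
    frame = inspect.stack()[2]
    return frame.filename, frame.lineno


def _instrument(module, name: str, rule: str) -> None:
    original = getattr(module, name)
    if getattr(original, "_avm_hooked", False):
        return  # already wrapped; keep install_hooks idempotent

    def wrapper(*args, **kwargs):
        file, line = _caller_location()
        FINDINGS.append(Finding(rule, f"{module.__name__}.{name}", file, line))
        return original(*args, **kwargs)

    wrapper._avm_hooked = True
    setattr(module, name, wrapper)


def install_hooks() -> None:
    for name in ("md5", "sha1"):
        _instrument(hashlib, name, "Insecure Hashing")
    _instrument(random, "random", "Weak Randomness")


def findings_for(rule: str) -> list[Finding]:
    return [f for f in FINDINGS if f.rule == rule]


# Constructed application code that exercises both hooks.
def legacy_token(user: str) -> str:
    digest = hashlib.md5(user.encode()).hexdigest()  # flagged: Insecure Hashing
    nonce = int(random.random() * 1_000_000)         # flagged: Weak Randomness
    return f"{digest}:{nonce}"
```

Calling `install_hooks()` and then `legacy_token("alice")` yields one finding per rule, each pointing at the line in `legacy_token` that made the call.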
Application Vulnerability Management enriches the information APM is already collecting, and flags libraries that match with current vulnerability advisories. Potentially vulnerable services are highlighted directly in the security views embedded in the APM Service Catalog.