Application Vulnerability Management
Overview
Application Vulnerability Management offers built-in detection capabilities that warn you about the vulnerabilities detected in your services’ open source dependencies. Details of that information are shown in the Vulnerability Explorer, identifying the severity, affected services, potentially vulnerable infrastructure, and remediation instructions to solve the surfaced risks.
Check ASM Compatibility to see if your service is supported.
The Vulnerability Explorer shows a complete list of vulnerabilities detected by Application Vulnerability Management across all your services, ordering the vulnerabilities based on their severity, and offering grouping and filtering capabilities so you can investigate and prioritize problems. For open source vulnerabilities, it shows the number of affected services, the language of the affected library, and the last time that vulnerability was detected.
Select a specific vulnerability to see its details, including which services are affected. From here you can explore what containers and infrastructure are potentially affected by the vulnerability, so you know more about the extent of a risk. This provides valuable information for prioritizing remediation tasks.
Within ASM, the severity of a vulnerability is modified from the base score to take into account the presence of attacks and the business sensitivity of the environment where the vulnerability is detected. For example, if no production environment is detected, the severity is reduced.
The adjusted vulnerability score includes the full context of each service:
- The original vulnerability severity
- Evidence of suspicious requests
- Sensitive or internet-exposed environments
The explorer also offers remediation recommendations for detected vulnerabilities that enable you to change the status of a vulnerability, and assign it to a team member for further review. It also includes a collection of links and references to websites or information sources that help you understand the context behind each vulnerability.
Manage open source vulnerabilities
Application Vulnerability Management detects the open source libraries used by your application at runtime, and reports security vulnerabilities associated with them. In order to do it, Application Vulnerability Management combines various public open source software known vulnerability data sources along with data obtained by Datadog security research team. Datadog does not scan your source code and the analysis is based on how your application behaves during runtime.
Manage code-level vulnerabilities
Code-level vulnerabilities detection for Application Vulnerability Management is in beta. To use it for your service, follow the
Setup instructions.Datadog is able to indicate the file name and line number where the vulnerability is located, without scanning the source code.
The code-level vulnerability types that can be found include:
- Weak Cipher
- Weak Hash
- SQL injection
- Path traversal
- LDAP injection
- Command Injection
- Server Side Request Forgery (SSRF)
- Insecure Cookie
- Cookie without HttpOnly Flag
- Cookie without SameSite Flag
- Unvalidated Redirect
Disabling code-level vulnerability detection capability
To disable code-level vulnerability detection capability in Vulnerability Management, remove the DD_IAST_ENABLED=true environment variable from your application configuration, and restart your service.
If you need additional help, contact Datadog support.
Application Vulnerability Management enriches the information APM is already collecting, and flags libraries that match with current vulnerability advisories. Potentially vulnerable services are highlighted directly in the security views embedded in the APM Service Catalog.
Further reading
Additional helpful documentation, links, and articles:
