
How does Application Security detect injection vulnerabilities?

frank
Newcomer

I am new to Dynatrace's Application Security capabilities, so pardon me if my question sounds trivial: the following is an excerpt from https://www.dynatrace.com/news/blog/automatic-detection-and-blocking-of-attacks/ which hints that Dynatrace performs source/sink tracking or taint propagation to identify injection vulnerabilities.

 

With transaction analysis and code-level insights, Dynatrace detects whenever user-generated inputs are sent to vulnerable application components without sanitization. With this approach, you can identify SQL injection attacks, command injection attacks, and JNDI attacks like log4shell or the H2 vulnerability.

This means that Dynatrace doesn’t rely on vulnerability databases but is rather able to identify and block such attacks automatically even if they are exploiting unknown weaknesses. A perfect OWASP benchmark score for injection attacks—100% accuracy and zero false positives—impressively proves the precision of our approach.

 

The examples I've come across of Application Security issues Dynatrace is able to identify seem to rely on vulnerability databases such as Snyk to identify component vulnerabilities, or am I missing something? I'm not interested in Dynatrace flagging component vulnerabilities without proof-of-exploitability: that is already covered by other SCA tools.

 

Can someone who's experienced with Dynatrace Application Security capabilities confirm if it has source/sink tracking and/or taint propagation capabilities that are capable of detecting and preventing injection attacks that are introduced with custom code without code change?

5 REPLIES

Julius_Loman
DynaMight Guru

I believe this is one of the upcoming features in Dynatrace 1.242 / OneAgent 1.241.  Details are not publicly available yet - stay tuned.

Until now, the Application Security module relied on the vulnerability list from the vulnerability feed - where SNYK was the (main) source.

Certified Dynatrace Master | TEMPEST a.s., Slovakia, Dynatrace Master Partner

techean
Dynatrace Pro

Just a basic info as it's not public: we compare the deployed packages with a list of vulnerable packages, and DAVIS acts as a security advisor to take the needful action. Code level insights and other data are used to determine the technology packages and code pattern used by any application.

Stay tuned

Application Security Product Tour (dynatrace.com)

KG

frank
Newcomer

Thanks both for your replies, that answered my question and more. 

 

Will keep an eye on the upcoming release. 

@frank  in the meantime you can check this video from Perform which shows part of it in action (mainly the second half):
https://www.dynatrace.com/perform-2022-ondemand/breakouts/address-log4shell-with-ease/


Certified Dynatrace Master | TEMPEST a.s., Slovakia, Dynatrace Master Partner

GerhardByrne
Dynatrace Enthusiast

Hi @frank,

As already mentioned, the OSS library vulnerability assessment is using our partner Snyk's best-in-class vulnerability database.

 

With the upcoming attack protection, we are going a step further and - as you already expected - tracking user-generated input through the code paths to detect injection attacks on custom and library code. This gives us the capability of not only detecting known vulnerabilities, but also finding undiscovered vulnerabilities in all monitored Java applications.

And that with the flip of a switch - no code changes or configuration necessary.
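
The source/sink tracking idea discussed in this thread, as an added Python illustration; it is not Dynatrace code and not from any of the posters, and the thread does not describe how OneAgent implements it. All names (`Tainted`, `http_param`, `as_int`, `execute`) are hypothetical and the input is constructed.

```python
import sqlite3

class Tainted(str):
    """String that came from a source (user input); taint survives concatenation.
    Only + is covered here; a complete tracker must cover every string operation."""
    def __add__(self, other):
        return Tainted(str.__add__(self, other))
    def __radd__(self, other):
        return Tainted(str.__add__(other, self))

class InjectionBlocked(Exception):
    pass

def http_param(value):
    """Source (hypothetical): anything read from a request is marked tainted."""
    return Tainted(value)

def as_int(value):
    """Sanitizer: a validated integer cannot carry SQL, so it comes back untainted."""
    return str(int(value))

def execute(conn, sql, params=()):
    """Sink: tainted data may be bound as a parameter but must not be query text."""
    if isinstance(sql, Tainted):
        raise InjectionBlocked("user input reached SQL text: %r" % str(sql))
    return conn.execute(sql, params).fetchall()

def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    user_input = http_param("1 OR 1=1")  # constructed sample input
    results = {}
    try:
        # Custom code that concatenates input: flagged at the sink, with no
        # vulnerability database involved.
        execute(conn, "SELECT name FROM users WHERE id = " + user_input)
        results["concat"] = "allowed"
    except InjectionBlocked:
        results["concat"] = "blocked"
    # Same input bound as a parameter: treated as data only, so it passes.
    results["bound"] = execute(
        conn, "SELECT name FROM users WHERE id = ?", (user_input,))
    # Sanitized input: taint removed, so concatenation is accepted.
    results["sanitized"] = execute(
        conn, "SELECT name FROM users WHERE id = " + as_int(http_param("2")))
    return results
```
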