30 May 2022 04:49 AM - last edited on 30 May 2022 08:26 AM by MaciejNeumann
I am new to Dynatrace's Application Security capabilities, so pardon me if my question sounds trivial: the following is an excerpt from https://www.dynatrace.com/news/blog/automatic-detection-and-blocking-of-attacks/ which hints that Dynatrace performs source/sink tracking or taint propagation to identify injection vulnerabilities.
With transaction analysis and code-level insights, Dynatrace detects whenever user-generated inputs are sent to vulnerable application components without sanitization. With this approach, you can identify SQL injection attacks, command injection attacks, and JNDI attacks like log4shell or the H2 vulnerability.
This means that Dynatrace doesn’t rely on vulnerability databases but is rather able to identify and block such attacks automatically even if they are exploiting unknown weaknesses. A perfect OWASP benchmark score for injection attacks—100% accuracy and zero false positives—impressively proves the precision of our approach.
The examples I've come across of Application Security issues Dynatrace is able to identify seem to rely on vulnerability databases such as Snyk to identify component vulnerabilities, or am I missing something? I'm not interested in Dynatrace flagging component vulnerabilities without proof-of-exploitability: that is already covered by other SCA tools.
Can someone who's experienced with Dynatrace Application Security capabilities confirm if it has source/sink tracking and/or taint propagation capabilities that are capable of detecting and preventing injection attacks that are introduced with custom code, without code change?
31 May 2022 12:53 PM
I believe this is one of the upcoming features in Dynatrace 1.242 / OneAgent 1.241. Details are not publicly available yet - stay tuned.
Until now, the Application Security module relied on the vulnerability list from the vulnerability feed - where SNYK was the (main) source.
31 May 2022 01:19 PM - last edited on 01 Aug 2023 08:16 PM by ghaydtner
Just some basic info, as it's not public: we compare the deployed packages with a list of vulnerable packages, and DAVIS acts as a security advisor to take the needful action. Code level insights and other data are used to determine the technology packages and code pattern used by any application.
Stay tuned
Application Security Product Tour (dynatrace.com)
03 Jun 2022 02:20 AM
Thanks both for your replies, that answered my question and more.
Will keep an eye on the upcoming release.
03 Jun 2022 07:30 AM
@frank in the meantime you can check this video from Perform which shows part of it in action (mainly the second half):
https://www.dynatrace.com/perform-2022-ondemand/breakouts/address-log4shell-with-ease/
07 Jun 2022 07:24 AM
Hi @frank ,
as already mentioned, the OSS library vulnerability assessment is using our partner Snyk's best-in-class vulnerability database.
With the upcoming attack protection, we are going a step further and - as you already expected - tracking user-generated input through the code paths to detect injection attacks on custom and library code. This gives us the capability of not only detecting known vulnerabilities, but also finding undiscovered vulnerabilities in all monitored Java applications.
And that with the flip of a switch - no code changes or configuration necessary.
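
For readers unfamiliar with the source/sink taint tracking discussed in this thread, here is a minimal illustration, added as an example: it is not Dynatrace code and does not show how OneAgent implements the feature. The names `Tainted`, `source`, `sink_execute`, `InjectionBlocked` and the in-memory sample database are hypothetical and constructed for the illustration.

```python
import sqlite3

class Tainted(str):
    """Marks a string that came from a taint source (user input)."""
    def __add__(self, other):       # tainted + anything stays tainted
        return Tainted(str.__add__(self, other))
    def __radd__(self, other):      # anything + tainted becomes tainted
        return Tainted(str.__add__(other, self))

class InjectionBlocked(Exception):
    """Raised when tainted data reaches the SQL text of a sink."""

def source(raw):
    """Taint source, e.g. an HTTP request parameter (constructed here)."""
    return Tainted(raw)

def sink_execute(conn, sql, params=()):
    """Taint sink: refuse query text that carries taint.
    Tainted values passed as bound parameters never become SQL syntax."""
    if isinstance(sql, Tainted):
        raise InjectionBlocked("user input reached SQL text")
    return conn.execute(sql, params).fetchall()

def make_db():
    # Constructed sample data, in memory only.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn

def lookup_vulnerable(conn, name):
    # Custom code using concatenation: taint propagates into the query text.
    sql = "SELECT role FROM users WHERE name = '" + name + "'"
    return sink_execute(conn, sql)

def lookup_safe(conn, name):
    # Bound parameter: the query text itself stays untainted.
    return sink_execute(conn, "SELECT role FROM users WHERE name = ?", (name,))

if __name__ == "__main__":
    db = make_db()
    print(lookup_safe(db, source("alice")))
    try:
        lookup_vulnerable(db, source("x' OR '1'='1"))
    except InjectionBlocked as exc:
        print("blocked:", exc)
```

This sketch only propagates taint through `+` concatenation; other string operations (f-strings, `format`, slicing) would return plain `str` and lose the mark, which is why production taint tracking is done by instrumenting the runtime rather than by wrapping types.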