As organizations increasingly adopt continuous delivery practices and deploy code as often as every few seconds, the number of vulnerabilities in your code and the potential for them to go undetected increases. Not knowing which vulnerabilities to focus on can be extremely costly—both in terms of the resources needed to address them as well as the risk they pose for your system. Application security testing tools and approaches can help you search for these vulnerabilities, but they require manual configuration and are slow to adopt and run. Additionally, they provide limited visibility into your code and don’t necessarily prioritize the vulnerabilities that most need your attention.
To surface critical security issues with minimal effort, Datadog Application Vulnerability Management now provides real-time, code-level vulnerability detection based solely on your application traffic, no scans or security tests required. You can use the Vulnerability Explorer page to view context-sensitive risk scores and pivot directly to affected cloud workloads and hosts, enabling you to efficiently triage the most critical security issues. Then, you can use source code snippets—with the exact files and line numbers containing the vulnerabilities highlighted—and suggested remediation actions to proactively identify solutions.
In this post, we’ll explore how Application Vulnerability Management enables you to:
- Identify code-level vulnerabilities during runtime
- Prioritize critical vulnerabilities with meaningful risk assessments
- Use source code insights to accelerate remediation
In order to balance the demands of fast-paced deployments against the need to reduce the attack surface area of your application, you need to prioritize the vulnerabilities that matter most—in other words, the ones that actively pose risks to your system. Traditional risk management practices often focus on the open source code that dominates cloud-native applications, but this code tends to consist of third-party libraries that are chosen for a specific feature and largely ignored. As a result, the majority of active code running in your system at any given point—nearly 80% of it—is actually application code written by development teams.
As a response to this, in addition to our open source vulnerability detection, Datadog also uses an Interactive Application Security Testing (IAST) approach to find vulnerabilities within your application code. By using instrumentation embedded in your code, Application Vulnerability Management monitors your code’s internal operations as well as its interactions with other components of your stack, such as libraries and infrastructure. This enables Datadog to identify vulnerabilities using legitimate application traffic, without needing to rely on external tests that could require extra configuration or periodic scheduling. By actively monitoring your applications during runtime, Application Vulnerability Management provides an up-to-date view of your attack surface that enables you to quickly identify potential issues.
With Application Vulnerability Management, Datadog gives you access to real-time threat data that helps you quickly understand which vulnerabilities present an active danger to your system. Each vulnerability comes with both a severity rating—critical, high, medium, or low—and a risk score (shown in the screenshot below). This score is tailored to the specific runtime context, taking into account factors such as where the vulnerability is deployed and whether the service is currently being targeted by attacks. Additionally, inspecting the vulnerability expands a side panel that contains a brief description of the issue—including the services impacted, the type of vulnerability, and when the problem was first detected—to help you quickly triage.
Let’s say that you’ve just released changes to an important feature and are reviewing your code for security issues. By viewing the Vulnerability Explorer page, you quickly see that numerous SQL injection vulnerabilities have been detected in related services. You look at the timeline details and confirm that this issue was introduced as a result of the recent feature updates. From here, you can use the vulnerability side panel to organize your triaging activities and pivot directly to associated cloud workloads and hosts in order to investigate where the vulnerability has been deployed.
Datadog doesn’t just detect vulnerabilities—it also gives you the actionable insights you need to immediately start fixing them. From the vulnerability side panel, you can view the filename of the problematic source code, as well as the exact line and method in your code that the vulnerability was detected in. And with Datadog’s GitHub integration, you can view relevant snippets of code directly alongside other troubleshooting details, such as associated versions and commits. This enables you to pinpoint exactly where in your code the vulnerability is located, streamlining the remediation process and reducing the risk exposure time.
To help you understand the actions you need to take to fix the vulnerability, you can also view the Remediation tab (shown below) for a step-by-step walkthrough of changes you can implement, including example source code that you can easily customize to your application. Additionally, you can jump directly from the panel to the source file in GitHub, IntelliJ, or VS Code to make these fixes.
Continuing the example from before, once you’ve identified the SQL injections, you can use the source code integration to identify the exact line containing the vulnerability, helping you quickly pinpoint the problematic command. You’re then able to pivot to the Remediation tab to determine how you can fix this issue. For a SQL injection, this could include passing sanitized or validated user input into the command as an argument, as opposed to simply concatenating it on.
By using an IAST approach to detect vulnerabilities in your code from the inside out, Datadog Application Vulnerability Management surfaces critical issues that pose an active risk to your production environments. This helps you focus your triage efforts and eliminate the noise that can come from leaving out runtime context. And with source code snippets and suggested remediation actions, you can proactively fix vulnerabilities before they can be exploited by bad actors as well as reduce the risk of security incidents that could impact user trust.
To get started with code-level vulnerability detection, you can sign up for the public beta program or check out our documentation to learn more. Or, if you’re not yet a Datadog user, you can sign up for a 14-day free trial today.