Datadog Code Security achieves 100 percent accuracy in OWASP Benchmark by using an IAST approach

Authors: Gorka Vicente, Eyal Engel

Published: May 1, 2024

As application architectures shift to the cloud and the velocity of software delivery accelerates, organizations are seeking more powerful capabilities to identify security vulnerabilities within their production applications. Traditional static application security testing (SAST) tools, by themselves, are insufficient. Because they don’t evaluate the flow of data in a real-world context, they tend to generate false positives and miss true risks—allowing vulnerable code to make its way to production more frequently. Meanwhile, an interactive application security testing (IAST) approach to vulnerability detection, while effective, has typically impacted application performance.

In response to this need, Datadog Code Security offers the only production-ready IAST solution built on an observability platform and designed with performance in mind.

We are pleased to announce that Datadog Code Security has achieved an accuracy score of 100 percent in the rigorous OWASP Benchmark test. This result demonstrates the power of Code Security’s IAST approach in correctly detecting application vulnerabilities while avoiding the reporting of false positives—all in a production-ready solution.

Datadog Code Security proves its accuracy

The OWASP Benchmark is a fully executable web application intended to be scanned by vulnerability detection tools. The benchmark evaluates the accuracy, coverage, and speed of these tools, allowing users to measure quality in an objective and vendor-neutral way. The latest version of the benchmark is built with almost 3,000 test cases, which include a combination of true application vulnerabilities and decoys that are intended to elicit a false positive reading during a vulnerability scan. These test cases cover 11 distinct categories of vulnerabilities that lend themselves to particular attacks, including LDAP injection, SQL injection, and cross-site scripting (XSS) attacks. Approximately half of the test cases represent real vulnerabilities, while the remaining half serve as control measures designed to trigger false positives.
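The following is an added illustration, not Datadog's or the OWASP Benchmark's own code, of the two points above: runtime data-flow tracking (the IAST approach) versus purely textual rules, and the Benchmark's pairing of real vulnerabilities with decoys. It is a toy taint tracker in Python run over constructed SQL injection cases and scored as true positive rate minus false positive rate, the Benchmark's scoring formula; the Tainted class, the case functions and the payload are all constructed here.

```python
class Tainted(str):
    """Request-derived string; concatenation keeps the mark (runtime data flow)."""
    def __add__(self, other):
        return Tainted(str.__add__(self, other))
    def __radd__(self, other):
        return Tainted(str.__add__(other, self))

def request_param(value):
    """Instrumented source: anything read from the request is tainted."""
    return Tainted(value)
findings = []  # what the "tool" reports for the case currently running

def execute_sql(query, params=()):
    """Instrumented sink: tainted query text reaching the driver is a real SQLi flow."""
    if isinstance(query, Tainted):
        findings.append(query)
    return "executed"  # bound params never become part of the SQL text

# Constructed Benchmark-style cases (not the real ones): two real flows, two decoys.
def build_where(name):
    return " WHERE name = '" + name + "'"
def case_real_direct(v):
    execute_sql("SELECT * FROM users WHERE name = '" + request_param(v) + "'")

def case_real_via_helper(v):  # the flow survives a call boundary
    execute_sql("SELECT * FROM users" + build_where(request_param(v)))

def case_decoy_parameterized(v):  # input is bound, never concatenated
    execute_sql("SELECT * FROM users WHERE name = ?", (request_param(v),))

ALLOWED = ("alice", "bob")
def case_decoy_allowlist(v):  # only an allowlist constant reaches the query
    p = request_param(v)
    safe = next((a for a in ALLOWED if a == p), "guest")
    execute_sql("SELECT * FROM users WHERE name = '" + safe + "'")

BENCHMARK = [(case_real_direct, True), (case_real_via_helper, True),
             (case_decoy_parameterized, False), (case_decoy_allowlist, False)]

def run_benchmark(cases=BENCHMARK, payload="alice' OR '1'='1"):
    """Exercise each case once; return (TPR, FPR, score) with score = TPR - FPR."""
    tp = fp = real = decoy = 0
    for fn, vulnerable in cases:
        findings.clear()
        fn(payload)
        flagged = bool(findings)
        real, tp = real + vulnerable, tp + (flagged and vulnerable)
        decoy, fp = decoy + (not vulnerable), fp + (flagged and not vulnerable)
    tpr, fpr = tp / real, fp / decoy
    return tpr, fpr, tpr - fpr
```

A textual rule that flags every query built by string concatenation would also flag the allowlist decoy; tracking the mark at runtime distinguishes the two because only the constant from ALLOWED ever reaches the sink.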

As shown in the scorecard below, Datadog Code Security scored 100 percent in the OWASP Benchmark, demonstrating its high dependability in detecting true threats and avoiding false positives. This is an important combination of capabilities that ensures security teams can place a high degree of trust in the signals they receive from Code Security.

OWASP Benchmark Test Results

Note: While the OWASP Benchmark is a Java test suite, Datadog Code Security uses the same high-quality detection rules for code written in .NET and Node.js.

Benefits beyond the OWASP Benchmark

While achieving excellence in the OWASP Benchmark is a significant milestone, Datadog Code Security also includes security capabilities not measured by the test. These include the ability to detect vulnerabilities for server-side request forgeries (SSRFs), unvalidated redirects, hardcoded secrets, NoSQL injection attacks, and more. In fact, Code Security includes over 20 additional detection rules beyond what is tested in the OWASP Benchmark.

Another key advantage that sets apart Code Security’s IAST-based approach is the specificity of the results the tool provides. When a vulnerability is detected, our solution delivers highly specific information about it, including not only the vulnerability type and affected service name, but also the service owner, filename, and line number where the vulnerability appears. This unusually wide range of actionable information lets engineers locate the vulnerability easily and fix it quickly, minimizing the time to remediation and reducing overall risk exposure. Additionally, if teams enable our GitHub integration, Datadog displays the first impacted version of a service, the commit that introduced the vulnerability, and a snippet of the vulnerable code. This information helps teams quickly identify and prioritize vulnerabilities.

Vulnerability details for SQL injection

Finally, most IAST solutions heavily penalize applications during execution, and as a result, they are not usable in production due to the excessive overhead they introduce. Code Security, in contrast, does not incur a significant performance cost to applications thanks to its reliance on code instrumentation and its supporting observability platform. This makes Code Security a production-ready solution that allows teams to enjoy the advantages of IAST in a real-world setting.

Datadog is committed to security excellence

As cybersecurity threats continue to grow more sophisticated, it’s paramount to use increasingly innovative approaches, tools, and techniques to safeguard applications against vulnerabilities. By achieving 100 percent accuracy in the OWASP Benchmark, Datadog Code Security has demonstrated the accuracy and reliability of its IAST-powered approach in detecting active vulnerabilities while avoiding false positives—all in a production-ready solution.

If you’re a Datadog customer, you can start using Code Security by navigating to Application Security settings and following the instructions for Code Security. If you’re not yet a Datadog customer, you can sign up for a .