Track Open Source Security Exposure With Snyk and Datadog | Datadog

Track open source security exposure with Snyk and Datadog

Author Thomas Sobolik

Published: October 21, 2020

Using open source code makes it easier to build applications, but the freely available nature of open source code introduces the risk of pulling potential security vulnerabilities into your environment. Knowing whether or not customers are actually accessing the vulnerable parts of your application is key to triaging security threats without spending hours fixing an issue that doesn’t affect end users. Datadog has partnered with Snyk to integrate their best-in-class open source vulnerability analysis into the Datadog Continuous Profiler. With the new integration, teams can immediately identify exactly what parts of their application that are being called contain vulnerabilities—making it easy to focus remediation.

What is Snyk?

Snyk is a “developer-first” security platform that integrates with IDEs, version control and CI/CD tools to perform vulnerability analysis on your code. Snyk’s vulnerability database collates known dependency vulnerabilities using an intelligence-gathering tool which pulls and enriches data from security bulletins, Github commit threads, and Jira boards, as well as other publicly available vulnerability databases. The new integration, available to all Profiler customers, allows teams to track calls to potentially vulnerable code from within profiles. Rather than relying on signals from static code in a repository, you can now use the Profiler to gather insights on which vulnerabilities are most often exposed at runtime.

Identify vulnerabilities with the Continuous Profiler

Datadog’s Continuous Profiler is an always-on, production code profiler that lets you analyze code-level performance across your entire environment with minimal overhead. Profiles reveal performance bottlenecks in your code—whether by CPU usage, memory allocation, or wall time—as well as any runtime errors being thrown. You can use tags to quickly slice and dice your profiles by host, service, etc. and isolate performance issues in time-sensitive situations, then correlate your profiles with requests in APM for a granular understanding of performance across common request pathways.

Our Snyk integration expands this functionality to add visibility into where and when your services call functions from potentially vulnerable dependencies. For example, a dependency for your front end might have implemented improper HTTP request validation, possibly exposing your application to cross-site scripting attacks. Because the function calling this dependency will likely run on every user session, you’ll want to patch this exposure as soon as possible.

A new tab on the Continuous Profiler dashboard tells you the severity of security risk incurred by your dependencies at a glance.

From the Continuous Profiler dashboard, you can catch your services’ most recent calls to documented vulnerabilities, getting observability into both code performance and security risk on a single pane of glass. Snyk’s database collates vulnerability scores from FIRST’s Common Vulnerability Scoring System (CVSS). The CVSS takes in contextual details such as attack vector (can the attack be executed over a public network? Or only via physical interaction with the vulnerable server?), attack complexity (does the attack’s success depend on factors beyond the attacker’s control?), and impact (how does a successful attack affect the availability, integrity, or confidentiality of your service’s output?) to characterize the severity of a successful vulnerability exploit.

Viewing a code profile affected by a dependency vulnerability enables you to assess the risk and use Snyk's database to determine an appropriate course for remediation.

The details page of an affected profile provides a link through to the corresponding entry in Snyk’s vulnerability database. In the profile shown above, we can see that Snyk has documented a potential denial of service exploit for one of the dependencies invoked by the ‘product-recommendation’ service. The Snyk database entry for the exploit will provide contextual information about the type of attack the invoked dependency is vulnerable to, as well as best practices for protecting your application and any available updates/rollbacks to remediate the problem. Snyk has made their database freely available to all Datadog Continuous Profiler customers, so you can leverage the new feature immediately, without any additional cost.

Get started with Snyk and Datadog

With Snyk now natively integrated in Datadog’s Continuous Profiler, you can seamlessly access valuable security information with service- and host-level granularity alongside vital performance data from your code profiles. See our documentation for information on how to access the integration by setting up Continuous Profiler. Or, if you’re not using Datadog yet, sign up for a to get started.