Introducing Datadog Application Security Monitoring | Datadog

Introducing Datadog Application Security Monitoring

Author Lucas Masson

Last updated: 4月 27, 2022

Securing modern-day production systems is expensive and complex. Teams often need to implement extensive measures, such as secure coding practices, security testing, periodic vulnerability scans and penetration tests, and protections at the network edge. Even when organizations have the resources to deploy these solutions, they still struggle to keep pace with software teams, especially as they accelerate their release cycles and migrate to distributed systems and microservices. Unscalable, piecemeal approaches to application security have fostered insecure applications that offer an easy target for attackers, putting customer data and company infrastructure at risk.

Only 12 months after we welcomed Sqreen to the Datadog team, we’re excited to announce the general availability of Datadog Application Security Monitoring (ASM), a new offering within the Cloud Security Platform that empowers security, operations, and development teams to build and run secure applications together—all from within the same platform they use every day.

In this post, we’ll explore how ASM can help you:

Datadog ASM generates Security Signals that can alert your team whenever threats actually exploit code-level vulnerabilities or target your application's business logic.

Get alerted when threats target the business logic of your production services

Companies are targeted with thousands of attacks every day, making it incredibly challenging for security and operations teams to focus on the threats that matter to their business. Most threats are not immediately harmful, such as bots and scanners that do not trigger anything in downstream services. However, their sheer volume can easily mask the most important threats (i.e., those that hit production services’ business logic), leaving them in danger of going undetected for days at a time.

Because Datadog collects observability and network data, as well as application runtime data, it can pinpoint and alert security and engineering teams to meaningful attacks. ASM generates Security Signals that can alert your team whenever threats actually exploit code-level vulnerabilities or target your applications’ business logic.

The severity of each Security Signal is defined based on the full execution context provided by the distributed trace, allowing your teams to easily disregard basic security scans that didn’t succeed in targeting any real application routes. Instead, you can quickly take action on the threats that matter most, such as actors trying to perform Server-Side Request Forgery (SSRF) on routes executing network queries. ​​

Because ASM collects observability and network data, as well as application runtime data, it can alert security and engineering teams to meaningful attacks. like SSRF attempts.

Today, our product offers coverage for a dozen classes of vulnerabilities, including SSRF, cross-site scripting (XSS), SQL injections (SQLi), and many more. This allows you to get visibility into most of the OWASP Top 10 attacks—and we plan to extend this coverage to reflect even more types of vulnerabilities in the future.

Identify authenticated bad actors taking aim at your applications

When targeting web applications and APIs, attackers will often perform an initial vulnerability discovery, usually through a standard security scan. While unlikely to expose security vulnerabilities in your application, this scan can provide attackers with an initial overview of your application’s topology, which includes your authentication endpoints. Unauthenticated users have very limited access to applications. Attackers will therefore either try to create accounts or gain access to existing accounts. Gaining authenticated access allows the attacker to benefit from a much wider attack surface, with the ability to query most of the endpoints. For security teams, being able to identify whether attacks are performed by non-authenticated actors or authenticated users is key for prioritizing which attacks require a response. Unauthenticated attacks are generally unharmful, while authenticated attacks are more likely to be sophisticated and targeted at sensitive parts of your application.

Datadog ASM provides the ability to link attacks to the authentication context through custom instrumentation of your authentication service. Any resulting Security Signals are enriched with this context so that teams can easily focus on authenticated attacks. This also allows teams to take precise actions to respond to the threat. Blocking an IP can come at a high risk—for example, doing so might inadvertently block all of the traffic from a data center or corporate IP. ASM enables security teams to identify which user accounts are suspicious, helping them take more granular actions like resetting the user password or revoking API keys.

Automatically enrich detected attacks with the authenticated user data.

Assess the impact of attacks and get code-level insights for remediation

Perimeter-based security solutions provide visibility into flat and edge attack traffic. This limited scope makes it difficult for teams to assess the potential impact of attacks, find out if something needs to be remediated, and determine who should be looped into any response efforts.

Datadog ASM leverages APM to trace the flow of attacks and attackers across distributed services, giving teams insight into how their applications, APIs, and databases reacted to threats. This means that security teams can now answer questions like:

  • Did this attack make it down to my PCI-compliant cluster?
  • What database queries have been executed with these suspicious requests?
  • Which public IP did this attack on an internal service originate from?
  • Did this SSRF attack trigger any calls to internal AWS services?
Datadog ASM leverages APM to trace the flow of attacks and attackers across distributed services, giving teams observability into how their applications, APIs, and databases reacted to threats.

Datadog APM and ASM also work together to surface errors, which are often the first step toward finding vulnerabilities. Datadog ASM provides visibility into related errors, all the way down to the stacktrace and even the exact piece of code affected, thanks to our source code integration, as shown below. But it also goes even further by gathering the runtime execution context from the trace, so you can quickly identify which attacks actually triggered code-level vulnerabilities. This is currently available for SQL injections, and we plan to expand our coverage over the next few months. With these actionable insights, security teams can now collaborate with engineering teams to strengthen their code together.

Datadog ASM gathers the runtime execution context from traces, so you can quickly identify which attacks actually triggered code-level vulnerabilities.

Reconstruct the attack vector across the stack with the Cloud Security Platform

As the cloud attack surface expands, attackers have more opportunities to target the weakest link of your stack, whether that lies in your applications, workloads, or infrastructure. Swiveling across multiple security point solutions for each of these layers wastes precious time during investigation. Because ASM is fully integrated into the Datadog Cloud Security Platform, teams can rely on a single source of truth to reconstruct the full attacker journey across the stack, get visibility into application vulnerabilities, and understand how attackers took control of the underlying infrastructure with Cloud Workload Security (CWS) and Cloud SIEM or exploited a cloud infrastructure misconfiguration with Cloud Security Posture Management (CSPM).

Datadog ASM is fully integrated in the Datadog Cloud Security Platform.

For a real-world example of how these products work together to help organizations detect and respond to threats, check out our Log4Shell or Spring4Shell blog posts.

Secure your applications with Datadog

Getting started with Datadog Application Security Monitoring is easy and frictionless since it leverages the same libraries that have already been deployed in any service that you are currently monitoring with APM. Simply add an environment variable and restart the application—no need to deploy yet another agent or redirect your traffic. See our documentation for more details.

If you’re already a Datadog customer, you can get started with ASM today. Otherwise, sign up for a 14-day .