Cisco Secure Application

Cisco Secure Application provides business-risk based visibility of security issues so that Security, Data, and IT teams can prioritize fixes for cloud native applications. This visibility reduces the risks associated with an application, its data, and infrastructure in the cloud. The Cisco Secure Application requires adding either the Cloud Security module, or the Data Security module.

Cisco Secure Application is available as standalone application on the Cisco Observability Platform. This page provides details of Cisco Secure Application, Cloud Security, which is also integrated into Cisco Cloud Observability. This integration allows you to deploy both applications, Cisco Secure Application and Cisco Cloud Observability, to receive insights across security, application, and infrastructure domains.

Cisco Secure Application and Cisco AppDynamics Entities

Cisco Secure Application will appear on the ECPs for your cloud infrastructure. An entity represents a system that Cisco Cloud Observability observes and collects data about. Entity types include databases, services, applications, pods, or other infrastructure components. Cisco Cloud Observability creates ECPs for each entity type that provide entity-specific performance metrics.

Cisco Secure Application, in turn, provides security risks, business risks, CVE IDs, Cisco Security Risk Scores, and CVSS scores in three places in the AppDynamics UI:

List View
List View > Properties panel
Detail View

Cisco Secure Application Supported Entities

Cisco Secure Application provides a security analysis at various levels of granularity depending on the ECP. Cisco Secure Application analyzes these infrastructure components represented by ECPs in Cisco Cloud Observability:

Business Transactions
Vulnerabilities
Pods
Workloads
Containers
Images

Navigate Cisco Secure Application

The next few sections will show you where to view Cisco Secure Application on the AppDynamics ECPs. We'll provide you with navigation steps to the Entity Page Data (ECPs) as well as annotated screenshots.

Business Transactions

Navigation Steps	List View	List View > Properties panel	Detail View	Cisco Secure Application Metrics and Calculations
List View: From your Cloud Tenant, navigate to Observe > Business Transactions. List View > Properties panel: From the List View, click on a specific business transaction. Detail View: From the Business Transactions page, click on a specific Business Transaction Name.	In the List View you will find: Business Risk Business Transaction Name	In the List View > Properties panel you will find: Business Risk Business risk factors Top 3 remediations	In the Detail View you will find: Health Violations Endpoints Metrics Average Response Time (milliseconds) Calls Per Minute Errors Per Minute Business Risk	Business Risk: This is calculated based on the likelihood of vulnerability exploitation, and the impact of the potential exploitation in a business transaction. The higher the value, the higher the risk for the application vulnerability. The three statuses of a Business Risk includes: Normal: 0-330 Warning: 340-660 Critical: 670-1000 Business risk score is calculated based on four factors: Business context: How important this business transaction is to your organization. Vulnerability context: Count and severity of vulnerabilities that are impacting underlying pods. Infrastructure context: Count of underlying pods that have high security risk. Data context: Count of logs with data of critical sensitivity. The Business Risk Total Score updates the business risk observability four times per day (once every 6 hours), taking into account the application, business, and security context.

Vulnerabilities

Navigation Steps

List View

List View > Properties panel

Detail View

Cisco Secure Application Metrics and Calculations

List View:
From your Cloud Tenant, navigate to Observe > Vulnerabilities.
List View > Properties panel:
From the List View of Vulnerabilities, click on a specific vulnerability.
Detail View:
From Vulnerabilities, click on a specific CVE ID.

In the List View you will find:

CVE ID
Cisco Security Risk Score
CVSS score
Package name
Affected version
Fix version

In the List View > Properties panel you will find:

CVE ID
Description
Cisco Security Risk Score details
CVSS scoring
Fix details

In the Detail View you will find:

Cisco Security Risk Score
CVSS score over time

CVE ID: The Common Vulnerabilities and Exposure (CVE) identifier.
Cisco Security Risk Score details include: Cisco Security Risk Score, Easily exploitable, Malware exploitable, Active internet breach, Popular target, Predicted exploitable. Cisco Security Risk Score details include true or false values.
Cisco Security Risk Score: This score provides an estimate of exploitation based on real-time events. The three statuses of a Cisco Security Risk Score includes:
- Green 0-33
- Amber 34-66
- Red 67-100
CVSS score: This score is based on the Common Vulnerability Scoring System (CVSS) with five severities:
- None: 0-0
- Low: 0.1-3.9
- Medium: 4.0-6.9
- High: 7.0-8.9
- Critical: 9.0-10.0
Package name: The package affected because of the vulnerability.
Affected version: The version that has the vulnerability.
Fix version: The version to upgrade the package for remediation.

Pods

Navigation Steps

List View

List View > Properties panel

Cisco Secure Application Metrics and Calculations

List View:
From your Cloud Tenant, navigate to Observe > Pods.
List View > Properties panel:
From the List View of Pods, click on a specific pod.

In the List View you will find:

Security Risk
Name

In the List View > Properties panel you will find:

Security Risk
Pod risk factors

The Security Risk shows the overall risk level of a pod, which is based on its risk factors like detected vulnerabilities, and Kubernetes misconfigurations. A high security risk impacts the business risk score of the business transaction that the pod is a part of.
Security Risk statuses: Critical, High, Medium, Low, or Unavailable.
Pod risk factors:
- Highest Cisco Security Risk Score
- Highest CVSS score
- Privileged access
- Can run as root
- Has a host path mounted with write privileges
- May have risky capabilities allowed
- Node PIDs maybe shared with this workload
- Has a risky role
- Can escalate its privileges
- Public facing

See Pods for more information.

Workloads

Navigation Steps

List View

List View > Properties panel

Cisco Secure Application Metrics and Calculations

List View:
From your Cloud Tenant, navigate to Observe > Workloads.
List View > Properties panel:
From the List View of Workloads, click on a specific workload.

In the List View you will find:

Security Risk
Name

In the List View > Properties panel you will find:

Security Risk
Workload risk factors

The Security Risk of a workload is based on the risk factors of the pods it manages, like detected vulnerabilities, and Kubernetes misconfigurations. A pod with high security risk also impacts the business risk score of the business transaction that the pod is a part of.
Security Risk statuses: Critical, High, Medium, Low, or Unavailable.
Workload risk factors:
- Highest Cisco Security Risk Score
- Highest CVSS score
- Privileged access
- Can run as root
- Has a host path mounted with write privileges
- May have risky capabilities allowed
- Node PIDs maybe shared with this workload
- Has a risky role
- Can escalate its privileges
- Public facing

See Workloads for more information.

Containers

Navigation Steps

List View > Properties panel

Cisco Secure Application Metrics and Calculations

List View > Properties panel:
From the List View of Containers, click on a specific container.

In the List View > Properties panel you will find:

Vulnerabilities Detected
- Highest Cisco Security Risk Score
- Highest CVSS score

Cisco Security Risk Score: This score provides an estimate of exploitation based on real-time events. The three statuses of a Cisco Security Risk Score includes:
- Green 0-33
- Amber 34-66
- Red 67-100
CVSS score: This score is based on the Common Vulnerability Scoring System (CVSS) with five severities:
- None: 0-0
- Low: 0.1-3.9
- Medium: 4.0-6.9
- High: 7.0-8.9
- Critical: 9.0-10.0

See Containers for more information.

Images

Navigation Steps

List View > Properties panel

List View > Properties panel

Detail View

Cisco Secure Application Metrics and Calculations

List View:
From your Cloud Tenant, navigate to Observe > Images.
List View > Properties panel:
From Images, click on the List View and the Properties panel will appear.
Detail View:
From Images, click on a specific Image name.

In the List View you will find:

Active Vulnerabilities
Highest Cisco Security Risk Score
Highest CVSS score

In the List View > Properties panel you will find:

Image Risk Factors:
- Vulnerability context
- Highest Cisco Security Risk Score
- Highest CVSS score

In the Detail View you will find:

Health Violations
Cisco Security Risk Score
CVSS score over time

Cisco Security Risk Score: This score provides an estimate of exploitation based on real-time events. The three statuses of a Cisco Security Risk Score includes:
- Green 0-33
- Amber 34-66
- Red 67-100
CVSS score: This score is based on the Common Vulnerability Scoring System (CVSS) with five severities:
- None: 0-0
- Low: 0.1-3.9
- Medium: 4.0-6.9
- High: 7.0-8.9
- Critical: 9.0-10.0

Cisco Secure Application Collectors

You can view Cisco Secure Application collectors in the Agent Management console. This allows you to view the collectors and clusters that have Cisco Secure Application deployed. See Agent Management.

Troubleshooting Cisco Secure Application

These tips are common troubleshooting actions that you can take to solve Cisco Secure Application issues.
If Cisco Secure Application is unavailable:

Ensure that the helm repos appdynamics colletors and appdynamics-collectors-1.13.658 are up-to-date, or an ensure that a higher version of the chart is used.
```
helm repo update -n appdynamics
helm list -n appdynamics
```
BASH
Check if your cluster is deployed or try a different time range.
Review logs of the security agent for any errors:
```
kubectl logs -n appdynamics deploy/portshift-agent
```
BASH

Check for any 401 errors, or agent registration errors:

{Message:HTTP Status 401 - agent with agent ID <xxxx> not registered. path: /agents/logs}

BASH

Check agent logs for any certificate errors:

time="2023-08-02T23:44:24Z" level=warning msg="webhook_serverhttp: TLS handshake error from 10.115.86.209:41248: remote error: tls: bad certificate\n" time="2023-08-03T00:18:17Z" level=warning msg="webhook_serverhttp: TLS handshake error from 10.115.91.183:60398: read tcp 10.115.91.74:8443->10.115.91.183:60398: read: connection reset by peer\n"

CODE

Here you can ignore the agent error log message:

time="2023-08-25T19:05:26Z" level=error msg="Automated policy requires deployer channel is nil" func="github.com/cisco-eti/agent/pkg/agent.(*Agent).handleAgentStateDiff" file="/home/ubuntu/go/src/github.com/portshift/agent/pkg/agent/status.go:494"

CODE

If the agent fails to register:

Update the collectors-values.yaml with the proper agentID and sharedSecret, then Upgrade Kubernetes and App Service Monitoring.

collectors-values.yaml

appdynamics-security-collector:
  enabled: true
  panoptica:
    controller:
      agentID: <agent-ID>
      secret:
        sharedSecret: <shared-secret>

YML

If TLS handshake error is noted:

Delete the agent certificate, and restart the pod:

kubectl delete secret -n appdynamics portshift-ca-secret
kubectl delete pod -n appdynamics -l app=portshift-agent

CODE

If you see "No Data" under the Security section of the Business Transactions properties panel:

Select a shorter time range than Last 1 Week on Business Transactions, and refresh the page.

Kubernetes^® is a trademark of The Linux Foundation^®.