How CVEs are Detected
Azul Intelligence Cloud maintains a knowledge base of "fingerprints" of the vulnerable code behind CVEs listed in the National Vulnerability Database, and compares those fingerprints with fingerprints of the code actually loaded and executed by Azul JVMs.
Because the approach is agentless, there is no separate agent to install, update and maintain in production, and no additional runtime overhead from one. Azul Intelligence Cloud takes the classes that Azul JVMs actually load and matches them against its Java-oriented CVE knowledge base. The result is better observability of where a vulnerable component is used, present but not used, or not present at all. This approach offers three key benefits over other security analysis techniques:
- Production-quality coverage. Because it works in production, Azul can cover custom and vendor applications that have no test environment.
- Less manual work. Because it works through the JVM the system already runs, it is simple to turn on and keep running.
- Fewer false positives and less wasted effort. By watching which code is loaded, the analysis can reduce false positives and direct scarce human effort to where vulnerable code is actually used rather than merely present.
It is possible that the same application, restarted several times, loads a vulnerable class in one instance and not in another. In that case the first instance is reported as affected by the CVE and the second is not. A "present but not used" verdict therefore describes one run, not the application: a code path that was not exercised in that run can still be loaded under different input later, so the component should still be scheduled for remediation. The distinction tells you where to act first, not what to ignore.
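The following is an added worked example of the mechanism described on this page; it is not Azul's code and does not reflect the product's internal formats. It fingerprints classes by hashing their bytecode, reads class-load events in the shape of JDK `-Xlog:class+load` output, and classifies each CVE for one JVM run as used, present but not used, or not present. The CVE ids (CVE-0000-000x), class names, jar paths, log lines and "bytecode" are all constructed placeholders. Runs A and B are two restarts of the same deployment that take different code paths, reproducing the case in the last paragraph; run C shows why the match is on the fingerprint rather than the class name: an upgraded jar loads a class with the same name, but its bytes no longer match.

```python
import hashlib
import re
from collections import defaultdict
from enum import Enum

# Class-load events in the shape JDK 9+ prints for -Xlog:class+load, e.g.
#   [0.052s][info][class,load] com.example.Foo source: file:/app/lib/foo.jar
CLASS_LOAD_RE = re.compile(
    r"\[class,load\]\s+(?P<cls>[\w.$]+)\s+source:\s+(?P<src>\S+)"
)


class Status(str, Enum):
    USED = "used"                          # vulnerable class was loaded
    PRESENT_NOT_USED = "present-not-used"  # on the class path, never loaded
    NOT_PRESENT = "not-present"            # no matching fingerprint at all


def fingerprint(class_bytes: bytes) -> str:
    # Hash the bytecode, not the name: a repackaged copy of a vulnerable
    # class still matches, a patched class with the same name does not.
    return hashlib.sha256(class_bytes).hexdigest()


def parse_class_load_log(log_text: str) -> dict:
    """Return {class name: source} for every class-load event in the log."""
    loaded = {}
    for line in log_text.splitlines():
        m = CLASS_LOAD_RE.search(line)
        if m:
            loaded[m.group("cls")] = m.group("src")
    return loaded


def classify(knowledge_base: dict, deployment: dict, loaded: dict) -> dict:
    """Classify every CVE in the knowledge base for one JVM run.

    knowledge_base: {cve id: {fingerprint, ...}} of vulnerable class versions
    deployment:     {jar source: {class name: class bytes}} on the class path
    loaded:         {class name: source} from parse_class_load_log()
    """
    present = defaultdict(list)  # fingerprint -> [(source, class name)]
    for source, classes in deployment.items():
        for cls, data in classes.items():
            present[fingerprint(data)].append((source, cls))

    verdict = {}
    for cve, fps in knowledge_base.items():
        matches = [loc for fp in fps for loc in present.get(fp, [])]
        if not matches:
            verdict[cve] = Status.NOT_PRESENT
        elif any(loaded.get(cls) == src for src, cls in matches):
            verdict[cve] = Status.USED
        else:
            verdict[cve] = Status.PRESENT_NOT_USED
    return verdict


# ---- Constructed sample data: placeholder CVE ids, not real advisories ----
VULN_LOOKUP = b"\xca\xfe\xba\xbe lookup 1.0 (vulnerable)"
FIXED_LOOKUP = b"\xca\xfe\xba\xbe lookup 1.1 (fixed)"
VULN_CODEC = b"\xca\xfe\xba\xbe codec 3.2 (vulnerable)"

KNOWLEDGE_BASE = {
    "CVE-0000-0001": {fingerprint(VULN_LOOKUP)},
    "CVE-0000-0002": {fingerprint(VULN_CODEC)},
}
# The same application before and after upgrading the lookup jar.
DEPLOYMENT_UNPATCHED = {
    "file:/app/lib/lookup-1.0.jar": {"com.example.Lookup": VULN_LOOKUP},
    "file:/app/lib/codec-3.2.jar": {"com.example.Codec": VULN_CODEC},
}
DEPLOYMENT_PATCHED = {
    "file:/app/lib/lookup-1.1.jar": {"com.example.Lookup": FIXED_LOOKUP},
    "file:/app/lib/codec-3.2.jar": {"com.example.Codec": VULN_CODEC},
}
# Runs A and B: two restarts of the unpatched deployment, different code paths.
LOG_RUN_A = """\
[0.031s][info][class,load] java.lang.Object source: jrt:/java.base
[0.412s][info][class,load] com.example.Lookup source: file:/app/lib/lookup-1.0.jar
"""
LOG_RUN_B = """\
[0.029s][info][class,load] java.lang.Object source: jrt:/java.base
[0.388s][info][class,load] com.example.Codec source: file:/app/lib/codec-3.2.jar
"""
# Run C: patched deployment loads a same-named class from the new jar.
LOG_RUN_C = "[0.030s][info][class,load] com.example.Lookup source: file:/app/lib/lookup-1.1.jar\n"


def run_example() -> dict:
    """Verdicts per run, keyed by run name."""
    return {
        "A": classify(KNOWLEDGE_BASE, DEPLOYMENT_UNPATCHED, parse_class_load_log(LOG_RUN_A)),
        "B": classify(KNOWLEDGE_BASE, DEPLOYMENT_UNPATCHED, parse_class_load_log(LOG_RUN_B)),
        "C": classify(KNOWLEDGE_BASE, DEPLOYMENT_PATCHED, parse_class_load_log(LOG_RUN_C)),
    }


if __name__ == "__main__":
    for run, verdict in run_example().items():
        for cve, status in sorted(verdict.items()):
            print(f"run {run}: {cve} {status.value}")
```

Run A reports CVE-0000-0001 as used and CVE-0000-0002 as present but not used; run B reports the reverse, even though both started from the identical class path. Run C reports CVE-0000-0001 as not present although a class named com.example.Lookup was loaded, because the patched bytecode has a different fingerprint. A real knowledge base would hold the fingerprints of every vulnerable build of a class, not one, and the class path would be read from the JVM rather than a dictionary.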