Key Takeaways:
- Secure Application is an add-on to Splunk APM that detects runtime vulnerabilities in your Java applications' open-source libraries.
- It uses a single combined JVM agent (splunk-otel-javaagent-csa) that replaces your existing Splunk OTel Java agent – no separate security agent needed.
- Vulnerabilities are surfaced directly in Splunk Observability Cloud, right alongside your APM data.
- New CVEs are detected on an hourly cadence, giving you near-real-time visibility into emerging threats.
- This guide covers what Secure Application is, why it matters, and a step-by-step walkthrough to enable it.
If you're already using Splunk Observability Cloud for Application Performance Monitoring (APM), you know how valuable it is to have real-time visibility into your application performance. But what about the security of things like the open-source libraries your applications depend on?
That's where Secure Application comes in — bringing runtime application security directly into your existing observability workflow.
In this post, we'll walk through what Secure Application is, why it matters for vulnerability detection and remediation, and how to get it up and running in your environment using OpenTelemetry and the Secure Application JVM agent.
If you’re already familiar with Secure Application and just want to get started, click here to jump to the part of the post where we dig into the capability.
What is Secure Application?
Secure Application is a runtime application security capability available as an add-on to Splunk APM in Splunk Observability Cloud. It brings proven application security technology — battle-tested over four-plus years on the Splunk AppDynamics platform — into the Splunk Observability Cloud ecosystem.
At its core, Secure Application:
- Identifies open-source libraries loaded by your Java applications at runtime.
- Detects and accesses impact of Common Vulnerabilities and Exposures (CVEs) in those libraries using a continuously updated threat feed.
- Prioritizes risks by integrating with Cisco Vulnerability Management (CVM) to distinguish between vulnerabilities that could be exploited and ones that are being exploited. Instead of rushing to patch everything, vulnerabilities can be automatically prioritized.
- Surfaces security findings directly in the Splunk Observability Cloud and alerts when new CVEs are discovered — right alongside your existing APM data.
All of this is powered by OpenTelemetry, using the same collector you already have deployed for APM. Simply swap your existing Splunk OTel Java agent for the combined splunk-otel-javaagent-csa agent, which handles both APM instrumentation and security library scanning in a single JAR — no separate security agent needed.
Why use Secure Application?
If your applications use open-source libraries (like nearly all modern applications do), you already have a vulnerability surface that traditional Static Application Security Testing (SAST) scanners may not fully cover. Here's what makes Secure Application different and critical to your environment:
Real-time runtime vulnerability detection
Unlike static analysis tools that scan code or container images at build time, Secure Application monitors what's actually loaded and running in your environments. You see vulnerabilities in context — tied to specific services and environments — not just a list of CVEs disconnected from your live infrastructure.
Complete open-source library inventory
Secure Application gives you a complete inventory of the open-source libraries in use across your services. You can see which libraries carry the most critical and high-severity vulnerabilities, helping you prioritize remediation where it matters most.
One agent for both APM and Security
This is a big one. Secure Application uses a single combined JVM agent (splunk-otel-javaagent-csa) that in place of your existing Splunk OTel Java agent. This one agent handles both APM instrumentation and security library scanning — there's no separate security agent to install or manage alongside APM. If you're already running Splunk APM with the Splunk Distribution of OpenTelemetry, the switch is straightforward.
Minimal performance overhead
The agent collects library metadata asynchronously — it doesn't operate at the per-request level. Dependency information is streamed to the backend, so even applications with a large number of libraries won't see a meaningful impact on CPU, memory, or latency.
Prioritized vulnerability remediation with CVSS and Cisco Security Scores
Vulnerabilities are ranked using both Common Vulnerability Scoring System (CVSS) scores and Cisco Security Risk Scores, so you can focus on what's most critical first. Splunk Secure Application integrates Cisco Vulnerability Management (CVM) to prioritize vulnerabilities. CVM analyzes billions of signals – distinguishing between a vulnerability that could be exploited and vulnerabilities that are being actively exploited – to predict the real-world likelihood of an attack. This allows for a shift from rushing to fix everything at once to fixing what matters most first.
Recommended remediation actions are also provided, like which library version to upgrade to in order to fix a given vulnerability.
Step-by-step guide: how to enable Secure Application in Splunk Observability Cloud
Prerequisites for enabling Secure Application
Before you get started, make sure you have the following in place:
- An active Splunk Observability Cloud account
- Existing Splunk APM instrumentation for your Java services
- A Secure Application license (add-on SKU on top of your APM subscription – contact sales to enable)
- Splunk OTel Collector Helm chart version 0.137.0 or newer (if you’re not working with Kubernetes, this isn’t required, but our walkthrough will be using Helm)
Step 1: deploy and configure the OpenTelemetry Collector
If you're running on Kubernetes with Helm, start by adding the Splunk OTel Collector Helm repository:
helm repo add splunk-otel-collector-chart https://signalfx.github.io/splunk-otel-collector-chart helm repo update
Then install (or upgrade) the collector with Secure Application enabled. The key flag is splunkObservability.secureAppEnabled=true:
helm install splunk-otel-collector splunk-otel-collector-chart/splunk-otel-collector \ --set="splunkObservability.accessToken=<YOUR_ACCESS_TOKEN>" \ --set="splunkObservability.realm=<YOUR_REALM>" \ --set="splunkObservability.secureAppEnabled=true" \ --set="clusterName=<YOUR_CLUSTER_NAME>"
Under the hood, this configures a routing connector in the collector pipeline that identifies Secure Application OTel events and routes them through a dedicated Secure Application exporter. The exporter adds a Secure Application header to the events so the Observability Cloud ingress layer can route them to the correct backend service.
Note: you can use the upstream OpenTelemetry Collector if the routing connector and Secure Application exporter are configured properly. Refer to the Splunk Secure Application documentation for non-Helm, non-Kubernetes deployment examples.
Step 2: Instrument your Java application with the Secure Application JVM Agent
The Secure Application JVM agent (splunk-otel-javaagent-csa) replaces the standard Splunk OTel Java agent and handles both APM instrumentation and Secure Application library scanning in a single JAR.
Download version 2.21.1 or newer from Maven Central:
curl -L https://repo1.maven.org/maven2/com/splunk/splunk-otel-javaagent-csa/<version>/splunk-otel-javaagent-csa-<version>.jar -o splunk-otel-javaagent-csa.jar
Note: the name you give to the downloaded JAR file must contain splunk-otel-javaagent.
Next, start your application with the JVM agent:
java -javaagent:./splunk-otel-javaagent-csa.jar \ -Dotel.service.name=<service-name> \ -Dotel.resource.attributes=deployment.environment=<environment-name>,service.name=<service-name>,service.namespace=<namespace-name> \ -Dotel.exporter.otlp.endpoint=http://<collector-endpoint>:<collector-port> \ -jar <myapp>.jar
You can configure the agent using either system properties or environment variables. System properties take precedence over environment variables. Here are the key configuration parameters:
Once the application starts, the agent will report library metadata at startup and then once every 24 hours after that.
Note: The agent only needs to be able to reach the OTel Collector — no inbound ports are required, and it uses the same authentication mechanism/access tokens as APM.
Step 3: Set up vulnerability alert notifications
Once data is flowing, you'll want to be notified when new vulnerabilities are detected. In Splunk Observability Cloud:
- Navigate to APM > Application Security > Runtime Vulnerabilities > Notifications:
- Click Create Alert Notification Rule:
- Provide a rule name and a webhook URL where notifications should be sent:
- Optionally scope the rule to specific environments or services.
When a new high-severity vulnerability is detected at runtime, a notification is sent to the configured webhook URL so your team can take immediate remediation action.
Note: Secure Application alerting is event-based, not metric-based. This means you cannot currently use Splunk Observability Cloud detectors (which operate on metric time series) for Secure Application alerts.
Exploring Secure Application in Splunk Observability Cloud
Secure Application data surfaces in two key places within Splunk Observability Cloud:
Integrated directly into the Splunk APM workflow
While you can interact directly with vulnerabilities through Application Security, you don't have to leave your APM workflow to see security data. On the APM Overview page, a Runtime Vulnerabilities column is available alongside your existing service list for quick insight into vulnerabilities per service, along with their severity:
Clicking a vulnerability takes you directly to the detailed Application Security view for that service:
The Service Map also displays the top five runtime vulnerabilities for each selected service. If you select a specific service from within the Service Map view, you can see the top 5 runtime vulnerabilities scoped to that service:
Application Security
As we’ve seen, from the Home page in Splunk Observability Cloud, you can navigate to APM in order to locate Application Security:
If we select Runtime Vulnerabilities we can see all identified runtime vulnerabilities across our instrumented services:
Each entry includes:
- CVE title and CVE ID
- CVSS score and Cisco Security risk score for prioritization
- Detection status (e.g., detected, fixed)
- Affected libraries and recommended remediation actions (e.g., upgrade to a specific library version)
The Libraries view provides a complete inventory of runtime libraries, the vulnerabilities associated with each, a bar chart highlighting the top 10 libraries with the most critical and high-severity vulnerabilities, along with recommended actions for remediation:
We’ve seen how Notifications allow for configuration of alert notification rules. If a new high-severity vulnerability is detected at runtime, a notification is triggered and delivered directly to the webhook URL specified in the notification configuration. All configured notifications can be viewed from the Notifications tab.
What's on the Secure Application roadmap?
At GA, Secure Application supports Java applications and services. Support for additional languages — including Python and Node.js — is on the near-term roadmap. Attack detection and response capabilities, along with deeper integration with Splunk Enterprise Security (ES), are also planned for upcoming releases.
Wrap up
Secure Application brings runtime vulnerability detection into the same workflow you already use for application performance monitoring. By swapping your existing Splunk OTel Java agent for the combined splunk-otel-javaagent-csa agent, you get both APM and security from a single JAR — no extra tools, no additional footprint. If you're currently using Splunk APM with Java services, enabling Secure Application is a straightforward way to gain real-time visibility into the open-source security risk in your application environments.
Already a Splunk Observability Cloud customer and ready to try out Splunk Secure Application? Contact our sales team to try it out today.
New to Splunk Observability Cloud? Start with a free 14-day trial.
Resources
