• Product

      Product

      Application Security Platform

      Use Cases

      Shift Left & DevSecOps Supply Chain Security Software Bill of Materials (SBOM) Container Runtime Security & Compliance Cloud Native Application Security
      What is Deepfactor and How Does It Work?
      4-Minute Video
      What is Deepfactor and How Does It Work? >
  • Pricing
    • Pricing Plans
  • Resources

      Resources

      All Resources Next-Gen AppSec Series Case Studies Demos Videos Glossary Webinars Whitepapers Workshops Latest Blogs Documentation
      Implement Effective Next-Gen Container Runtime Security in Kubernetes and Cloud Native Apps
      Whitepaper
      Implement Effective Next-Gen Container Runtime Security in Kubernetes and Cloud Native Apps >
  • Company
    • About
    • Leadership
    • Partners
    • News and Events
    • Careers
    • Contact Us
  • LOGIN
Cisco Logo Deepfactor is now part of Cisco | Learn more
Learn more
Deepfactor Logo
  • Product

      Product

      Use Cases

      Application Security Platform

      Use Cases

      Shift Left & DevSecOps Supply Chain Security Software Bill of Materials (SBOM) Container Runtime Security & Compliance Cloud Native Application Security
      What is Deepfactor and How Does It Work?
      4-Minute Video
      What is Deepfactor and How Does It Work? >
  • Pricing
    • Pricing Plans
  • Resources

      Resources

      All Resources Next-Gen AppSec Series Case Studies Demos Videos Glossary
      Webinars Whitepapers Workshops Latest Blogs Documentation
      Implement Effective Next-Gen Container Runtime Security in Kubernetes and Cloud Native Apps
      Whitepaper
      Implement Effective Next-Gen Container Runtime Security in Kubernetes and Cloud Native Apps >
  • Company
    • About
    • Leadership
    • Partners
    • News and Events
    • Careers
    • Contact Us
LOGIN
Deepfactor's Application Security Platform will no longer be offered for sale or renewal effective September 20, 2024.

Getting Started

  • QuickStart Guide
  • Install Deepfactor CLI
  • Deepfactor Support Matrix

Tutorials

  • SBOM & SCA
    • Artifact Releases
    • Deepfactor Scanner
    • Integrate Deepfactor scanner in your CI/CD pipelines
    • Scanning container images from private registries using Deepfactor CLI
    • Scan container images in K8s cluster
      • Scanning images from private registries in K8s cluster using Deepfactor
      • Scanning container images from private registries with basic authentication support in K8s
      • Scanning container images from private AWS Elastic Container Registry (ECR) in EKS on AWS Fargate
      • Scanning container images from private AWS Elastic Container Registry (ECR) in EKS on AWS EC2
  • Runtime Security
    • Introduction to Deepfactor Runtime Security
    • Deepfactor CLI Reference
    • Kubernetes workload
      • Run your Kubernetes workload with Deepfactor
      • Install Deepfactor Mutating Webhook
      • Configure Deepfactor Kubernetes admission webhook
      • Install Deepfactor K8s webhook on EKS Fargate
      • Selecting the pods you want to run with Deepfactor
      • Configuring application name, component name and component version in K8s webhook
      • Install Deepfactor mutating admission webhook using Argo CD
      • Install Deepfactor portal & webhook using Argo CD and vault
      • Use image pull secret for Runtime images
    • Containers/Other orchestration platforms
      • Run your Container Images with Deepfactor
      • Run containers in ECS with Deepfactor
    • Non-containerized workloads
      • Running non-containerized applications with Deepfactor

Deepfactor Platform

  • Introduction to Deepfactor
  • Alert Policies
  • Alert States and Triaging Flows
  • Deepfactor’s Correlation Capabilities
  • Organization and Teams
  • Role Based Access Control
  • Insights Knowledge Base
    • Privilege Separation and Privilege Dropping
    • Buffer Overflow Alerts
  • Knowledge Base
    • Deepfactor scan errors
    • K8s Webhook & Runtime Troubleshooting Guide
    • Tools for viewing CycloneDX and SPDX SBOMs
    • Graceful handling of pod restarts
    • Deepfactor telemetry events
    • Deepfactor Instrumentation Warning Messages
    • Best Practices for running your applications with Deepfactor in production environments
    • Golang Specific Notes
    • How to access Deepfactor Portal in different AWS subnet types
    • How the Deepfactor Management Portal Communicates With The Outside World
    • Language Specific Agents (LSA)
    • Mixed libc environments
    • Sensitive Information and Secrets in Process Environment Remediation
    • Running HAProxy with Deepfactor
    • Augmenting Alert Evidence with Runtime Stack Traces
  • FAQs
    • General FAQs
    • Open Source Disclosure

Integrations

  • Single Sign On (SSO) for authentication to Deepfactor
  • Integrate Jira with Deepfactor
  • Integrate Slack with Deepfactor
  • Okta
  • Deepfactor HTTPS webhook

Self managed Deepfactor portal

  • Deepfactor Portal architecture & deployment options
  • Install Self managed Deepfactor portal
    • Kubernetes Cluster
      • Prerequisites for deploying Deepfactor portal in Kubernetes Cluster
      • Deploying Deepfactor Portal in your Kubernetes Cluster
      • Install Deepfactor portal using Helm
      • Customizing Deepfactor portal deployment
        • Customizing your Deepfactor Portal Deployment in K8s
        • Deploy Deepfactor Portal With Resource Limits
        • Deploying Deepfactor Portal using external IP
        • Deepfactor Portal Installation with Existing Ingress Controller
    • AWS EC2
      • Prerequisites for installing Deepfactor Portal in AWS Cloud
      • Deploying Deepfactor on AWS using CFT
      • Install AWS Certificate Manager(ACM) certificate on Deepfactor portal EC2 instance
    • VMWare vSphere
      • Deepfactor Portal Proxy Configuration for OVA deployments
      • Prerequisites for deploying Deepfactor portal in VWware vSphere
      • Deploying Deepfactor on VMware vSphere
  • Manage Deepfactor Portal
    • Using Deepfactor APIs
    • Managing Users
    • Updating your Deepfactor Portal
    • Updating Deepfactor portal certificate
  • Deepfactor Portal Certificate
    • Generate certificate using cert-manager for Deepfactor portal
    • Create self-signed certificate for Deepfactor Portal on your K8s cluster
    • Create AWS Private CA Certificate for Deepfactor Portal on your K8s cluster
    • Create Let’s Encrypt certificate for Deepfactor Portal on your K8s cluster

Release Notes

  • Deepfactor Release Notes
  • Home
  • Docs
  • Deepfactor Platform
  • Knowledge Base

Best Practices for running your applications with Deepfactor in production environments

You can run Deepfactor in dev, QA, staging or production environments. As a best practice, we highly encourage customers to incorporate Deepfactor into their dev, QA and staging environments first, so they can catch security issues early during development and testing.

For running in production environments, please review the following considerations:

  1. Understand performance:
    While we take exhaustive measures to ensure that the performance overhead is minimal, the ultimate measure of actual performance overhead depends on the amount of application telemetry events generated by the applications that Deepfactor is observing. We recommend that customers run applications with Deepfactor in dev/staging environments with sufficient load before running them with Deepfactor in production environment so they are aware of the performance overhead and can provision accordingly. In a kubernetes deployment, customers may need to increase the pod CPU and memory limits. The more concurrent active processes being monitored, the more memory Deepfactor will consume.
  2. Understand the support matrix:
    The list of supported Operating Systems, languages and limitations are outlined in the following document. Please review and ensure that your deployment uses one of the configurations described in : Deepfactor support matrix
  3. Co-existing with monitoring/APM/other tools in your production environment:
    Your application may not work with Deepfactor if LD_PRELOAD is set in the environment. Some performance monitoring tools set LD_PRELOAD.
  4. Configure appropriate TTLs in the on-premise Depfactor portal:
    Since applications will be long running, set an appropriately low TTL on your on-premise Deepfactor portal to avoid high disk usage. This can be specified on the on-screen options for OVA/AMI deployments and as a helm override parameter for kubernetes installations. Please consult with your Deepfactor customer success manager for assistance.
  5. Disable Stack Tracing:
    Stack tracing is an advanced feature that will help Deepfactor pinpoint the line of code where a vulnerable behavior exists. This is very useful while running Deepfactor in your dev & test environments, and enables the engineering team to quickly resolve the security risk. However, it is a performance intensive operation, and therefore, isn’t recommended for production environments. We recommend turning off stack trace collection in production environments. You can read more about this feature in the following article : Language Specific Agents (LSA)
  6. Disable Usage Tracking:
    Deepfactor automatically intercepts class loaded event for java applications and provide the list of classes loaded per java dependency. It’s a great way to prioritize vulnerabilities based on usage of the vulnerable dependency. Since collecting this usage information is a performance intensive task, we do not recommend this mode for production environments. Instead, we recommend customers disable usage tracking while running Deepfactor in production environments. You can read more about this feature in the following article.
    Language Specific Agents (LSA)
  7. Disable collection of dependency information and OS package information
    Collecting dependency information and OS package information can create a spike in CPU usage at application/pod start that may cause the application to fail to start (or start slowly). Since the dependency information and OS package information generally does not vary between dev/test and production, Deepfactor recommends using the dev/test environment to collect this information (and resulting alerts).To disable collection of dependency event and/or OS package information telemetry and avoid the startup CPU spike, use the following annotation in your helm chart:

      #   # set to false to disable OS package manager queries for vuln. analysis
        #   packageInfoEvents: true
        #
        #   # set to false to disable dependency checking for vuln. analysis for Java
        #   dependencyCheckInfoEvents: true
  8. Package Query Delay in milliseconds
    If collecting dependency information and OS package information is desired for production workloads you can configure a throttle time in milliseconds to eliminate CPU spike during this process.This can be configured using the following annotation in your helm chart:

     #   # set to a positive value to set the package query time delay in milliseonds
       #   packageQueryDelayMS: 250
  9. Differentiate between non-production and production environment insights:
    It’s always a good idea to group your dev/test and prod findings into separate buckets. In order to differentiate between insights seen in non-production environments such as dev/qa/staging and production environments, we recommend the following approaches
    i. Use the environment (env) option
    dfctl command line utility and the Deepfactor kubernetes admission webhook provide an option (–env or envName) for specifying the environment your application is running in. You can filter based on the environment in the application dashboard screen. You can read more about this option in the following articles
    Configure Deepfactor Mutating Webhook
    Deepfactor CLI Referenceii. Create a different application for production environment
    If you would like greater isolation between findings observed in non-production and production environments, you can choose a different application name (ex. prod-myapp) while running in production environment. In case of the Kubernetes admission webhook, this can achieved by updating the appName option. You can read about this option in the following article.
    Configuring application name, component name and component version in K8s webhook
Was this article helpful?
Still stuck? How can we help?

How can we help?

Updated on December 13, 2023
Deepfactor Instrumentation Warning MessagesGolang Specific Notes

Powered by BetterDocs

Deepfactor Icon

Deepfactor is a next-gen application security platform, using static container scan data + runtime analysis to prioritize vulnerabilities to those representing true risk to a business—based on reachability, runtime usage, deployment context, and exploit maturity.

Product Pricing Resources Company Documentation Login

SUBSCRIBE TO OUR NEWSLETTER!

Sign Up
LinkedIn Icon YouTube Icon GitHub Icon Twitter Icon

© 2025 Deepfactor, Inc. All Rights Reserved.

Privacy Statement | Terms of Service | Open Source Disclosure