DocuSign Envelope ID: D63B3D23-EA96-4ADF-8827-8FBB2E0DF2EF

NCC Group
650 California St, Suite 2950
San Francisco, CA 94108
https://www.nccgroup.com/us/
November 14, 2022
Tanium, Inc.
3550 Carillon Point
Kirkland, WA 98033

Introduction
Since 2016, Tanium has contracted NCC Group to perform security assessments of various Tanium modules. This document
describes the scope of testing, applied methodology, and a summary of the results.

The goal of each NCC Group assessment was to identify vulnerabilities in Tanium software that could result in:
● Execution of unauthorized operations
● Compromise of the confidentiality, integrity, and availability of sensitive information
● Unauthorized remote execution of privileged commands

The scope of each assessment included:
● Module-specific backend (e.g. Node.js or Golang service)
● Module-specific frontend (e.g. React workbench)
● Module-specific content (e.g. sensors, packages, client extension, driver)
● Shared services used by the module, if applicable

Testing Methods
NCC Group’s consultants used manual techniques and automated tools to perform source code reviews and whitebox
application penetration testing on Tanium software. Security testing was informed by industry standards such as the OWASP Top
10 and SANS Top 25, as well as NCC Group consultants’ security expertise and understanding of Tanium-specific security
risks. NCC Group’s consultants looked for vulnerabilities including, but not limited to:
● Cross-site scripting (XSS)
● Cross-site request forgery (CSRF)
● XML injection (XXE)
● SQL injection
● Command injection
● Path traversal
● Flawed session management
● Improper access controls
● Insecure communication channels
● Privilege escalation
● Cryptographic failures
● Vulnerable third-party dependencies

NCC Group and Tanium confidential


DocuSign Envelope ID: D63B3D23-EA96-4ADF-8827-8FBB2E0DF2EF

Summary of Findings
During our review of Tanium modules, NCC Group did not identify any vulnerabilities with a CVSSv3 base score equal to or
higher than 7.0. Upon completion of the assessment, all findings were reported to Tanium along with recommendations.
The following list details the name and most recently tested version of each Tanium module reviewed by NCC Group, along
with the level of effort.

Module                  Version      Level of effort
Asset                   1.17.143     20 person-days
Comply                  2.10.684     20 person-days
Connect                 5.10.131     15 person-days
Deploy                  2.9.138      20 person-days
Discover                4.6.109      15 person-days
Enforce                 2.0.342      10 person-days
Feed                    1.1.94       10 person-days
Health Check            1.0.8.0001   10 person-days
Impact                  1.3.6        25 person-days
Integrity Monitor       1.12.206     10 person-days
Interact                2.12.70      20 person-days
Map                     1.1.94       10 person-days
Patch                   3.7.73       20 person-days
Performance             3.0.152      10 person-days
Reputation              6.1.32       10 person-days
Reveal                  1.1.2.0025   20 person-days
Risk                    1.0.11       20 person-days
Threat Response         3.2.67       30 person-days
Trends                  3.9.188      10 person-days

Many Tanium modules rely on functionality provided by Shared Services. The following list details the name and most recently
tested version of each Tanium Shared Service reviewed by NCC Group, along with the level of effort.

Shared Service          Version      Level of effort
API Gateway             1.1.15       5 person-days
Atlas                   1.5.25       10 person-days
Direct Connect          2.1.114      20 person-days
Endpoint Configuration  1.3.276      10 person-days
End-User Notifications  1.10.49      As part of Patch
Reporting               1.3.12       As part of Risk
System User             1.0.57       5 person-days

Kevin Dunn
