NCC Group
650 California St, Suite 2950
San Francisco, CA 94108
https://www.nccgroup.com/us/
November 14, 2022
Tanium, Inc.
3550 Carillon Point
Kirkland, WA 98033
Introduction
Since 2016, Tanium has contracted NCC Group to perform security assessments of various Tanium modules. This document
describes the scope of testing, applied methodology, and a summary of the results.
The goal of each NCC Group assessment was to identify vulnerabilities in Tanium software that could result in:
● Execution of unauthorized operations
● Compromise of the confidentiality, integrity, and availability of sensitive information
● Unauthorized remote execution of privileged commands
Testing Methods
NCC Group’s consultants used manual techniques and automated tools to perform source code reviews and whitebox application penetration testing on Tanium software. Security testing was informed by industry standards such as the OWASP Top 10 and SANS Top 25, as well as NCC Group’s consultants’ security expertise and understanding of Tanium-specific security risks. NCC Group’s consultants looked for vulnerabilities including, but not limited to:
● Cross-site scripting (XSS)
● Cross-site request forgery (CSRF)
● XML external entity (XXE) injection
● SQL injection
● Command injection
● Path traversal
● Flawed session management
● Improper access controls
● Insecure communication channels
● Privilege escalation
● Cryptographic failures
● Vulnerable third-party dependencies
Summary of Findings
During our review of Tanium modules, NCC Group did not identify any vulnerabilities with a CVSSv3 base score equal to or
higher than 7.0. Upon completion of the assessment, all findings were reported to Tanium along with recommendations.
The following list details the name and most recently tested version of each Tanium module reviewed by NCC Group, along
with the level of effort.
Many Tanium modules rely on functionality provided by Shared Services. The following list details the name and most recently
tested version of each Tanium Shared Service reviewed by NCC Group, along with the level of effort.
Kevin Dunn