Skip to content

Use Tanium Software Bill of Materials to Protect Your Organization from Software Supply Chain Vulnerabilities

The recent hype focused on the cURL vulnerability highlights the need for greater visibility and knowledge of your applications' software bill of materials (SBOM)

Emerging Issue

What You Need to Know

Software supply chain risk has emerged as a leading concern for private sector firms and government agencies of all sizes. The main reason for the growing risk is the vast number of open-source packages and libraries in use. For instance, GitHub, an online platform that manages software for others, hosts over 200 million software repositories. Additionally, JavaScript and Python, two widely used programming languages, support over a million packages combined.
With the demand for rapid software development, open-source packages and libraries have become critical components that enable this swift deployment. However, there is limited monitoring and cataloguing of this process. Little is known about the extent to which developers and software vendors utilize these packages. No database describes which companies use which software components. Companies themselves may not even be aware of the breadth of software they employ for their critical business operations.

The Challenge is Finding It

The key to reducing your organization’s risk is to identify and patch or mitigate any affected implementations as soon as possible. However, the challenge lies in patching widely used third-party open-source libraries like cURL and locating all the instances of its usage across the enterprise.
CURL, like other open-source libraries, is source code that software vendors have to compile, potentially distributed in various ways, from being statically integrated into their program to being dynamically linked resources. Traditional vulnerability scanners find these types of dependencies difficult (or in many cases impossible) to detect. Hence, discovering them requires a multi-layered approach.

How Can Tanium SBOM Help?

Tanium Software Bill of Materials (SBOM), when combined with Tanium Asset, provides the capability to identify third-party libraries associated with software packages. Tanium SBOM is an add-on functionality that works with both Asset and Comply.
By utilizing a single Tanium agent, Tanium SBOM offers real-time visibility into complex software environments, enabling organizations to make better-informed decisions regarding endpoint risk management.
After configuring Tanium SBOM, you will have detailed information about every software application in your environment and the presence of vulnerable packages. Simply ask Tanium SBOM a question, and you will get an answer from across your environment in seconds, at scale.

Watch this short demo video to learn how Tanium SBOM provides visibility and details about your software supply chain:

How to Use Tanium SBOM to Address the cURL Vulnerability

Tanium SBOM currently supports parsing these ecosystems: Java, JavaScript, Python, PHP, Ruby, and GoLang-Binaries. There are some additional steps to install and configure SBOM content.

With Tanium, you will be able to:

  • Understand every software component at runtime, uncovering software packages and examining all constituent components without relying on the software vendor. It can probe thick client files and inspect thin client environments.
  • Address vulnerabilities or misconfigurations found in those components.
  • Take action to mitigate risk by stopping the use of an impacted device, terminating relevant processes, or even removing apps completely from affected endpoints.

The Tanium Converged Endpoint Management (XEM) platform can identify and remediate vulnerabilities like the cURL vulnerability today and better prepare your organization for future supply chain vulnerabilities.

You can find more information, including How Tanium Can Help with CVE-2023-38545: cURL Vulnerability

Tanium Staff

Tanium’s village of experts co-writes as Tanium Staff, sharing their lens on security, IT operations, and other relevant topics across the business and cybersphere.

Tanium Subscription Center

Get Tanium digests straight to your inbox, including the latest thought leadership, industry news and best practices for IT security and operations.