id-am-2 | High priority | Identify / Asset Management

Inventories of software assets are maintained

Unmanaged software is a primary attack vector. Outdated packages, unlicensed tools, and shadow IT all expand your attack surface silently. A software inventory lets you enforce approved applications, detect unauthorized installs, and respond quickly when a vulnerability is disclosed in a dependency you actually use.

Complete first: id-am-1

Implementation steps

  1. Inventory installed applications on endpoints

     Use your MDM to generate a report of all applications installed across managed devices. Flag anything not on your approved software list.

     Tools: jamf, kandji, microsoft-intune

  2. Inventory SaaS tools in use

     Review SSO provider app assignments, credit card statements, and browser extension installs. Many SaaS tools are adopted without IT approval; this step surfaces shadow IT.

     Tools: okta, google-workspace, nudge-security

  3. Inventory software dependencies in your codebase

     Run a software composition analysis tool against your repositories to generate a software bill of materials (SBOM) for each service. This is what you reference when a CVE drops.

     Tools: dependabot, snyk, grype, trivy

  4. Establish an approved software list

     Document which applications are approved for use by employees. Communicate it during onboarding and review it quarterly.
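As an added example, not part of this control page or any of the tools it names, the lookup step 3 exists for: given a CycloneDX-style SBOM per service, find which services carry a component whose version falls inside an advisory's affected range. The service names, components, and advisory record are constructed sample data, and the advisory id is a placeholder, not a real CVE.

```python
# Added example, not from this control page. Match an advisory against
# per-service SBOMs (constructed CycloneDX-style JSON) to find affected services.
import json

# Constructed sample: two services, each with a minimal CycloneDX component list
SBOMS = {
    "billing-api": json.dumps({"bomFormat": "CycloneDX", "components": [
        {"name": "lodash", "version": "4.17.15", "purl": "pkg:npm/lodash@4.17.15"},
        {"name": "express", "version": "4.18.2", "purl": "pkg:npm/express@4.18.2"},
    ]}),
    "web-frontend": json.dumps({"bomFormat": "CycloneDX", "components": [
        {"name": "lodash", "version": "4.17.21", "purl": "pkg:npm/lodash@4.17.21"},
    ]}),
}

# Constructed advisory record; the id is a placeholder, not a real CVE
ADVISORY = {"id": "CVE-XXXX-PLACEHOLDER", "ecosystem": "npm", "package": "lodash",
            "introduced": "0.0.0", "fixed": "4.17.21"}

def parse_version(v):
    """Turn a dotted numeric version into a comparable 3-tuple (missing parts -> 0)."""
    parts = []
    for p in v.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])

def is_affected(version, advisory):
    """Affected if introduced <= version < fixed (OSV-style half-open range)."""
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])

def affected_services(sboms, advisory):
    """Return {service: [purls]} for services whose SBOM lists a vulnerable version."""
    hits = {}
    for service, raw in sboms.items():
        bom = json.loads(raw)
        for comp in bom.get("components", []):
            purl = comp.get("purl", "")
            # purl type ("npm" in pkg:npm/...) identifies the package ecosystem
            ecosystem = purl.split(":", 1)[1].split("/", 1)[0] if purl.startswith("pkg:") else ""
            if comp.get("name") == advisory["package"] and ecosystem == advisory["ecosystem"] \
                    and is_affected(comp.get("version", "0"), advisory):
                hits.setdefault(service, []).append(purl)
    return hits

if __name__ == "__main__":
    for svc, purls in affected_services(SBOMS, ADVISORY).items():
        print(f"{svc}: {', '.join(purls)}")
```

Point this at the SBOMs your SCA tool exports per service and at the advisory's affected range, and the output is the list of services to patch first.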

Evidence required

Endpoint application inventory

MDM report or export showing installed applications across managed devices.

  • Jamf software inventory report
  • Intune discovered apps export

SaaS application list

List of sanctioned SaaS tools with assigned owners.

  • Okta application dashboard screenshot
  • Spreadsheet of tools with owner and business justification

SBOM or dependency scan output

Software bill of materials or dependency scan result for each production service.

  • Snyk project report
  • Dependabot dependency graph export
  • Grype scan output

Related controls