The role of API inventory in SBOM and cyber security

The Software Bill of Materials (SBOM) has become an increasingly important aspect of cyber security and software supply chain management in recent years. Alongside this, maintaining a comprehensive and up-to-date application programming interface (API) inventory has emerged as an important component in the creation and management of an effective SBOM. 

This article will explore the minimum elements of SBOM as defined by the United States National Telecommunications and Information Administration (NTIA) and then delve deeper into the importance of API inventory in relation to SBOM.

Minimum elements of SBOM as defined by the NTIA

In 2021, the NTIA issued a paper delineating the basic components of an SBOM, consisting of:

• Component name
• Component version
• Component author or publisher
• Component relationship
• Component dependency
• Component licenses
• Component vulnerabilities

These minimum elements provide a solid foundation for creating an SBOM, enabling organizations to better manage risks, vulnerabilities, and compliance requirements associated with their software components.

The importance of API inventory in relation to SBOM

Maintaining an up-to-date API inventory is a crucial part of creating a comprehensive and reliable SBOM. APIs are integral components of modern software applications, allowing communication and data exchange between different software systems.

Including API information in an SBOM offers several key benefits. At BLST Security, we call these benefits CSMD, which stands for:

• Compliance: Including API information in an SBOM can help ensure compliance with any licensing or usage restrictions associated with the APIs or their related components.
• Security: Keeping track of API versions and their known vulnerabilities can help organizations assess and manage potential security risks. Furthermore, knowing which APIs are used in an application allows for better monitoring and control of data access and authorization.
• Maintenance and updates: Maintaining an up-to-date API inventory list can help organizations proactively manage updates, patches and changes to the APIs they use, ensuring software applications continue to function correctly and securely.
• Dependency management: Understanding the dependencies between APIs and other components can help identify potential risks and vulnerabilities that may arise due to these dependencies.

By emphasizing the role of API inventory management within the broader SBOM framework, organizations can further enhance their ability to manage software supply chain risks and maintain robust cyber security practices. 

The relation between API sprawl and SBOM

Managing API sprawl is an essential aspect of maintaining an effective and secure SBOM.  When API sprawl is not properly addressed, it can lead to several challenges, such as:

• Incomplete or inaccurate SBOM: API sprawl can make it difficult to maintain an accurate and up-to-date SBOM, as the numerous API versions and dependencies can easily become unmanageable, leading to gaps in the SBOM.
• Increased security risks: The presence of multiple API versions, especially older or unpatched ones, can introduce vulnerabilities into an organization's software systems. These vulnerabilities can be exploited by attackers, undermining the security measures outlined in the SBOM.
• Difficulty in compliance and maintenance: API sprawl can complicate compliance with licensing and usage restrictions as well as make it more challenging to manage updates and patches for the various APIs in use.

To minimize API sprawl risks, organizations need to incorporate effective API governance, monitoring, and version control into their SBOM management, resulting in a more accurate SBOM, better software supply chain risk management, improved cyber security and a stronger API posture. 

Effective API management leads to more efficient use of resources and reduced redundancy, which could result in cost savings for some organizations.

Risks of a redundant API inventory

If an organization does not have up-to-date API inventory and version control, it could be at risk for things like unauthorized access to user data and Account Takeover (ATO) through the API. When older API versions are not properly retired or locked down, they may have security holes that malicious actors can exploit.

These vulnerabilities may allow attackers to manipulate API versions, gain unauthorized access to sensitive data, or execute an ATO. By keeping an accurate inventory of APIs and using good version control, organizations can greatly reduce the risk of cyber attacks like these. 

Nir Chevroni, head of data security at booking.com explains: "Having an SBOM for API inventories is valuable because it allows developers and application security teams to identify and track the dependencies of their APIs, and which becomes even more valuable if your environment is in large scale.

"With an SBOM, they hold a wider visibility, and can quickly determine which components are used, their versions, and potential vulnerabilities that may exist in those components. This information is crucial for managing risk, ensuring compliance and maintaining the security and integrity of API inventories."

The future of SBOM implementation

As the cyber security landscape continues to evolve, the importance of SBOM in managing software supply chain risks will only grow. With government directives such as Executive Order (EO) 14028, the development of SBOM standards and guidelines will likely become more widespread, leading to their increased adoption by organizations across various industries.

In the coming years, we can expect further refinement and standardization of SBOM elements, including the integration of API inventory management. As organizations increasingly recognize the value of SBOM in mitigating software supply chain risks, it is likely that SBOM will become an essential component of cyber security best practices.

How to secure your network by combining API and SBOM

The history of SBOM demonstrates its growing importance in the realm of cyber security and software supply chain management, with the inclusion of API inventory management emerging as a critical component. The implementation of EO 14028 highlights the need for a standardized approach to SBOM, underscoring its significance in promoting transparency, accountability, and security in software supply chains.

The NTIA's minimum elements for an SBOM provide a foundation for organizations to effectively manage risks, vulnerabilities and compliance requirements associated with their software components. Meanwhile a comprehensive API inventory offers enhanced visibility and control over software dependencies.

As the future unfolds, we can expect the continued development of SBOM standards, guidelines, and best practices, with API inventory management taking on an increasingly prominent role. By embracing SBOM and integrating robust API inventory practices, organizations can better secure their software systems, mitigate vulnerabilities and ensure their resilience and success in an increasingly interconnected world.