From Hidden Risks to Complete Control: Expanding Software and API Inventories for Modern Compliance and Visibility


In this OX Security webinar, Boaz Barzel and Raviv Vinnik open with a CISO/VP role-play, reacting to a Sisense breach, to show how the OX BOM Overview answers in seconds a question that would otherwise take development teams days. They then demo the three inventories that make up the BOM Overview: the SBOM (with a bubble chart of vulnerable, unused, unmaintained, and unapproved-license packages), the API BOM (every endpoint discovered from code or OpenAPI, and the issues each exposes), and the SaaS BOM (Shadow SaaS discovered from code, with evidence). Along the way they show how the attack path ties an exposed issue back through the APIs and the call stack to its location in code, and how connecting source control builds all three BOMs automatically, which is key for spotting exposed PII and meeting modern compliance requirements.

Key Takeaways

  • Traditional SBOM isn’t enough; you need API and SaaS BOMs too. The BOM Overview unifies SBOM, API BOM, and SaaS BOM to surface hidden risk across the software supply chain in one place.
  • A SaaS BOM exposes Shadow SaaS in minutes. When a SaaS vendor is breached (for example, Sisense), you can instantly see everywhere it’s used in code, with evidence, instead of waiting days for dev teams to check.
  • The SBOM shows more than vulnerabilities. It flags unused packages to remove, unpopular or unmaintained ones, and deprecated or unapproved licenses; deprecated packages with critical CVEs need replacing, not patching.
  • The API BOM inventories every endpoint, including shadow APIs. Discovered from code or OpenAPI/Swagger, with HTTP method, source, repo, executed functions, and the highest-severity issues each endpoint exposes.
  • “Evidence” ties an issue to the APIs and call stack that expose it. The attack path shows which endpoints expose an issue and the call stack from the API definition through the handler to the issue’s location in code.
  • It’s quick to deploy and helps protect sensitive data. Connect source control, and the SBOM, API BOM, and SaaS BOM build automatically, surfacing PII exposed through APIs you didn’t know about, which matters for compliance.

Speakers

Boaz Barzel

Director, Technical Enablement, OX Security

Raviv Vinnik

Product Manager, OX Security

FAQ

A single page giving high-level views of three inventories, the SBOM, the API BOM, and the SaaS BOM, with quick navigation to each full BOM page.

An inventory of the SaaS services discovered from your code, with evidence of where each is used. When a SaaS provider is breached, you instantly see where it’s used and your exposure, addressing Shadow SaaS.

Packages with vulnerabilities, unused packages, unpopular or unmaintained packages, and deprecated or unapproved licenses. You can export the entire organization’s SBOM, or the subset matched by a saved filter, to CycloneDX or CSV for compliance and regulatory needs.

An inventory of all APIs discovered from code or OpenAPI/Swagger files, with the HTTP method, discovery source, repository, executed functions, and the highest-severity issues each endpoint exposes, helping uncover shadow APIs.

For code-discovered endpoints, OX shows the exposed issues and an attack path with the call stack from the API definition through the handler function to the issue’s location in the code.
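The API BOM described above merges endpoints found in code with those declared in an OpenAPI document and records each one's HTTP method and discovery source. The script below is an added illustration of that merge, not OX code; it assumes a constructed OpenAPI document, a constructed list of routes as a code scanner might extract from an Express app, and treats routes present in code but absent from the spec as shadow APIs.

```python
import json

# Constructed OpenAPI 3 document standing in for a repository's openapi.json.
OPENAPI_DOC = json.dumps({
    "openapi": "3.0.0",
    "paths": {
        "/users": {"get": {}, "post": {}},
        "/users/{id}": {"get": {}, "delete": {}},
    },
})

# Constructed routes (method, path, file:line) as a hypothetical code scanner
# would report them from an Express application.
CODE_ROUTES = [
    ("GET", "/users", "src/users.js:12"),
    ("POST", "/users", "src/users.js:20"),
    ("GET", "/users/:id", "src/users.js:31"),
    ("DELETE", "/users/:id", "src/users.js:40"),
    ("GET", "/internal/export", "src/admin.js:8"),  # not in the spec
]

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}

def normalize_path(path):
    """Map Express ':id' and OpenAPI '{id}' parameters to one canonical form."""
    parts = []
    for seg in path.strip("/").split("/"):
        if seg.startswith(":") or (seg.startswith("{") and seg.endswith("}")):
            parts.append("{}")
        else:
            parts.append(seg)
    return "/" + "/".join(parts)

def spec_endpoints(doc_json):
    """Return the set of (METHOD, path) pairs declared in an OpenAPI document."""
    doc = json.loads(doc_json)
    found = set()
    for path, item in doc.get("paths", {}).items():
        for method in item:
            if method.lower() in HTTP_METHODS:
                found.add((method.upper(), normalize_path(path)))
    return found

def build_api_bom(doc_json, code_routes):
    """Inventory keyed by (METHOD, path); source is 'code+openapi', 'code' or 'openapi'."""
    documented = spec_endpoints(doc_json)
    bom = {}
    for method, path, location in code_routes:
        key = (method.upper(), normalize_path(path))
        source = "code+openapi" if key in documented else "code"
        bom[key] = {"source": source, "location": location}
    for key in documented:
        bom.setdefault(key, {"source": "openapi", "location": None})
    return bom

def shadow_apis(bom):
    """Endpoints reachable in code that the OpenAPI document never declares."""
    return sorted(key for key, entry in bom.items() if entry["source"] == "code")
```

Endpoints tagged `openapi` only are the reverse case, documented but not implemented, which is worth checking too since the spec may be stale.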

Connect your source control at ox.security, and the BOMs build automatically. You can view SaaS usage per application using filters or the application page’s tags and attack path.