In today’s interconnected world, software is rarely designed to function in isolation. Applications increasingly rely on external services and APIs to extend their functionality, and development teams save time and money by leveraging existing services instead of building solutions from scratch. Visibility into these services lets security professionals understand external service dependencies, assess risk, and apply compensating controls as needed.
Beyond the SBOM
The CycloneDX Extended Bill of Materials (xBOM) standard defines a Software as a Service Bill of Materials, or SaaSBOM, as a way to represent critical details about the network services a software application uses. While many of us are familiar with the SBOM, which describes the components (or “building blocks”) that make up an application, a SaaSBOM provides an inventory of external services and captures details such as service name, specific API endpoints, data classifications, the direction of data flow, and authentication requirements.
External services function as remote dependencies, and they are just as integral to the security of an organization’s software supply chain as the open source libraries and commercial components built into its applications. Like any other dependency, these services can introduce risk to the environment.
Here are a few examples of potential issues that can arise with third-party services:
- Exposed PII - A user identity or tracking service requires access to your customers’ personally identifiable information (PII). Sharing this data increases the chance of exposure, especially if the third party’s systems are vulnerable or lack strong security controls.
- Vulnerable APIs - Most services are accessed through REST APIs, which can contain exploitable vulnerabilities. The OWASP Top 10 API Security Risks outlines common pitfalls developers face when security is overlooked.
- Inadequate Monitoring - Inadequate logging or monitoring by a service can hinder the ability to detect and respond to threats or anomalous behavior.
- Manipulation - A compromised file exchange service could be manipulated to deliver malware instead of legitimate files, putting downstream systems at risk.
- Failed Isolation - Many third-party providers - especially in the cloud - operate on shared infrastructure. If proper data isolation isn’t enforced, customer data, intellectual property, or workloads could be exposed or compromised.
SaaSBOM Insights
SaaSBOMs improve software transparency by giving security teams and auditors insight into the relationships between software and the third-party services it uses. They help teams understand the overall security and compliance posture and manage risks around insecure APIs, vulnerable data exchanges, and misconfigured or banned services.
Let’s look at four scenarios where a SaaSBOM makes a real difference.
1. Texas, one of the largest U.S. states, prohibits state and local government agencies from using software or services from ByteDance, the Chinese company behind TikTok. Since most agencies rely on third-party vendors rather than building software in-house, verifying compliance with such a policy can be extremely challenging. That’s where SaaSBOMs offer a clear advantage: a search for “TikTok” (and for ByteDance as a provider, or for its endpoint domains) across the SaaSBOMs reveals any potential violations, making compliance both practical and efficient.
2. Integrating artificial intelligence (AI) through machine learning (ML) models is increasingly common in modern applications. However, ML models, such as DeepSeek, can introduce new risks. While an ML-BOM from Spectra Assure identifies models embedded within a software package, a SaaSBOM goes further by detecting the use of AI-related APIs, such as the DeepSeek API, giving a more complete picture of potential exposure.
3. An RL customer in the financial services sector enforces a strict company-wide policy: applications used by employees must not include business communication features such as chat or file transfer. The organization relies heavily on vendor software. With SaaSBOMs in place for both vendor and internally developed apps, identifying the presence of external chat or file exchange services becomes quick and painless.
4. A zero-day vulnerability in a file exchange service is exploited by a threat actor, and the service begins serving malware to client applications. Much like the MOVEit Transfer zero-day exploited in 2023, this presents a significant risk to any organization running an application that connects to the service. With SaaSBOMs in place, security teams can quickly determine whether their systems are affected by searching for the service’s name and endpoints across their inventory. If so, they can immediately focus their forensic investigation on the affected applications and their infrastructure, saving valuable time and reducing potential impact.
Polling suggests that cybersecurity professionals are beginning to recognize the value of a SaaSBOM as well.
In a recent IT GRC Forum webinar in which RL participated, attendees were asked which of three emerging BOM types would be most helpful for their compliance and security goals: SaaSBOM, ML-BOM, or Cryptography BOM (CBOM). With 259 attendees voting, SaaSBOM was the clear winner with 46% of the votes; ML-BOM received 18% and CBOM 10%.

Spectra Assure’s New SaaSBOM Capabilities
With the benefits clear, how can organizations obtain a SaaSBOM for vendor applications when the source code is not available? Spectra Assure fills this gap by leveraging the complex binary analysis RL has developed over the last 15 years. Since no source code is required, it is well suited to third-party cyber risk management (TPCRM) teams facing visibility gaps into the security posture of their purchased software.
The SaaSBOM services identified by Spectra Assure are categorized based on their purpose. The categories are:
- Chat Exchange
- Data Exchange and Collaboration
- Data Processor
- File Exchange
- AI
- Mail Exchange
- User Identity
- User Finance
- User Tracking
Over 700 specific services are currently supported, with more to come. Identified services are listed by name and include one or more associated network locations (API endpoints).
The primary output of a Spectra Assure analysis is the SAFE report.
Let’s take a closer look at the SAFE report for a scan of a virtual machine disk image, in this case a 3.69 GB OVA file. The SaaSBOM is found under “Services” in the Bill of Materials section on the left-hand side.

Spectra Assure identified a total of 31 services in this disk image, primarily from Amazon but also including services from Google, GitHub, Microsoft Azure, and Slack.
Expanding one of the services, Amazon Transcribe API, reveals the specific endpoints that roll up into this API. The service card provides additional information, including that data flows bidirectionally and that authentication is required to access the service. Those two fields are worth checking for every service in the inventory: an unauthenticated endpoint that sends data outbound across a trust boundary is the one most likely to need a compensating control.

If the developer or producer of the software package wishes to include a custom or non-standard service in the SaaSBOM, this is possible when scanning with Spectra Assure’s command-line interface (CLI) tool. Define a custom policy control that declares a network service, and it will appear in the SaaSBOM in subsequent scans, so the output can be tailored to your use case.
Embracing CycloneDX
CycloneDX is a popular BOM standard from OWASP, also published by Ecma International as ECMA-424. Spectra Assure currently supports the following capabilities within the CycloneDX Extended Bill of Materials (xBOM):
- SaaSBOM
- Software BOM (SBOM)
- Machine Learning BOM (ML-BOM)
- Cryptography BOM (CBOM)
- Bill of Vulnerabilities (BOV)
- Vulnerability Exploitability Exchange (VEX)
With CycloneDX v1.6-compliant BOMs generated by Spectra Assure, customers can confidently share them, archive them for audits or regulatory compliance, or integrate them into their preferred SBOM management platform.
Let’s examine a CycloneDX file in detail. The SaaSBOM appears in the top-level “services” array. As an example, we’ll look at a portion of the CycloneDX JSON file for the same 3.69 GB OVA file.

Here the details for the Amazon Transcribe API have been expanded, and we see that the same data shown in the Spectra Assure SAFE report is present in the CycloneDX file. In CycloneDX terms, the endpoints live in the service’s “endpoints” array, the authentication requirement in its “authenticated” flag, and the flow direction in the “flow” field of each entry under “data”.
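Because the SaaSBOM is ordinary CycloneDX JSON, the checks from scenarios 1 and 4 above (a banned provider, a compromised file exchange host) and the authentication/flow review of a service card can be scripted against the exported file. The following is an added example written for this article; it is not code from ReversingLabs, Spectra Assure or the CycloneDX project. Both BOM documents in it are constructed: every application name, service name, provider, endpoint and data classification is made up for illustration and does not come from the OVA scan discussed here. It relies only on standard CycloneDX 1.6 service fields (“services”, nested “services”, “provider”, “endpoints”, “authenticated”, “x-trust-boundary”, “data[].flow”).

```python
"""Query a CycloneDX SaaSBOM: banned providers, compromised hosts, risky flows.

Added example for this article, not ReversingLabs, Spectra Assure or CycloneDX
project code. The two BOMs below are constructed; all names, endpoints and
data classifications are fictional.
"""
import json
from fnmatch import fnmatch
from urllib.parse import urlparse

# Constructed CycloneDX 1.6 SaaSBOM for a hypothetical "payroll-portal" app.
PAYROLL_BOM = json.loads("""
{"bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1,
 "metadata": {"component": {"type": "application", "name": "payroll-portal"}},
 "services": [
  {"bom-ref": "svc-1", "provider": {"name": "Amazon"}, "name": "Amazon Transcribe API",
   "endpoints": ["https://transcribe.example-region.amazonaws.com/"],
   "authenticated": true, "x-trust-boundary": true,
   "data": [{"flow": "bi-directional", "classification": "customer audio"}]},
  {"bom-ref": "svc-2", "provider": {"name": "ByteDance"}, "name": "TikTok Open API",
   "endpoints": ["https://open-api.tiktok.example/v2/"],
   "authenticated": true, "x-trust-boundary": true,
   "data": [{"flow": "outbound", "classification": "PII"}]},
  {"bom-ref": "svc-3", "provider": {"name": "Example Metrics"}, "name": "Usage beacon",
   "endpoints": ["http://beacon.metrics.example/collect"],
   "authenticated": false, "x-trust-boundary": true,
   "data": [{"flow": "outbound", "classification": "PII"}]}
 ]}
""")

# Constructed SaaSBOM for a hypothetical "hr-desktop" app with a nested service.
HR_BOM = json.loads("""
{"bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1,
 "metadata": {"component": {"type": "application", "name": "hr-desktop"}},
 "services": [
  {"bom-ref": "svc-a", "provider": {"name": "Example Transfer Inc."},
   "name": "Example File Exchange",
   "endpoints": ["https://transfer.example-files.net/api/v1/files"],
   "authenticated": true, "x-trust-boundary": true,
   "data": [{"flow": "inbound", "classification": "documents"}],
   "services": [
    {"bom-ref": "svc-a-1", "name": "Example File Exchange webhooks",
     "endpoints": ["https://hooks.example-files.net/"],
     "authenticated": true, "x-trust-boundary": true,
     "data": [{"flow": "inbound", "classification": "documents"}]}]}
 ]}
""")


def iter_services(services):
    """Yield every service, descending into nested "services" arrays."""
    for svc in services:
        yield svc
        yield from iter_services(svc.get("services", []))


def endpoint_hosts(svc):
    """Hostnames of a service's declared API endpoints."""
    return [urlparse(u).hostname or "" for u in svc.get("endpoints", [])]


def app_name(bom):
    return bom.get("metadata", {}).get("component", {}).get("name", "<unknown>")


def banned_services(bom, banned_terms):
    """Scenario 1: case-insensitive match of banned terms against the service
    name, provider name and endpoint hosts. Returns [(service name, term)]."""
    hits = []
    for svc in iter_services(bom.get("services", [])):
        fields = [svc.get("name", ""), svc.get("provider", {}).get("name", "")]
        haystack = " ".join(fields + endpoint_hosts(svc)).lower()
        for term in banned_terms:
            if term.lower() in haystack:
                hits.append((svc["name"], term))
                break
    return hits


def apps_using_host(boms, host_glob):
    """Scenario 4: which applications talk to a host matching a glob such as
    '*.example-files.net'. Returns {app name: [service names]}."""
    affected = {}
    for bom in boms:
        names = sorted({svc["name"] for svc in iter_services(bom.get("services", []))
                        if any(fnmatch(h, host_glob) for h in endpoint_hosts(svc))})
        if names:
            affected[app_name(bom)] = names
    return affected


def risky_flows(bom):
    """Service-card review: data sent out across a trust boundary without
    authentication, or any cleartext http endpoint. Returns [(name, reason)]."""
    findings = []
    for svc in iter_services(bom.get("services", [])):
        sends = any(d.get("flow") in ("outbound", "bi-directional") for d in svc.get("data", []))
        if sends and svc.get("x-trust-boundary", False) and not svc.get("authenticated", False):
            findings.append((svc["name"], "unauthenticated outbound data across trust boundary"))
        if any(urlparse(u).scheme == "http" for u in svc.get("endpoints", [])):
            findings.append((svc["name"], "cleartext http endpoint"))
    return findings


if __name__ == "__main__":
    print(banned_services(PAYROLL_BOM, ["TikTok", "ByteDance"]))
    print(apps_using_host([PAYROLL_BOM, HR_BOM], "*.example-files.net"))
    print(risky_flows(PAYROLL_BOM))
```

Matching on provider and endpoint hosts as well as the display name matters in practice: a banned vendor can surface under a product name that does not contain the vendor’s name, and an incident advisory usually names hosts rather than the label a BOM generator chose. Descending into nested “services” matters too, since CycloneDX lets a service declare sub-services and a flat scan would miss them.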
The Bottom Line: Software Transparency Improves with SaaSBOMs
SBOMs have been mainstream for some time, offering valuable insight into the components included in a software package. However, they don’t provide complete visibility into all dependencies, particularly external services. That’s where SaaSBOMs come in, offering a deeper layer of transparency by identifying the third-party services in use.
As the four scenarios described earlier illustrate, SaaSBOMs already have practical, real-world benefits for security teams, helping them increase efficiency, reduce risk, and demonstrate compliance. A future vision for SaaSBOMs is to help SecOps teams allow-list applications, potentially even importing SaaSBOMs directly into firewalls to quickly onboard locally deployed applications.
While SBOM adoption continues to grow, organizations are increasingly recognizing that having visibility into the full ecosystem of interconnected services via SaaSBOMs is essential to securing today’s complex software supply chains.
Adoption of other BOM types defined in the CycloneDX standard is also on the rise. Spectra Assure already supports many of these BOMs, with additional support planned - helping us move steadily toward a future where comprehensive software transparency is the norm.
Explore RL's Spectra suite: Spectra Assure for software supply chain security, Spectra Detect for scalable file analysis, Spectra Analyze for malware analysis and threat hunting, and Spectra Intelligence for reputation data and intelligence.