SaaSBOM

A SaaSBOM (Software-as-a-Service Bill of Materials) is an extension of the traditional Software Bill of Materials (SBOM), specifically designed to provide visibility into all services used by an application, system or cloud-native software. A service is any software that is accessed over a network, including third-party APIs, data processing pipelines, cloud services, libraries, authentication providers, and any other service-level dependency that could impact security or availability.

Modern software rarely operates as a self-contained unit, instead, it interacts with other services and networked resources. These interactions introduce risks beyond vulnerabilities within the software code, such as unprotected data exchanges, insecure API calls, and service misconfigurations, and rising attacks on third-party SaaS providers and service dependencies.

SaaSBOMs provide the visibility needed to mitigate these service-based risks as well as support third-party software risk management, compliance, incident response, and vendor security evaluations.

There are several scenarios where a SaaSBOM provides additional insight that providers and consumers of software and services would find valuable:

• Cloud-native systems composed of internal and third-party services or microservices
• Web applications that depend on third party services to integrate necessary functions such as authentication, payment, or federated access to other services
• Applications running on desktops, mobile, or other edge devices that access third party services to function
• Thin clients which are primarily made up of API calls to access services hosted in a secure environment
• Shadow IT where employees or business units are using SaaS applications without the knowledge or approval of the organization

SaaSBOMs are typically generated through a combination of: