
XBOM Puts You Ahead In Application and Supply Chain Security Game | Moti Gindi – Apiiro


Guest: Moti Gindi (LinkedIn)
Company: Apiiro (Twitter)
Show: TFiR Newsroom

Creating an inventory of a modern application is an uphill struggle: the application is assembled from many components, and those components come from many development teams. The inventory is nevertheless essential, because you cannot protect an attack surface you do not understand. Since the Executive Order on Improving the Nation’s Cybersecurity was issued two years ago, SBOMs have become synonymous with mapping the application attack surface to understand risk. Too often, though, an SBOM only checks a compliance box and delivers little practical value.

In this episode of TFiR Newsroom, Swapnil Bhartiya sat down with Moti Gindi, Chief Product Officer at Apiiro, to discuss the company’s newly launched XBOM (eXtended Software Bill of Materials), an extension of the traditional SBOM, and how it helps organizations understand and assess risk across modern, complex application attack surfaces.

Highlights of this video interview:

  • Apiiro aims to secure application code and the way that code is delivered into the cloud.
  • How Apiiro approaches the problem: it builds a real-time inventory of the application, covering how it is built, how it is executed and how it is deployed. From that inventory it derives what matters most for alert triage and remediation, translating findings into business risk so that teams can pick the important issues and fix them fast.
  • Security is complicated in a cloud-centric world for three reasons: 1) the way applications are built has changed, from a monolith written by a small group of people to a distributed application built by hundreds or thousands of engineers; 2) the attack surface has changed, because the application runs in the cloud on cloud services, servers and Kubernetes, with identities and access to third-party services that may lie outside the scope of the application itself; 3) the pace of change has increased, not only in how the application is built and the infrastructure it runs on, but also in the surrounding processes.
  • Only by creating an accurate picture of what they have can customers deliver the core value of application security.
  • The scalable way to create an SBOM is to generate it automatically as part of the development, build and deployment processes, making it a background process within the company, using technology that allows you to do that.
  • The modern application is a complex beast that changes constantly and is developed in a distributed way. Part of the attack surface is the way it is developed and the way it is deployed. If you don’t know what you have, you can’t secure it.
  • With XBOM, Apiiro wants customers and application engineers to look at the entire application as the combination of all its elements: components, APIs, code modules, developer behaviors, data models and so on.
  • Apiiro takes the concept of the traditional SBOM further by expanding it beyond open source and infrastructure to everything the code is based on.
  • For customers using Apiiro’s cloud application security platform, XBOM is supported out of the box. In parallel, the company is providing the capability to export and query the XBOM from within other cloud application security platforms, for the benefit of its customers.
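The bullet about generating the SBOM automatically in the build pipeline, rather than by hand, is worth making concrete. The example below is added here and is not code from the article, from Apiiro or from its XBOM product; it shows the shape of such a background build step. It parses two constructed inputs that a build job would find in the repository (a pinned Python lockfile and a Dockerfile), emits a minimal CycloneDX-style JSON document listing both library and container components, and diffs the result against the previous build’s inventory so that new, removed or changed components surface as a review item instead of sitting unread in a compliance artifact. The sample inputs, the serial numbers and the two-builds scenario are all constructed for illustration.

```python
import json
import re
from typing import Dict, List

# Constructed sample inputs (not taken from the article): what the build step
# would read from the repository in two consecutive builds.
REQUIREMENTS_BUILD_1 = """\
requests==2.31.0
urllib3==2.0.7
pyyaml==6.0.1
"""
DOCKERFILE_BUILD_1 = "FROM python:3.11-slim\nCOPY . /app\n"

REQUIREMENTS_BUILD_2 = """\
requests==2.31.0
urllib3==2.2.1
cryptography==42.0.5
"""
DOCKERFILE_BUILD_2 = "FROM python:3.12-slim\nCOPY . /app\n"

# Pinned "name==version" lines; unpinned lines are ignored because an SBOM
# built from them would not describe what actually ships.
_PIN = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*==\s*([^\s;#]+)", re.M)
# "FROM image[:tag]" lines; a missing tag is recorded as "latest".
_FROM = re.compile(r"^FROM\s+([^\s:@]+)(?::([^\s@]+))?", re.M | re.I)


def pypi_components(lockfile: str) -> List[dict]:
    """Library components from a pinned requirements file."""
    return [
        {"type": "library", "name": n.lower(), "version": v,
         "purl": f"pkg:pypi/{n.lower()}@{v}"}
        for n, v in _PIN.findall(lockfile)
    ]


def image_components(dockerfile: str) -> List[dict]:
    """Container (base image) components from a Dockerfile."""
    return [
        {"type": "container", "name": img, "version": tag or "latest",
         "purl": f"pkg:docker/{img}@{tag or 'latest'}"}
        for img, tag in _FROM.findall(dockerfile)
    ]


def build_sbom(lockfile: str, dockerfile: str, serial: str) -> dict:
    """Minimal CycloneDX-shaped document covering build and deployment inputs."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "serialNumber": serial,
        "version": 1,
        "components": pypi_components(lockfile) + image_components(dockerfile),
    }


def diff_sbom(old: dict, new: dict) -> Dict[str, List[str]]:
    """Compare two inventories by package URL without the version suffix."""
    def index(bom: dict) -> Dict[str, str]:
        return {c["purl"].rsplit("@", 1)[0]: c["version"] for c in bom["components"]}
    o, n = index(old), index(new)
    return {
        "added": sorted(k for k in n if k not in o),
        "removed": sorted(k for k in o if k not in n),
        "changed": sorted(k for k in n if k in o and o[k] != n[k]),
    }


if __name__ == "__main__":
    previous = build_sbom(REQUIREMENTS_BUILD_1, DOCKERFILE_BUILD_1, "urn:uuid:build-1")
    current = build_sbom(REQUIREMENTS_BUILD_2, DOCKERFILE_BUILD_2, "urn:uuid:build-2")
    print(json.dumps(current, indent=2))
    print(json.dumps(diff_sbom(previous, current), indent=2))
```

In a real pipeline the previous build’s document would be fetched from artifact storage and the diff posted to the pull request or fed to a risk engine; the point of the bullet is that the inventory is produced on every build without anyone asking for it, and a component that appears or changes becomes something a reviewer sees rather than a line in a file nobody opens.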

This summary was written by Monika Chauhan.