Dependency SBOM Maintained

Require that every API maintain a current software bill of materials enumerating the libraries, services, and versions it depends on. I want a machine-readable SBOM and dependency manifest kept in sync with what actually ships, generated from the build and its lockfile rather than edited by hand, so we can answer what is inside an API the moment a vulnerability is disclosed. You cannot secure or evaluate a dependency you have not inventoried, and an out-of-date SBOM is worse than none because it lies about exposure: it will tell you a service is clean when the version that deployed is the affected one. I hold a maintained SBOM as a production requirement for provenance, security response, and honest procurement.
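As an added example (not code from this page or its author), the check below reads a CycloneDX JSON SBOM, compares it against the pinned lockfile of what actually deployed, and answers the vulnerability question against both inventories so the "stale SBOM lies about exposure" failure is visible. Everything in it is constructed: the service name, the package versions, the advisory identifier and the minimal OSV-like advisory shape are placeholders, not a real feed or a real CVE.

```python
"""Is the SBOM current, and is this API exposed to a disclosed advisory?

Added example, not part of the original page. SBOM, lockfile and advisory
are constructed inline so it runs offline; the advisory id is a placeholder.
"""
import json
import re
from typing import Optional

# Constructed CycloneDX 1.5 JSON SBOM for a hypothetical "orders-api".
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"type": "application",
                               "name": "orders-api", "version": "3.4.1"}},
    "components": [
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0"},
        {"type": "library", "name": "urllib3", "version": "1.26.18",
         "purl": "pkg:pypi/urllib3@1.26.18"},
        {"type": "library", "name": "PyJWT", "version": "2.6.0",
         "purl": "pkg:pypi/pyjwt@2.6.0"},
    ],
})

# Constructed pinned lockfile of what actually deployed. urllib3 was bumped
# and cryptography was added after the SBOM was last regenerated.
SHIPPED_LOCKFILE = """\
requests==2.31.0
urllib3==2.0.5   # bumped after the SBOM was generated
pyjwt==2.6.0
cryptography==41.0.7
"""

# Constructed advisory in a minimal OSV-like shape (placeholder id).
ADVISORY = {
    "id": "EXAMPLE-ADVISORY-0001",
    "ecosystem": "pypi",
    "package": "urllib3",
    "introduced": "2.0.0",   # affected range: introduced <= v < fixed
    "fixed": "2.0.7",
}


def parse_version(v: str) -> tuple:
    """Numeric dotted versions only; pre-release tags are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def parse_sbom(sbom_json: str) -> dict:
    """Return {package: version} for library components, names lowercased."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX SBOM")
    return {c["name"].lower(): c["version"]
            for c in bom.get("components", []) if c.get("type") == "library"}


def parse_lockfile(text: str) -> dict:
    """Parse 'name==version' pins; anything unpinned is rejected."""
    deps = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"([A-Za-z0-9_.\-]+)==([0-9][^\s;]*)", line)
        if not m:
            raise ValueError(f"unpinned or unparsable line: {raw!r}")
        deps[m.group(1).lower()] = m.group(2)
    return deps


def sbom_drift(sbom: dict, shipped: dict) -> dict:
    """Differences between the SBOM and what shipped; all empty means current."""
    both = set(sbom) & set(shipped)
    return {
        "missing_from_sbom": sorted(set(shipped) - set(sbom)),
        "not_shipped": sorted(set(sbom) - set(shipped)),
        "version_mismatch": sorted((n, sbom[n], shipped[n])
                                   for n in both if sbom[n] != shipped[n]),
    }


def sbom_is_current(sbom: dict, shipped: dict) -> bool:
    """CI gate: fail the build when the SBOM does not match the lockfile."""
    return not any(sbom_drift(sbom, shipped).values())


def is_affected(version: str, advisory: dict) -> bool:
    v = parse_version(version)
    return (parse_version(advisory["introduced"]) <= v
            < parse_version(advisory["fixed"]))


def exposure(inventory: dict, advisory: dict) -> Optional[str]:
    """Version of the affected package present in inventory, else None."""
    ver = inventory.get(advisory["package"].lower())
    return ver if ver is not None and is_affected(ver, advisory) else None


if __name__ == "__main__":
    sbom, shipped = parse_sbom(SBOM_JSON), parse_lockfile(SHIPPED_LOCKFILE)
    print("SBOM current:", sbom_is_current(sbom, shipped))
    print("drift:", sbom_drift(sbom, shipped))
    print("exposed per SBOM:", exposure(sbom, ADVISORY))      # None: the lie
    print("exposed per shipped:", exposure(shipped, ADVISORY))  # 2.0.5: the truth
```

Run as a CI step, the `sbom_is_current` gate is the point: the SBOM is regenerated from the lockfile on every build and the pipeline fails if the two disagree, so the answer you get from the SBOM when an advisory lands is the same answer you would get from the deployed artifact.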
Strategies
API Dependencies Have an SBOM
I want a software bill of materials for the APIs and services we depend on, so that we always know what is actually in the systems we ship. Every external API we consume is a dependency, and if we ...
APIs Are Evaluated Before Adoption
I want us to evaluate an API before we build on it, because the cheapest time to discover a bad dependency is before it is wired into production. That means running third-party APIs through a procu...
Experiences
Procurement
Procurement is the experience of evaluating and adopting an API before building on it. Whether the API comes from another team or a third-party vendor, someone has to weigh its quality, reliability...
Provenance
Failing to understand your API history increases the risk of repeating past mistakes in future API development. Establishing provenance for each API helps track changes over time and ensures new ow...
Security
API security is a top priority for any enterprise, with even higher standards for externally available APIs. However, security doesn’t end with the APIs an enterprise produces—it also applies to co...
Lifecycle
Governance Production
Governance is how everything on this lifecycle stays aligned as an operation scales. Policies, rules, and standards applied consistently across teams are what keep APIs coherent without slowing eve...