Engineering Trust

In this episode of the Exodos Labs Engineering Trust Podcast, we break down SBOMs in plain language: what an SBOM is (a “software ingredients list”), why it suddenly matters for security and compliance, and what “good SBOM hygiene” looks like in practice. You’ll hear real-world context (including why Log4j is still haunting organizations years later), how SBOMs fit into the software lifecycle, and why “generating an SBOM” is the easy part—while requesting, receiving, tracking, validating, and sharing SBOMs at scale is where most teams struggle. In this episode, we cover: SBOM 101: what it is (and what it isn’t) using the ingredients-list analogy Why this is a supply chain problem (open-source dependency reality + downstream risk) The two dominant formats: SPDX and CycloneDX—and what differs in practice How SBOM generation works with common tools (and why CI/CD automation is key to staying up to date) SBOM “quality gates” and minimum requirements (e.g., NTIA / industry baselines) Why SBOM exchange today is “all over the place” (emails, portals, shared drives) and how to make it auditable A look ahead: XBOMs (e.g., cryptography BOM), and geo-risk / provenance signals via maintainer & contributor context If you’re a CISO, AppSec, DevOps, or product security leader trying to operationalize SBOMs beyond checkbox compliance, this one is for you.

The Exodos Labs team breaks down the EU Cyber Resilience Act (CRA) into a practical readiness playbook for software vendors—no legalese, just the actions you need to take now to be ready before 2027. In this episode, we cover: The CRA timeline and the two key milestones (reporting starts in 2026; full requirements hit in 2027) What the CRA actually expects: security-by-design/default, vulnerability handling, supply chain control, and user-facing documentation Product risk classes (Standard vs. “Important” Class I vs. “Critical” Class II) and what that means for conformity assessment SBOMs as operational evidence: CI/CD generation, quality gates, versioning, and controlled access (not “publish everything”) A realistic 90-day blueprint to get your first CRA-ready skeleton in place If you’re a product security, engineering, or compliance lead shipping into the EU, this is your “start here” checklist.