
#2 Exodos Labs Engineering Trust Podcast - SBOM Demystified, or Why Software Needs an Ingredients Label
Engineering Trust
• 13 min
In this episode of the Exodos Labs Engineering Trust Podcast, we break down SBOMs in plain language: what an SBOM is (a “software ingredients list”), why it suddenly matters for security and compliance, and what “good SBOM hygiene” looks like in practice.
You’ll hear real-world context (including why Log4j is still haunting organizations years later), how SBOMs fit into the software lifecycle, and why “generating an SBOM” is the easy part—while requesting, receiving, tracking, validating, and sharing SBOMs at scale is where most teams struggle.
In this episode, we cover:
SBOM 101: what it is (and what it isn’t) using the ingredients-list analogy
Why this is a supply chain problem (open-source dependency reality + downstream risk)
The two dominant formats: SPDX and CycloneDX—and what differs in practice
How SBOM generation works with common tools (and why CI/CD automation is key to keeping SBOMs current with every build)
SBOM “quality gates” and minimum requirements (e.g., NTIA / industry baselines)
Why SBOM exchange today is “all over the place” (emails, portals, shared drives) and how to make it auditable
A look ahead: XBOMs (e.g., cryptography BOM), and geo-risk / provenance signals via maintainer & contributor context
If you’re a CISO, AppSec, DevOps, or product security leader trying to operationalize SBOMs beyond checkbox compliance, this one is for you.
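An added example, not from the episode or Exodos Labs: a small Python quality gate that checks a CycloneDX JSON SBOM against the NTIA minimum elements (supplier name, component name, version, unique identifier, dependency relationship, SBOM author, timestamp). The two SBOMs below are constructed for the example; the component names, versions and supplier strings are illustrative, and the function names (ntia_gaps, gate) are this example's own. The same checks apply to SPDX documents, only the field names differ.

```python
"""NTIA minimum-elements gate for a CycloneDX JSON SBOM (added example)."""
import copy
import json
from datetime import datetime


def component_gaps(comp):
    """Return the NTIA fields missing from one CycloneDX component."""
    gaps = []
    label = comp.get("name") or comp.get("bom-ref") or "<unnamed>"
    if not (comp.get("supplier") or {}).get("name"):
        gaps.append(f"{label}: missing supplier name")
    if not comp.get("name"):
        gaps.append(f"{label}: missing component name")
    if not comp.get("version"):
        gaps.append(f"{label}: missing version")
    # NTIA "other unique identifiers": purl, cpe or swid tag
    if not (comp.get("purl") or comp.get("cpe") or comp.get("swid")):
        gaps.append(f"{label}: missing unique identifier (purl/cpe/swid)")
    return gaps


def ntia_gaps(bom):
    """Return a list of human-readable gaps; an empty list means the gate passes."""
    gaps = []
    meta = bom.get("metadata", {})
    ts = meta.get("timestamp")
    if not ts:
        gaps.append("metadata: missing timestamp")
    else:
        try:
            datetime.fromisoformat(ts.replace("Z", "+00:00"))
        except ValueError:
            gaps.append("metadata: timestamp is not ISO 8601")
    # "Author of SBOM data": CycloneDX carries this in metadata.authors or metadata.tools
    if not (meta.get("authors") or meta.get("tools")):
        gaps.append("metadata: missing author of SBOM data")
    comps = bom.get("components", [])
    if not comps:
        gaps.append("components: empty")
    for comp in comps:
        gaps.extend(component_gaps(comp))
    # Dependency relationship: every component must appear in the dependency graph
    refs = {c.get("bom-ref") for c in comps if c.get("bom-ref")}
    graph_refs = set()
    for dep in bom.get("dependencies", []):
        graph_refs.add(dep.get("ref"))
        graph_refs.update(dep.get("dependsOn", []))
    for ref in sorted(refs - graph_refs):
        gaps.append(f"{ref}: not present in dependency graph")
    return gaps


def gate(bom):
    """True if the SBOM satisfies the NTIA minimum elements."""
    return ntia_gaps(bom) == []


# Constructed sample: a complete SBOM that should pass the gate.
GOOD_SBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "metadata": {
        "timestamp": "2024-03-01T12:00:00Z",
        "authors": [{"name": "build-pipeline"}],
        "component": {"type": "application", "bom-ref": "app", "name": "inventory-svc",
                      "version": "2.4.0", "supplier": {"name": "Example Corp"}},
    },
    "components": [
        {"type": "library", "bom-ref": "log4j", "name": "log4j-core", "version": "2.17.1",
         "supplier": {"name": "Apache Software Foundation"},
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
        {"type": "library", "bom-ref": "jackson", "name": "jackson-databind", "version": "2.15.2",
         "supplier": {"name": "FasterXML"},
         "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.15.2"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["log4j", "jackson"]},
        {"ref": "log4j", "dependsOn": []},
        {"ref": "jackson", "dependsOn": []},
    ],
}

# Constructed sample: the same SBOM with fields a generator often leaves out.
BAD_SBOM = copy.deepcopy(GOOD_SBOM)
BAD_SBOM["components"][1].pop("version")
BAD_SBOM["components"][1].pop("supplier")
BAD_SBOM.pop("dependencies")
BAD_SBOM["metadata"].pop("authors")

if __name__ == "__main__":
    for name, bom in (("good", GOOD_SBOM), ("bad", BAD_SBOM)):
        print(name, "PASS" if gate(bom) else "FAIL")
        for gap in ntia_gaps(bom):
            print("  -", gap)
    # To gate a real file: gate(json.load(open("bom.json")))
```

Wiring this into CI as a required check (fail the build when ntia_gaps is non-empty) is what turns "we generate an SBOM" into an enforced baseline; the dependency-graph check in particular catches flat SBOMs that list packages but cannot answer "what pulls in log4j-core".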