I have always said that supply chain attacks would bring havoc to software companies. However, it can be simplified with open source and a great level of due diligence. When you have access to the source, you don't have to blindly trust your vendor's security testing; you can actually conduct your own. But most vendors think that source code can't be shared, it's their IP ... So the results are clear. https://www.wired.com/story/solarwinds-hack-china-usda/