Understanding our supply chain means understanding all the components that make it. But this is harder than it appears. Open-source components make up 80 - 90% of our application's source code, but we must also remember that our open-source components are also made from open-source components, it's like supply chain inception. SCA or Software Composition Analysis is a security tool that looks at your entire supply chain and outlines vulnerabilities, including transitive or downstream dependencies. In this video, we discuss real-world implications of supply chain risk and break down how an SCA tool fits into your security position. Introduction 0:00 Risks of dependencies 0:20 Log4J Example 2:25 UA Parsjer Example 3:15 Event-stream example 4:01 SCA tools 4:40 SBOM 6:25