Modern governments and organisations rely on a complex software supply chain of partners and vendors to operate. Unfortunately, there are numerous risks across closed and open source software that organisations aren't aware of. Recent software supply chain attacks include log4shell, which have cost organisations 10K hours in patching and remediation alone. Join us and walk through some common mistakes, and how some recent failures have caused a renewal of ecosystem risk models. This talk will dive into key risk indicators, tools and frameworks (including specific Cloud Security Alliance (CSA) guidelines) that can help, and how to improve your risk posture.