
I frequently find myself advocating for better supply chain security. But if I asked developers (or their managers) to review/audit 2,000 NPM dependencies, I would almost certainly fail. No other company they know of is doing that, and asking them to start is predicated on the entire industry being wrong. That tends to be a tough sell - even though I agree with you, convincing others is a whole 'nother ball game!

What kind of arguments do the organizations you consult for find compelling? I find it extraordinarily difficult to convince others. There is a strong bias towards the status quo.




I often suggest that they either review it all, pay a company like mine to review it all, or do tree shaking to remove most of the deps and make it lean enough that they can afford to maintain reviews.

Failing those, when a legacy codebase is just too big to simplify or review, I will generally pivot to retrofitting in accountability to something that can be trusted. This often means working with the team to design small, auditable, reproducibly buildable standalone services for security critical functions that can run in a TEE or HSM. These often take on critical signing, encryption, and policy enforcement responsibilities such that a compromise of any single employee or the larger legacy application can be tolerated.

Gotta have multiple knobs you can turn so the org can choose the cheapest path that honestly meets the required threat model.


It's a "thing" in the Medical Device industry. I don't recall if it's now mandated or merely suggested in the recent FDA Cybersecurity Guidelines (still a Draft, not yet a Regulation), but creating a Software Bill of Materials for OTS/SOUP that's in your project is now recommended. Doing this allows you to track and analyze the impact of discovered vulnerabilities that may be in your shipped product.

I'm far from a security expert, but the concept of creating and maintaining an SBOM seems to be gaining traction across a number of industries.
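The impact-tracking use of an SBOM described in the comment above, as an added example that is not code from the thread: a CycloneDX-style component list is cross-checked against OSV-style advisory ranges. The SBOM, package names, versions and advisory ids are all constructed placeholders.

```python
"""Cross-check a CycloneDX-style SBOM against vulnerability advisories.
Everything below is constructed for illustration: the package names,
versions and advisory ids are placeholders, not real identifiers."""
import json

SBOM_JSON = json.dumps({  # constructed, minimal CycloneDX-like document
    "bomFormat": "CycloneDX",
    "components": [
        {"name": "example-parser", "version": "1.4.2", "purl": "pkg:npm/example-parser@1.4.2"},
        {"name": "example-logger", "version": "3.0.1", "purl": "pkg:npm/example-logger@3.0.1"},
        {"name": "example-cli", "version": "0.9.0", "purl": "pkg:npm/example-cli@0.9.0"},
    ],
})

# Constructed advisories using OSV-style "introduced"/"fixed" ranges:
# a version is affected if introduced <= v < fixed (fixed=None: every later version).
ADVISORIES = [
    {"id": "PLACEHOLDER-ADV-0001", "package": "example-parser",
     "introduced": "1.0.0", "fixed": "1.4.3"},
    {"id": "PLACEHOLDER-ADV-0002", "package": "example-logger",
     "introduced": "3.1.0", "fixed": "3.1.4"},
    {"id": "PLACEHOLDER-ADV-0003", "package": "example-cli",
     "introduced": "0.8.0", "fixed": None},
]

def parse_version(v):
    """Turn '1.4.2' into (1, 4, 2); a pre-release suffix such as '-beta' is dropped."""
    core = v.split("-")[0]
    return tuple(int(p) for p in core.split("."))

def is_affected(version, advisory):
    """True when version falls inside the advisory's half-open [introduced, fixed) range."""
    v = parse_version(version)
    if v < parse_version(advisory["introduced"]):
        return False
    fixed = advisory["fixed"]
    return fixed is None or v < parse_version(fixed)

def affected_components(sbom_json, advisories):
    """Return [(name, version, advisory id)] for every shipped component an advisory covers."""
    sbom = json.loads(sbom_json)
    hits = []
    for comp in sbom.get("components", []):
        for adv in advisories:
            if adv["package"] == comp["name"] and is_affected(comp["version"], adv):
                hits.append((comp["name"], comp["version"], adv["id"]))
    return hits

if __name__ == "__main__":
    for name, version, adv_id in affected_components(SBOM_JSON, ADVISORIES):
        print(f"{name}@{version} is affected by {adv_id}")
```

Run against a real SBOM, the same loop is what turns a newly published advisory into a list of shipped builds that need a patch decision.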



