
Well of course security consultants believe every company should hire security consultants to review every dependency in the stack all the way down.

But for the people who sign the checks, do you have ROI numbers to support this approach?

How many exploitable vulnerabilities in open source dependencies that could have led to financial loss have your reviews found that an off-the-shelf SCA tool didn't find?




FWIW I advocated for external review of security critical dependencies and hired external firms for this long before I started my own firm.

The ROI is not having your company ended by someone malicious that reviewed that code before someone acting in your interest does. That said, I normally work with companies that -really- need users to trust their security practices so this can become a sales and marketing win. When competitors are forced to admit they do not review the code that handles customer data or money, and you do because it is obviously the responsible thing to do... it helps customers choose you.

As to your practical example question, many companies depend on Terraform, for example. Until I reviewed the AWS password generation function it was producing passwords seeded by the current time. An attacker that knew what time an account was created had a path to guessing the password.

https://nvd.nist.gov/vuln/detail/CVE-2018-9057

Do we find things this impactful super often? No. But when we do find them all of our clients can get early warning and be recommended general practices that avoid this type of issue entirely.

We have also privately exploited supply chain attacks when legally possible more than once as demonstrations for our clients.

While the best examples are public, you do not have to look hard to realize supply chain attacks are all too often -easy-.

Researchers did a scan of all npm packages whose maintainer email addresses have expired domains. AKA packages anyone can buy their way into control of.

https://arxiv.org/abs/2112.10165

Thousands of them. I bought the maintainer email domain of the NPM foreach package just to prove a point.

Generally though we spend most of our time doing blue team work. If you architect your application well with well placed secure enclaves you can get away with any single system or human being compromised without a loss of user data or funds. Then it becomes possible to more freely use libraries and move fast in other parts of your stack with lower risk.

Reviewing 100% of all deps company-wide is not the only knob one can turn.
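The Terraform example above turns on one property: a password derived from a PRNG seeded with the creation time is a deterministic function of that time, so knowing the time means knowing the password. The following Go program is an added example, not code from the thread or from the Terraform AWS provider; it reconstructs the anti-pattern generically (function names, the 62-character alphabet and the seed handling are assumptions) beside the fix a reviewer would ask for, which is to draw every character from `crypto/rand` so there is no seed to know.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math/big"
	mathrand "math/rand"
	"time"
)

// alphabet is the constructed character set both generators draw from (62 symbols).
const alphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"

// weakPassword models the flaw described in the comment: a password built
// from a non-cryptographic PRNG (math/rand) seeded with a timestamp. The
// seed is passed in explicitly so the program can show that the same seed
// always yields the same password. This is an illustrative reconstruction,
// not the provider's actual code.
func weakPassword(seed int64, length int) string {
	r := mathrand.New(mathrand.NewSource(seed))
	b := make([]byte, length)
	for i := range b {
		b[i] = alphabet[r.Intn(len(alphabet))]
	}
	return string(b)
}

// strongPassword is the hardened form: each index comes from the operating
// system CSPRNG via crypto/rand.Int, which is unbiased over the alphabet size.
// There is no seed an attacker could learn or narrow down.
func strongPassword(length int) (string, error) {
	b := make([]byte, length)
	max := big.NewInt(int64(len(alphabet)))
	for i := range b {
		n, err := rand.Int(rand.Reader, max)
		if err != nil {
			return "", err
		}
		b[i] = alphabet[n.Int64()]
	}
	return string(b), nil
}

// reproducesFromSeed is the review check in one line: if two independent runs
// with the same seed agree, the output is a function of the seed, not a secret.
func reproducesFromSeed(seed int64, length int) bool {
	return weakPassword(seed, length) == weakPassword(seed, length)
}

func main() {
	// The weak scheme effectively used "now" as its seed; an account's
	// creation time is often logged or observable, so this is not a secret.
	seed := time.Now().Unix()
	p1 := weakPassword(seed, 16)
	p2 := weakPassword(seed, 16)
	fmt.Printf("time-seeded, same seed:  %s == %s ? %v\n", p1, p2, p1 == p2)

	s1, err := strongPassword(16)
	if err != nil {
		panic(err)
	}
	s2, _ := strongPassword(16)
	fmt.Printf("crypto/rand, two calls:  %s == %s ? %v\n", s1, s2, s1 == s2)
}
```

When reviewing a dependency that generates credentials, keys or tokens, the question to ask of the code is the one `reproducesFromSeed` asks of the program: is there any input an outsider could know or guess from which the output can be recomputed? Any use of `math/rand` (or its equivalent in other languages) for secret material answers yes, regardless of how the seed is chosen.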



