Hacker News

I often suggest that they either review it all, pay a company like mine to review it all, or do tree-shaking to remove most of the deps and make it lean enough that they can afford to maintain reviews.

Failing those, when a legacy codebase is just too big to simplify or review, I will generally pivot to retrofitting accountability into something that can be trusted. This often means working with the team to design small, auditable, reproducibly buildable standalone services for security-critical functions that can run in a TEE or HSM. These often take on critical signing, encryption, and policy enforcement responsibilities such that a compromise of any single employee or of the larger legacy application can be tolerated.

Gotta have multiple knobs you can turn so the org can choose the cheapest path that honestly meets the required threat model.
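The pattern the comment describes, a small standalone signer that enforces policy before using a key no caller holds, as an added example (not the commenter's code or any particular product). It is a deliberately tiny stand-in: HMAC-SHA256 with keys generated at import stands in for the asymmetric signing key a real TEE/HSM would hold and for each approver's hardware token, and the approver names, quorum size and `release/` namespace rule are invented for the demonstration. The security-relevant property it shows is the one the comment names: one compromised employee (a single approval, or one approval replayed) and a compromised calling application (forging an approval without the approver's key, or requesting a signature outside the allowed namespace) each fail policy, and every decision lands in an audit log.

```python
"""Quorum-gated signing service: illustrative stand-in for a TEE/HSM-backed signer."""
import hashlib
import hmac
import json
import secrets

# Constructed demo secrets. In the deployment the comment describes, SIGNING_KEY
# would be generated and held inside the TEE/HSM (never exported), and each
# approver's key would live on that person's own hardware token.
SIGNING_KEY = secrets.token_bytes(32)
APPROVER_KEYS = {
    "alice": secrets.token_bytes(32),
    "bob": secrets.token_bytes(32),
    "carol": secrets.token_bytes(32),
}
QUORUM = 2                   # approvals from distinct people required per signature
ALLOWED_PREFIX = "release/"  # only artifacts in this namespace may ever be signed

AUDIT_LOG = []               # every decision, accepted or refused, is recorded


class PolicyError(Exception):
    """Raised when a signing request does not satisfy the enforced policy."""


def canonical(request: dict) -> bytes:
    """Deterministic encoding so approvers and the signer MAC exactly the same bytes."""
    return json.dumps(request, sort_keys=True, separators=(",", ":")).encode()


def approve(approver: str, approver_key: bytes, request: dict) -> dict:
    """An approver attests to one specific request (performed on their own device)."""
    mac = hmac.new(approver_key, canonical(request), hashlib.sha256).hexdigest()
    return {"approver": approver, "mac": mac}


def sign_if_authorized(request: dict, approvals: list) -> bytes:
    """Runs inside the trusted service: enforce policy, then sign with the held key."""
    payload = canonical(request)
    try:
        artifact = request.get("artifact", "")
        if not artifact.startswith(ALLOWED_PREFIX):
            raise PolicyError(f"artifact {artifact!r} outside allowed namespace")

        valid = set()  # a set, so the same person can never count twice
        for a in approvals:
            key = APPROVER_KEYS.get(a.get("approver"))
            if key is None:
                continue  # unknown approver: ignored, never counted
            expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
            if hmac.compare_digest(expected, a.get("mac", "")):
                valid.add(a["approver"])
        if len(valid) < QUORUM:
            raise PolicyError(f"{len(valid)} valid approval(s), need {QUORUM}")
    except PolicyError as e:
        AUDIT_LOG.append({"request": request, "decision": "refused", "reason": str(e)})
        raise

    signature = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    AUDIT_LOG.append({"request": request, "decision": "signed", "approvers": sorted(valid)})
    return signature


def verify(request: dict, signature: bytes) -> bool:
    """Relying-party check. With a real signer this would be a public-key verify."""
    expected = hmac.new(SIGNING_KEY, canonical(request), hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


def refuses(request: dict, approvals: list) -> bool:
    """True if the service refuses to sign this request under current policy."""
    try:
        sign_if_authorized(request, approvals)
    except PolicyError:
        return True
    return False


if __name__ == "__main__":
    req = {"artifact": "release/app-1.2.3.tar.gz", "sha256": "ab" * 32}
    sig = sign_if_authorized(req, [approve("alice", APPROVER_KEYS["alice"], req),
                                   approve("bob", APPROVER_KEYS["bob"], req)])
    print("signed:", verify(req, sig))
    print("single approver refused:", refuses(req, [approve("alice", APPROVER_KEYS["alice"], req)]))
    for entry in AUDIT_LOG:
        print(entry)
```

The two things worth keeping when this is ported to real hardware are the canonical encoding (approvers and signer must commit to identical bytes, or an attacker can get a different request signed) and the namespace check applied before the quorum count (so quorum cannot be used to bless something the service should never sign at all).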
