
WTF is Software Supply Chain Security
Topic
Trend topic
Details
Format:
Management lecture
Session description
Assessing third-party software risk is a leap of faith. External testing methods like security questionnaires, pen-testing, and security rating services fail to provide the transparency enterprises need, while deeper analysis with SAST and SCA requires access to the vendor’s source code. Simply put, the tools available to third-party cyber risk professionals do not adequately measure their breach exposure through third-party software. The result is software supply chain attack risk. To effectively scale with their growing third-party software attack surface, cybersecurity professionals need to unshackle themselves from traditional assessment methods and analyze commercial software on their own terms.
