eric.gallagher · Software Supply Chain Risk
Free Diagnostic // For Engineering & Security Leaders

How exposed is your software supply chain right now?

Most organizations don't find out until something breaks. This free 22-question diagnostic gives you a scored view of your supply chain risk across seven dimensions — and a live follow-up from me with personalized findings.

// Takes 8–12 minutes  ·  Free  ·  No pitch, just findings
22 Questions across 7 risk dimensions
100 Point scored maturity index
1:1 Live debrief with Eric — every respondent
01 Your Risk Score
An overall maturity score out of 100, benchmarked across four tiers from Reactive to Optimized. See exactly where you land.
02 Dimension Breakdown
Individual scores across all seven dimensions so you know which areas are carrying the most risk — and which are already strengths.
03 Top Gap Analysis
Your three highest-priority risk areas, ranked by score. A clear starting point for your next 90 days of remediation work.
04 Live Debrief with Eric
Every respondent gets a personal follow-up. Not a sales pitch — a real conversation about your findings and what they mean for your organization.
01 Visibility & SBOM
02 Sourcing & Provenance
03 Build Integrity
04 Vulnerability & CVE Posture
05 Tooling Strategy
06 Governance & Policy
07 Incident Response
// Questions are weighted by dimension. Scoring reflects real-world risk exposure, not checkbox compliance.
Reactive (0–39): Ad hoc responses. Significant exposure across most dimensions.
Maturing (40–64): Some controls in place. Key gaps remain in governance and visibility.
Proactive (65–84): Solid foundation. Optimization opportunities in tooling and policy.
Optimized (85–100): Leading posture. Supply chain risk is a managed, strategic discipline.
Eric Gallagher
Enterprise Security · Software Supply Chain Risk

Modern organizations run on a software supply chain that is fragile, opaque, and increasingly dangerous — and far too many leaders are operating under comforting illusions. I challenge those illusions.

I work with CISOs, security leaders, and engineering executives who are no longer satisfied with the industry's shallow explanations, vendor gloss, or false sense of security. My approach is simple: brutal clarity, strategic truth, zero bullshit.

// The illusions I hear most often — and spend my time dismantling:

"Secure containers" are only as secure as the application layer beneath them
SBOMs without curation produce false confidence, not real visibility
"Shift left" is a myth in enterprise reality — the risk doesn't move with it
Dependency sprawl is becoming an existential risk, not a hygiene problem
Most supply chain attacks succeed long before runtime
Security is no longer a tooling problem — it's a governance problem

Through Securing the Backbone and five books on supply chain risk, I help security leaders get past the dashboards and noise — toward better assurance, better visibility, and better control of the code their enterprises depend on.

ActiveState · Securing the Backbone · 5x Author · Parkersburg, WV

Know your number. Then let's talk about what it means.

The assessment takes under 12 minutes. Your score is immediate. The debrief is personal — I read every response before we connect.

Start the Assessment
// Free · 8–12 min · Personalized debrief included