Code buried deep inside applications can make a system vulnerable to supply-chain attacks. You need to know all the software in your system to protect it.