Modern software is increasingly complex, made up of hundreds or thousands of open source components, hidden away in deeply nested dependency trees. Just how much do we know about these open source components that are an integral part of our products? What are the risks associated with their usage, and what is our exposure? As an industry, our solution is to build up a robust defence against these perils. Security scans and licence checkers help create a walled garden, but ultimately harm the wider open source ecosystem. In this talk Colin will take a deep dive into a popular open source software product, scrutinising its dependencies and software supply chain. We'll look at where this code comes from, who authored it and how it is distributed. A key factor contributing to the 2008 financial crisis was our hidden and unwitting exposure to the failing subprime mortgage market. In the recovery from the crash, it took a concentrated effort to identify and unpick the layers of abstraction that hid this exposure. There are certainly parallels to be drawn with the complexity of, and our exposure to, open source software. And much like the financial crash, there is no simple solution!