S3C2 Summit 2202-09: Industry Secure Suppy Chain Summit

TL;DR

This paper summarizes a summit where industry practitioners discussed challenges and solutions related to securing the software supply chain, focusing on recent attacks, standards, and best practices.

Contribution

It provides insights from industry experts on practical challenges and strategies for improving software supply chain security based on panel discussions.

Findings

Industry faces common challenges in supply chain security

Practitioners emphasize importance of SBOMs and standards

Collaborative discussions highlight practical solutions

Abstract

Recent years have shown increased cyber attacks targeting less secure elements in the software supply chain and causing fatal damage to businesses and organizations. Past well-known examples of software supply chain attacks are the SolarWinds or log4j incidents that have affected thousands of customers and businesses. The US government and industry are equally interested in enhancing software supply chain security. We conducted six panel discussions with a diverse set of 19 practitioners from industry. We asked them open-ended questions regarding SBOMs, vulnerable dependencies, malicious commits, build and deploy, the Executive Order, and standards compliance. The goal of this summit was to enable open discussions, mutual sharing, and shedding light on common challenges that industry practitioners with practical experience face when securing their software supply chain. This paper summarizes the summit held on September 30, 2022.