S3C2 Summit 2023-11: Industry Secure Supply Chain Summit
Nusrat Zahan, Yasemin Acar, Michel Cukier, William Enck, Christian Kästner, Alexandros Kapravelos, Dominik Wermke, Laurie Williams

TL;DR
The paper summarizes the November 2023 Industry Secure Supply Chain Summit, highlighting industry challenges, discussions on SBOMs, vulnerabilities, and best practices for securing software supply chains.
Contribution
It provides an overview of industry perspectives and the shared challenges practitioners face in securing software supply chains, as discussed at the summit.
Findings
- Discussion of the importance of SBOMs and of handling vulnerabilities in dependencies.
- Shared challenges in securing build and deploy infrastructure.
- Emphasis on fostering a company culture that supports security.
Abstract
Cyber attacks leveraging or targeting the software supply chain, such as the SolarWinds and the Log4j incidents, affected thousands of businesses and their customers, drawing attention from both industry and government stakeholders. To foster open dialogue, facilitate mutual sharing, and discuss shared challenges encountered by stakeholders in securing their software supply chain, researchers from the NSF-supported Secure Software Supply Chain Center (S3C2) organize Secure Supply Chain Summits with stakeholders. This paper summarizes the Industry Secure Supply Chain Summit held on November 16, 2023, which consisted of \panels{} panel discussions with a diverse set of \participants{} practitioners from the industry. The individual panels were framed with open-ended questions and included the topics of Software Bills of Materials (SBOMs), vulnerable dependencies, malicious commits, build…
Taxonomy
Topics: Supply Chain Resilience and Risk Management
