S3C2 Summit 2024-09: Industry Secure Software Supply Chain Summit

TL;DR

This paper reports on a summit where industry practitioners and researchers discussed practical challenges and recent developments in securing software supply chains amidst rising cyber threats.

Contribution

It provides insights into real-world challenges and collaborative efforts to improve software supply chain security from a diverse industry summit.

Findings

Shared practical experiences on supply chain security challenges

Identified key areas for future research and collaboration

Highlighted emerging topics like large language models and vulnerability reduction

Abstract

While providing economic and software development value, software supply chains are only as strong as their weakest link. Over the past several years, there has been an exponential increase in cyberattacks, specifically targeting vulnerable links in critical software supply chains. These attacks disrupt the day-to-day functioning and threaten the security of nearly everyone on the internet, from billion-dollar companies and government agencies to hobbyist open-source developers. The ever-evolving threat of software supply chain attacks has garnered interest from the software industry and the US government in improving software supply chain security. On September 20, 2024, three researchers from the NSF-backed Secure Software Supply Chain Center (S3C2) conducted a Secure Software Supply Chain Summit with a diverse set of 12 practitioners from 9 companies. The goals of the Summit were to: (1) to enable sharing between individuals from different companies regarding practical experiences and challenges with software supply chain security, (2) to help form new collaborations, (3) to share our observations from our previous summits with industry, and (4) to learn about practitioners' challenges to inform our future research direction. The summit consisted of discussions of six topics relevant to the companies represented, including updating vulnerable dependencies, component and container choice, malicious commits, building infrastructure, large language models, and reducing entire classes of vulnerabilities.