S3C2 Summit 2024-03: Industry Secure Supply Chain Summit

Greg Tystahl, Yasemin Acar, Michel Cukier, William Enck, Christian Kastner, Alexandros Kapravelos, Dominik Wermke, Laurie Williams

TL;DR

This paper reports on the S3C2 Industry Secure Supply Chain Summit held on March 7, 2024, synthesizing panel discussions across SBOMs, vulnerable dependencies, malicious commits, build infrastructure, vulnerability reduction, and LLMs in the supply chain. It highlights practical, experience-based insights and trade-offs from 14 industry participants, emphasizing defense-in-depth, policy-driven updates, and rapid remediation over perfect prevention. Key takeaways advocate for measurable, context-aware approaches—such as selective SBOM usage, mature dependency update policies, reproducible builds, and phased adoption of memory-safe languages—while remaining cautious about LLM trust and liability. The findings aim to guide open-source and industry practices, informing policy, tooling, and future research in securing the software supply chain.

Abstract

Supply chain security has become a very important vector to consider when defending against adversary attacks. Due to this, more and more developers are keen on improving their supply chains to make them more robust against future threats. On March 7th, 2024, researchers from the Secure Software Supply Chain Center (S3C2) gathered 14 industry leaders, developers, and consumers of the open source ecosystem to discuss the state of supply chain security. The goal of the summit was to share insights between companies and developers alike to foster new collaborations and ideas moving forward. Through this meeting, participants were asked questions on best practices and their thoughts on how to improve things for the future. In this paper we summarize the responses and discussions of the summit. The panel questions can be found in the appendix.
