Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

S3C2 Summit 2023-11: Industry Secure Supply Chain Summit

Nusrat Zahan, Yasemin Acar, Michel Cukier, William Enck, Christian Kästner, Alexandros Kapravelos, Dominik Wermke, Laurie Williams

TL;DR

The paper documents the Industry Secure Supply Chain Summit (November 16, 2023) organized by the NSF-supported S3C2 program to surface practitioner insights on securing the software supply chain. Through a keynote and six panel discussions with 13 industry practitioners from 11 companies and 3 researchers, the summit covers SBOM adoption, vulnerable dependencies, malicious commits, build infrastructure, scaling vulnerable classes of vulnerabilities, and culture changes, all within a dialogue framework designed to share lessons learned and identify research opportunities. Key findings highlight practical challenges in SBOM generation and sharing, the complexity of vulnerability management, the need for robust build provenance and reproducible builds, and the critical role of executive support and culture in enabling secure software development. The discussions illuminate actionable pathways for industry and policy, including standardization efforts, trusted-build workflows, and incentives to accelerate the adoption of memory-safe languages and secure development practices in both proprietary and open-source ecosystems, aligned with national cybersecurity priorities under EO 14028.

Abstract

Cyber attacks leveraging or targeting the software supply chain, such as the SolarWinds and the Log4j incidents, affected thousands of businesses and their customers, drawing attention from both industry and government stakeholders. To foster open dialogue, facilitate mutual sharing, and discuss shared challenges encountered by stakeholders in securing their software supply chain, researchers from the NSF-supported Secure Software Supply Chain Center (S3C2) organize Secure Supply Chain Summits with stakeholders. This paper summarizes the Industry Secure Supply Chain Summit held on November 16, 2023, which consisted of \panels{} panel discussions with a diverse set of \participants{} practitioners from the industry. The individual panels were framed with open-ended questions and included the topics of Software Bills of Materials (SBOMs), vulnerable dependencies, malicious commits, build and deploy infrastructure, reducing entire classes of vulnerabilities at scale, and supporting a company culture conductive to securing the software supply chain. The goal of this summit was to enable open discussions, mutual sharing, and shedding light on common challenges that industry practitioners with practical experience face when securing their software supply chain.

S3C2 Summit 2023-11: Industry Secure Supply Chain Summit

TL;DR

The paper documents the Industry Secure Supply Chain Summit (November 16, 2023) organized by the NSF-supported S3C2 program to surface practitioner insights on securing the software supply chain. Through a keynote and six panel discussions with 13 industry practitioners from 11 companies and 3 researchers, the summit covers SBOM adoption, vulnerable dependencies, malicious commits, build infrastructure, scaling vulnerable classes of vulnerabilities, and culture changes, all within a dialogue framework designed to share lessons learned and identify research opportunities. Key findings highlight practical challenges in SBOM generation and sharing, the complexity of vulnerability management, the need for robust build provenance and reproducible builds, and the critical role of executive support and culture in enabling secure software development. The discussions illuminate actionable pathways for industry and policy, including standardization efforts, trusted-build workflows, and incentives to accelerate the adoption of memory-safe languages and secure development practices in both proprietary and open-source ecosystems, aligned with national cybersecurity priorities under EO 14028.

Abstract

Cyber attacks leveraging or targeting the software supply chain, such as the SolarWinds and the Log4j incidents, affected thousands of businesses and their customers, drawing attention from both industry and government stakeholders. To foster open dialogue, facilitate mutual sharing, and discuss shared challenges encountered by stakeholders in securing their software supply chain, researchers from the NSF-supported Secure Software Supply Chain Center (S3C2) organize Secure Supply Chain Summits with stakeholders. This paper summarizes the Industry Secure Supply Chain Summit held on November 16, 2023, which consisted of \panels{} panel discussions with a diverse set of \participants{} practitioners from the industry. The individual panels were framed with open-ended questions and included the topics of Software Bills of Materials (SBOMs), vulnerable dependencies, malicious commits, build and deploy infrastructure, reducing entire classes of vulnerabilities at scale, and supporting a company culture conductive to securing the software supply chain. The goal of this summit was to enable open discussions, mutual sharing, and shedding light on common challenges that industry practitioners with practical experience face when securing their software supply chain.
Paper Structure (32 sections)

This paper contains 32 sections.

Table of Contents

  1. Overview
  2. November 2023 Summit
  3. Software Bill of Materials
  4. SBOM Adoption
  5. Sharing & Collecting SBOMs
  6. Key Takeways: SBOMs
  7. Vulnerable Dependencies
  8. Vulnerability Management
  9. Prioritizing Vulnerabilities
  10. Vulnerability Alerts in IDEs
  11. Key Takeaways: Vulnerable Dependencies
  12. Malicious Commits
  13. Handling Commits
  14. Multi-Factor Authentication and Signing
  15. External Components
  16. ...and 17 more sections