
S3C2 Summit 2024-08: Government Secure Supply Chain Summit

Courtney Miller, William Enck, Yasemin Acar, Michel Cukier, Alexandros Kapravelos, Christian Kastner, Dominik Wermke, Laurie Williams

TL;DR

The paper documents a government-focused Secure Software Supply Chain Summit evaluating practices in SBOMs, VEX, vulnerable-dependency updates, malicious commits, and broader cultural and technological factors. It highlights practical challenges such as trust in VEX artifacts, classification-related constraints on SBOM data, bureaucratic hurdles to patching, and the rising relevance of SCA tools, while emphasizing the XZ incident as a wake-up call for resilience. It also discusses policy and regulatory dimensions, including the EU Cyber Resilience Act, and the dual nature of LLMs as both useful development aids and potential attack vectors. Overall, the work underscores a gradual but ongoing shift toward security as an enabling discipline, balanced against operational overhead and policy uncertainties, with a call for concrete governance, cross-agency collaboration, and cautious integration of emerging technologies.

Abstract

Supply chain security has become a critical attack vector to consider when defending against adversaries. As a result, more and more developers are keen to harden their supply chains against future threats. On August 29, 2024, researchers from the Secure Software Supply Chain Center (S3C2) gathered 14 practitioners from 10 government agencies to discuss the state of supply chain security. The goal of the summit was to share insights among organizations and developers alike and to foster new collaborations and ideas going forward. During the meeting, participants were asked about best practices and their thoughts on how to improve things in the future. In this paper we summarize the responses and discussions of the summit.

Paper Structure

This paper contains 26 sections.