S3C2 Summit 2024-09: Industry Secure Software Supply Chain Summit
Imranur Rahman, Yasemin Acar, Michel Cukier, William Enck, Christian Kastner, Alexandros Kapravelos, Dominik Wermke, Laurie Williams
TL;DR
Software supply chains face escalating cyber threats targeting dependencies and build pipelines, with additional risk from AI/LLM-enabled vectors. The paper documents a day-long, Chatham House–ruled Summit (S3C2) where 12 practitioners from 9 firms discussed six topics—updating vulnerable dependencies, component/container choice, malicious commits, build infrastructure, LLMs, and reducing vulnerability classes—and surfaced current practices and open questions. Findings highlight persistent gaps in SBOM quality, exploitability/reachability tooling, build provenance, malicious-commit detection, and secure LLM/AI supply chains, alongside a set of cross-cutting research questions. The work aims to inform industry and government stakeholders, guide future research directions, and foster cross-organizational collaboration to advance practical software supply chain security.
Abstract
While providing economic and software development value, software supply chains are only as strong as their weakest link. Over the past several years, there has been an exponential increase in cyberattacks, specifically targeting vulnerable links in critical software supply chains. These attacks disrupt the day-to-day functioning and threaten the security of nearly everyone on the internet, from billion-dollar companies and government agencies to hobbyist open-source developers. The ever-evolving threat of software supply chain attacks has garnered interest from the software industry and the US government in improving software supply chain security. On September 20, 2024, three researchers from the NSF-backed Secure Software Supply Chain Center (S3C2) conducted a Secure Software Supply Chain Summit with a diverse set of 12 practitioners from 9 companies. The goals of the Summit were to: (1) to enable sharing between individuals from different companies regarding practical experiences and challenges with software supply chain security, (2) to help form new collaborations, (3) to share our observations from our previous summits with industry, and (4) to learn about practitioners' challenges to inform our future research direction. The summit consisted of discussions of six topics relevant to the companies represented, including updating vulnerable dependencies, component and container choice, malicious commits, building infrastructure, large language models, and reducing entire classes of vulnerabilities.
