S3C2 Summit 2025-03: Industry Secure Supply Chain Summit

TL;DR

The paper reports on a March 2025 NSF-backed Summit where 18 practitioners from 17 organizations discussed six topics critical to software supply chain security, including SBOMs, compliance, malicious commits, build infrastructure, culture, and LLMs. It documents persistent themes such as SBOMs not being mere checkboxes, the need for contextual SBOMs and build provenance, and the challenges of compliance across legacy systems and mergers. It also highlights advances in build transparency, reproducible builds, and governance around LLM usage, while noting the ongoing difficulty of attributing malicious intent and securing upstream dependencies. Collectively, the findings underscore a maturation of industry practices, a push toward deeper, more actionable security processes, and a cautious but growing openness to adopt newer technologies with appropriate controls and culture change.

Abstract

Software supply chains, while providing immense economic and software development value, are only as strong as their weakest link. Over the past several years, there has been an exponential increase in cyberattacks specifically targeting vulnerable links in critical software supply chains. These attacks disrupt the day-to-day functioning and threaten the security of nearly everyone on the internet, from billion-dollar companies and government agencies to hobbyist open-source developers. The ever-evolving threat of software supply chain attacks has garnered interest from both the software industry and US government in improving software supply chain security. On Thursday, March 6th, 2025, four researchers from the NSF-backed Secure Software Supply Chain Center (S3C2) conducted a Secure Software Supply Chain Summit with a diverse set of 18 practitioners from 17 organizations. The goals of the Summit were: (1) to enable sharing between participants from different industries regarding practical experiences and challenges with software supply chain security; (2) to help form new collaborations; and (3) to learn about the challenges facing participants to inform our future research directions. The summit consisted of discussions of six topics relevant to the government agencies represented, including software bill of materials (SBOMs); compliance; malicious commits; build infrastructure; culture; and large language models (LLMs) and security. For each topic of discussion, we presented a list of questions to participants to spark conversation. In this report, we provide a summary of the summit. The open questions and challenges that remained after each topic are listed at the end of each topic's section, and the initial discussion questions for each topic are provided in the appendix.