S3C2 Summit 2024-09: Industry Secure Software Supply Chain Summit
- URL: http://arxiv.org/abs/2505.10538v1
- Date: Thu, 15 May 2025 17:48:14 GMT
- Title: S3C2 Summit 2024-09: Industry Secure Software Supply Chain Summit
- Authors: Imranur Rahman, Yasemin Acar, Michel Cukier, William Enck, Christian Kastner, Alexandros Kapravelos, Dominik Wermke, Laurie Williams
- Abstract summary: Over the past several years, there has been an exponential increase in cyberattacks targeting software supply chains. The ever-evolving threat of software supply chain attacks has garnered interest from the software industry and the US government. Three researchers from the NSF-backed Secure Software Supply Chain Center (S3C2) conducted a Secure Software Supply Chain Summit with a diverse set of 12 practitioners from 9 companies.
- Score: 50.93790634176803
- License: http://creativecommons.org/licenses/by-sa/4.0/
- Abstract: While providing economic and software development value, software supply chains are only as strong as their weakest link. Over the past several years, there has been an exponential increase in cyberattacks, specifically targeting vulnerable links in critical software supply chains. These attacks disrupt the day-to-day functioning and threaten the security of nearly everyone on the internet, from billion-dollar companies and government agencies to hobbyist open-source developers. The ever-evolving threat of software supply chain attacks has garnered interest from the software industry and the US government in improving software supply chain security. On September 20, 2024, three researchers from the NSF-backed Secure Software Supply Chain Center (S3C2) conducted a Secure Software Supply Chain Summit with a diverse set of 12 practitioners from 9 companies. The goals of the Summit were to: (1) enable sharing between individuals from different companies regarding practical experiences and challenges with software supply chain security, (2) help form new collaborations, (3) share our observations from our previous summits with industry, and (4) learn about practitioners' challenges to inform our future research direction. The summit consisted of discussions of six topics relevant to the companies represented, including updating vulnerable dependencies, component and container choice, malicious commits, building infrastructure, large language models, and reducing entire classes of vulnerabilities.
Related papers
- Llama-3.1-FoundationAI-SecurityLLM-Base-8B Technical Report [50.268821168513654] (arXiv 2025-04-28T08:41:12Z)
  We present Foundation-Sec-8B, a cybersecurity-focused large language model (LLM) built on the Llama 3.1 architecture. We evaluate it across both established and new cybersecurity benchmarks, showing that it matches Llama 3.1-70B and GPT-4o-mini in certain cybersecurity-specific tasks. By releasing our model to the public, we aim to accelerate progress and adoption of AI-driven tools in both public and private cybersecurity contexts.
- S3C2 Summit 2024-08: Government Secure Supply Chain Summit [51.99432298381618] (arXiv 2025-04-01T15:54:41Z)
  Supply chain security has become a very important vector to consider when defending against adversary attacks. On August 29, 2024, researchers from the Secure Software Supply Chain Center (S3C2) gathered 14 practitioners from 10 government agencies to discuss the state of supply chain security. The goal of the summit is to share insights between companies and developers alike to foster new collaborations and ideas moving forward.
- Closing the Chain: How to reduce your risk of being SolarWinds, Log4j, or XZ Utils [0.8111409409504281] (arXiv 2025-03-15T16:22:09Z)
  The goal of this study is to aid software organizations in reducing the risk of software supply chain attacks. We qualitatively analyzed 106 Cyber Threat Intelligence (CTI) reports of the 3 attacks to gather the attack techniques. The three mitigation tasks with the highest scores are role-based access control, system monitoring, and boundary protection.
- S3C2 Summit 2023-11: Industry Secure Supply Chain Summit [60.025314516749205] (arXiv 2024-08-29T13:40:06Z)
  This paper summarizes the Industry Secure Supply Chain Summit held on November 16, 2023. The goal of this summit was to enable open discussions, mutual sharing, and shedding light on common challenges that industry practitioners with practical experience face when securing their software supply chain.
- An Industry Interview Study of Software Signing for Supply Chain Security [5.433194344896805] (arXiv 2024-06-12T13:30:53Z)
  We study the challenges that affect the effective implementation of software signing in practice. We highlight the different challenges (technical, organizational, and human) that hamper software signing implementation.
- S3C2 Summit 2024-03: Industry Secure Supply Chain Summit [51.12259456590232] (arXiv 2024-05-14T16:53:14Z)
  Supply chain security has become a very important vector to consider when defending against adversary attacks. On March 7th, 2024, researchers from the Secure Software Supply Chain Center (S3C2) gathered 14 industry leaders, developers and consumers of the open source ecosystem to discuss the state of supply chain security. The goal of the summit is to share insights between companies and developers alike to foster new collaborations and ideas moving forward.
- Software supply chain: review of attacks, risk assessment strategies and security controls [0.13812010983144798] (arXiv 2023-05-23T15:25:39Z)
  The software product is a source of cyber-attacks that target organizations by using their software supply chain as a distribution vector. We analyze the most common software supply chain attacks by providing the latest trend of analyzed attacks. This study introduces unique security controls to mitigate analyzed cyber-attacks and risks by linking them with real-life security incidents and attacks.
- A System for Automated Open-Source Threat Intelligence Gathering and Management [53.65687495231605] (arXiv 2021-01-19T18:31:35Z)
  SecurityKG is a system for automated OSCTI gathering and management. It uses a combination of AI and NLP techniques to extract high-fidelity knowledge about threat behaviors.