S3C2 Summit 2025-03: Industry Secure Supply Chain Summit
- URL: http://arxiv.org/abs/2510.24920v1
- Date: Tue, 28 Oct 2025 19:47:07 GMT
- Title: S3C2 Summit 2025-03: Industry Secure Supply Chain Summit
- Authors: Elizabeth Lin, Jonah Ghebremichael, William Enck, Yasemin Acar, Michel Cukier, Alexandros Kapravelos, Christian Kastner, Laurie Williams,
- Abstract summary: Software supply chains provide immense economic and software development value.<n>In the past several years, there has been an exponential increase in cyberattacks targeting vulnerable links in critical software supply chains.<n>Four researchers from the NSF-backed Secure Software Supply Chain Center (S3C2) conducted a Secure Software Supply Chain Summit.
- Score: 48.11564259257153
- License: http://creativecommons.org/licenses/by-sa/4.0/
- Abstract: Software supply chains, while providing immense economic and software development value, are only as strong as their weakest link. Over the past several years, there has been an exponential increase in cyberattacks specifically targeting vulnerable links in critical software supply chains. These attacks disrupt the day-to-day functioning and threaten the security of nearly everyone on the internet, from billion-dollar companies and government agencies to hobbyist open-source developers. The ever-evolving threat of software supply chain attacks has garnered interest from both the software industry and US government in improving software supply chain security. On Thursday, March 6th, 2025, four researchers from the NSF-backed Secure Software Supply Chain Center (S3C2) conducted a Secure Software Supply Chain Summit with a diverse set of 18 practitioners from 17 organizations. The goals of the Summit were: (1) to enable sharing between participants from different industries regarding practical experiences and challenges with software supply chain security; (2) to help form new collaborations; and (3) to learn about the challenges facing participants to inform our future research directions. The summit consisted of discussions of six topics relevant to the government agencies represented, including software bill of materials (SBOMs); compliance; malicious commits; build infrastructure; culture; and large language models (LLMs) and security. For each topic of discussion, we presented a list of questions to participants to spark conversation. In this report, we provide a summary of the summit. The open questions and challenges that remained after each topic are listed at the end of each topic's section, and the initial discussion questions for each topic are provided in the appendix.
Related papers
- S3C2 SICP Summit 2025-06: Vulnerability Response Summit [51.90004414779634]
Researchers from the NSF-supported Secure Software Supply Chain Center (S3C2) and the Software Innovation Campus Paderborn (SICP) conducted a Vulnerability Response Summit.<n>The goal of the Summit is to enable sharing between industry practitioners having practical experiences and challenges with software supply chain security.
arXiv Detail & Related papers (2025-12-02T10:05:41Z) - Establishing a Baseline of Software Supply Chain Security Task Adoption by Software Organizations [0.3079566893278951]
Software supply chain attacks have increased exponentially since 2020.<n>Tasks that mitigate the novel attack vectors through software components and the build infrastructure are in the early stages of adoption.
arXiv Detail & Related papers (2025-09-09T18:39:03Z) - S3C2 Summit 2024-09: Industry Secure Software Supply Chain Summit [50.93790634176803]
Over the past several years, there has been an exponential increase in cyberattacks targeting software supply chains.<n>The ever-evolving threat of software supply chain attacks has garnered interest from the software industry and the US government.<n>Three researchers from the NSF-backed Secure Software Supply Chain Center (S3C2) conducted a Secure Software Supply Chain Summit with a diverse set of 12 practitioners from 9 companies.
arXiv Detail & Related papers (2025-05-15T17:48:14Z) - S3C2 Summit 2024-08: Government Secure Supply Chain Summit [51.99432298381618]
Supply chain security has become a very important vector to consider when defending against adversary attacks.<n>On August 29, 2024 researchers from the Secure Software Supply Chain Center (S3C2) gathered 14 practitioners from 10 government agencies to discuss the state of supply chain security.<n>The goal of the summit is to share insights between companies and developers alike to foster new collaborations and ideas moving forward.
arXiv Detail & Related papers (2025-04-01T15:54:41Z) - S3C2 Summit 2023-11: Industry Secure Supply Chain Summit [60.025314516749205]
This paper summarizes the Industry Secure Supply Chain Summit held on November 16, 2023.
The goal of this summit was to enable open discussions, mutual sharing, and shedding light on common challenges that industry practitioners with practical experience face when securing their software supply chain.
arXiv Detail & Related papers (2024-08-29T13:40:06Z) - S3C2 Summit 2024-03: Industry Secure Supply Chain Summit [51.12259456590232]
Supply chain security has become a very important vector to consider when defending against adversary attacks.
On March 7th, 2024 researchers from the Secure Software Supply Chain Center (S3C2) gathered 14 industry leaders, developers and consumers of the open source ecosystem to discuss the state of supply chain security.
The goal of the summit is to share insights between companies and developers alike to foster new collaborations and ideas moving forward.
arXiv Detail & Related papers (2024-05-14T16:53:14Z) - A System for Automated Open-Source Threat Intelligence Gathering and
Management [53.65687495231605]
SecurityKG is a system for automated OSCTI gathering and management.
It uses a combination of AI and NLP techniques to extract high-fidelity knowledge about threat behaviors.
arXiv Detail & Related papers (2021-01-19T18:31:35Z)
This list is automatically generated from the titles and abstracts of the papers in this site.
This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.