Recent years have shown increased cyber attacks targeting less secure elements in the software supply chain and causing severe damage to businesses and organizations. Well-known past examples of software supply chain attacks are the SolarWinds and log4j incidents, which affected thousands of customers and businesses. The US government and industry are equally interested in enhancing software supply chain security. We conducted six panel discussions with a diverse set of 19 practitioners from industry. We asked them open-ended questions regarding SBOMs, vulnerable dependencies, malicious commits, build and deploy, the Executive Order, and standards compliance. The goal of this summit was to enable open discussion, mutual sharing, and shedding light on common challenges that industry practitioners with practical experience face when securing their software supply chain. This paper summarizes the summit held on September 30, 2022.