Recent years have seen a rise in cyber attacks that target the less secure elements of the software supply chain and cause severe damage to businesses and organizations. Well-known examples of software supply chain attacks include the SolarWinds and log4j incidents, each of which affected thousands of customers and businesses. The US government and industry are equally interested in strengthening software supply chain security. On February 22, 2023, researchers from the NSF-supported Secure Software Supply Chain Center (S3C2) held a Secure Software Supply Chain Summit with a diverse group of 17 practitioners from 15 companies. The goal of the Summit was to enable sharing among industry practitioners who have practical experience with, and face real challenges in, software supply chain security, and to help form new collaborations. We conducted six panel discussions based on open-ended questions regarding software bills of materials (SBOMs), malicious commits, choosing new dependencies, build and deploy, Executive Order 14028, and vulnerable dependencies. The open discussions enabled mutual sharing and shed light on common challenges that practitioners face when securing their software supply chains. In this paper, we provide a summary of the Summit. The full panel questions can be found in the appendix.