Cyber attacks leveraging or targeting the software supply chain, such as the SolarWinds and Log4j incidents, affected thousands of businesses and their customers, drawing attention from both industry and government stakeholders. To foster open dialogue, facilitate mutual sharing, and discuss shared challenges encountered by stakeholders in securing their software supply chain, researchers from the NSF-supported Secure Software Supply Chain Center (S3C2) organize Secure Supply Chain Summits with stakeholders. This paper summarizes the Industry Secure Supply Chain Summit held on November 16, 2023, which consisted of \panels{} panel discussions with a diverse set of \participants{} practitioners from industry. The individual panels were framed with open-ended questions and covered the topics of Software Bills of Materials (SBOMs), vulnerable dependencies, malicious commits, build and deploy infrastructure, reducing entire classes of vulnerabilities at scale, and supporting a company culture conducive to securing the software supply chain. The goal of this summit was to enable open discussion and mutual sharing, and to shed light on common challenges that industry practitioners with practical experience face when securing their software supply chain.