Software supply chain attacks are increasingly frequent, posing severe threats to critical infrastructure and open-source ecosystems. Method: This project unites 12 leading industry partners to establish the first academia–industry–government collaborative diagnostic framework, employing socio-technical methods—including structured thematic workshops, experience-sharing sessions, and cross-organizational case benchmarking—to systematically identify recurrent real-world risks (e.g., malicious code commits, LLM-introduced vulnerabilities, dependency update bottlenecks). Grounded in empirical findings from the NSF-funded S3C2 Center, the initiative synthesizes insights from diverse stakeholder perspectives. Contribution/Results: It achieves consensus on six core technical challenges, catalyzes three cross-enterprise collaboration initiatives, and delivers robust empirical evidence to inform supply chain security standardization, development of automated verification tools, and evidence-based policy recommendations.

While providing economic and software development value, software supply chains are only as strong as their weakest link. Over the past several years, there has been an exponential increase in cyberattacks, specifically targeting vulnerable links in critical software supply chains. These attacks disrupt the day-to-day functioning and threaten the security of nearly everyone on the internet, from billion-dollar companies and government agencies to hobbyist open-source developers. The ever-evolving threat of software supply chain attacks has garnered interest from the software industry and the US government in improving software supply chain security. On September 20, 2024, three researchers from the NSF-backed Secure Software Supply Chain Center (S3C2) conducted a Secure Software Supply Chain Summit with a diverse set of 12 practitioners from 9 companies. The goals of the Summit were to: (1) to enable sharing between individuals from different companies regarding practical experiences and challenges with software supply chain security, (2) to help form new collaborations, (3) to share our observations from our previous summits with industry, and (4) to learn about practitioners' challenges to inform our future research direction. The summit consisted of discussions of six topics relevant to the companies represented, including updating vulnerable dependencies, component and container choice, malicious commits, building infrastructure, large language models, and reducing entire classes of vulnerabilities.