Citigroup: Continuous Secure Ingestion for OSS Software Packages

How a multinational bank implemented automated provenance verification of over three million external packages
Featured image

About Citigroup

Citigroup is an American multinational investment bank and financial services corporation headquartered in New York City. Citigroup serves more than 200 million customer accounts and operates in more than 160 countries and jurisdictions. Their clients include 90% of Fortune Global 500 companies.

Continuous Secure Ingestion for OSS Software Packages

In the rapidly evolving landscape of software supply chain security, third-party code risk has emerged as a significant concern. Citigroup, a large multinational bank, needed to safely ingest open and closed source software while mitigating this risk. Our cloud native security consultancy was engaged to address these challenges.

By augmenting the client’s team with our specialists and implementing rapid proof-of-concept (POC) iterations, we delivered a solution that enabled secure and efficient software ingestion. This integrated with external assurance and scanning systems, and facilitated Software Bill of Materials (SBOM) generation and storage.


Citigroup needed to safely ingest open and closed source software as part of their operations. However, they faced significant supply chain risks, including the potential for malicious implants in third-party code, the manual ingestion of software, and the use of legitimate but outdated and vulnerable software versions. As a high-compliance organisation, Citigroup needed to mitigate these risks to maintain their security posture and comply with regulatory requirements.

The following challenges were faced:

  • The organisation was exposed to supply chain risks, including the potential for malicious implants in third-party code
  • A recent Sonatype State of the Software Supply Chain report noted that there has been a 742% average annual increase in supply chain attacks over the past three years
  • Citigroup’s process for ingesting software was manual, leading to increased development times, inefficiencies and potential errors

These challenges were impacting the organisation in several ways:

  • The risk of malicious implants could compromise the security of systems and data, leading to potential financial and reputational damage
  • The manual process could result in the use of outdated or vulnerable software versions, increasing the risk of security breaches
  • Delays in the availability of 3rd party packages, increased lead time but also increases context switching as developers move to other tasks whilst waiting for packages to be made available


ControlPlane delivered a highly scalable and secure-by-default Open Source Ingestion platform that secures the software supply chain, facilitates pre-usage vulnerability assessment of open and closed source software, and reduces the client’s time to update software.

The following deliverables were provided:

  • A platform for safely consuming open source and vendor provided software utilising software composition analysis, security scanning, SBOM validation, and metadata collection

  • External systems integration for added assurance capabilities, scanning, and SBOM generation and storage

  • Client team augmentation with our best-in-class specialists, bringing in-depth knowledge and expertise in software supply chain security

  • Rapid POC iterations to ensure the highest-throughput approach for software ingestion

These solutions provided multiple benefits to the client, including:

  • Reduced time to update for all software due to the risk insight provided by the system

  • Quantified supply chain risk with objective analysis of software vulnerability impact and probability

  • Enhanced management of third-party code risk and associated mitigation

  • Uplift of client’s specialist knowledge and expertise, leading to an optimal solution for secure software ingestion

  • Integration with external assurance and scanning systems to support existing security measures

  • Data lakes for pipeline metadata, including the history of policy decisions and reasoning about SBOM generation and storage

  • Automated re-processing of imported packages to continuously collect the latest intelligence available

Business Outcomes

The client achieved secure and fast open source software ingestion, mitigating supply chain risks and enhancing their overall security posture across their 3 million external packages under management. This rapid process optimisation improved operational efficiency and compliance and grew confidence in their ability to ingest open and closed source software safely and securely.

ControlPlane’s expertise in Supply Chain Security and their collaborative efforts with Citigroup demonstrated their dedication to driving innovation and delivering secure solutions in the cloud-native ecosystem.

For more details on the delivery approach of this project, please see here

Similar case studies:  
cloud kubernetes supply-chain security aws all