TalksAWS re:Invent 2025 - Fast and compliant CI/CD pipelines in the financial industry (IND217)

AWS re:Invent 2025 - Fast and compliant CI/CD pipelines in the financial industry (IND217)

Secure and Compliant CI/CD Pipelines for the Financial Industry

Supply Chain Attacks: The Top Risk for Banks in 2025

  • 75% of enterprise organizations have experienced a supply chain attack in the past 12 months
  • Attackers target CI/CD pipelines to inject malicious code that gets deployed to production
  • This poses major risks for banks and financial institutions, including large fines and reputational damage

The Danger of Deployment Drift Windows

  • Modern CI/CD pipelines often have long "drift windows" between build and deployment
  • During this time, artifacts can sit idle for days or weeks, increasing the risk of tampering or vulnerabilities
  • Multiple drift windows exist in a typical release cycle (dev, QA, staging, production)
  • This "danger zone" must be secured to prevent supply chain attacks

The Three Pillars of a Zero-Trust Pipeline

  1. Software Bill of Materials (SBOM): A complete list of third-party components and libraries used to build the application
  2. Provenance: The "who, what, when, where, and how" of the artifact creation process
  3. Attestation: Cryptographic proof that links the SBOM and provenance to the deployed artifact
  • These three elements work together to provide a secure chain of trust from build to deployment

Separation of Duties: GitHub Actions and Octopus Deploy

  • GitHub Actions handles the CI side: building, testing, scanning, and publishing artifacts
  • Octopus Deploy manages the CD side: verifying SBOM and attestations, enforcing policies, and deploying to production
  • This clear separation of responsibilities ensures a secure, zero-trust pipeline

Octopus Deploy: Verifying and Governing Deployments

  • Octopus Deploy verifies the SBOM, attestations, and artifact integrity before deployment
  • It also applies compliance policies, checks for vulnerabilities, and tracks Kubernetes object status
  • This provides a comprehensive governance framework for regulated industries like finance

Real-World Example: Deploying the Account Registry Application

  1. GitHub Actions workflow:
    • Scans repository, builds container, generates SBOM and attestations
    • Signs and publishes artifacts to package repository
  2. Octopus Deploy:
    • Retrieves packages, verifies SBOM and attestations
    • Compares hashes to ensure artifact integrity
    • Checks for vulnerabilities using the GitHub API
    • Applies compliance policies and deploys to EKS

Key Takeaways

  • Established a secure chain of trust from build to deploy using SBOM, provenance, and attestations
  • Enforced deployment governance through policy evaluation, vulnerability checks, and artifact validation
  • Verified the integrity of deployed artifacts to ensure they were not tampered with
  • Demonstrated a practical, real-world example of a zero-trust CI/CD pipeline for a financial application

Your Digital Journey deserves a great story.

Build one with us.

Cookies Icon

This website stores cookies on your computer.

These cookies are used to collect information about how you interact with this website and allow us to remember you. We use this information to improve and customize your browsing experience, as well as for analytics.

If you decline, your information won’t be tracked when you visit this website. A single cookie will be used in your browser to remember your preference.