How a Chinese Bank Won Top‑Tier DevSecOps Certification
The article details how China’s Bank of Communications achieved top‑tier DevSecOps certification under both the ITU international standard and China’s domestic DevOps maturity model, describing the assessment process, security tool improvements, interview insights, and the broader push for standardization and digital financial risk mitigation.
On May 29, 2024, the Central Cyberspace Administration, State Administration for Market Regulation, and Ministry of Industry and Information Technology issued the "Information Standard Construction Action Plan (2024-2027)", which emphasizes the internationalization of IT standards, participation in ISO, IEC and ITU, and the alignment of domestic standards with international ones.
The China Academy of Information and Communications Technology (CAICT) launched a synchronized assessment based on the ITU DevOps international standard and the domestic DevOps standard, establishing mutual recognition between the two and expanding the scope of the evaluation, the certificates issued, and the assessment reports.
On December 17, 2024, at the 5th IT New Governance Leadership Forum in Beijing, CAICT announced the dual‑certificate assessment results for ITU DevOps international standard and domestic DevOps standards, as well as AIOps and FinOps assessments.
Bank of Communications participated with its "Software Security Development Support Platform". The platform passed the ITU DevOps international standard assessment and the domestic DevOps security and risk management platform assessment, receiving an "Excellent" rating, indicating leading domestic capability.
Interview Highlights
Q: Please introduce yourself and the project.
Li Rui, Deputy General Manager of the Software Development Center at Bank of Communications, explained that the platform provides tool support for secure development, offering various risk detection capabilities to enhance digital financial risk prevention.
Q: Why did the bank undertake the security tool platform assessment?
Given the growing cyber-security challenges, the bank, as an operator of critical national infrastructure, balances development and security under the principle that security underpins development, and aims to strengthen its protection of digital financial services.
Q: What improvements resulted from the assessment?
Over six months, five security tool platforms completed 45 improvement items across open-source component testing (software composition analysis), static, dynamic, and interactive application security testing, and infrastructure security testing, reaching the target of standardized security tool capabilities.
Q: What difficulties were encountered and how were they solved?
The main difficulty was that no single tool covered all of the required risk-detection methods. The team combined multiple tools so that every method was covered, which added depth to the defense and met the assessment requirements.
Assessment Statistics
To date, state‑owned banks have completed numerous DevOps maturity model assessments, with Bank of Communications having passed 22 CAICT DevOps standard assessments across various categories.
The article also references the broader push for BizDevOps standardization, the ITU-T Y.3525 cloud computing standard, and the domestic DevOps maturity model, highlighting their role in digital financial transformation.
Efficient Ops
This public account is maintained by Xiaotianguo and friends, regularly publishing widely-read original technical articles. We focus on operations transformation and accompany you throughout your operations career, growing together happily.