How a Securities Firm Achieved DevSecOps Maturity to Boost Transformation
The article details how China’s CITIC Securities leveraged the national DevOps and DevSecOps maturity models, passed Level 2 security assessments, and integrated cultural, procedural, and technical practices to enhance its institutional business service platform, improve security, and accelerate its digital transformation.
Large enterprises have found that standardization and tool empowerment are key to success. The DevOps standards and a standards‑based continuous delivery pipeline platform can significantly improve quality and efficiency, making companies more agile and competitive. Using assessment‑driven implementation helps the standards take effect faster.
Recent Assessment Announcement
On December 26, the China Academy of Information and Communications Technology (CAICT) announced the latest batch of DevOps and AIOps standard assessment results.
Case Study: CITIC Securities
CITIC Securities Co., Ltd. participated in the assessment with its Institutional Business Service Platform project, which passed the Level 2 security and risk management (DevSecOps) assessment, demonstrating a domestically leading level of capability.
To date, CITIC Securities has one project that passed the Level 3 continuous delivery standard and one project that passed the DevSecOps standard.
Interview Highlights
Q: Please introduce your company and the project involved in the assessment.
A: CITIC Securities, founded in 2005, is a nationwide comprehensive securities firm with top‑tier A‑class ratings. The Institutional Business Service Platform is a mobile‑first, one‑stop financial service tool for institutional clients, offering research, trading, derivatives, custody, and operational services.
Q: How do you feel about passing the DevSecOps Level 2 assessment?
A: The team is pleased, seeing it as validation of their security capabilities. Significant resources were invested to ensure successful implementation, and experts from CAICT provided valuable guidance.
Q: Why did you decide to join the DevSecOps assessment?
A: Digital transformation requires secure, stable, and compliant operations. By adopting an integrated security lifecycle, the company aims to protect the entire development‑to‑operation process.
Q: What benefits has the assessment brought?
A: It validated the practice, raised the maturity of the DevSecOps capability, and set a solid foundation for broader rollout, encouraging continuous improvement and higher‑level assessments.
Q: What challenges does the platform face in daily security risk management?
A: The platform serves a wide client base with frequent agile iterations, creating challenges for rapid security response and handling emerging mobile‑app vulnerabilities.
Q: How are culture, process, and technology used to implement DevSecOps?
A: Culturally, the company conducts security awareness training and phishing drills. Process‑wise, security tools are integrated into the DevOps pipeline covering requirements, testing, and vulnerability management. Technically, a comprehensive security toolchain automates security checks throughout the lifecycle.
Q: What are your future plans?
A: The team will promote the DevSecOps experience from the platform to other projects, aim for higher assessment levels, and continue strengthening security risk management.
Outlook on DevOps
DevOps is a key driver of digital transformation, enabling rapid, high‑quality delivery while maintaining stability. DevSecOps unifies development, testing, deployment, operation, and security, supporting trends such as micro‑services, serverless, low‑code platforms, cloud‑native, and AIOps.
DevOps Capability Maturity Model
The model, jointly developed by CAICT, cloud‑computing alliances, and leading internet companies, is the first comprehensive DevOps standard in China and has been adopted by many enterprises. It covers agile development, continuous delivery, technical operation, security, system and tool management, and business value management.
For further information on DevOps standard assessments, contact CAICT (Liu Kaili) at 15650786171 or [email protected], or the Efficient Operations Community (Wei Huanxin) at 18500255645 or [email protected].