How a Securities Firm Built a 100‑Day DevSecOps Prototype
At the 21st GOPS Global Operations Conference in Shanghai, Wang Biansi, application security lead at Shenwan Hongyuan Securities, walked through a 100‑day plan for building a DevSecOps "sample room" (a showcase implementation meant to be copied across the firm), covering goal setting, research, platform design, tool integration, and security training.
On October 26‑27, 2023, the 21st GOPS Global Operations Conference was held in Shanghai, featuring speakers from the China Academy of Information and Communications Technology, Agricultural Bank of China, Bank of Communications, Shenwan Hongyuan Securities and over 80 other specialists discussing DevOps, AIOps, SRE, continuous testing, and security.
Speaker: Wang Biansi, Head of Application Security at Shenwan Hongyuan Securities presented “Building a DevSecOps Sample Room in 100 Days”.
1. Goal Setting
To build the DevSecOps sample room, the team first defined goals, dividing application security into modules such as security toolchain, toolchain integration, processes, and culture. Each module was broken down into tasks across requirement, design, development, testing, and operation, creating a detailed DevSecOps Todo list with prioritized timelines.
2. Research and Baseline
Research was conducted at both project and role levels. Project‑level research selected representative applications and compiled detailed inventories for different architectures and technology stacks. Role‑level research involved interviews with PMs, developers, testers, and operations staff to assess their security awareness.
3. Platform and Toolchain Design
After goal setting and research, the implementation phase began, focusing on tool selection and toolchain integration. Tool selection aligned security tools with each stage of the software lifecycle, integrating existing security policies, tools, and processes. The chosen tools are highlighted in the accompanying diagram, showing coverage across all phases.
Toolchain integration required a security‑integrated development platform that hosts these tools as plugins behind a single service layer, so that teams consume one interface rather than each scanner separately. The platform also had to interoperate with the DevOps platform: running lightweight threat modeling during the requirements stage, pushing the resulting security requirements downstream into design and development, and routing code‑level vulnerabilities from the scanners back to the pipeline for closure.
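The "routing code‑level vulnerabilities for closure" step is the part of this integration that most often goes wrong in practice (two scanners report the same issue, nobody owns the file, low‑severity noise blocks merges). The following is an added illustration, not the speaker's platform or any code from Shenwan Hongyuan: scanner findings are deduplicated, matched to an owning team with CODEOWNERS‑style patterns, and checked against a severity policy that decides whether the merge is blocked and who receives a ticket. The finding format, the ownership patterns, the team names, the sample findings and the severity thresholds are all assumptions made for the example.

```python
# Routing of code-level findings to owning teams with a merge gate.
# Added example, not the platform described in the talk; the finding
# format, ownership patterns, team names and thresholds are assumptions.
from dataclasses import dataclass
from fnmatch import fnmatch


@dataclass(frozen=True)
class Finding:
    rule: str       # scanner rule id, e.g. "sqli"
    severity: str   # one of the SEVERITY_RANK keys
    path: str       # repository-relative file path
    line: int


SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}

# CODEOWNERS-style patterns, most specific first; "*" is the fallback owner.
OWNERS = [
    ("src/payments/*", "team-payments"),
    ("src/auth/*", "team-identity"),
    ("*", "team-appsec"),
]

BLOCK_AT = "high"      # merge is blocked at this severity and above
TICKET_AT = "medium"   # a tracked ticket is opened at this severity and above


def owner_for(path):
    """Return the team owning `path` (first matching pattern wins)."""
    for pattern, team in OWNERS:
        if fnmatch(path, pattern):
            return team
    return "team-appsec"  # unreachable while "*" is last; kept as a safe default


def dedupe(findings):
    """Collapse the same rule at the same location reported by several tools."""
    seen, unique = set(), []
    for f in findings:
        key = (f.rule, f.path, f.line)
        if key not in seen:
            seen.add(key)
            unique.append(f)
    return unique


def route(findings):
    """Apply the severity policy.

    Returns {"block": bool, "tickets": {team: [Finding]}, "ignored": [Finding]}.
    An unknown severity label raises rather than being silently treated as low,
    so a misconfigured scanner cannot bypass the gate.
    """
    result = {"block": False, "tickets": {}, "ignored": []}
    for f in dedupe(findings):
        rank = SEVERITY_RANK.get(f.severity.lower())
        if rank is None:
            raise ValueError(f"unknown severity {f.severity!r} for {f.rule} at {f.path}:{f.line}")
        if rank >= SEVERITY_RANK[BLOCK_AT]:
            result["block"] = True
        if rank >= SEVERITY_RANK[TICKET_AT]:
            result["tickets"].setdefault(owner_for(f.path), []).append(f)
        else:
            result["ignored"].append(f)
    return result


# Constructed sample output from two scanners (not real findings).
SAMPLE = [
    Finding("sqli", "high", "src/payments/charge.py", 42),
    Finding("sqli", "high", "src/payments/charge.py", 42),   # same issue, second scanner
    Finding("weak-hash", "medium", "src/auth/login.py", 17),
    Finding("debug-log", "low", "src/util/log.py", 3),
]


def demo():
    """Route the constructed sample; returns the routing decision."""
    return route(SAMPLE)


if __name__ == "__main__":
    decision = demo()
    print("block merge:", decision["block"])
    for team, items in decision["tickets"].items():
        for f in items:
            print(f"ticket -> {team}: {f.rule} ({f.severity}) {f.path}:{f.line}")
    print("ignored:", [f.rule for f in decision["ignored"]])
```

In a real pipeline `route()` would be fed from the scanners' export (SARIF or the tool's JSON) and `tickets` would be pushed to the issue tracker; the point of the example is that ownership and the block/ticket thresholds live in one place the DevOps platform can call, rather than in each scanner's own configuration.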
4. Application Security Training
Training was planned in advance, with materials prepared for the specific decisions and processes the rollout would introduce. Once the materials were ready, delivery could be timed to coincide with the launch of the corresponding security platform, for example offering training on the security‑requirements checklist at the same time as the security‑requirements platform went live.
Efficient Ops
This public account is maintained by Xiaotianguo and friends, regularly publishing widely-read original technical articles. We focus on operations transformation and accompany you throughout your operations career, growing together happily.