How China Agricultural Bank Achieved Advanced DevSecOps Maturity
In a detailed interview, senior engineers from China Agricultural Bank explain how their mobile banking payment and micro‑loan platforms passed the CAICT DevSecOps Level‑2 assessment, outlining the cultural, process, and technical measures—such as integrated security testing tools and cross‑department collaboration—that boosted security, efficiency, and digital transformation.
Large enterprises in China and abroad have shown that standardization and tooling are key to success. DevOps standards, together with a standards‑based continuous delivery pipeline platform, can significantly improve quality and efficiency, enhancing safety, agility, and market competitiveness.
On December 26, 2022, the China Academy of Information and Communications Technology (CAICT) announced the latest batch of DevOps standard assessment results.
China Agricultural Bank participated with two projects: the Mobile Banking Payment Settlement product and the "WeijieDai" online inclusive finance product. Both projects passed the CAICT DevSecOps Security and Risk Management Level‑2 assessment, demonstrating the bank’s advanced capabilities in this area.
To date, the bank has passed 17 CAICT DevOps assessments: 12 for continuous delivery, 1 for application design, and 4 for security and risk management.
Q&A
Q: Please introduce yourself, your company, and the projects involved in the assessment.
Xie Zhibo: The two projects are the Mobile Banking Payment Settlement product and the "WeijieDai" online inclusive finance product.
Q: What are the key features and outcomes of these projects?
The Payment Settlement product focuses on protecting customer funds and privacy, adding over 2,000 barcode scenarios, supporting 200,000 new merchants, increasing merchant growth by 150%, raising transaction success rates to 92% (transfer) and 90% (payment), boosting monthly active users by 40%, and growing the customer base by 50 million.
The "WeijieDai" product offers fully self‑service, end‑to‑end online financing for micro‑enterprises, leveraging big data for precise risk control. It serves nearly one million micro‑clients, with an average loan amount of 1.75 million CNY per client.
Q: How does passing the DevSecOps Level‑2 assessment benefit your organization?
It validates the bank’s organization‑wide security R&D operations, makes the bank the first to pass multiple DevSecOps sub‑domains, and confirms strong security and risk control capabilities.
Q: How did the bank decide to join the DevSecOps assessment?
Increasing online business, emerging attack vectors, and regulatory emphasis on financial security drove the bank to enhance its security capabilities, leading to the launch of DevSecOps in 2021.
Q: How were cultural, process, and technical aspects implemented?
Cultural: Established three‑level security roles, reward‑penalty mechanisms, and regular security training and competitions.
Process: Integrated security requirements, design, coding, testing, and operation into the end‑to‑end project management chain.
Technical: Integrated SAST, SCA, IAST into pipelines; used DAST, MAST, and manual penetration testing; developed open‑source component security tools for configuration baseline checks.
Q: What challenges were encountered during the assessment?
Cross‑department collaboration was difficult due to the wide range of functions involved. The bank formed a flexible project team with strong leadership support to coordinate efforts.
Q: What are the biggest gains and future plans?
The bank achieved solid implementation in pilot projects and improved organizational security levels. Future plans include expanding assessments to other business lines, enhancing measurement feedback and cloud security, and building a high‑quality DevSecOps expert team.
Q: Outlook for DevOps development?
The CAICT‑led OSCAR alliance provides a platform for DevOps exchange and promotion, encouraging broader industry participation in standards, expert resources, tool platforms, and emerging technology research.
The CAICT DevOps Capability Maturity Model, jointly developed by leading internet companies and financial institutions, is the most comprehensive and authoritative DevOps standard in China and has been adopted by many enterprises after being released by the Ministry of Industry and Information Technology.
For inquiries about DevOps standard assessments, contact CAICT (Li Kailing, phone 15650786171, email [email protected]) or the Efficient Operations Community (Wei Huaxin, phone 18500255645, email [email protected]).