How China Agricultural Bank Achieved National‑Level DevSecOps Excellence Across Five Projects

Domestic large‑enterprise practice shows that standardization and tool empowerment are crucial for success; the CAICT DevOps standards and a standards‑based continuous‑delivery pipeline can significantly improve quality, efficiency, safety, and agility, thereby enhancing market competitiveness.

The China Academy of Information and Communications Technology (CAICT) has issued the “R&D Operations Integration (DevOps) Capability Maturity Model” series, which provides important guidance for enterprise DevOps implementation. Banks, securities, insurance, telecom, and internet companies have actively participated in CAICT assessments, improving related IT capabilities.

On April 25, 2024, the 22nd GOPS Global Operations Conference & XOps Technology Innovation Summit was held in Shenzhen, where CAICT announced the latest batch of DevOps standard assessment results.

China Agricultural Bank (ABC) entered five projects for evaluation:

Unified Encryption Platform

Integrated Mobile Office Personal Note module (Cloud Note)

Micro‑Bank Credit Card WeChat Service – Polaris Marketing Tool

Open‑Banking Authentication Authorization Gateway

IoT Platform Smart Operation Module

All five projects passed CAICT’s “DevSecOps Security Delivery Level 2” assessment, indicating that ABC’s related capabilities have reached an advanced domestic level.

Project highlights :

The Unified Encryption Platform provides core encryption services for card‑related applications, adds blacklist access control, log optimization, and supports new transaction interfaces.

Cloud Note offers cross‑device note‑taking with text, image, table, voice, and handwriting support, adding reminders, chat‑to‑note, and mind‑map features.

The Polaris Marketing Tool aggregates marketing data for credit‑card managers, adding facial‑recognition and expanded ID‑type support.

The Open‑Banking gateway adopts OAuth 2.0, enhancing password‑reset, app‑ID verification, and server‑access controls.

The IoT platform unifies device access and management, builds a public gateway product, and supports branch‑level IoT deployments.

In the interview, Deputy General Manager Cai Shizhi emphasized that passing the DevSecOps Level 2 assessment across five projects validates ABC’s security‑by‑design approach, reduces high‑risk vulnerabilities by 66.67%, and fosters a “security for everyone” culture.

ABC began its DevOps journey in 2019, launched a DevSecOps initiative in 2021, and continuously refined security tooling, automated checks (SAST, SCA, IAST, MAST), and cross‑department collaboration, overcoming challenges in inter‑team coordination through leadership support and flexible project teams.

Future plans include internal DevSecOps assessments, expanding the practice to regional branches, enhancing measurement feedback, addressing supply‑chain and data‑security risks, and building a multi‑level DevSecOps coaching team.

Statistics show that, as of April 25 2024, state‑owned banks have completed numerous DevOps assessments covering continuous delivery, technical operation, and DevSecOps standards, with ABC having completed 33 assessments across various standards.

The CAICT DevOps Capability Maturity Model, co‑created with leading internet, telecom, and financial enterprises, is recognized by the Ministry of Industry and Information Technology and has been adopted as an international standard (ITU‑T Y.3525). Its architecture covers agile development management, continuous delivery, technical operation, application design, security & risk management, system & tool assessment, and more.