How China Pacific Insurance Achieved Advanced DevSecOps Certification and Boosted Security
China Pacific Insurance (CPIC) detailed its journey through the dual ITU DevOps international and domestic DevSecOps assessments, sharing the cultural, procedural, and technical practices that enabled it to attain a Level‑2 security delivery certification and elevate its overall risk management capabilities.
On May 29, 2024, China’s Central Cyberspace Administration, State Administration for Market Regulation, and Ministry of Industry and Information Technology jointly issued the "Information Standard Construction Action Plan (2024‑2027)" to promote the internationalization of IT standards, encouraging deep involvement in ISO, IEC, ITU and other global bodies.
The China Academy of Information and Communications Technology (CAICT) launched a synchronized assessment based on the ITU DevOps international standard and the domestic DevOps standard, enabling mutual recognition of standards and upgrading evaluation scope, certificates, and reports.
At the 5th IT New Governance Leadership Forum on December 17, 2024, CAICT announced the dual‑certificate results for the ITU DevOps international standard and related AIOps/FinOps standards.
China Pacific Insurance (Group) Co., Ltd. (CPIC) entered the assessment with its "Group 2015 e‑commerce platform – Safe Box" project, successfully passing the ITU DevOps international assessment and the domestic DevSecOps Level‑2 security delivery module, demonstrating that its capabilities meet advanced domestic standards.
Q&A
Q: Please introduce yourself, your company, and the project you evaluated.
A: Xu Jianguo, Chief Technology Officer of CPIC, explained that the Safe Box project supports the PC website, mobile site, WeChat, and app, providing unified policy and claim queries for millions of users, and that DevSecOps practices have reduced security risks and improved service reliability.
Q: How does achieving the DevSecOps Level‑2 assessment make you feel?
A: CPIC is the first insurance group in China to obtain Level‑2 DevSecOps certification, which reflects industry‑leading security delivery, and it thanks the CAICT experts and the project team for their effort.
Q: Why did you decide to participate in the DevSecOps assessment?
A: CPIC’s mission of responsible insurance drives a commitment to technology security; the assessment showcases its dedication, strengthens customer confidence, and aligns with regulatory emphasis on financial cybersecurity.
Q: What benefits has the security and risk management assessment brought?
A: The assessment provided an objective benchmark, identified maturity gaps, guided systematic improvements across the entire application lifecycle, and helped build a repository of security best‑practice cases.
Q: What are the distinctive features and challenges of the Safe Box project?
A: The platform serves over 39 million registered users with daily visits exceeding 1.2 million, demanding high security; rapid iteration pressures were mitigated by shifting security left, integrating checks early in development.
Q: Can you share concrete metrics that illustrate the project’s improvements?
A: (See the accompanying chart.)
Q: How does CPIC implement DevSecOps across culture, process, and technology?
A: Culturally, CPIC conducts regular security training and issues certifications; procedurally, it enforces a "111+10" security requirement checklist throughout the lifecycle; technically, it has built a comprehensive security toolchain integrated into CI/CD pipelines and runs continuous penetration testing.
Q: What difficulties did you encounter during preparation?
A: Tight timelines coincided with national cyber‑defense drills, and cross‑regional team coordination was challenging, but strong collaboration enabled on‑time completion and successful certification.
Q: What are CPIC’s next steps for DevSecOps?
A: CPIC will continue to refine its security management system, expand assessments to development and operations processes, and advance its "Digital Security Operations" initiative to further elevate overall application security.
Additional information includes statistics on insurance industry participation in DevOps assessments, details of the ITU DevOps international standard (ITU‑T Y.3525), and an overview of the domestic DevOps maturity model led by CAICT.