How China Postal Savings Bank Achieved Advanced DevSecOps Maturity – A Deep Dive
The article details China Postal Savings Bank's successful DevSecOps assessment, describing the standards, the Operation Risk Management System project, interview insights on cultural, process, and technical implementations, and the benefits and future plans for secure, agile digital transformation.
Large enterprises have proven that standardization and tool empowerment are key to success. DevOps standards and continuous‑delivery pipelines can significantly improve quality, efficiency, market competitiveness, security, and agility.
On April 7, 2023, the 20th GOPS Global Operations Conference was held in Shenzhen, jointly organized by GreatOPS and OOPSA. During the event, the China Academy of Information and Communications Technology (CAICT) announced the latest batch of DevOps capability maturity assessments.
China Postal Savings Bank participated with its Operation Risk Management System project, which passed the Level‑2 assessment of the DevSecOps security and risk management module, indicating an advanced domestic security level. The bank has now passed nine CAICT DevOps standard assessments: three for continuous delivery, five for system and tool standards, and one for DevSecOps.
Interview Highlights
Q: Please introduce your organization and the assessed project.
A (Hu Junfeng, General Manager, Software R&D Center): The bank serves over 6.5 billion personal customers with nearly 40 000 outlets and assets of 14 trillion RMB. The Software R&D Center is the main force behind the bank’s digitalization, responsible for platform construction, testing, and application management.
The Operation Risk Management System supports full‑bank risk management, complying with regulatory capital requirements and the bank’s “14th‑Five‑Year” IT plan. It integrates risk assessment, key risk indicators, loss data collection, capital measurement, and reporting, enabling end‑to‑end risk identification, evaluation, control, mitigation, monitoring, and reporting.
Q: How did you feel after passing the DevSecOps Level‑2 assessment?
A: We are honored that the system passed the DevSecOps security assessment, which provides clear, industry‑leading guidance for embedding security throughout the DevOps lifecycle.
Q: Why did you decide to participate in the DevSecOps assessment?
A: Aligning with national security strategies, the bank established a three‑year security capability plan, created a dedicated security team, and integrated security into every development phase, from requirements to deployment, using ISO‑27001 certification and internal standards.
Q: What benefits has the assessment brought?
A: By aligning with the CAICT maturity model, the bank embedded security into the development and delivery of the risk management system, reducing security risks, ensuring agile delivery, and establishing best practices for secure software lifecycle management.
Q: How are culture, process, and technology used to implement DevSecOps?
A: The bank built a professional security team, provided extensive training, set security entry criteria for external partners, and conducted regular phishing drills. Process-wise, it adopted ISO‑27001‑based security controls across the entire development lifecycle and established security metrics. Technically, it deployed threat‑modeling tools, automated code‑review and open‑source scanning tools, integrated them into the CI/CD pipeline, and used WAF, IPS, and security monitoring systems.
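The answer above lists code‑review and open‑source (SCA) scanners wired into the CI/CD pipeline together with security metrics, but does not show how such a pipeline decides whether a build may proceed. The following is an added example written for this page, not code from China Postal Savings Bank, CAICT, or any scanner vendor. It merges SAST and SCA findings into one gate, blocks on a per‑tool severity threshold, honours time‑boxed waivers that must carry a tracking ticket, fails closed when a scanner report is missing or a severity label is unrecognised, and returns the per‑severity counts a team would trend as its security metrics. The report schema, tool names, rule names, package names, ticket references and dates are all constructed for illustration.

```python
"""Added example: a CI/CD security gate over SAST + SCA output.
Everything here (schema, findings, waivers, dates) is constructed; it is
not the bank's pipeline nor the format of any real scanner."""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import date

# Severity ordering used by the policy. Labels not listed are mapped to
# "critical" so a scanner that emits a new or misspelled label fails closed.
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}
REQUIRED_TOOLS = ("sast", "sca")  # both scanners must have produced a report

# Minimum severity that blocks the build, per tool (hypothetical policy).
BLOCK_AT = {"sast": "high", "sca": "high"}


@dataclass(frozen=True)
class Finding:
    tool: str       # "sast" or "sca"
    rule: str       # SAST rule id, or the affected package for SCA
    severity: str
    location: str   # file:line for SAST, package@version for SCA


@dataclass(frozen=True)
class Waiver:
    """Time-boxed risk acceptance. Expired waivers are ignored by the gate."""
    tool: str
    rule: str
    location: str
    expires: date
    ticket: str     # tracking reference so every waiver is auditable


def normalise(severity: str) -> str:
    s = severity.lower()
    return s if s in SEVERITY_RANK else "critical"


def parse_report(tool: str, report_json: str) -> list[Finding]:
    """Normalise one scanner's JSON (constructed schema) into Finding objects."""
    data = json.loads(report_json)
    return [Finding(tool, f["rule"], f["severity"], f["location"]) for f in data["findings"]]


def evaluate_gate(reports: dict[str, str | None], block_at: dict[str, str],
                  waivers: list[Waiver], today: date) -> dict:
    """Return {"passed", "missing_reports", "blocking", "waived", "metrics"}.

    reports  - tool name -> raw JSON report, or None if the scanner never ran
    block_at - tool name -> minimum severity that blocks the build
    """
    metrics = {t: {s: 0 for s in SEVERITY_RANK} for t in REQUIRED_TOOLS}
    missing = [t for t in REQUIRED_TOOLS if not reports.get(t)]
    if missing:
        # A stage that silently skipped scanning must not count as clean.
        return {"passed": False, "missing_reports": missing,
                "blocking": [], "waived": [], "metrics": metrics}

    active = {(w.tool, w.rule, w.location) for w in waivers if w.expires >= today}
    blocking: list[Finding] = []
    waived: list[Finding] = []
    for tool in REQUIRED_TOOLS:
        for f in parse_report(tool, reports[tool]):
            sev = normalise(f.severity)
            metrics[tool][sev] += 1
            if SEVERITY_RANK[sev] < SEVERITY_RANK[block_at[tool]]:
                continue  # below the blocking threshold, recorded only as a metric
            if (f.tool, f.rule, f.location) in active:
                waived.append(f)
            else:
                blocking.append(f)
    return {"passed": not blocking, "missing_reports": [],
            "blocking": blocking, "waived": waived, "metrics": metrics}


# Constructed sample reports. Rule and package names are placeholders.
SAST_REPORT = json.dumps({"findings": [
    {"rule": "sql-injection", "severity": "high", "location": "src/report/query.py:88"},
    {"rule": "hardcoded-secret", "severity": "CRITICAL", "location": "src/config.py:12"},
    {"rule": "weak-random", "severity": "low", "location": "src/util/ids.py:5"},
]})
SCA_REPORT = json.dumps({"findings": [
    {"rule": "example-xml-lib", "severity": "high", "location": "example-xml-lib@1.2.0"},
    {"rule": "example-log-lib", "severity": "UNKNOWN", "location": "example-log-lib@2.0.1"},
]})
# Constructed waivers: one still valid, one already expired.
WAIVERS = [
    Waiver("sast", "sql-injection", "src/report/query.py:88", date(2025, 12, 31), "RISK-0001"),
    Waiver("sast", "hardcoded-secret", "src/config.py:12", date(2024, 1, 31), "RISK-0002"),
]


def run_example(today: date = date(2025, 6, 1)) -> dict:
    return evaluate_gate({"sast": SAST_REPORT, "sca": SCA_REPORT}, BLOCK_AT, WAIVERS, today)


if __name__ == "__main__":
    verdict = run_example()
    print("passed:", verdict["passed"])
    for f in verdict["blocking"]:
        print(f"BLOCK {f.tool} {f.rule} {f.severity} {f.location}")
    for f in verdict["waived"]:
        print(f"WAIVED {f.tool} {f.rule} {f.location}")
    print("metrics:", json.dumps(verdict["metrics"]))
```

In the sample run the build is blocked by three findings: the hard‑coded secret (its waiver has lapsed), the high‑severity library with no waiver, and the library whose scanner label "UNKNOWN" is deliberately treated as critical. The SQL‑injection finding is reported as waived with its ticket reference rather than silently dropped, and the metrics dictionary is what a team would push to a dashboard to track the "security metrics" mentioned in the answer. Running the gate with one report absent returns `passed: False` with the missing tool named, which is the behaviour to insist on when a scanner stage is skipped or times out.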
Q: What challenges did you face during the assessment?
A: Coordinating multiple departments during the COVID‑19 pandemic required remote collaboration, intensive training, and rapid issue resolution, but the team succeeded through strong leadership and cross‑functional cooperation.
Q: What are the next steps for DevSecOps in the bank?
A: The bank will continue to promote DevSecOps across key projects, extend support to branches and subsidiaries, refine security metrics, and enhance automated security capabilities to achieve both quality and efficiency gains.
Efficient Ops
This public account is maintained by Xiaotianguo and friends, regularly publishing widely-read original technical articles. We focus on operations transformation and accompany you throughout your operations career, growing together happily.