How China Postal Savings Bank Achieved Advanced DevSecOps Standards
China Postal Savings Bank’s software R&D center detailed how its Gold‑Metal Cloud Mall project passed the CAICT DevSecOps Level‑2 assessment, showcasing a comprehensive cultural, process and technical rollout that boosted security metrics, cross‑team collaboration, and positioned the bank at the forefront of digital transformation.
Background
Large enterprises worldwide have found that standardization and tooling are key to success. DevOps standards, and continuous delivery pipeline platforms built on them, can significantly improve quality, efficiency, and safety, enhancing market competitiveness. The China Academy of Information and Communications Technology (CAICT) has issued the "Research and Development Operations Integration (DevOps) Capability Maturity Model" series of standards to guide enterprise DevOps implementation.
On December 15, 2023, the GOLF+ IT New Governance Leadership Forum in Beijing announced the latest batch of DevOps and AIOps standard assessment results.
Case Study: China Postal Savings Bank
The bank’s Gold‑Metal Cloud Mall project successfully passed CAICT’s "DevSecOps Security and Risk Management" Level‑2 assessment, indicating that its capabilities are at an advanced domestic level.
Assessment Entity: China Academy of Information and Communications Technology
The bank has, to date, passed 17 CAICT DevOps standard assessments, including 3 continuous delivery, 2 DevSecOps, 10 system and tool, and 2 continuous testing assessments.
Interview with Hu Junfeng, General Manager of the Software R&D Center
Q: Please introduce yourself, your company, and the project you evaluated.
A: I am Hu Junfeng, General Manager of the Software R&D Center of China Postal Savings Bank, one of the six major state‑owned banks. We invest 3% of annual revenue in IT, focusing on secure, efficient financial services. Our Gold‑Metal Cloud Mall is an online channel for middle‑office business, offering personalized, convenient services while facing high security risks. By applying DevSecOps, we reduced system security risks and ensured data and fund protection.
Q: How does achieving the DevSecOps Level‑2 assessment feel?
A: It demonstrates that our secure delivery capability reaches the domestic advanced level, reflecting our team’s effort and our commitment to agile, secure development.
Q: Why did you decide to participate in the DevSecOps assessment?
A: Internally, we recognized the critical role of DevSecOps in the fast‑evolving fintech era. Externally, we wanted to show customers and partners our strong security posture and fulfill industry and social responsibilities.
Q: What benefits has the assessment brought?
A: It provided best‑practice references, helped improve internal security controls, closed tool‑chain gaps, and enhanced collaboration between development, operations, and security teams. Security coverage increased by 40%, vulnerability‑fix cost dropped, average fix time halved, and fix rate reached 100%.
Interview with Pan Hua, Senior IT Specialist
Q: What are the project’s characteristics and daily security challenges?
A: The Gold‑Metal Cloud Mall faces a complex external network, wide attack surface, and intricate business scenarios, making it a target for malicious actors. Rapid iteration creates challenges for timely security testing, which we address by embedding security checks into the CI/CD pipeline.
Q: How does your organization implement DevSecOps culturally, procedurally, and technically?
A: Culturally, we promote an open, collaborative environment where every member owns security, supported by regular training and metric‑driven monitoring. Procedurally, we redesigned the artifact pipeline to embed continuous security integration and enforce quality gates. Technically, we built a comprehensive DevSecOps platform that automates security testing, vulnerability scanning, and audit, leveraging modern security tools.
Q: What difficulties did you encounter during the assessment preparation?
A: Coordinating across multiple departments (software R&D center, data center, data management) required establishing communication channels, regular cross‑team meetings, and workflow optimization to break silos.
Q: What are your next steps for DevSecOps?
A: We plan to broaden the scope by adding more projects to the DevSecOps platform, ensuring security checks are embedded throughout the software lifecycle, and deepen the practice by refining processes and metrics to better suit our financial business needs.
Key Metrics
Security coverage increased by 40%; vulnerability‑fix cost reduced; average fix time cut by 50%; fix rate reached 100% across 290+ projects and 2000+ system changes.
About the DevOps Capability Maturity Model
The model, led by CAICT with contributions from the Cloud Computing Open Source Alliance, Efficient Operations Community, BATJ, and major telecom and internet firms, is the first comprehensive DevOps standard worldwide. It was officially adopted by the Ministry of Industry and Information Technology and recognized by the ITU‑T in July 2020 as the first global DevOps standard.
The framework covers agile development management, continuous delivery, technical operations, application design, security and risk management (DevSecOps), system and tool assessment, business value management, collaborative development and operations, continuous testing, performance measurement, platform engineering, and Site Reliability Engineering (SRE).
Contact Information
For DevOps assessment inquiries, contact CAICT representatives Liu Kailin (phone 156 5078 6171) and Bai Hanyong (phone 159 1076 9206), or Wei Huanxin of the Efficient Operations Community (phone 185 0025 5645).