
How China Postal Savings Bank Reached Advanced DevSecOps Maturity – Lessons and Practices

The article details China Postal Savings Bank's successful DevSecOps assessment at the 2023 GOPS Global Operations Conference, sharing the bank's project background, interview insights on culture, processes, and tooling, and outlining the benefits and future plans of adopting standardized DevSecOps practices.

Efficient Ops

Large enterprises worldwide have proven that standardization and tool empowerment are key to success. The DevOps standards and the associated continuous delivery pipeline platform can significantly improve quality, efficiency, competitiveness, security, and agility.

2023 GOPS Global Operations Conference

On April 7, 2023, the 20th GOPS Global Operations Conference was held in Shenzhen, jointly organized by GreatOPS and OOPSA. The event, the largest in China's operations industry, targeted technical staff from the internet, finance, and telecom sectors to share advanced technologies and best practices.

During the conference, the China Academy of Information and Communications Technology (CAICT) announced the latest DevOps capability maturity assessment results. China Postal Savings Bank (CPSB) participated with its "Operational Risk Management System" project, which passed the Level‑2 security and risk management (DevSecOps) assessment, demonstrating an advanced level within China.

CPSB has now passed nine CAICT DevOps standard assessments: three continuous delivery, five system and tool, and one DevSecOps.

Interview Highlights

Q: Please introduce yourself and the project you assessed.

A: CPSB is a large state‑owned commercial bank serving rural customers, individuals, and SMEs. Its Software R&D Center, the main force behind the bank’s digital transformation, developed the Operational Risk Management System to support risk identification, assessment, control, and reporting across the bank.

Q: How does the DevSecOps assessment make you feel?

A: We are honored that the system passed the DevSecOps security and risk management standard. The standard provides clear guidance and best‑practice references for embedding security throughout the DevOps lifecycle.

Q: Why did CPSB decide to participate in the DevSecOps assessment?

A: Following the Party’s 20th‑Congress report, we aligned our security roadmap with national goals, built a dedicated security team, and established a three‑year capability‑enhancement plan. We also created internal security policies, tools, and a DevOps pipeline that integrates automated security testing.

Q: What benefits has the assessment brought?

A: By aligning with the CAICT "R&D‑Operations Integration Maturity Model" (Security and Risk Management), we embedded security into the development and delivery of the risk management system, reducing compliance risks and supporting rapid, secure delivery.

Q: What are the key features of the project and its security challenges?

A: The system supports critical processes, risk self‑assessment, KPI tracking, loss data collection, and more. Developed over 14 agile iterations across nine business modules, it demands fine‑grained, automated security controls.

Q: How does CPSB implement DevSecOps in culture, process, and technology?

A: Culturally, we built a professional security team, provided certifications, and conducted regular security training and phishing drills. Process‑wise, after ISO‑27001 certification, we established end‑to‑end security governance from requirements to production, with metrics for continuous improvement. Technologically, we deployed threat‑modeling tools, automated code‑review and open‑source scanning, integrated security plugins into the DevOps pipeline, and implemented WAF, IPS, and security monitoring.

Q: What difficulties were encountered and how were they solved?

A: The assessment spanned multiple departments and required cross‑team collaboration, especially during the COVID‑19 pandemic. Through remote coordination, training, and strong leadership support, the team overcame challenges and completed the remediation on schedule.

Q: What are the next steps for DevSecOps at CPSB?

A: We will continue to promote DevSecOps across the bank, extend support to branches and subsidiaries, refine security metrics, and enhance the maturity of security management to achieve both quality and efficiency gains.

DevOps Maturity Model Overview

The "R&D‑Operations Integration (DevOps) Capability Maturity Model" was jointly developed by CAICT, cloud‑computing alliances, major internet companies, and leading financial and telecom enterprises. It is the most comprehensive and authoritative DevOps standard in China, recognized by the Ministry of Industry and Information Technology and adopted by many enterprises.

The model covers agile development management, continuous delivery, technical operations, security and risk management, system and tool assessment, business value management, collaborative development, and continuous testing.

Written by

Efficient Ops

This public account is maintained by Xiaotianguo and friends, regularly publishing widely-read original technical articles. We focus on operations transformation and accompany you throughout your operations career, growing together happily.
