How China Postal Savings Bank Reached Advanced DevSecOps Standards

Domestic and international large enterprises have demonstrated that standardization and tool empowerment are key to success, and DevOps standards with continuous delivery pipelines can significantly improve quality, efficiency, and safety.

China Information Communication Research Institute (CAICT) released the "R&D Operations Integration (DevOps) Capability Maturity Model" standards, guiding enterprises in DevOps implementation. On December 15, 2023, the GOLF+ IT New Governance Leadership Forum in Beijing announced the latest DevOps and AIOps assessment results.

China Postal Savings Bank participated with its "Precious Metals Cloud Mall" project, passing the CAICT DevSecOps Level‑2 security delivery assessment, indicating an advanced domestic level.

Assessment Unit: China Information Communication Research Institute

The bank passed multiple DevOps assessments, including one DevSecOps item, three system and tool items, and two continuous testing items, totaling 17 DevOps standard evaluations.

Q: Please introduce yourself, your company, and the project you evaluated.

Hu Junfeng (General Manager, Software R&D Center): We invest 3% of annual revenue in IT, focus on secure, efficient financial services, and have built a DevSecOps capability with automated pipelines and security gates to ensure safe product delivery.

Q: How does achieving the DevSecOps Level‑2 assessment feel?

Hu Junfeng: It reflects our advanced security delivery, thanks to team effort, institutional support, and comprehensive security tools.

Q: Why did your company decide to participate in the DevSecOps assessment?

Hu Junfeng: Internally, we recognized the importance of DevSecOps for fintech; externally, we wanted to demonstrate our commitment to security to customers and partners.

Q: What benefits has the security and risk management assessment brought?

Hu Junfeng: It helped us adopt best practices, improve internal controls, bridge development, operations, and security teams, increase security requirement coverage by 40%, cut vulnerability fix costs, and achieve 100% fix rate.

Q: What are the project’s characteristics and security challenges?

Pan Hua (Senior IT Expert): The cloud mall faces a large attack surface and complex business scenarios; we use DevSecOps to embed security into the pipeline, addressing rapid iteration and detection latency.

Q: How does your organization implement DevSecOps across culture, process, and technology?

Pan Hua: Culturally, we promote open collaboration and regular security training; process‑wise, we redesign pipelines with integrated security checks; technically, we built an automated security platform for testing, scanning, and auditing.

Q: What difficulties did you encounter during assessment preparation and how were they solved?

Pan Hua: Coordinating across multiple departments was challenging; we established communication channels and regular coordination meetings to align workflows and tools.

Q: What are your next steps for DevSecOps implementation?

Pan Hua: We plan to broaden the scope by adding more projects to the DevSecOps platform and deepen the practice by optimizing processes and metrics to further enhance security.

Industry participation details show that state‑owned banks have evaluated numerous DevOps modules, with data up to December 15, 2023.

The "R&D Operations Integration (DevOps) Capability Maturity Model" standards, led by CAICT and endorsed by the Ministry of Industry and Information Technology, are the first comprehensive DevOps standards globally, also recognized by ITU‑T.

For assessment inquiries, contact CAICT representatives (Liu Kailin, Bai Hanxiong) or GreatOps community (Wei Huanxin).