How CICC Achieved Advanced DevSecOps Standards: A Deep Dive into Their Success
CICC’s two flagship projects passed the DevSecOps Level‑2 security and risk management assessments, showcasing how the firm integrated security into its DevOps pipeline, overcame cultural and technical challenges, and plans further enhancements to maintain a leading position in China’s financial sector.
Overview
Large enterprises worldwide have proven that standardization and tooling are key to success. The DevOps standards and the associated continuous delivery pipeline platform can significantly improve quality, efficiency, and security, boosting market competitiveness.
Assessment Results
At the 21st GOPS Global Operations Conference on 26 October 2023 in Shanghai, the China Academy of Information and Communications Technology (CAICT) announced the latest DevOps standards assessment results.
CICC (China International Capital Corp.) participated with two projects: the Comprehensive Risk Management System Unified Business Management Platform and the CICC Integrated Investment Banking Platform (iBanker).
Both projects passed the CAICT’s DevSecOps Security Development Module Level 2 assessment, and the iBanker project also passed the Secure Delivery Module Level 2 assessment, indicating that CICC’s DevSecOps capabilities are at an advanced domestic level.
CICC also passed one Continuous Testing (CT) assessment. In total, CICC has passed ten continuous delivery assessments, two DevSecOps assessments, one CT assessment, and one system and tool assessment.
Interview Highlights
Chief Information Officer Cheng Long described CICC’s mission to become a world‑class investment bank and emphasized the importance of sustainable development and social responsibility.
Cheng noted that passing the DevSecOps Level‑2 assessment validates the company’s security management efforts and provides significant value for future security initiatives.
IT Executive Luo Chang explained that the DevSecOps assessment helped establish a complete security development lifecycle covering requirements, design, coding, testing, deployment, and operations, and that security controls have been automated within the DevOps pipeline.
Security Lead Lin Tao highlighted challenges such as increasing system complexity, high‑frequency releases, and a growing external threat landscape, which demand a comprehensive security risk management framework.
Technology Platform Lead Ye Mingdeng detailed process and technical improvements, including integrating security checks into agile and DevOps workflows, adopting secure coding practices, automated vulnerability scanning, penetration testing, and continuous monitoring.
The interviewees also discussed difficulties encountered during preparation, such as strengthening the security management system, expanding coverage across the full development lifecycle, and acquiring suitable security tools. Solutions involved forming cross‑functional security teams, enhancing training, and automating security gate checks.
Future Plans
Continue strengthening security awareness and training for all staff.
Enhance security testing, vulnerability management, and automated remediation.
Improve security monitoring and rapid incident response capabilities.
Promote further automation in operations and security tooling.
Industry Statistics
As of 26 October 2023, the securities and fund industries have participated in the DevOps Capability Maturity Model assessments with numerous enterprises achieving various levels across continuous delivery, technical operation, security and risk management, and system/tool evaluations.
About the DevOps Capability Maturity Model
The DevOps Capability Maturity Model series, led by CAICT and co‑created with top internet, finance, and telecom companies, is the first comprehensive DevOps standard worldwide. It has been officially released by the Ministry of Industry and Information Technology and adopted by many leading enterprises.
The model covers process management (agile development, continuous delivery, technical operation), application design, security and risk management (DevSecOps), system and tool evaluation, business value management, collaborative development and operation, continuous testing, performance measurement, platform engineering, and Site Reliability Engineering (SRE).
Efficient Ops
This public account is maintained by Xiaotianguo and friends, regularly publishing widely-read original technical articles. We focus on operations transformation and accompany you throughout your operations career, growing together happily.