How CICC Reached Advanced DevSecOps Standards: Inside Their Security Success
The article details CICC's successful completion of multiple DevSecOps assessments, shares interview insights from senior IT leaders on cultural, process, and technical implementations, and provides an overview of the DevOps capability maturity model and industry participation statistics, illustrating how standardized DevOps practices boost security and efficiency.
Background
Standardization and tool empowerment are key for enterprise success. DevOps standards and continuous‑delivery pipeline platforms significantly improve quality, efficiency, and security, helping companies enhance market competitiveness.
GOPS Conference and Evaluation Results
On 26 October 2023, the 21st GOPS Global Operations Conference was held in Shanghai. The China Academy of Information and Communications Technology (CAICT) announced the latest batch of DevOps standards assessment results.
CICC participated with two projects: Integrated Risk Management System Business Platform and CICC Integrated Investment Banking Platform (iBanker). Both projects passed the Level 2 assessment of the DevSecOps Security Development module and the Level 2 Security Delivery module, indicating that CICC’s DevSecOps capabilities have reached an advanced domestic level.
CICC also passed one Continuous Testing (CT) assessment. In total, CICC has passed 10 continuous‑delivery assessments, 2 DevSecOps assessments, 1 CT assessment, and 1 system‑and‑tool assessment.
Interview Highlights
Chief Information Officer Cheng Long described CICC’s mission to become a world‑class investment bank, emphasizing high‑quality financial services, sustainable development, and corporate social responsibility.
In the Q&A, Cheng explained that the Level 2 DevSecOps assessment validates the company’s security‑management efforts and provides valuable guidance for future security initiatives.
Rong Chang detailed how CICC built a complete security‑development lifecycle covering security requirements, design, coding, testing, deployment, and operation, and integrated security gates into the DevOps pipeline to automate security checks while maintaining development efficiency.
Lin Tao discussed challenges such as increasing R&D scale, complex system architecture, and rising external cyber threats, which demand a more comprehensive security‑risk‑management framework.
Ye Mingdeng explained CICC’s cultural, process, and technical measures for DevSecOps implementation: regular security‑awareness training, revised workflows that embed security checkpoints throughout the software lifecycle, and the use of automated security testing tools (static analysis, vulnerability scanning, penetration testing) on the internal DevOps “Tianji” platform.
Industry Participation Statistics
As of 26 October 2023, the securities and fund industries have the following numbers of enterprises and assessment items for the DevOps capability maturity model (see image).
DevOps Capability Maturity Model Overview
The DevOps Capability Maturity Model series, led by CAICT together with the Cloud Computing Open Source Industry Alliance, GreatOps Community, BATJ and other leading internet, finance, and telecom companies, is the first comprehensive and authoritative DevOps series standard in China. It has been released by the Ministry of Industry and Information Technology and adopted by many enterprises.
The model covers agile development management, continuous delivery, technical operations, security and risk management (DevSecOps), system and tool assessment, business value management, collaborative development‑operations, continuous testing, performance measurement, platform engineering, and Site Reliability Engineering (SRE).
Efficient Ops
This public account is maintained by Xiaotianguo and friends, regularly publishing widely-read original technical articles. We focus on operations transformation and accompany you throughout your operations career, growing together happily.