Information Security 15 min read

How Enterprise DevSecOps Transforms Security in Modern IT Operations

The article recaps the fourth Enterprise DevOps Empowerment conference, highlighting DevSecOps as the core theme, expert presentations from China Academy of Information and Communications Technology, Huatai Securities, and Tencent, and a detailed Q&A covering threat modeling, security automation, scanning practices, and operational integration.


On June 23, 2020, the China Academy of Information and Communications Technology, together with the Cloud Computing Open Source Industry Alliance and the Open Operations Alliance, hosted the fourth Enterprise DevOps Empowerment (Co‑promotion) conference online.

The participants were mainly from cooperating units of the empowerment plan.

The discussion centered on the theme of DevSecOps. Within the DevOps collaboration framework, security protection is a shared responsibility across the entire IT lifecycle, requiring early involvement of security teams, automated security plans, and continuous protection.

Speaker: Niu Xiaoling (China Academy of Information and Communications Technology) presented "Jointly Advancing the Enterprise-level DevOps Empowerment (Co-promotion) Plan," introducing the new cooperating units and the "DevOps Capability Maturity Model – Part 6: Security and Risk Management".

Speaker: Zhuang Fei (Huatai Securities) shared the "Huatai Securities DevSecOps Implementation Practice," discussing security challenges, the propagation of DevSecOps concepts, practical experiences, and the construction of a security tool platform.

Speaker: Zhang Zuyou (Tencent Security) presented “From Chaos to Systematic: Tencent’s DevSecOps Practices,” covering Tencent Cloud product systems, security challenges, boundary security, risk‑based security architecture, and practical attempts at DevSecOps implementation.

During the interactive Q&A, experts addressed numerous practical issues:

Q: How are lightweight threat models and threat tables accumulated? Zhuang explained that Huatai maintains a "regulatory requirements compilation" aligned with national regulations and updated annually; over time it has grown into a comprehensive library of software security requirements that doubles as the threat list.

Q: What are the scope and frequency of internal penetration testing? Zhuang described testing performed by dedicated in-house staff, supplemented by rapid external testing when needed; he noted that a full test of one system may take a day internally and about two days through an external provider.

Q: How is security embedded throughout the lifecycle and measured at each stage? Zhuang highlighted automated security requirement generation, selective vulnerability handling during development, and rule optimization during testing to reduce manual security involvement.

Q: What does sensitive information inspection in the pipeline mean? Zhang noted that Tencent checks code for exposed API keys or other sensitive data to prevent accidental leaks.
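As an added illustration of such a check, not code from Tencent or the talk: a minimal pre-commit-style scanner in Python that runs over a commit's text and fails the pipeline when a suspected secret is found. The detector names, placeholder list, entropy threshold and sample lines are all assumed or constructed here; the access key ID in the sample is the one AWS publishes in its own documentation, not a live credential.

```python
import math
import re
from dataclasses import dataclass
from typing import List

# Detectors. The AWS access-key-ID shape (AKIA + 16 upper-case alphanumerics)
# and the PEM private-key header are public formats; the assignment pattern is
# a heuristic that catches things like  api_key = "..."  in source or config.
AWS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
PRIVATE_KEY_HEADER = re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")
SECRET_ASSIGNMENT = re.compile(
    r"(?i)(api[_-]?key|secret|token|password|passwd)\s*[:=]\s*['\"]([^'\"\s]{8,})['\"]"
)

# Values that look like secrets but are placeholders (assumed list); skipped to limit noise.
PLACEHOLDERS = {"changeme", "example", "your_api_key_here", "xxxxxxxx", "<redacted>"}


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str
    value: str


def shannon_entropy(s: str) -> float:
    """Bits per character; random keys sit well above ordinary words."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_source(text: str, entropy_threshold: float = 3.5) -> List[Finding]:
    """Return suspected secrets in `text`, one Finding per hit, in line order."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if PRIVATE_KEY_HEADER.search(line):
            findings.append(Finding(line_no, "private_key_block", "PEM private key header"))
        for m in AWS_KEY_ID.finditer(line):
            findings.append(Finding(line_no, "aws_access_key_id", m.group(0)))
        for m in SECRET_ASSIGNMENT.finditer(line):
            value = m.group(2)
            # Environment-variable references and known placeholders are not leaks.
            if value.startswith("${") or value.lower() in PLACEHOLDERS:
                continue
            # Low-entropy values are usually words or defaults, not real keys.
            if shannon_entropy(value) < entropy_threshold:
                continue
            findings.append(Finding(line_no, "secret_assignment", value))
    return findings


def pipeline_gate(text: str) -> bool:
    """True when the change may proceed, i.e. no suspected secret was found."""
    return not scan_source(text)


# Constructed sample input; the key ID is the example AWS uses in its documentation.
SAMPLE = """\
# constructed sample, not real credentials
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
db_password = "changeme"
api_key = "${API_KEY}"
token = "x9F2kQ8vLm3nZp7RtY4wB1cD"
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for f in scan_source(SAMPLE):
        print(f"line {f.line_no}: {f.kind} -> {f.value}")
    print("gate:", "pass" if pipeline_gate(SAMPLE) else "FAIL")
```

Run against the sample, the scanner flags the AWS key ID, the high-entropy token and the private-key header, and lets the `changeme` placeholder and the `${API_KEY}` reference through. The entropy filter is what keeps a generic `password = "..."` pattern usable in a real pipeline; without it, every default or test value becomes a ticket.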

Q: When are external IP security approvals denied? Zhang stated approvals require clear development necessity and security hardening; unnecessary external exposure is rejected.

Q: What does “person asset” management involve? Zhang explained it involves clarifying roles and responsibilities within Tencent’s complex organizational structure to ensure comprehensive security coverage.

Q: How are high‑risk port scans conducted efficiently? Zhang described targeted rapid scans of high‑risk ports within Tencent’s self‑developed servers, with broader scans performed less frequently to balance performance.

Q: Are internal SAST/DAST tools open‑source? Zhang clarified that internal tools are collaboratively built across security teams and currently have no open‑source plans.

Q: How are security requirements and design integrated in DevSecOps? Zhuang outlined a questionnaire‑driven approach to capture security needs during architecture design, generating automated security requirements that guide development and testing.
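An added example of the questionnaire-to-requirements step, not Huatai's tool: a small rule set in which answers to a handful of yes/no architecture questions derive the security requirement list and the automated pipeline checks that will enforce it. The question names, requirement IDs, check IDs and the sample answers are all hypothetical.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Hypothetical questionnaire; the questions Huatai actually asks are not on the page.
QUESTIONS = (
    "internet_facing",      # reachable from outside the company network?
    "has_auth",             # does the service authenticate users?
    "handles_pii",          # does it store or process personal data?
    "accepts_uploads",      # does it accept files from users?
    "third_party_deps",     # does it pull in open-source or vendor components?
)


@dataclass(frozen=True)
class Requirement:
    req_id: str
    text: str
    checks: Tuple[str, ...]   # hypothetical pipeline check IDs the requirement enables


# Each rule: a predicate over the answers and the requirement it produces.
# Predicates may combine answers, so the result is not a one-to-one lookup.
RULES = (
    (lambda a: a["internet_facing"],
     Requirement("SR-01", "External endpoints enforce TLS and rate limiting",
                 ("dast-tls-config", "dast-rate-limit"))),
    (lambda a: a["handles_pii"],
     Requirement("SR-02", "Personal data is encrypted at rest and masked in logs",
                 ("sast-log-masking", "config-encryption-at-rest"))),
    (lambda a: a["internet_facing"] and a["has_auth"],
     Requirement("SR-03", "Login has lockout/brute-force protection; privileged roles use MFA",
                 ("dast-auth-lockout",))),
    (lambda a: a["has_auth"] and a["handles_pii"],
     Requirement("SR-04", "Every data access is authorised per record, not per endpoint",
                 ("dast-idor",))),
    (lambda a: a["accepts_uploads"],
     Requirement("SR-05", "Uploads are type-validated and stored outside the web root",
                 ("sast-upload-validation",))),
    (lambda a: a["third_party_deps"],
     Requirement("SR-06", "Dependencies pass SCA with no known critical vulnerabilities",
                 ("sca-critical",))),
)


def derive_requirements(answers: Dict[str, bool]) -> List[Requirement]:
    """Requirements implied by the questionnaire. Every question must be answered:
    an unanswered question is an error, not an implicit 'no', so a requirement
    cannot be avoided by leaving the question blank."""
    missing = [q for q in QUESTIONS if q not in answers]
    if missing:
        raise ValueError(f"unanswered questions: {missing}")
    return sorted((req for cond, req in RULES if cond(answers)), key=lambda r: r.req_id)


def pipeline_checks(requirements: List[Requirement]) -> List[str]:
    """Union of the automated checks the derived requirements turn on."""
    return sorted({c for r in requirements for c in r.checks})


# Constructed answers for an internet-facing customer portal with login and PII.
PORTAL = {
    "internet_facing": True,
    "has_auth": True,
    "handles_pii": True,
    "accepts_uploads": False,
    "third_party_deps": True,
}

if __name__ == "__main__":
    reqs = derive_requirements(PORTAL)
    for r in reqs:
        print(r.req_id, r.text)
    print("pipeline checks:", pipeline_checks(reqs))
```

The point of attaching check IDs to each requirement is that the design-phase answers directly configure which SAST/DAST/SCA rules run in the pipeline later, which is how the "automated security requirements that guide development and testing" described above can be realised without a security engineer re-reading every design.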

Q: What changes does DevSecOps bring to operations? Zhang emphasized unified traffic design, firewall integration, and platform standardization to embed security into operational processes.

Q: How are vulnerability scans and remediation handled in the operation phase? Zhang explained continuous scanning, differentiated scanning for high‑risk ports versus full scans, and a strict 100% remediation policy enforced via security tickets.

Q: How are security tickets prioritized and resolved? Zhang detailed a three-level severity system, each level with its own deadline for a temporary mitigation and for full remediation, and noted that a false-positive handling path exists. Performance metrics are not tied directly to tickets, though a severe vulnerability may affect a team's evaluation.
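An added example, not Tencent's ticketing system, of how such a severity-tiered SLA can be tracked so that the 100% remediation policy is measurable. The timeframes are assumed (the recap gives none); ticket IDs, dates and the reviewer name are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Assumed SLA table. The talk described three severity levels with separate
# deadlines for a temporary mitigation and for full remediation; the recap
# gives no numbers, so these durations are illustrative only.
SLA = {
    "high":   {"mitigate": timedelta(hours=24), "remediate": timedelta(days=7)},
    "medium": {"mitigate": timedelta(days=3),   "remediate": timedelta(days=30)},
    "low":    {"mitigate": timedelta(days=14),  "remediate": timedelta(days=90)},
}


@dataclass
class Ticket:
    ticket_id: str
    severity: str
    opened: datetime
    mitigated: Optional[datetime] = None
    remediated: Optional[datetime] = None
    false_positive_reason: Optional[str] = None


def mark_false_positive(t: Ticket, reason: str, reviewer: str) -> None:
    """Closing a ticket as a false positive needs a written reason and a named
    reviewer, so a finding cannot disappear without an audit trail."""
    if not reason.strip() or not reviewer.strip():
        raise ValueError("false-positive closure requires a reason and a reviewer")
    t.false_positive_reason = f"{reviewer}: {reason.strip()}"


def ticket_status(t: Ticket, now: datetime) -> str:
    """State of one ticket against its SLA at time `now`."""
    if t.false_positive_reason is not None:
        return "closed_false_positive"
    if t.remediated is not None:
        return "closed_remediated"
    sla = SLA[t.severity]
    if t.mitigated is None and now > t.opened + sla["mitigate"]:
        return "overdue_mitigation"
    if now > t.opened + sla["remediate"]:
        # A mitigation in place does not stop the remediation clock.
        return "overdue_remediation"
    return "mitigated_in_window" if t.mitigated is not None else "open_in_window"


def overdue(tickets: List[Ticket], now: datetime) -> List[str]:
    """IDs of tickets that have missed either deadline, sorted."""
    return sorted(t.ticket_id for t in tickets if ticket_status(t, now).startswith("overdue"))


def remediation_rate(tickets: List[Ticket]) -> float:
    """Share of genuine findings fully remediated; 1.0 is the 100% target.
    Mitigated-only tickets do not count, false positives are excluded."""
    genuine = [t for t in tickets if t.false_positive_reason is None]
    if not genuine:
        return 1.0
    return sum(1 for t in genuine if t.remediated is not None) / len(genuine)


# Constructed sample tickets, evaluated at a fixed point in time.
NOW = datetime(2020, 6, 2, 12, 0)
TICKETS = [
    Ticket("SEC-1", "high", datetime(2020, 6, 1, 0, 0)),                              # 36h old, no mitigation
    Ticket("SEC-2", "medium", datetime(2020, 5, 1), mitigated=datetime(2020, 5, 2)),  # mitigated, 30-day fix missed
    Ticket("SEC-3", "low", datetime(2020, 6, 1)),
    Ticket("SEC-4", "high", datetime(2020, 5, 20)),
    Ticket("SEC-5", "medium", datetime(2020, 5, 10), remediated=datetime(2020, 5, 15)),
]
mark_false_positive(TICKETS[3], "scanner flagged a decommissioned host", "alice")

if __name__ == "__main__":
    for t in TICKETS:
        print(t.ticket_id, t.severity, ticket_status(t, NOW))
    print("overdue:", overdue(TICKETS, NOW))
    print(f"remediation rate: {remediation_rate(TICKETS):.0%}")
```

Two design choices matter in practice: a temporary mitigation pauses nothing, so SEC-2 still shows as overdue for remediation even though it was mitigated within a day, and the remediation rate counts only genuine findings that are actually fixed, which is what a "100% remediation" policy has to measure if it is to mean anything.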

The event concluded with a group photo of all participants and a summary of cooperating units that have joined the empowerment plan.

For more information about the Enterprise-level DevOps Empowerment plan, contact Liu Kailin (China Academy of Information and Communications Technology) at 156-5078-6171 or [email protected], or Dong Hui (Efficient Operations Community) at 185-1511-5139 or [email protected].

Tags: Security Automation, DevSecOps, Threat Modeling, Enterprise Security, IT Operations

Written by Efficient Ops

This public account is maintained by Xiaotianguo and friends, regularly publishing widely-read original technical articles. We focus on operations transformation and accompany you throughout your operations career, growing together happily.
