How HaiTong Securities Achieved Advanced DevSecOps Maturity: An Inside Look

This article details HaiTong Securities' journey through the DevSecOps assessment, showcasing their eHaiTongCai data service platform, interview insights from senior managers, the security challenges they faced, and the concrete steps they took to embed security across the entire software lifecycle.

Efficient Ops

Background and Assessment Results

On December 26, 2022, the China Academy of Information and Communications Technology (CAICT) announced the latest batch of DevOps standard assessment results, highlighting that standardization and tooling are key to enterprise success. HaiTong Securities' eHaiTongCai Data Application Service System passed the DevSecOps Level‑2 security and risk management assessment, demonstrating a leading domestic capability.

Project Overview

The evaluated project, eHaiTongCai Information Center – Data Application Service System, supports the eHaiTongCai APP/PC client with market data across securities, funds, bonds, precious metals, options, and more. It provides real‑time news, diagnostics, valuation, and other value‑added data for users.

Interview with Lu Songhua (Deputy General Manager, Software Development Center)

Q: Please introduce HaiTong Securities and the evaluated project.
HaiTong Securities is a leading integrated securities firm in China with a comprehensive business platform, extensive marketing network, and over 20 million customers. The eHaiTongCai platform offers a one‑stop wealth management service, and the data service system supplies timely, accurate market information to downstream systems.

Q: How does the DevSecOps Level‑2 assessment reflect your capabilities?
Achieving Level‑2 confirms that HaiTong’s DevSecOps framework and transformation are recognized, providing clear direction for further security development.

Q: What motivated you to join the DevSecOps assessment?
Since 2020 HaiTong has built a DevOps capability, reaching Level‑3 continuous delivery in 2021. To strengthen security, the company aligned its risk‑focused strategy with a comprehensive security protection line, establishing a DevSecOps system covering third‑party management, secure design, secure development, testing, baseline, and operations.

Q: What are the main characteristics and security challenges of the project?
The system is large‑scale, high‑frequency, and rapidly iterated, requiring standardized security processes for each upgrade, secure design for diverse data types, and protection against interface abuse and replay attacks.

Q: What are the biggest gains from this year’s DevSecOps implementation?
HaiTong has shifted security left, embedding security culture, processes, and technology early in the development lifecycle, and extending security management across the entire software lifecycle.

Q: What are your next steps?
The company plans to further refine its security capability system, extend secure development, delivery, and operation practices to more project teams, and tailor security coverage for different development models.

Interview with Wang Dong (Deputy General Manager, Data Center)

Q: How does HaiTong implement DevSecOps in culture, process, and technology?
Culturally, regular training and awareness activities embed security throughout the tech line. Process‑wise, security reviews are added to requirement and design phases, and security gates ensure quality during development, testing, and release. Technologically, a unified security toolchain integrates automated checks, a security operations center, and a DevOps platform to manage tools, processes, and personnel.

Q: Was the assessment process smooth? What challenges arose?
The assessment spanned multiple departments, requiring extensive cross‑team collaboration. A virtual task force of experts from security, development, data, and management facilitated cooperation and helped achieve comprehensive security coverage.

Q: How has the assessment helped your security architecture?
It prompted a holistic review of HaiTong’s security capabilities, reinforced a “one HaiTong” security mindset, strengthened network security foundations, and refined technical standards and toolchains across development, testing, and platform teams.

Future Outlook for DevOps

HaiTong plans to extend maturity to the operations side and integrate with PaaS capabilities, offering more self‑service, mature technical platforms from architecture design through development.

DevOps Maturity Model Overview

The R&D Operations Integration (DevOps) Capability Maturity Model was jointly developed by CAICT, the Cloud Computing Open Source Industry Alliance, the Efficient Operations Community, BATJ, and leading enterprises. It is the first international DevOps standard, recognized by the ITU‑T in 2020, and covers process, application design, security & risk management, system & tool, business value, collaborative development, and continuous testing.

Key Visuals

[Figure: DevOps assessment illustration]
[Figure: 2022 GOLF+IT Governance Forum]
[Figure: Assessment site photo]
[Figure: IDE integrated security scanning]
[Figure: DevOps pipeline automated vulnerability scanning]
[Figure: Source code security scan report]
[Figure: Threat and vulnerability management platform]
[Figure: Vulnerability metric analysis]
[Figure: Security metric dashboard]