
How Huatai Securities Achieved Advanced DevSecOps Maturity in Its Data Science Platform

Huatai Securities' data science development platform passed the DevSecOps security and risk management assessment at level 2, showcasing advanced domestic security practices. The interview reveals the cultural, procedural, and technical steps that enabled this achievement, along with future improvement plans.

Efficient Ops

Editor’s note: Standardization and tool empowerment are key to success for technology companies; DevOps focuses on people, processes, and products, reducing risk by fostering a collaborative culture.

On December 23, 2020, the 2020 GOLF+ IT New Governance Leadership Forum was held in Beijing, aiming to integrate IT governance with technological innovation and focusing on "Empowering Governance, Leading New Tech Ecology" and "XOPS Driving New Operations".

The forum announced the first trial evaluation results of the DevOps capability maturity security and risk management standard. Huatai Securities participated with its Data Science Development Platform and successfully passed the security and risk management (DevSecOps) assessment, achieving Security Operation Level 2, which represents an advanced domestic level.

Q: Please introduce your company and the project you evaluated.

A (Chen Dong): Huatai Securities is a leading technology‑driven securities group founded in 1991, leveraging fintech for transformation and offering comprehensive financial services. Our global depositary receipts are listed on the London Stock Exchange, making us a Chinese financial institution listed in Shanghai, Hong Kong, and London.

A (Kong Yaze): The Data Science Development Platform is the core tool of our data‑mid‑platform, providing data development, scheduling, data APIs, deployment, and release functions. It breaks data silos, turning data into assets and establishing a full‑chain data management and service ecosystem.

The platform supports both pre‑production and production environments, allowing internal staff and external partners to develop code, models, and workflows, and to provide offline data exploration and online model training services for research, investment, and asset management.

Security challenges include high demands on user management, authentication, permission control, logging, and auditing, especially given the large amount of data assets and the rapid iteration of versions.

To address these, Huatai has implemented DevSecOps from three dimensions:

Culture: Security awareness campaigns, training, a security academy, and security consultants promote the idea that security is everyone's responsibility.

Process: A complete Software Security Development Lifecycle (SDL) is integrated into the development process, with security consultants embedding security activities at each stage.

Technology: An end‑to‑end security toolchain is in place, automating SAST, SCA, mobile app hardening, Docker security scanning, DAST, and IAST within the DevOps pipeline.

Q: What benefits has the security and risk management assessment brought to your enterprise?

A (Chen Dong): The assessment validates our comprehensive and advanced security risk management in the DevOps transformation, provides systematic guidance on DevSecOps implementation, uncovers improvement areas, and strengthens collaboration between development, operations, and security teams, enhancing overall organizational efficiency.

Q: What are the next steps for your DevSecOps practice?

A (Kong Yaze): We will continue to close gaps toward higher maturity levels, study additional standards such as general risk and secure delivery, and advance our SDL platform, automated security testing, and risk profiling capabilities.

Q: How does your platform illustrate the core concepts of DevSecOps?

A (Chen Dong): The platform provides web‑based project development, code and model development, workflow orchestration, scheduling, and API services, with strong monitoring, scaling, and logging capabilities, all secured by the integrated toolchain.

Assessment scene
Data Science Platform overview
DevOps maturity model
Written by

Efficient Ops

This public account is maintained by Xiaotianguo and friends, regularly publishing widely-read original technical articles. We focus on operations transformation and accompany you throughout your operations career, growing together happily.
