How ICBC Built a DevSecOps Security Framework to Accelerate Safe Software Delivery
This article explains how ICBC's software development center integrated DevSecOps practices—embedding security awareness, automating toolchains, and using metric‑driven assessments—to reduce vulnerabilities, lower compliance risk, and support a cloud‑native, secure smart‑banking ecosystem.
Caught between the demands of security and delivery speed, DevSecOps emerged to embed security into the development process itself, improving automation and reliability and supporting the transformation of ICBC's smart banking system.
Building a DevSecOps Security Support System
ICBC's software development center set the core goal “one improvement, two reductions” for its software security development system.
One improvement: raise application security development technology and personnel capability by building a unified security platform, integrating security activities across development stages, and creating a closed‑loop security management capability throughout the software lifecycle. The platform automates tool orchestration, aggregates expert knowledge, and offers componentized and service‑oriented security capabilities, turning expert skills into reusable assets.
Two reductions: lower the number of vulnerabilities and reduce compliance risk, using quantifiable metrics that feed back to development teams for continuous improvement.
Based on these goals, the center focuses on four key areas: security awareness integration, full‑process toolchain, metric‑driven assessment, and management efficiency.
1. Security Awareness Integrated Across the Full Lifecycle
By constructing a security development support platform that consolidates existing development management platforms, technology stacks, and security tools, the bank creates an expert knowledge base, reduces reliance on individual personnel, and enables “shift‑left” security throughout the software lifecycle.
2. Comprehensive Security Toolchain Covering All Stages
DevSecOps tools are integrated into the CI/CD pipeline stage by stage. In the continuous integration stage, white‑box source‑code scanning tools (IDE plugins, sensitive‑data checkers, and static application security testing) detect coding defects and sensitive‑data leaks before the code is built. In the continuous delivery stage, software composition analysis identifies vulnerabilities in third‑party components, while black‑box and gray‑box testing identify vulnerabilities in the running application and its containers. The support system abstracts and composes these tool capabilities and correlates their results, so that each finding is handled as part of one closed‑loop security management process rather than as an isolated tool report.
3. Multi‑Dimensional Assessment and Digital Metrics
Traditional security maturity models score either individual vulnerabilities or the enterprise as a whole, and neither granularity suits evaluating a single project. Leveraging years of practice and the data accumulated on the security platform, ICBC established a multi‑dimensional security maturity measurement for software projects, enabling continuous feedback, tracking, and closed‑loop management of security issues.
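As an added example that is not part of the original article or ICBC's platform, the following Python sketch puts the two sections above into code: reports from CI‑stage tools (an IDE plugin and SAST) and CD‑stage tools (SCA and DAST) are normalised into one record type, findings raised by different tools for the same category and location are correlated into one, and project‑level metrics for the "two reductions" (vulnerability counts and compliance violations) drive a pipeline gate whose failure reasons are what get fed back to the development team. The report shapes, rule sets, severity weights, gate thresholds and sample findings (including the placeholder CVE id) are all assumptions constructed for this example.

```python
"""Normalise findings from CI- and CD-stage security tools, correlate duplicates,
and compute project-level metrics with a pipeline gate.

Added illustration: report shapes, rule sets, weights and thresholds are
assumptions for this example, not ICBC's platform or any real tool's format.
"""
from collections import Counter
from dataclasses import dataclass

# Assumed severity weights and per-project gate thresholds.
SEVERITY_WEIGHT = {"critical": 10, "high": 5, "medium": 2, "low": 1}
GATE = {"max_critical": 0, "max_high": 2, "max_compliance": 0}
# Rules treated as compliance (sensitive-data) violations rather than plain defects.
SENSITIVE_DATA_RULES = {"CWE-312", "CWE-532"}  # cleartext storage / sensitive data in logs


@dataclass(frozen=True)
class Finding:
    stage: str        # "ci" (IDE plugin, sensitive-data checker, SAST) or "cd" (SCA, DAST)
    tool: str
    severity: str     # critical | high | medium | low
    category: str     # CWE id, CVE id or policy tag
    location: str     # file:line, package@version, or request path
    compliance: bool  # True when the finding breaches a compliance baseline rule


def normalise_sast(report):
    """CI-stage source scan; assumed shape {"tool", "results": [{"rule","severity","file","line"}]}."""
    return [Finding("ci", report["tool"], r["severity"].lower(), r["rule"],
                    f'{r["file"]}:{r["line"]}', r["rule"] in SENSITIVE_DATA_RULES)
            for r in report["results"]]


def normalise_sca(report):
    """CD-stage composition analysis; assumed shape {"vulnerabilities": [{"package","version","cve","severity"}]}."""
    return [Finding("cd", "sca", r["severity"].lower(), r["cve"],
                    f'{r["package"]}@{r["version"]}', False)
            for r in report["vulnerabilities"]]


def normalise_dast(report):
    """CD-stage black-box scan; assumed shape {"alerts": [{"cwe","risk","path"}]}."""
    return [Finding("cd", "dast", r["risk"].lower(), r["cwe"], r["path"], False)
            for r in report["alerts"]]


def correlate(findings):
    """Collapse findings raised by several tools for the same category and location
    (e.g. the IDE plugin and the SAST scanner on one line), keeping the highest severity."""
    best = {}
    for f in findings:
        key = (f.category, f.location)
        if key not in best or SEVERITY_WEIGHT[f.severity] > SEVERITY_WEIGHT[best[key].severity]:
            best[key] = f
    return list(best.values())


def metrics(findings):
    """The 'two reductions' as numbers: vulnerability counts and compliance violations."""
    return {
        "total": len(findings),
        "by_severity": dict(Counter(f.severity for f in findings)),
        "by_stage": dict(Counter(f.stage for f in findings)),
        "risk_score": sum(SEVERITY_WEIGHT[f.severity] for f in findings),
        "compliance_violations": sum(1 for f in findings if f.compliance),
    }


def gate(m):
    """Return (passed, reasons); the reasons are what is fed back to the dev team."""
    sev, reasons = m["by_severity"], []
    if sev.get("critical", 0) > GATE["max_critical"]:
        reasons.append(f'{sev["critical"]} critical finding(s) exceed {GATE["max_critical"]}')
    if sev.get("high", 0) > GATE["max_high"]:
        reasons.append(f'{sev["high"]} high finding(s) exceed {GATE["max_high"]}')
    if m["compliance_violations"] > GATE["max_compliance"]:
        reasons.append(f'{m["compliance_violations"]} compliance violation(s)')
    return (not reasons, reasons)


# Constructed sample reports (not real scan output): the IDE plugin and SAST
# both flag src/Pay.java:42, and the CVE id is a placeholder.
SAMPLE_IDE = {"tool": "ide-plugin", "results": [
    {"rule": "CWE-89", "severity": "High", "file": "src/Pay.java", "line": 42}]}
SAMPLE_SAST = {"tool": "sast", "results": [
    {"rule": "CWE-89", "severity": "Critical", "file": "src/Pay.java", "line": 42},
    {"rule": "CWE-312", "severity": "Medium", "file": "src/Card.java", "line": 17}]}
SAMPLE_SCA = {"vulnerabilities": [
    {"package": "example-lib", "version": "1.2.3", "cve": "CVE-0000-0001", "severity": "Critical"}]}
SAMPLE_DAST = {"alerts": [
    {"cwe": "CWE-79", "risk": "Medium", "path": "/account/search"},
    {"cwe": "CWE-89", "risk": "High", "path": "/pay"}]}


def run_example():
    """Run the whole loop on the constructed reports: normalise, correlate, measure, gate."""
    raw = (normalise_sast(SAMPLE_IDE) + normalise_sast(SAMPLE_SAST)
           + normalise_sca(SAMPLE_SCA) + normalise_dast(SAMPLE_DAST))
    m = metrics(correlate(raw))
    passed, reasons = gate(m)
    return m, passed, reasons


if __name__ == "__main__":
    m, passed, reasons = run_example()
    print(m)
    print("gate passed" if passed else "gate failed: " + "; ".join(reasons))
```

On the constructed input the six raw findings correlate to five (the duplicate SQL‑injection hit on `src/Pay.java:42` keeps the SAST scanner's critical rating), and the gate fails on two counts: critical findings and the sensitive‑data compliance violation. In practice the thresholds in `GATE` would come from the per‑project baseline rather than a constant, and the correlation key would need to tolerate differences in how each tool reports a location.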
4. Improving Management Efficiency and Reducing Personnel Dependence
By codifying security processes into reusable templates, security portraits, baselines, components, and knowledge bases, the bank transforms personal expertise into standardized, service‑oriented assets. Analyzing security activity data across development creates industry‑level security big data that supports further analysis, quantification, and evaluation.
Software Security Architecture Enters a New Phase
With the bank’s shift toward cloud computing and distributed architectures, the security roadmap now focuses on cloud‑native security, embedding security quality into delivery pipelines and protecting APIs across the full stack, thereby supporting rapid development of the smart banking ecosystem.
Efficient Ops
This public account is maintained by Xiaotianguo and friends, regularly publishing widely-read original technical articles. We focus on operations transformation and accompany you throughout your operations career, growing together happily.