
How ICBC’s Mobile Banking Achieved DevSecOps Maturity: A Deep Dive

The article details how Industrial and Commercial Bank of China’s mobile banking project passed the DevSecOps security and risk‑management assessment, outlining the standards, implementation steps, challenges faced, and the benefits gained for both the organization and the broader financial industry.

Efficient Ops

Standardization and tooling are key to success in technology companies: standards capture best practices, and embedding those standards in tools keeps the DevOps focus on people, processes, and products while reducing risk by limiting changes to the production environment.

On December 23, 2020, the 2020 GOLF+ IT Governance Leadership Forum in Beijing announced the first batch of results from the DevOps capability maturity assessment for security and risk management. Industrial and Commercial Bank of China (ICBC) participated with its mobile banking project and achieved Level 2 in the security development assessment, which places its security capability at an advanced level domestically.

ICBC’s software development center, established in 1996 and operating across seven cities, supports a wide range of banking services through its mobile app, leveraging AI, big data, and other advanced technologies to deliver secure, personalized online services.

Key benefits of the DevSecOps assessment: the project demonstrated a robust security development capability, provided a benchmark for the financial sector, and enriched ICBC’s best‑practice experience for future security enhancements.

Why ICBC pursued the DevSecOps evaluation: security is paramount in finance, and adopting DevSecOps addressed problems such as security testing performed in isolation, late feedback, and inconsistent enforcement of security requirements by embedding security into the entire development pipeline.

Features of ICBC’s DevSecOps implementation:

Systematic coverage of organizational responsibilities, personnel skills, tool maintenance, third‑party components, data management, and infrastructure.

End‑to‑end security standards across requirements, design, and development phases.

Security built into tools and daily inspections, including lightweight threat modeling, open‑source component analysis, and security requirement codification.

Security challenges for the mobile banking app:

Complex customer environments with diverse usage scenarios and potential malicious attacks.

Hundreds of business scenarios increasing development complexity.

Over 400 million users, demanding rapid incident response.

Fast‑paced iterative releases involving many stakeholders and varied security requirements.

The assessment enriched ICBC’s internal security processes, reduced vulnerabilities, and created a reusable DevSecOps framework for other development units. Future plans include scaling the pilot experience to all seven R&D departments, aiming for Level‑3 maturity and deeper security integration.

The DevOps Capability Maturity Model, jointly developed by China Information Communication Research Institute, cloud‑computing alliances, and leading internet companies, defines standards for agile management, continuous delivery, technical operations, application design, security and risk management, and tooling. It became the world’s first international DevOps standard in July 2020.

[Figure: DevOps assessment result]
[Figure: DevOps capability maturity model diagram]
Written by

Efficient Ops

This public account is maintained by Xiaotianguo and friends, regularly publishing widely-read original technical articles. We focus on operations transformation and accompany you throughout your operations career, growing together happily.
