
How Shenwan Hongyuan Achieved National‑Level DevSecOps Excellence

Shenwan Hongyuan Securities showcased its advanced DevSecOps capabilities by passing the CAICT's DevSecOps security and risk management assessment and DevOps continuous delivery level‑3 evaluation, sharing detailed cultural, process, and technical practices that boost software security across the full lifecycle.

Efficient Ops

Event Overview

On July 18, 2023, the China Academy of Information and Communications Technology (CAICT) hosted the 2023 XOps Industry Innovation Development Forum in Beijing. The forum’s theme, “Quality‑Efficiency Integration, Stable and Intelligent Future,” focused on enhancing enterprise R&D‑operations capabilities and exchanging XOps best practices. During the event, CAICT announced the latest batch of DevOps/AIOps standard assessment results.

Shenwan Hongyuan's Assessment Results

Shenwan Hongyuan Securities participated with its Business Middle‑Platform Project and successfully passed the CAICT’s DevSecOps Security and Risk Management (Level 2) assessment, demonstrating an advanced domestic capability in secure development and delivery. The company also achieved Level 3 in the DevOps Continuous Delivery standard, confirming its strong quality‑efficiency improvements.

The assessment was conducted by the CAICT, with senior officials from the China Communications Standardization Association and CAICT presenting the award.

Q&A Highlights

Company Introduction & Project Scope – CIO Xie Chen described Shenwan Hongyuan as a state‑owned securities firm with a nationwide presence and overseas branches. The Business Middle‑Platform, launched in 2018, is a micro‑service‑based system offering interfaces for account opening, business processing, data services, and AI capabilities.

Benefits of the DevSecOps Assessment – The assessment helped the company build a “security‑left‑shift” model, embedding security policies, processes, and toolchains into requirement, design, development, build, and deployment stages, thereby securing the entire software lifecycle.

Implementation Details – Shenwan Hongyuan established clear responsibilities and technical guidelines for each software development phase, refined processes for different development models (independent, collaborative, outsourced), and deployed an integrated, platform‑based security toolchain that provides real‑time metrics for developers and security teams.

Cultural, Process, and Technical Practices – The firm delivered 17 security training modules across design, development, CI, testing, deployment, and release, fostering a security‑first mindset. Process improvements included risk‑based security coverage policies and security gates in the CI pipeline. Technically, a plug‑in‑based platform unified tool management and enabled seamless integration with the DevOps pipeline.

Future Plans – Shenwan Hongyuan aims to extend its security capabilities to more project teams, achieving full‑lifecycle security coverage across the organization.

Challenges and Solutions – Time constraints were addressed by adopting a platform‑centric design that reduced tool‑by‑tool implementation effort, leveraging tool‑driven processes, and forming cross‑functional virtual teams to accelerate deployment.

Industry Participation Statistics

The chart shows the number of securities, fund, and futures companies that have participated in DevOps maturity model assessments up to July 18, 2023.

About the DevOps Maturity Model

The “Research‑Development‑Operations Integration (DevOps) Capability Maturity Model” series, led by CAICT with contributions from major internet, finance, and telecom enterprises, is the first comprehensive DevOps standard in China and has been recognized by the ITU‑T as the world’s first international DevOps standard.

The model covers process management, continuous delivery, technical operations, application design, security & risk management, system & tool integration, business value management, collaborative development, continuous testing, performance measurement, platform engineering, and reliability engineering.

Written by

Efficient Ops

This public account is maintained by Xiaotianguo and friends, regularly publishing widely-read original technical articles. We focus on operations transformation and accompany you throughout your operations career, growing together happily.
