
Zhongtai Securities’ Path to Advanced DevSecOps Maturity – Key Takeaways

The 2021 GOLF+ IT Governance Forum highlighted Zhongtai Securities’ successful DevSecOps assessment, revealing how the company’s online business system met the second‑level security and risk management standards, and sharing detailed insights on cultural, procedural, and technical practices that drove their advanced security maturity.

Efficient Ops

Key Takeaways from the 2021 GOLF+ IT Governance Forum

Industry practice shows that standardization and tool enablement are critical for technology companies. Standards embody best practices, and embedding them in tools helps DevOps focus on people, processes, and products, reducing risk in production environments.

DevSecOps Assessment Results

At the forum, the first batch of DevOps capability maturity security and risk management assessment results was released. Zhongtai Securities’ online business processing system passed the second‑level security and risk management assessment of the “DevSecOps” standard, indicating an advanced domestic level.

Assessing organization: China Academy of Information and Communications Technology (CAICT).

Interview Highlights

Q: Please introduce your company and the evaluated project. He Bo, Director of the FinTech Committee of Zhongtai Securities, explained that the company was founded in 2001, operates nationwide, and the evaluated project is the online business processing system, a critical portal for investor account registration and management.

Q: What benefits did the security and risk management assessment bring? He Bo noted that the assessment enriched the company’s best‑practice experience in application security and will guide continuous improvement of DevSecOps capabilities.

Q: How did you decide to participate in the DevSecOps assessment? Since 2019 the company has been transforming to agile and DevOps. A lack of security resources and traditional pre‑release scans prompted the adoption of DevSecOps in 2020 to integrate development, security, and operations, and to obtain an objective maturity metric.

Q: How are cultural, process, and technical aspects of DevSecOps implemented?
Culture: Ongoing security awareness training and education for developers and operations staff.
Process: Embedding security steps into rapid development cycles, shifting security left.
Technology: Integrating security checks into the CI/CD pipeline, automating security testing and toolchain orchestration.

Q: What are the next steps? The company plans to continue refining the DevSecOps framework, enhancing systematic security capabilities, and promoting the methodology across projects.

Industry Participation

As of December 24, 2021, the securities industry participants in the DevOps capability maturity model include Zhongtai Securities and other leading firms, with assessment data sourced from the official DevOps evaluation portal.

DevOps Capability Maturity Model

The model, jointly developed by CAICT, the Cloud Computing Open Source Alliance, the Efficient Operations Community, and major internet companies, defines standards for agile management, continuous delivery, technical operations, application design, security and risk management, and system/tool evaluation. It was finalized as an international standard by ITU‑T in July 2020.

Contact Information

For inquiries about the DevOps standard assessment, contact CAICT (Liu Kailiang, phone 156 5078 6171, email [email protected]) or the Efficient Operations Community (Dong Hui, phone 185 1511 5139, email [email protected]).

Written by

Efficient Ops

This public account is maintained by Xiaotianguo and friends, regularly publishing widely-read original technical articles. We focus on operations transformation and accompany you throughout your operations career, growing together happily.
