Ctrip's DevSecOps Practices and Challenges
The article details Ctrip's DevSecOps challenges and solutions, covering security team structuring, threat modeling, SCA and SAST integration, IAST/DAST architecture, vulnerability management, and the resulting improvements in automated security testing within a high‑frequency CI/CD environment.
As an online travel platform serving millions of users across ticketing, hotels, payments, and more, Ctrip faces the massive challenge of ensuring the security of tens of thousands of weekly application releases, making DevSecOps security integration a critical concern.
To address manpower constraints, Ctrip established a Security Business Partner (BP) model, assigning a security lead within each business unit who acts as a bridge between the security team and development, facilitating early security involvement and promoting security awareness.
Security reviews and threat modeling are embedded into the product backlog via a board system that maps business scenarios to threat tags and mitigation measures, enabling automated threat modeling when product managers select relevant scenarios.
Software Composition Analysis (SCA) is integrated into CI pipelines, with triage based on vulnerability severity, presence of PoC, and internal/external application attributes, reducing noise and prioritizing critical third‑party component fixes.
Static Application Security Testing (SAST) runs in two tiers: fast regex-based scans that return within the CI feedback window, and slower data-flow and control-flow analysis that gives higher accuracy, with ongoing rule tuning to balance false positives against false negatives.
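The trade-off between the two SAST tiers is easiest to see side by side. The following is an added example, not Ctrip's code or rule set: it runs a regex pass and a small AST-based taint pass over the same constructed Python snippet. The regex flags every textual occurrence of a command-execution sink, including a call with a constant argument; the data-flow pass only reports the sink when a value derived from a request parameter reaches it. The source and sink lists (`request.args.get`, `os.system`, and so on) are assumptions chosen for the example.

```python
"""Added example (not Ctrip's code): two SAST passes over one constructed
snippet. The fast pass is a regex over source text; the slower pass walks the
AST and reports a sink only when a tainted value can reach its arguments."""
import ast
import re

# Constructed sample under test: one constant sink call, one tainted sink call.
SAMPLE = '''
import os
import subprocess
from flask import request

def run_report():
    # constant argument: not attacker-controlled
    os.system("generate_report --daily")

def run_user_cmd():
    host = request.args.get("host")
    cmd = "ping -c 1 " + host
    os.system(cmd)
'''

# Attacker-controlled sources and command-execution sinks. Both lists are
# assumptions for this example, not a production rule set.
SOURCES = {"request.args.get", "request.form.get"}
SINKS = {"os.system", "subprocess.call"}

SINK_REGEX = re.compile(r"\b(os\.system|subprocess\.call)\s*\(")


def regex_scan(src):
    """Fast CI pass: every line that textually contains a sink call (1-based)."""
    return [i for i, line in enumerate(src.splitlines(), 1) if SINK_REGEX.search(line)]


def _dotted(node):
    """Render a call target such as request.args.get as a dotted string."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def _is_tainted(expr, tainted):
    """True if expr reads a source directly or a variable already marked tainted."""
    if isinstance(expr, ast.Name):
        return expr.id in tainted
    if isinstance(expr, ast.Call):
        return _dotted(expr.func) in SOURCES or any(_is_tainted(a, tainted) for a in expr.args)
    if isinstance(expr, ast.BinOp):
        return _is_tainted(expr.left, tainted) or _is_tainted(expr.right, tainted)
    if isinstance(expr, ast.JoinedStr):
        return any(_is_tainted(v.value, tainted)
                   for v in expr.values if isinstance(v, ast.FormattedValue))
    return False


def dataflow_scan(src):
    """Slower pass: per function, propagate taint through assignments in
    statement order and report a sink only when an argument is tainted."""
    findings = []
    tree = ast.parse(src)
    for func in [n for n in ast.walk(tree) if isinstance(n, ast.FunctionDef)]:
        tainted = set()
        for stmt in func.body:
            for node in ast.walk(stmt):
                if isinstance(node, ast.Assign) and _is_tainted(node.value, tainted):
                    tainted.update(t.id for t in node.targets if isinstance(t, ast.Name))
                if isinstance(node, ast.Call) and _dotted(node.func) in SINKS:
                    if any(_is_tainted(a, tainted) for a in node.args):
                        findings.append(node.lineno)
    return findings
```

On the sample, `regex_scan` returns both sink lines while `dataflow_scan` returns only the one fed from `request.args.get`. The flip side is that the taint pass is blind to anything its propagation rules do not model (dynamic attribute access, flows across functions), which is why the two tiers are run together rather than one replacing the other.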
IAST and DAST are combined in a distributed architecture: agents instrument the applications running in Docker containers to capture runtime traffic, which is streamed via Kafka to a central service that de-duplicates the captured requests and triggers active scanning on the unique ones, achieving high coverage with a low false-positive rate.
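The de-duplication step is what keeps the active scanner from re-testing the same endpoint thousands of times a day. As an added example (not Ctrip's code), the block below fingerprints captured requests by method, host, route shape and parameter names, never parameter values, so `/orders/1001?lang=en` and `/orders/2002?lang=zh` collapse into one scan target while a request that introduces a new parameter name does not. The record layout, the lowercase `content-type` header key and the sample traffic are all constructed assumptions standing in for whatever the agents actually publish to Kafka.

```python
"""Added example (not Ctrip's code): de-duplicating runtime traffic records on
the central side before queuing them for active scanning. Record fields and
sample traffic are assumptions, not the agent's real wire format."""
import json
import re
from urllib.parse import parse_qsl, urlsplit

# Path segments that are identifiers rather than routes: integers, UUIDs, long hex.
_ID_SEGMENT = re.compile(
    r"^(\d+|[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}"
    r"|[0-9a-fA-F]{16,})$"
)


def normalize_path(path):
    """Replace identifier-looking segments with a placeholder: /orders/1001 -> /orders/{id}."""
    return "/".join("{id}" if _ID_SEGMENT.match(seg) else seg for seg in path.split("/"))


def body_param_names(content_type, body):
    """Parameter names from a form or JSON body; values are deliberately dropped."""
    if not body:
        return ()
    if content_type.startswith("application/json"):
        try:
            data = json.loads(body)
        except ValueError:
            return ("<unparsed-json>",)
        return tuple(sorted(data)) if isinstance(data, dict) else ("<json-array>",)
    if content_type.startswith("application/x-www-form-urlencoded"):
        return tuple(sorted(k for k, _ in parse_qsl(body, keep_blank_values=True)))
    return (content_type.split(";")[0],)  # opaque body: key on media type only


def fingerprint(rec):
    """Scan-target identity: method + host + route shape + parameter names."""
    parts = urlsplit(rec["url"])
    query_names = tuple(sorted(k for k, _ in parse_qsl(parts.query, keep_blank_values=True)))
    ctype = rec.get("headers", {}).get("content-type", "")  # assumed lowercase header keys
    return (rec["method"].upper(), parts.netloc, normalize_path(parts.path),
            query_names, body_param_names(ctype, rec.get("body", "")))


class ScanQueue:
    """Consumer-side state: one representative request per fingerprint."""

    def __init__(self):
        self.seen = {}

    def offer(self, rec):
        """Queue rec and return True if it is a new scan target, else False."""
        fp = fingerprint(rec)
        if fp in self.seen:
            return False
        self.seen[fp] = rec
        return True


# Constructed traffic, shaped like what an agent might emit from a container.
TRAFFIC = [
    {"method": "GET", "url": "http://api.internal/orders/1001?lang=en", "headers": {}},
    {"method": "GET", "url": "http://api.internal/orders/2002?lang=zh", "headers": {}},
    {"method": "GET", "url": "http://api.internal/orders/2002?lang=zh&debug=1", "headers": {}},
    {"method": "POST", "url": "http://api.internal/login",
     "headers": {"content-type": "application/json"}, "body": '{"user":"a","pass":"b"}'},
    {"method": "POST", "url": "http://api.internal/login",
     "headers": {"content-type": "application/json"}, "body": '{"pass":"x","user":"y"}'},
    {"method": "POST", "url": "http://api.internal/login",
     "headers": {"content-type": "application/json"}, "body": '{"user":"a","pass":"b","otp":"1"}'},
]


def dedupe(records):
    """Return only the records that open a new scan target, in arrival order."""
    queue = ScanQueue()
    return [r for r in records if queue.offer(r)]
```

Of the six constructed records, four survive: the second `/orders/{id}` request and the second login with the same JSON keys are dropped, while `debug=1` and the extra `otp` field each open a new target because they change the attack surface. In a real consumer the `seen` map would need an eviction policy (time-based, or keyed to the application build) so that a changed endpoint is eventually rescanned.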
A self‑developed vulnerability management platform tracks the entire lifecycle from discovery to remediation, providing statistics, root‑cause analysis, and post‑mortems to continuously improve detection capabilities.
Overall, Ctrip processes around 30,000 SAST/SCA tasks weekly, conducts roughly 100 security reviews, and reports a 100% closure rate on the vulnerabilities it tracks, demonstrating that embedding security into CI/CD through automation and close collaboration reduces development friction while enhancing protection.
The article concludes with a recruitment notice inviting experienced security engineers to join Ctrip's Information Security team, outlining responsibilities and requirements.
Ctrip Technology
Official Ctrip Technology account, sharing and discussing growth.