How GuoXin Securities Achieved Advanced DevSecOps Maturity in Its GoldSun App

GuoXin Securities' GoldSun platform passed the CAICT DevSecOps Level‑2 security and risk management assessment, showcasing how standardization, tool empowerment, and a collaborative DevOps culture can elevate a financial app's security posture to an advanced domestic level.

Efficient Ops

Standardization and tool empowerment are key to success in technology companies. Standards gather best practices, and embedding them in tools guides DevOps work across people, processes, and products, creating a collaborative culture that reduces production risk.

On December 24, the China Academy of Information and Communications Technology (CAICT) launched the 2021 GOLF+ IT New Governance Leadership Forum, discussing new governance ecosystems and XOPS innovation.

During the forum, GuoXin Securities announced that its GoldSun Information Platform passed the CAICT's DevOps Capability Maturity security and risk management (DevSecOps) Level‑2 assessment, indicating advanced domestic security operation capability.

Interview with Yang Yang, General Manager of System Operations, GuoXin Securities

Q: Please introduce your company and the evaluated project.

Yang Yang explained that GuoXin Securities, founded in Shenzhen, has become a leading nationwide securities firm. The GoldSun app is a self‑developed, one‑stop financial investment platform serving over 16 million registered users and 7 million securities customers, handling more than 50% of transaction orders.

Q: How does passing the DevSecOps Level‑2 assessment feel?

He noted that the assessment validates their security operations improvements, including a security platform, intelligent security operations, and a complete monitoring and response system, moving toward automated, standardized risk management.

Q: Why did you decide to participate in the DevSecOps assessment?

GuoXin Securities seeks to strengthen information security, align with agile delivery, and use the authoritative assessment to benchmark and improve its risk management capabilities.

Q: What challenges does the GoldSun app face in daily security risk management?

There are three main challenges: a massive user base with critical financial transactions that require continuous, robust protection; diverse business scenarios that demand extensive threat modeling; and rapid iteration cycles that pressure security tools to deliver comprehensive, fast, and accurate detection.

Q: What difficulties did you encounter preparing for the assessment?

Preparation began in August, with only three months before review, compounded by remote collaboration challenges due to the pandemic. A dedicated project team carried out gap analysis and task decomposition, and development and operations cooperated closely to meet the deadline.

Q: What are the next steps for DevSecOps implementation?

The company plans to promote DevSecOps practices, expand systematic construction to other applications, and strive for higher maturity levels.

The DevOps Capability Maturity Model, jointly developed by CAICT, industry alliances, and leading internet companies, is the first comprehensive DevOps standard in China and has been recognized as an international standard by ITU‑T.

DevOps assessment scene