Information Security 6 min read

How ICBC Secures Its Software with DevSecOps: Practical Insights

This article explains how Industrial and Commercial Bank of China integrates security into its DevOps pipeline through DevSecOps, detailing challenges, toolchain implementation, CI/CD security measures, and ongoing plans to strengthen software security in a fast‑changing financial environment.


In response to the need for secure and efficient production, DevSecOps emerged to embed security awareness into the development process. It strengthens automated security testing and makes build, test, and release faster and more reliable, which is essential for enterprises building stable technical support systems. After extensive exploration, DevOps has moved from theory into production, offering shorter release cycles and higher release frequency; its model has been widely adopted in the financial sector and provides strong information security support for ICBC's smart banking system (ECOS).

Challenges and Opportunities in Building a DevSecOps Security System

Applying DevOps and related technologies improves development efficiency and business response speed, but also introduces new security challenges and opportunities.

First, mature security automation tools must be embedded. The highly automated DevOps pipeline requires security tools to be integrated in an equally automated manner, so that the pipeline's flow is preserved rather than interrupted by manual security steps.

Second, security must be seamlessly woven throughout the entire development lifecycle. Rather than being a one‑time gate before production, security becomes part of every stage, with automated detection reducing vulnerability remediation costs and improving incident response.

ICBC’s Exploration and Achievements in DevSecOps

Following industry best practices and Microsoft's SDL (Security Development Lifecycle) model, ICBC built a security toolchain covering white‑box, black‑box, and gray‑box testing, continuously reducing the number of defects that reach release and the cost of repairing them.

The toolchain builds security checks into the CI and CD pipelines, scanning code and third‑party plugins and simulating attacks against the application to help developers discover potential vulnerabilities early. A security development support system abstracts, composes, and correlates the capabilities of these tools, maps them to security requirements, and forms a closed‑loop management process from detection through remediation.

During continuous integration, security measures such as source‑code scanning identify unsafe coding practices that could lead to data leaks, providing unified management, automated detection, and defect auditing of source code before any build artifact is produced.

In the continuous delivery stage, security measures include mobile security testing and interactive (gray‑box) testing. After the application is built and deployed to a test environment, tools perform software composition analysis together with black‑box and gray‑box testing to detect vulnerabilities in the application itself, its third‑party components, and its container base images, all without requiring a security expert to be involved. The result is transparent, automated, end‑to‑end detection with remediation guidance that is precise down to the code level.
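As an added illustration of the gate such a toolchain needs (example code written for this article, not part of ICBC's security development support system), the following Python script takes findings from the scanner categories described above, correlates findings that point at the same weakness, maps them to security requirements, and blocks the CI or CD stage when a finding reaches the configured severity. The scanner category names, the REQ-* requirement identifiers, the severity scale, the record shape, and all sample findings are constructed assumptions.

```python
"""Pipeline security gate: added example, not ICBC's toolchain code.

Correlates findings from the scanner categories the article describes
(source-code scanning in CI; software composition analysis, container-base,
black-box and gray-box testing in CD), maps each to a security requirement,
and decides whether the stage may proceed. Identifiers, severity scale and
record shape are assumptions made for this example.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Scanner categories per stage, following the article's split: CI runs on
# source; CD runs after build and deployment to a test environment.
STAGE_TOOLS = {"ci": {"sast"}, "cd": {"sca", "container", "dast", "iast"}}

# Scanner category -> requirement it evidences (REQ-* ids are placeholders).
REQUIREMENT_MAP = {
    "sast": "REQ-CODE-01: no unsafe coding practices in source",
    "sca": "REQ-DEP-01: no known-vulnerable third-party components",
    "container": "REQ-IMG-01: patched, approved container base images",
    "dast": "REQ-RUN-01: no exploitable behaviour observed at runtime",
    "iast": "REQ-RUN-01: no exploitable behaviour observed at runtime",
}


@dataclass(frozen=True)
class Finding:
    tool: str         # scanner category, a key of REQUIREMENT_MAP
    rule: str         # weakness class or rule identifier
    severity: str     # a key of SEVERITY_RANK
    location: str     # file:line, package@version, image tag or request path
    remediation: str  # code-level guidance returned to the developer


@dataclass
class GateResult:
    stage: str
    passed: bool
    blocking: List[Finding]
    correlated: Dict[str, List[Finding]]  # "rule@location" -> findings


def parse_findings(raw: List[dict]) -> List[Finding]:
    """Validate raw scanner records; unknown tools or severities are rejected
    rather than silently slipping through the gate."""
    out = []
    for r in raw:
        if r["tool"] not in REQUIREMENT_MAP:
            raise ValueError(f"unknown scanner category: {r['tool']}")
        if r["severity"] not in SEVERITY_RANK:
            raise ValueError(f"unknown severity: {r['severity']}")
        out.append(Finding(**r))
    return out


def correlate(findings: List[Finding]) -> Dict[str, List[Finding]]:
    """Group findings on the same weakness at the same location, so a flaw seen
    by both white-box and gray-box tools is tracked as one defect."""
    groups: Dict[str, List[Finding]] = defaultdict(list)
    for f in findings:
        groups[f"{f.rule}@{f.location}"].append(f)
    return dict(groups)


def evaluate_gate(stage: str, findings: List[Finding], block_at: str) -> GateResult:
    """Block the stage if any finding from that stage's scanners is at or
    above the configured severity."""
    in_stage = [f for f in findings if f.tool in STAGE_TOOLS[stage]]
    threshold = SEVERITY_RANK[block_at]
    blocking = [f for f in in_stage if SEVERITY_RANK[f.severity] >= threshold]
    return GateResult(stage, not blocking, blocking, correlate(in_stage))


def remediation_report(result: GateResult) -> Dict[str, List[str]]:
    """Map blocking findings back to the requirement they violate: the record
    the closed-loop process hands to the developer."""
    report: Dict[str, List[str]] = defaultdict(list)
    for f in result.blocking:
        report[REQUIREMENT_MAP[f.tool]].append(f"{f.location}: {f.remediation}")
    return dict(report)


# Constructed sample scanner output for one pipeline run (not real findings).
SAMPLE_RAW = [
    {"tool": "sast", "rule": "CWE-89", "severity": "high", "location": "src/account/query.py:42",
     "remediation": "use a parameterised query instead of string formatting"},
    {"tool": "sast", "rule": "CWE-798", "severity": "medium", "location": "src/config.py:10",
     "remediation": "move the credential to the secrets manager"},
    {"tool": "sca", "rule": "known-vulnerable-dependency", "severity": "high",
     "location": "log-formatter@1.2.3", "remediation": "upgrade to a patched release"},
    {"tool": "container", "rule": "unpatched-base-image", "severity": "critical",
     "location": "app-base:2023.01", "remediation": "rebuild from the current approved base image"},
    {"tool": "dast", "rule": "CWE-89", "severity": "high", "location": "/api/accounts?id=",
     "remediation": "see matching SAST finding in src/account/query.py:42"},
    {"tool": "iast", "rule": "CWE-89", "severity": "high", "location": "src/account/query.py:42",
     "remediation": "use a parameterised query instead of string formatting"},
]
SAMPLE_FINDINGS = parse_findings(SAMPLE_RAW)

if __name__ == "__main__":
    for stage in ("ci", "cd"):
        result = evaluate_gate(stage, SAMPLE_FINDINGS, block_at="high")
        print(stage, "PASS" if result.passed else "BLOCK", remediation_report(result))
```

Running the script directly evaluates both stages against the constructed findings and prints each stage's decision with its remediation report grouped by requirement. In a real pipeline the records would come from the scanners' own output, the gate would exit non-zero on a blocked stage, and correlating the SAST and IAST findings at the same location is what lets the closed loop track one defect instead of two.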

ICBC’s Ongoing Planning for a Secure Software Development System

Rapidly evolving financial services generate new business models and accompanying security issues. ICBC treats security as a key future work area, with both security and development teams continuously advancing the DevSecOps model, promoting automation, self‑service, and stronger security controls to improve the immunity of its application systems.

Tags: CI/CD, automation, information security, DevSecOps, Banking IT
Written by

Efficient Ops

This public account is maintained by Xiaotianguo and friends, regularly publishing widely-read original technical articles. We focus on operations transformation and accompany you throughout your operations career, growing together happily.
