How Zhongyuan Bank Achieved Advanced DevSecOps Maturity: A Success Story
Zhongyuan Bank’s personal mobile banking project passed the national DevSecOps security and risk management assessment, showcasing how standardized DevOps practices, a dedicated security platform, and cultural, procedural, and technical integration can elevate a financial institution’s development lifecycle to an advanced, industry‑leading level.
The experience of many enterprises shows that standardization and tool empowerment are key to the success of technology companies. Standards, as collections of best practices, bring each step closer to the goal, and embedding standards in tools lets DevOps focus on people, processes, and products, achieving continuous success and positive feedback.
On December 24, 2021, the 2021 GOLF+ IT New Governance Leadership Forum was held online to improve corporate IT governance and promote industry experience sharing. The forum announced the first official assessment results of DevOps capability maturity in security and risk management.
Assessment Result: Zhongyuan Bank’s personal mobile banking project participated in the CAICT "Research and Development Operations Integration (DevOps) Capability Maturity Model" security and risk management (DevSecOps) Level‑2 assessment, indicating that its security development capability has reached an advanced domestic level.
Interview Highlights
Q: Please introduce your bank and the project involved in the assessment.
Zhongyuan Bank, founded in 2014, is the only provincial commercial bank in Henan with full‑province branch coverage. Its personal mobile banking app offers account management, payments, investment, credit card, loan, and lifestyle services, serving customers through a mobile platform.
Q: How did you feel about passing the DevSecOps Level‑2 assessment?
The team expressed great satisfaction, noting that the achievement marks a milestone and confirms that their DevSecOps practice meets advanced national standards.
Q: Why did the bank decide to participate in the DevSecOps assessment?
The bank has been building a full‑lifecycle security management system since 2017, developing a security technology service platform, and integrating security controls into agile delivery to enable efficient, safe delivery of business value.
Q: What benefits has the assessment brought?
It provided a benchmark against industry best practices, helped standardize and professionalize the DevSecOps capability, and laid a solid foundation for scaling DevSecOps across the organization.
Q: How does the bank implement DevSecOps in culture, process, and technology?
Culturally, the security team conducts regular training and promotes DevSecOps awareness. Technologically, the bank uses a security service platform with interactive requirement tools, lightweight threat modeling, source‑code scanning, and automated security testing. Process‑wise, the platform integrates security requirements, tools, penetration testing, and vulnerability management into the DevOps pipeline.
The personal mobile banking system faces challenges such as frequent feature updates across hundreds of scenarios and external threats like fraud and hacking, requiring continuous, efficient security controls.
Looking ahead, the bank plans to promote its DevSecOps experience to other technology projects, pursue higher maturity levels, and advance security practices toward deeper standardization, tool integration, automation, and metric‑driven evolution.
The "Research and Development Operations Integration (DevOps) Capability Maturity Model" series, led by CAICT with contributions from major internet, telecom, and financial enterprises, is the first comprehensive DevOps standard in China and has been adopted by many leading companies. It covers agile development management, continuous delivery, technical operations, application design, security and risk management, and system/tool evaluation.
Efficient Ops
This public account is maintained by Xiaotianguo and friends, regularly publishing widely-read original technical articles. We focus on operations transformation and accompany you throughout your operations career, growing together happily.