Information Security 12 min read

OPPO’s DevSecOps Practice: Embedding Security and Privacy Across the Development Lifecycle

OPPO’s security team outlines its DevSecOps transformation, detailing how security and privacy activities are embedded across product lifecycles—from requirement reviews and automated CI/CD scans to comprehensive protection layers, cultural initiatives, external collaborations, and continuous improvement to meet global compliance challenges.


OPPO’s Security Emergency Response Center and Ziwu Lab present a comprehensive overview of OPPO’s DevSecOps practice, illustrating the transition from traditional SDL to a security‑by‑design development model.

Security and privacy activities are integrated into every stage of the product lifecycle, including requirement reviews, architecture design, coding, testing, release, and operation. Key checkpoints such as privacy compliance review during the requirement phase and security & privacy testing before release form the backbone of the process.

The team built an IT support system that embeds security gates into the CI/CD pipeline: static source code analysis (SAST), backend dynamic testing (IAST), open‑source component analysis (SCA), Android app static and dynamic security & privacy scans, and SDK feature scanning. These checks run automatically during build, test, and deployment phases, and the pipeline is configurable for future extensions.

Automation capabilities cover static code scanning, IAST, SCA, Android app security & privacy scanning, and SDK feature detection, reducing manual effort and aligning with DevOps speed.
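As an added illustration of the gating idea in the two paragraphs above (this is not OPPO's code; the scanner names, the phase-to-scanner mapping, the severity thresholds and the finding format are all assumptions), a small gate evaluator that decides per pipeline phase whether collected scanner findings block the build:

```python
"""Illustrative CI/CD security gate evaluator (assumption-based, not OPPO's code).

Each pipeline phase is wired to a configurable set of scanners; the gate blocks
the phase when any finding from those scanners reaches the phase's threshold.
Adding a scanner is a one-line change to PHASE_SCANNERS, mirroring the
"configurable for future extensions" point in the text.
"""
from dataclasses import dataclass, field

SEVERITY = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Assumed mapping of scanners to phases, modelled on the article's list.
PHASE_SCANNERS = {
    "build": ["sast", "sca"],
    "test": ["iast", "android_static", "android_dynamic"],
    "deploy": ["sdk_feature"],
}

# Assumed blocking thresholds; the release gate is the strictest.
BLOCK_AT = {"build": "high", "test": "high", "deploy": "medium"}


@dataclass
class Finding:
    scanner: str    # which scanner produced it (name is an assumption)
    severity: str   # one of SEVERITY's keys
    rule: str       # scanner rule id
    location: str   # file, dependency or binary the finding points at


@dataclass
class GateResult:
    phase: str
    passed: bool
    blocking: list = field(default_factory=list)


def evaluate_gate(phase, findings, phase_scanners=PHASE_SCANNERS, block_at=BLOCK_AT):
    """Return a GateResult for `phase`, considering only scanners wired to it."""
    if phase not in phase_scanners:
        raise ValueError(f"unknown phase: {phase}")
    threshold = SEVERITY[block_at[phase]]
    relevant = [f for f in findings if f.scanner in phase_scanners[phase]]
    blocking = [f for f in relevant if SEVERITY[f.severity] >= threshold]
    return GateResult(phase, not blocking, blocking)


# Constructed sample findings, standing in for parsed scanner reports.
SAMPLE_FINDINGS = [
    Finding("sast", "high", "sql-injection", "src/UserDao.java:42"),
    Finding("sca", "critical", "vulnerable-dependency", "example-lib:1.2.3"),
    Finding("android_static", "medium", "exported-component", "AndroidManifest.xml"),
    Finding("sdk_feature", "medium", "undeclared-location-access", "libexample-sdk.so"),
]

if __name__ == "__main__":
    for phase in PHASE_SCANNERS:
        r = evaluate_gate(phase, SAMPLE_FINDINGS)
        print(phase, "PASS" if r.passed else "BLOCK", [f.rule for f in r.blocking])
```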

OPPO also provides multi‑layered basic security protection services: host‑level intrusion detection and situational awareness, network‑level security gateways, traffic detection, dynamic firewalls, DDoS protection, and application‑level key management, risk control, captcha, and security components.

Security culture is fostered through a company‑wide security & privacy committee, a security representative system, embedding security principles into product philosophy, regular training, and knowledge sharing.

External cooperation includes the OPPO Security Response Center, collaborations with vulnerability platforms, academia, security vendors, participation in certifications (ISO/IEC 27001, 27018, 27701, etc.), and contributions to security conferences and CVE disclosures.

Future directions focus on enhancing automation, adopting default‑secure infrastructure, and continuously strengthening security culture to meet challenges posed by cloud computing, big data, and AI.

Tags: CI/CD, Security Automation, DevSecOps, OPPO, privacy compliance
Written by

DevOps

Share premium content and events on trends, applications, and practices in development efficiency, AI and related technologies. The IDCF International DevOps Coach Federation trains end‑to‑end development‑efficiency talent, linking high‑performance organizations and individuals to achieve excellence.
