eSurfing Cloud Passes the DevSecOps Maturity Model with Three Records Broken
2023-1-18
The 19th GOPS was held in Shanghai on 28 October. Mr Wei Kai, vice president of the Cloud Computing and Big Data Research Institute of the China Academy of Information and Communication Technology, announced the result in “The Capability Maturity Model of DevOps-Part 6: Security Risk Management”. We are proud that eSurfing Cloud has passed the assessment of Maturity Level 1+. More importantly, China Telecom has become the first cloud service provider and operator within the industry to pass the assessments in terms of security development, security operation, and secure delivery at the same time. This marks a huge success and demonstrates that our security development, product development, and efficiency are taking the lead in the industry.
The standard of “The Capability Maturity Model of DevOps” is led by the China Academy of Information and Communication Technology, and jointly developed by the leading companies from the internet, finance and communication industries in China. These include OpenSource Cloud Alliance for Industry (OSCAR), GreatOPS Community, Baidu, Alibaba, Tencent and JD.com (BATJ). It is one of the most comprehensive, authoritative, and industry-leading DevOps standards. DevSecOps is a security development framework based on DevOps, and it empowers the R&D team to deliver effective and safe business value by integrating each software delivery process with a series of security control measures.
The assessment of the Security Risk Management Maturity Model of DevSecOps evaluates the product from 4 key aspects, 15 sub-aspects and more than 90 additional minor aspects. eSurfing Cloud has passed the assessment through on-site interview, presentation and expert reviews.
eSurfing Cloud DevSecOps delivers a comprehensive security infrastructure and an integrated security management system across the development, delivery, and operation stages. It mainly demonstrates (1) the Design Stage, which develops security needs integrated with security requirements and policies, identifies potential risks and threats through the Threat Modeling Tool, and ensures product compliance; (2) the Test and Development Stage, which scans coding specifications and open source components with different security scanning tools such as SAST and SCA, sets up quality access control to ensure product security during the delivery stage, and builds a DAST tool with specific test cases and composition to verify the security of applications from multiple directions; (3) the Launch Stage, which sets up a specific security checkpoint to audit relevant material and deliver closed-loop management of security control; and (4) the Operation Stage, which sets up a perfect monitoring and warning system to detect security issues in advance and fix them in an effective way.
Through the DevSecOps standard assessment, eSurfing Cloud has improved its core security capability, security management capability, and basic platform capability. Our security system has been recognised by the DevSecOps industry, which marks a significant milestone. We are continuously developing a comprehensive life cycle with security needs, security design, security development, security test, and launch stages. eSurfing Cloud is committed to providing the best security development management and to becoming a trusted security cloud.
Moving forwards, eSurfing Cloud will take DevSecOps as the core value of security quality and apply it to the four main areas of application security, internet security, data security, and cloud native security, covering products such as edge cloud to better serve our enterprise customers.