Imagine a world where product owners, Development, QA, IT Operations, and Infosec work together, not only to help each other, but also to ensure that the overall organization succeeds. By working toward a common goal, they enable the fast flow of planned work into production, while achieving world-class stability, reliability, availability, and security. [1]

—The DevOps Handbook

DevOps


Note: This is the home page for the three-part SAFe DevOps series. This article is the first in the series which introduces the foundational DevOps concepts. The following links provide access to the next articles in the series: A CALMR Approach to DevOps and SAFe’s DevOps Practice Domains.


Ready to start training?

Use our finder to explore current offerings or learn more about a specific course

DevOps is a mindset, culture, and set of technical practices that supports the integration, automation, and collaboration needed to effectively develop and operate a solution.

DevOps is part of the Agile Product Delivery competency and is a combination of two words: development and operations. Without DevOps, there is often significant tension between those who build Solutions and those who support and maintain them. DevOps helps break down organizational silos and develop a Continuous Delivery Pipeline (CDP)— a high-performance innovation engine capable of delivering market-leading solutions at the speed of business.

Figure 1. The Continuous Delivery Pipeline
Figure 1. The Continuous Delivery Pipeline

The goal of DevOps is simple, to deliver value whenever there is a business need. Indeed, teams that successfully adopt DevOps, on average: deploy 208 times more frequently, 106 times faster, experience seven times fewer failures, and recover from incidents 2,604 times faster than low-performing teams. [2]

DevSecOps

DevSecOps is a term that emphasizes the importance of proper information security practices in the pursuit of continuous delivery. Because the origins of DevOps did not explicitly include security as a top-level concern (as it did for development and operations), DevSecOps has emerged as a popular term that avoids any risk of security being an afterthought.

The security community has evolved DevOps thinking beyond its development and operations roots. The State of DevOps Report—the world’s longest-running and most widely cited DevOps research project—has revealed that an organization’s security improves when it’s wholly integrated into the Value Stream. [3] In one of the most-read DevSecOps articles on the Internet, RedHat reminds us that “outdated security practices can undo even the most efficient DevOps initiatives.” [4]

The top ten list of software vulnerabilities from the Open Web Application Security Project (OWASP) foundation has become one of the most relied-on tools for fostering collaboration between development, operations, and security teams. [5]

The US Air Force pioneered the DevSecOps Platform (DSOP) initiative, demonstrating that combining advanced DevOps and security practices can provide some of the most highly regulated organizations in the world with ‘plug and play’ software factories and radically streamlined delivery processes.

Thanks to these contributions, security has become deeply ingrained in DevOps culture. As a result, DevOps and DevSecOps have come to mean the same concept for all practical purposes. Each implies a set of blended practices from multiple domains—development, operations, security, infrastructure, architecture, and so on throughout the value stream—that work together to enable collaboration, speed, quality, and safety.

Figure 2. Security is built into DevOps in SAFe
Figure 2. Security is built into DevOps in SAFe

SAFe carries this sentiment forward, treating security as a primary concern. In SAFe, to say “DevOps” means “DevSecOps.” Protecting customers, employees, citizens, soldiers, families, and businesses is not something we choose to do or not do in DevOps. It is simply in our DNA. As such, modern security practices shine through in many areas of SAFe, including the Big Picture, Framework guidance, courseware, assessments, Extended SAFe Guidance articles, and more.

These are just a few examples of how the DevSecOps movement has lifted DevOps to new standards of excellence.

Agile Release Trains (ARTs) are the primary value delivery construct in SAFe. Each ART has all the skills necessary to build and release the solution, including those responsible for Security, Compliance, Quality Assurance (QA), Testing, and Verification and Validation (V&V). Each increment the ARTs builds assesses the viability of the current solution and its progress toward security, quality, and compliance, providing early feedback on the system’s ultimate fitness for use. Second, specifications are created early and evolve in small batches, with faster feedback on decisions and the opportunity for continuous review and assessment. ARTs cannot implement security through inspection; it must be built into the solution during each iteration. Security testing should shift left to prevent vulnerabilities and be automated to increase the speed and accuracy of compliance.

Details

DevOps makes continuous delivery possible. Indeed, enterprises wishing to deliver value to customers and stakeholders continually should master the DevOps mindset and technical practices. These skills are critical in this era of constant digital disruption and innovation. Achieving continuous delivery, however, at scale, is not easy. SAFe’s approach to DevOps helps enterprises navigate these complexities.

A Paradigm Shift

IT organizations worldwide are troubled by a core, chronic conflict: technology delivery processes rely on teams with seemingly opposing goals and incentives. [1] Agile Teams deliver changes quickly to keep pace with business needs. Operations regulate the flow of changes to maintain the stability of solutions that run the business. Security teams institute policies to prevent changes from introducing vulnerabilities that can cause data breaches.

Keeping pace requires a new delivery system —a ‘software factory’ —which aligns teams and increases delivery speed while simultaneously increasing solution quality, security, and stability. Only then can the needs of customers and teams be predictably and effectively met.


Note: ‘Software factory’ is an increasingly popular term for this new delivery system. In his SAFe Community Contributions article, Peter Vollmer, Distinguished Technologist at Micro Focus, describes a software factory as “standardized tooling and engineering services” that supports and enhances [the value stream].” [6]


These software factories are integrated sets of tooling, services, data, and processes that help move products through the plan, build, test, and release cycles. [7] The US Department of Defense (DoD) maintains a growing ecosystem of software factories, leveraging a common DevSecOps Platform (DSOP) to rapidly deliver specialized digital products and services. [8] Regardless of the term used to describe the system, enterprises leverage DevOps to achieve this level of sophistication in their value streams.

Unfortunately, most IT organizations do not natively support this kind of system. Their processes and policies are optimized to prevent frequent changes to production systems, not enable them. Therefore, a paradigm shift is needed. Just as Agile represents a paradigm shift in how we work, DevOps represents a similar shift in how we build. Leveraging DevOps to usher in a new way of building digitally-enabled solutions is the key to transforming outdated development life cycles into CDPs.

Continuous Learning and Experimentation

CDPs are the result of applying DevOps effectively to value streams. And value streams need to behave differently than they did in the old model because today’s technology delivery objectives differ.

Enterprises must release features faster than ever to remain relevant in their markets. But out-deploying the competition is not the goal. Out-learning them is. And that learning comes from understanding the new functionality’s value in the market. Since features have no value until released, enterprises must constantly build, measure, and learn to evolve digital solutions that quickly attract and retain customers. Figure 3 shows that SAFe’s CDP operates as a closed-loop system that fosters rapid, low-risk experimentation and continuous learning about customers’ needs, habits, and preferences.

Figure 3. The CDP as a Continuous Learning Loop
Figure 3. The CDP as a Continuous Learning Loop

This relentless learning and experimentation engine is starkly different than traditional delivery processes. Enabling it requires a different mindset, skills, and tools across the entire value stream. Large batches, siloed teams, handoffs, monolithic architectures, change review boards, politics, and heroics have no place here. Instead, this new system needs to be guided by shared values, cross-functional collaboration, objective measurements, automation, and modern technical practices.

Enter DevOps.

Figure 4 illustrates how DevOps enables the CDP. It does this by supplying the mindset, practices, and tooling required to foster rapid delivery and learning at every step.

Figure 4. DevOps enables the CDP
Figure 4. DevOps enables the CDP

At its core, DevOps is a mindset that guides behavior and decision-making throughout the value stream. SAFe’s CALMR approach to DevOps embodies this mindset, is central to the figure above, and permeates all aspects of the CDP. DevOps technical skills, practices, and tooling evolve and sustain solutions directly. In SAFe,  practice domains represent this knowledge within the inner rings of the CDP model shown in Figure 4.

Measuring and Managing DevOps Maturity

Measuring DevOps performance and tracking incremental progress are essential to building a thriving DevOps culture.

The SAFe DevOps Health Radar (Figure 5) is a tool that helps ARTs and Solution Trains optimize their value stream performance. It provides a holistic DevOps health check by assessing the maturity of the CDP’s four aspects and 16 activities. The Health Radar measures baseline maturity at any point in a DevOps transformation and help guide fast incremental progress.

DevOps Health Radar

Figure 5. The SAFe DevOps Health Radar
Figure 5. The SAFe DevOps Health Radar

Download the free DevOps Health Radar assessment here.


Note for SAFe Studio Members: All the SAFe assessments, including the DevOps Health Radar, are available for SAFe Studio Members online through our partner Comparative Agility. This provides additional data collection, analysis, comparison, and trending capabilities that can be used to improve performance. Access these from the Measure and Grow SAFe Studio page.


More in the DevOps Series

Article 1: DevOps Home Page (this page)

Article 2: A CALMR Approach to DevOps

Article 3: SAFe’s DevOps Practice Domains


Learn More

[1] Kim, Gene, Jez Humble, Patrick Debois, and John Willis. The DevOps Handbook: How to Create World-Class Agility, Reliability, and Security in Technology Organizations. IT Revolution Press, 2016.

[2] Accelerate – State of DevOps 2019. https://services.google.com/fh/files/misc/state-of-devops-2019.pdf

[3] 2019 State of DevOps Report. https://puppet.com/resources/report/2019-state-of-devops-report

[4] What is DevSecOps? https://www.redhat.com/en/topics/devops/what-is-devsecops

[5] OWASP Top 10 Application Security Risks. https://owasp.org/www-project-top-ten/

[6] Accelerating Flow with DevSecOps and the Software Factory. https://www.scaledagileframework.com/accelerating-flow-with-devsecops-and-the-software-factory/

[7]  Why a Software Factory Is Key to Your DevOps Success. https://techbeacon.com/devops/why-software-factory-key-your-enterprise-devops-success

[8] U.S. Air Force Software Factories. https://software.af.mil/

Last update: 14 March 2023