DevOps is a set of practices that combines

software development Software development is the process of conceiving, specifying, designing, programming, documenting, testing, and bug fixing involved in creating and maintaining applications, frameworks, or other software components. Software development invo ...

(''Dev'') and IT operations (''Ops''). It aims to shorten the systems development life cycle and provide

continuous delivery Continuous delivery (CD) is a software engineering approach in which teams produce software in short cycles, ensuring that the software can be reliably released at any time and, following a pipeline through a "production-like environment", witho ...

with high

software quality In the context of software engineering, software quality refers to two related but distinct notions: * Software functional quality reflects how well it complies with or conforms to a given design, based on functional requirements or specificatio ...

. DevOps is complementary to

agile software development In software development, agile (sometimes written Agile) practices include requirements discovery and solutions improvement through the collaborative effort of self-organizing and cross-functional teams with their customer(s)/ end user(s), ...

; several DevOps aspects came from the ''agile'' way of working.

Definition

Other than it being a cross-functional combination (and a

portmanteau A portmanteau word, or portmanteau (, ) is a blend of wordsLen Bass, Ingo Weber, and Liming Zhu—three computer science researchers from the

CSIRO The Commonwealth Scientific and Industrial Research Organisation (CSIRO) is an Australian Government agency responsible for scientific research. CSIRO works with leading organisations around the world. From its headquarters in Canberra, CSIRO ...

and the

Software Engineering Institute The Software Engineering Institute (SEI) is an American research and development center headquartered in Pittsburgh, Pennsylvania. Its activities cover cybersecurity, software assurance, software engineering and acquisition, and component capabi ...

—suggested defining DevOps as "a set of practices intended to reduce the time between committing a change to a system and the change being placed into normal production, while ensuring high quality". However, the term is used in multiple contexts. At its most successful, DevOps is a combination of specific practices, culture change, and tools.

History

In 1993 the Telecommunications Information Networking Architecture Consortium ( TINA-C) defined a Model of a Service Lifecycle that combined software development with (telecom) service operations. In 2009, the first conference named devopsdays was held in

Ghent Ghent ( nl, Gent ; french: Gand ; traditional English: Gaunt) is a city and a municipality in the Flemish Region of Belgium. It is the capital and largest city of the East Flanders province, and the third largest in the country, exceeded i ...

Belgium Belgium, ; french: Belgique ; german: Belgien officially the Kingdom of Belgium, is a country in Northwestern Europe. The country is bordered by the Netherlands to the north, Germany to the east, Luxembourg to the southeast, France to ...

. The conference was founded by Belgian consultant, project manager and agile practitioner Patrick Debois. The conference has now spread to other countries. In 2012, the State of DevOps report was conceived and launched by Alanna Brown at Puppet. As of 2014, the annual State of DevOps report was published by Nicole Forsgren, Gene Kim, Jez Humble and others. They stated that the adoption of DevOps was accelerating. Also in 2014, Lisa Crispin and Janet Gregory wrote the book More Agile Testing, containing a chapter on testing and DevOps. In 2016 the DORA metrics for throughput (deployment frequency, lead time for changes), and stability (mean time to recover, change failure rate) were published in the State of DevOps report.

Relationship to other approaches

Many of the ideas fundamental to DevOps practices are inspired by, or mirror, other well known practices such as Lean and Deming's Plan-Do-Check-Act cycle, through to The Toyota Way and the Agile approach of breaking down components and batch sizes. Contrary to the "top-down" proscriptive approach and rigid framework of

ITIL The Information Technology Infrastructure Library (ITIL) is a set of detailed practices for IT activities such as IT service management (ITSM) and IT asset management (ITAM) that focus on aligning IT services with the needs of business. ITIL de ...

in the 1990s, DevOps is "bottom-up" and a flexible practice, created by software engineers, with software engineer needs in mind.

Agile

The motivations for what has become modern DevOps and several standard DevOps practices such as automated build and test, continuous integration, and

originated in the Agile world, which dates (informally) to the 1990s, and formally to 2001. Agile development teams using methods such as extreme programming couldn't "satisfy the customer through early and continuous delivery of valuable software" unless they subsumed the operations / infrastructure responsibilities associated with their applications, many of which they automated. Because Scrum emerged as the dominant Agile framework in the early 2000s and it omitted the engineering practices that were part of many Agile teams, the movement to automate operations / infrastructure functions splintered from Agile and expanded into what has become modern DevOps. Today, DevOps focuses on the deployment of developed software, whether it is developed using Agile oriented methodologies or other methodologies.

ArchOps

ArchOps presents an extension for DevOps practice, starting from

software architecture Software architecture is the fundamental structure of a software system and the discipline of creating such structures and systems. Each structure comprises software elements, relations among them, and properties of both elements and relations. ...

artifacts, instead of source code, for operation deployment. ArchOps states that architectural models are first-class entities in software development, deployment, and operations.

CI/CD

Automation is a core principle for achieving DevOps success and CI/CD is a critical component. Plus, improved collaboration and communication between and within teams helps achieve faster time to market, with reduced risks.

Site-reliability engineering

In 2003,

Google Google LLC () is an American Multinational corporation, multinational technology company focusing on Search Engine, search engine technology, online advertising, cloud computing, software, computer software, quantum computing, e-commerce, ar ...

developed site reliability engineering (SRE), an approach for releasing new features continuously into large-scale high-availability systems while maintaining high-quality end-user experience. While SRE predates the development of DevOps, they are generally viewed as being related to each other.

Toyota production system, lean thinking, kaizen

Toyota production system, also known under the acronym TPS, was the inspiration for

lean thinking Lean thinking is a management framework made up of a philosophy, practices and principles which aim to help practitioners improve efficiency and the quality of work. Lean thinking encourages whole organisation participation. The goal is to organis ...

with its focus on

continuous improvement A continual improvement process, also often called a continuous improvement process (abbreviated as CIP or CI), is an ongoing effort to improve products, services, or processes. These efforts can seek " incremental" improvement over time or "breakt ...

kaizen is concept referring to business activities that continuously improve all functions and involve all employees from the CEO to the assembly line workers. ''Kaizen'' also applies to processes, such as purchasing and logistics, that cross orga ...

, flow and small batches. The andon cord principle to create fast feedback, swarm and solve problems stems from TPS.

DevSecOps, shifting security left

DevSecOps is an augmentation of DevOps to allow for security practices to be integrated into the DevOps approach. Contrary to a traditional centralized security team model, each delivery team is empowered to factor in the correct security controls into their software delivery. Security practices and testing are performed earlier in the development lifecycle, hence the term "shift left" can be used. Security is tested in three main areas: static, software composition, and dynamic. Checking the code statically via

static application security testing Static application security testing (SAST) is used to secure software by reviewing the source code of the software to identify sources of vulnerabilities. Although the process of statically analyzing the source code has existed as long as computers ...

(SAST) is white-box testing with special focus on security. Depending on the programming language, different tools are needed to do such static code analysis. The software composition is analyzed, especially libraries and their versions are checked against vulnerability lists published by CERT and other expert groups. When giving software to clients, licenses and its match to the one of the software distributed are in focus, especially

copyleft Copyleft is the legal technique of granting certain freedoms over copies of copyrighted works with the requirement that the same rights be preserved in derivative works. In this sense, ''freedoms'' refers to the use of the work for any purpose ...

licenses. Dynamic testing is also called black-box testing. The software is tested without knowing its inner functions. In DevSecOps it is on one hand called dynamically (DAST), or penetration testing. The goal is to catch, amongst others, errors like

cross-site scripting Cross-site scripting (XSS) is a type of security vulnerability that can be found in some web applications. XSS attacks enable attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability m ...

, or

SQL injection In computing, SQL injection is a code injection technique used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker). SQL in ...

early. Threat types are for example published by the open web application security project, e.g. its TOP10. On the other hand, especially with

microservices A microservice architecture – a variant of the service-oriented architecture structural style – is an architectural pattern that arranges an application as a collection of loosely-coupled, fine-grained services, communicating through lightwe ...

interactive application testing (IAST) is helpful to check which code is executed when running automated functional tests, the focus is to detect vulnerabilities within the applications. Contrary to SAST and DAST, IAST works inside the application. DevSecOps has also been described as a cultural shift involving a holistic approach to producing secure software by integrating security education, secure by design, and security automation.

Cultural change

DevOps initiatives can create cultural changes in companies by transforming the way operations, developers, and testers collaborate during the development and delivery processes. Getting these groups to work cohesively is a critical challenge in enterprise DevOps adoption. DevOps is as much about culture, as it is about the toolchain.

Microservices

Although in principle it is possible to practice DevOps with any architectural style, the

architectural style is becoming the standard for building continuously deployed systems. Small size service allows the architecture of an individual service to emerge through continuous refactoring.

DevOps automation

It also supports consistency, reliability, and efficiency within the organization, and is usually enabled by a shared code repository or version control. As DevOps researcher Ravi Teja Yarlagadda hypothesizes, "Through DevOps, there is an assumption that all functions can be carried out, controlled, and managed in a central place using a simple code."

Automation with version control

Many organizations use version control to power DevOps automation technologies like virtual machines, containerization (or OS-level virtualization), and

CI/CD In software engineering, CI/CD or CICD is the combined practices of continuous integration (CI) and (more often) continuous delivery or (less often) continuous deployment (CD). Comparison * Continuous integration: Frequent merging of sever ...

. The paper "DevOps: development of a toolchain in the banking domain" notes that with teams of developers working on the same project, "All developers need to make changes to the same codebase and sometimes edit even the same files. For efficient working, there has to be a system that helps engineers avoid conflicts and retain the codebase history," with the Git version control system and the GitHub platform referenced as examples.

GitOps

GitOps evolved from DevOps. The specific state of deployment configuration is version-controlled. Because the most popular version-control is

Git Git () is a distributed version control system: tracking changes in any set of files, usually used for coordinating work among programmers collaboratively developing source code during software development. Its goals include speed, data in ...

, GitOps approach has been named after

. Changes to configuration can be managed using

code review Code review (sometimes referred to as peer review) is a software quality assurance activity in which one or several people check a program mainly by viewing and reading parts of its source code, and they do so after implementation or as an inter ...

practices, and can be rolled back using version-controlling.