Securing your pipes with a TACO

TACO is an acronym I use with clients to help them map controls from their software delivery pipelines to the organizational controls.

TACO stands for Traceability, Access, Compliance, and Operations.

The approach starts from a base list of 25 automatable controls; for each one, the control activity, the artifacts it produces and the SOR (system of record) are documented. After mapping how each control is handled in the pipeline, we map it to the organizational controls and identify any gaps.

This model allows for the creation of opinionated pipelines and helps create a common understanding across teams as to what is required in order to be secure.

Taking a TACO approach can be considered a part of implementing a DevSecOps program and I’ve used this approach at multiple banks. I’ve given the base talk at three conferences and multiple times to internal teams. It helps build organizational confidence in the automation of software delivery.

During the talk, I’ll run through the different categories of controls, how they are implemented, what the purpose of them is, how to create robust feedback loops for controls such as SAST and how to handle long-running processes such as DAST.

Content is fairly high level but I can dig into specifics of each given area as questions arise.

Outline/Structure of the Tutorial

  1. Introduction - 5 minutes
  2. Problem description - 10 minutes
  3. Walkthrough and examples of using TACO - 20 minutes
  4. Wrap and conclusion - 5 minutes
  5. Q&A - 5 minutes

Learning Outcome

Attendees should be able to walk away with:

  1. An approach to building more secure software delivery pipelines
  2. Ways to help ensure software delivery compliance
  3. A framework to drive good DevSecOps practices to enable the building of robust and secure systems

Target Audience

People with an interest in how to secure pipelines and meet the governance demands of highly regulated environments.

Prerequisites for Attendees

Having a base understanding of DevOps principles and tools would be valuable.

Submitted 4 months ago

Public Feedback

  • Aino Corry  ~  2 months ago

    Hi Peter, thank you for your submission. 

    Would it be possible for you to make the talk less high-level, and dive into the most important part from the beginning?

    • Peter Maddison  ~  1 month ago

      Hi Aino, 

      Yes, for sure. I gave the talk recently and changed up the format to provide examples of real-world problems we used this model to help solve and how it does that. Out of curiosity, to help me improve the content, what do you see as the most important part?

      Cheers

      Peter

      • Aino Corry  ~  1 month ago

        Hi Peter

        I am not sure, actually. Because it all sounds very important to me, so I understand why you wrote: "Content is fairly high level but I can dig into specifics of each given area as questions arise." but I think that you should dive into at least one aspect and tell people why you chose this aspect. Does that make sense?

        Aino

        • Peter Maddison  ~  1 week ago

          Hi Aino, 

          I gave this talk again last week to an IT Security meetup. Focused more on the DevSecOps components. From that, the piece I think I'd dig into most is how to integrate the security tooling such as SAST and DAST so as to create feedback loops. Especially when dealing with legacy code bases where there are often many outstanding issues to be resolved. 

          For DAST it is about how to get a dataset you can happily destroy for testing purposes. 

          Would that be a good focus point?

          Cheers

          Peter
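
The SAST feedback loop Peter describes for legacy code bases (many outstanding issues, new ones must not hide among them) is usually implemented as a ratcheting baseline: the pipeline fails only on findings that are not already in a committed baseline, and the baseline can only shrink as old debt is paid down. The following is an added example, not code from the proposal or from its author; the finding format, rule names, file paths and snippets are constructed for the demonstration, and real tools would emit SARIF or their own JSON.

```python
import hashlib
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One SAST finding. The field set is a constructed, tool-neutral shape
    (assumption for this example); real scanners emit SARIF or their own JSON."""
    rule_id: str
    path: str
    line: int
    snippet: str   # the flagged source line
    severity: str  # "high", "medium" or "low"


def fingerprint(f: Finding) -> str:
    """Stable identity for a finding: rule, file and a hash of the flagged
    line with whitespace collapsed. The line number is deliberately excluded
    so that editing code above a known issue does not make it look new."""
    normalized = " ".join(f.snippet.split())
    digest = hashlib.sha256(normalized.encode("utf-8")).hexdigest()[:16]
    return f"{f.rule_id}|{f.path}|{digest}"


def parse_findings(raw_json: str) -> list:
    return [Finding(**item) for item in json.loads(raw_json)]


def evaluate(findings, baseline, fail_on=("high",)):
    """Compare a scan against the committed baseline.

    Returns what is new, what was fixed, which new findings block the build,
    and the ratcheted baseline: only baseline items still present survive,
    fixed issues are never re-added, and new findings must be fixed (or
    consciously accepted by editing the baseline) rather than absorbed."""
    current = {fingerprint(f): f for f in findings}
    new = [f for fp, f in current.items() if fp not in baseline]
    fixed = sorted(fp for fp in baseline if fp not in current)
    blocking = [f for f in new if f.severity in fail_on]
    return {
        "new": new,
        "fixed": fixed,
        "blocking": blocking,
        "passed": not blocking,
        "next_baseline": sorted(fp for fp in current if fp in baseline),
    }


# Constructed sample data: a previous scan that seeds the baseline, and a
# current scan in which code shifted, one issue was fixed and two appeared.
PREVIOUS_SCAN = json.dumps([
    {"rule_id": "sql-injection", "path": "app/orders.py", "line": 40,
     "snippet": 'cursor.execute("SELECT * FROM orders WHERE id=" + oid)',
     "severity": "high"},
    {"rule_id": "weak-hash", "path": "app/legacy/auth.py", "line": 12,
     "snippet": "digest = hashlib.md5(password).hexdigest()",
     "severity": "medium"},
    {"rule_id": "hardcoded-secret", "path": "app/config.py", "line": 3,
     "snippet": "API_KEY = 'placeholder-not-a-real-key'",
     "severity": "high"},
])

CURRENT_SCAN = json.dumps([
    # same issue, moved 12 lines down and re-indented: must not count as new
    {"rule_id": "sql-injection", "path": "app/orders.py", "line": 52,
     "snippet": '    cursor.execute("SELECT * FROM orders WHERE id=" + oid)',
     "severity": "high"},
    {"rule_id": "hardcoded-secret", "path": "app/config.py", "line": 3,
     "snippet": "API_KEY = 'placeholder-not-a-real-key'",
     "severity": "high"},
    # genuinely new, high severity: blocks the build
    {"rule_id": "path-traversal", "path": "app/files.py", "line": 88,
     "snippet": "return open(os.path.join(base_dir, user_path)).read()",
     "severity": "high"},
    # genuinely new, low severity: reported but does not block
    {"rule_id": "debug-enabled", "path": "app/settings.py", "line": 9,
     "snippet": "DEBUG = True",
     "severity": "low"},
])


def run_example():
    """Seed the baseline from the previous scan and gate the current one."""
    baseline = {fingerprint(f) for f in parse_findings(PREVIOUS_SCAN)}
    return evaluate(parse_findings(CURRENT_SCAN), baseline)


if __name__ == "__main__":
    report = run_example()
    for f in report["new"]:
        flag = "BLOCK" if f in report["blocking"] else "warn"
        print(f"[{flag}] {f.rule_id} {f.path}:{f.line}")
    print(f"fixed since baseline: {len(report['fixed'])}, "
          f"gate {'passed' if report['passed'] else 'FAILED'}")
    # In a pipeline: write report["next_baseline"] back to the baseline
    # file in the repository and exit non-zero when the gate fails.
```

The design choice that matters for the feedback loop is the fingerprint: keyed on rule, file and the content of the flagged line rather than the line number, so ordinary edits do not churn the baseline and developers only get interrupted by findings they actually introduced. Which severities block (`fail_on`) is the knob to tighten over time as the baseline shrinks.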

  • Deepti Tomar  ~  2 months ago

    Hello Peter,

    Thanks for your submission!

    In order to help the program committee review the proposal from all its aspects, could you please upload a video of your past presentations? If one is not available, please record a short 1-minute trailer of your talk and share the link to it.

    Thanks,

    Deepti

    • Peter Maddison  ~  1 month ago

      Of course. I don't have a recent copy of me talking unfortunately but I've uploaded a clip of a practice session from last week. 

      Is this what you are looking for?

      Cheers

      Peter
