Securing your pipes with a TACO
TACO is an acronym I use with clients to help them map controls from their software delivery pipelines to the organizational controls.
TACO stands for Traceability, Access, Compliance, and Operations.
The approach starts from a base list of 25 automatable controls. For each control we document the control activity, the evidence artifacts it produces, and the system of record (SOR) that holds that evidence. After mapping how each of these controls is handled in the pipeline, we map them to the organizational controls and identify any gaps.
This model allows for the creation of opinionated pipelines and helps create a common understanding across teams as to what is required in order to be secure.
Taking a TACO approach can be considered a part of implementing a DevSecOps program and I’ve used this approach at multiple banks. I’ve given the base talk at three conferences and multiple times to internal teams. It helps build organizational confidence in the automation of software delivery.
During the talk, I’ll run through the different categories of controls, how they are implemented, what the purpose of them is, how to create robust feedback loops for controls such as SAST and how to handle long-running processes such as DAST.
Content is fairly high level but I can dig into specifics of each given area as questions arise.
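As an added illustration of the mapping step described above (example code, not material from the talk or its author), the following models each automatable pipeline control with its TACO category, control activity, evidence artifact and SOR, maps it to organizational controls, and reports the gaps the exercise is meant to surface. The organizational control ids and pipeline controls are constructed sample data.

```python
# Added example: the TACO control-mapping step as code. Each pipeline control
# records category, activity, evidence artifact, SOR and the org controls it satisfies.
from dataclasses import dataclass, field
TACO = ("Traceability", "Access", "Compliance", "Operations")

@dataclass
class PipelineControl:
    id: str
    category: str      # one of TACO
    activity: str      # what the pipeline step does
    artifact: str      # evidence produced ("" if none yet)
    sor: str           # system of record holding the evidence ("" if none yet)
    maps_to: list = field(default_factory=list)   # organizational control ids

# Hypothetical organizational controls (constructed sample data).
ORG_CONTROLS = {
    "ORG-CM-01": "Every production change traces to an approved work item",
    "ORG-AC-02": "Only authorized identities can promote builds to production",
    "ORG-SD-03": "Code is scanned for security defects before release",
    "ORG-OP-04": "Production deployments are monitored and can be rolled back",
}

# Constructed pipeline controls, one per TACO category.
PIPELINE_CONTROLS = [
    PipelineControl("T1", "Traceability", "Require a work-item id in every commit",
                    "commit metadata", "git server", ["ORG-CM-01"]),
    PipelineControl("A1", "Access", "Deploy job runs only with a promote-role token",
                    "CI job audit log", "CI server", ["ORG-AC-02"]),
    PipelineControl("C1", "Compliance", "SAST gates the merge; findings posted to the PR",
                    "scan report", "", ["ORG-SD-03"]),          # SOR not yet identified
    PipelineControl("O1", "Operations", "Post-deploy smoke test with automatic rollback",
                    "deploy log", "deploy tool", ["ORG-XX-99"]),  # maps to an unknown control
]

def find_gaps(controls, org_controls):
    """Return the gaps the TACO mapping exercise is meant to surface."""
    covered = set()
    gaps = {"missing_evidence": [], "unknown_org_control": [], "unmapped": []}
    for c in controls:
        if c.category not in TACO:
            raise ValueError(f"{c.id}: {c.category!r} is not a TACO category")
        if not c.artifact or not c.sor:      # no evidence or no SOR: not auditable
            gaps["missing_evidence"].append(c.id)
        if not c.maps_to:                    # pipeline control that satisfies nothing
            gaps["unmapped"].append(c.id)
        for org_id in c.maps_to:
            if org_id in org_controls:
                covered.add(org_id)
            else:                            # mapping points at a control that does not exist
                gaps["unknown_org_control"].append((c.id, org_id))
    gaps["uncovered_org_controls"] = sorted(set(org_controls) - covered)  # no pipeline evidence
    return gaps
```

Each entry in the returned dict is a question for the gap review: where is the evidence kept, which org control does this satisfy, and which org controls have no automated control behind them at all.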
Outline/Structure of the Tutorial
- Introduction - 5 minutes
- Problem description - 10 minutes
- Walkthrough and examples of using TACO - 20 minutes
- Wrap and conclusion - 5 minutes
- Q&A - 5 minutes
Attendees should be able to walk away with:
- An approach to building more secure software delivery pipelines
- Ways to help ensure software delivery compliance
- A framework to drive good practices to enable the building of robust and secure systems
Target Audience
People with an interest in how to secure pipelines and meet the governance demands of highly regulated environments.
Prerequisites for Attendees
Having a base understanding of DevOps principles and tools would be valuable.
I have given this talk at Agile2018, GOAT 2018, Agile and Beyond 2019 and SecTor 2019. I've also given this talk internally at companies many times to audiences of up to 150 people.
The most recent of those is here: SecTor presentation link
There is a blog on this topic here: https://www.xodiac.ca/2018/11/28/satisfying-controls-at-speed.html