Securing your pipes with a TACO

devex-and-devops Accepted Tutorial 45 Mins Intermediate
Peter Maddison
Peter Maddison
CTO
Xodiac
location_city Virtual schedule Oct 15th 06:30 - 07:15 PM IST place Online people 19 Interested

TACO is an acronym I use with clients to help them map controls from their software delivery pipelines to the organizational controls.

TACO stands for Traceability, Access, Compliance, and Operations.

The approach consists of a base list of 25 automatable controls that are documented and the control activity, artifacts and SOR identified. After mapping how these controls are handed we map them to the organizational controls and identify any gaps.

This model allows for the creation of opinionated pipelines and helps create a common understanding across teams as to what is required in order to be secure.

Taking a TACO approach can be considered a part of implementing a DevSecOps program and I’ve used this approach at multiple banks. I’ve given the base talk at three conferences and multiple times to internal teams. It helps build organizational confidence in the automation of software delivery.

During the talk, I’ll run through the different categories of controls, how they are implemented, what the purpose of them is, how to create robust feedback loops for controls such as SAST and how to handle long-running processes such as DAST.

Content is fairly high level but I can dig into specifics of each given area as questions arise.

 
6 comments visibility_off  Remove from Watchlist visibility  Add to Watchlist
 

Outline/Structure of the Tutorial

  1. Introduction - 5 minutes
  2. Problem description - 10 minutes
  3. Walkthrough and examples of using TACO - 20 minutes
  4. Wrap and conclusion - 5 minutes
  5. Q&A - 5 minutes

Learning Outcome

Attendees should be able to walk away with:

  1. An approach to building more secure software delivery pipelines
  2. Ways to help ensure software delivery compliance
  3. A framework to drive good practices to enable the building of robust and secure systems

Target Audience

People with an interest in how to secure pipelines and meet the governance demands of highly regulated environments.

Prerequisites for Attendees

Having a base understanding of DevOps principals and tools would be valuable.

Slides


Video


Links

I have given this talk at Agile2018, GOAT 2018, Agile and Beyond 2019 and SecTor 2019. I've also given this talk internally at companies many times to audiences up 150 people.

The most recent of those is here: Sector presentation link

There is a blog on this topic here: https://www.xodiac.ca/2018/11/28/satisfying-controls-at-speed.html

schedule Submitted 3 years ago

People who liked this proposal, also liked:

  • Gino Marckx
    keyboard_arrow_down

    Gino Marckx - Building Powerful Roadmaps

    design-innovation Accepted Talk 45 Mins Beginner product-owner product-development risk-management
    Gino Marckx
    Gino Marckx
    Business Improvement Consultant
    Xodiac Inc.
    schedule 3 years ago
    Sold Out!
    45 Mins
    Talk
    Beginner

    Any organization’s ability to focus on what matters most to their customers is directly related to their ability to get valuable feedback from them. While more and more organizations embrace agile practices during the development of their services, they often lack in how they collect feedback and therefor don’t get the benefits they are after. After all, what is the upside to investing in being able to pivot, if there is no information available to guide the direction of that pivot?

    The fact that many roadmaps leave little room for flexibility significantly contributes to this and building powerful roadmaps is a really hard task. How does one get feedback about a house without building it completely? How does one give feedback about a car without being able to drive it around the city for a couple of hours?

    This session will provide you with practical techniques on how to build a powerful roadmap for your product or service, one that allows any organization to get valuable feedback from their customers. The session is based on ideas from the draft book Powerful Roadmaps.

    2 comments
    View Details play_arrow
  • Gino Marckx
    keyboard_arrow_down

    Gino Marckx - Don't hire more coaches, increase your coaching capacity!

    agile-mindset Workshop 90 Mins Advanced agile-thinking agile-coaching leadership
    Gino Marckx
    Gino Marckx
    Business Improvement Consultant
    Xodiac Inc.
    schedule 3 years ago
    Sold Out!
    90 Mins
    Workshop
    Advanced

    Many organizations have difficulty hiring coaches to support their teams in applying agile principles and practices. As a result, many teams are left to their own devices and often face challenges that can lead to mediocre results and even demotivated teams, quite the opposite what the introduction of agile principles intended to achieve.

    I believe that many organizations are trying to solve the wrong problem. It is not the lack of coaches on the market that is causing the lack of support for the teams, but the lack of coaching capacity. What if there are alternative ways to address this redefined problem besides only hiring more coaches?

    I have helped small and large organizations increase their coaching capacity with programs that structure coaching for both the coaches and the teams. Join this session to hear about these experiences and understand how you as well can gradually increase the coaching capacity of your teams.

    2 comments
    View Details play_arrow
  • Gino Marckx
    keyboard_arrow_down

    Gino Marckx - Going undercover: understanding Agile inside out

    agile-mindset Workshop 90 Mins Beginner agile-thinking
    Gino Marckx
    Gino Marckx
    Business Improvement Consultant
    Xodiac Inc.
    schedule 3 years ago
    Sold Out!
    90 Mins
    Workshop
    Beginner

    The success of agile practices has impacted the masses’ understanding of what’s really happening behind the scenes. This too often leads to blind adoption and mediocre results. In order words, for many teams agile practices have become the new waterfall.

    With a deeper understanding of the core tenets of the agile mindset and a simple process to help you think in an agile way, you will become a master of sustainable improvement with tangible results and with a lot less frustration.

    Expect this session to energize you with a healthy combination of theory and practice.



    0 comments
    View Details play_arrow
Agile India 2020

Virtual, Online

Virtual Venue launch

Sun, 11th - Fri, 30th Oct 2020

email Contact Us
Recent Activities
Call for Proposals CLOSED
Ended on Aug 20 '19 11:59 PM IST

All proposals will be public. Registered user of the submission system will be able to comment on your proposal. You are required to reply to those comments to provide clarifications, explain revisions and respond to questions. The program team will look at how well you've responded to comments and updated your proposal to incorporate public suggestions. Ultimately the decision to accept a session resides with the program team.

Your proposal stands the best chance to be selected, if it's unique, fully flushed, ready-to-go. Please ensure you've read:

  1. Selection Criteria
  2. Good Proposal Attributes
  3. Best Selection Chance
  4. Tips for Proposals

To encourage early submissions and iterative improvement of proposals, we'll start accepting proposals as soon as we find them a good fit. As time passes by, the competition gets tougher. So don't wait till the last date to submit your proposal.

Details play_arrow
Speaker Compensation
flightTravel covered info_outline
hotelAccommodation covered info_outline
confirmation_numberFree conference pass info_outline
Please refer to our Speaker Compensation Policy
Active Members
help