Conf42: DevSecOps 2021


Securing Your Pipes with a TACO

Peter Maddison
Managing Partner @ Xodiac


In highly regulated environments, governing bodies of the organization can quickly get in the way of your delivery. What I present is a straw man for architecture, compliance, security and development to come to agreement on their minimum viable bureaucracy.

TACO stands for Traceability, Access, Compliance, and Operations and is a set of 20 controls I use as a guideline for helping organizations define automated governance for their software delivery pipelines. However, the primary purpose of TACO is to provide a common language for the organization to understand what "good" pipelines mean for them and how to get there.

This model allows for the creation of opinionated pipelines and helps create a common understanding across teams as to what is required in order to be secure. Taking a TACO approach can be considered a part of implementing a DevSecOps program and I’ve used this approach at multiple banks. Having this baseline helps build organizational confidence in the automation of software delivery.

During the talk, I'll run through the different categories of controls, how they are implemented, what their purpose is, and how to create robust feedback loops for controls.
