TACO is an acronym I use with clients to help them map the controls in their software delivery pipelines to their organizational controls. TACO stands for Traceability, Access, Compliance, and Operations. The approach consists of a base list of 25 automatable controls; each control is documented, with its control activity, artifacts and SOR identified. After mapping how these controls are handled, we map them to the organizational controls and identify any gaps. This model allows for the creation of opinionated pipelines and helps create a common understanding across teams of what is required in order to be secure. Taking a TACO approach can be considered part of implementing a DevSecOps program, and I’ve used this approach at multiple banks.
During the talk I’ll run through the different categories of controls, how they are implemented, what their purpose is, and how to create robust feedback loops for controls such as SAST.
Attendees should be able to walk away with:
- An approach to build more secure software delivery pipelines
- Ways to help ensure software delivery compliance
- A framework to drive good DevSecOps practices