© 2020, Xodiac Inc. All rights reserved.
Securing your pipes with a TACO
Peter Maddison
Image credit: vxla – Factory and Pipeline (CC BY)
Talk map
• Intro
• Setting the stage
• Addressing concerns and causes
• TACO time!
• How to make a TACO
• Automating Governance
• Wrap Up and Q&A
Who am I?
Peter Maddison
Coach, consultant, founder…
peter.maddison@xodiac.ca
@pgmaddison
https://www.linkedin.com/in/peter-maddison/
“I cannot teach anybody anything. I can only make them think.” – Socrates
Setting the stage
What problem are we solving?
Where to begin?
Photo by Jukan Tateisi on Unsplash
Introducing change
Cartoon: Kevin Spear – http://kevinspear.com/growth/resolving-avoid (CC BY-NC-ND)
“This year, I resolve to stay away from unnecessary risks.”
“People, processes and tools working together to enable rapid and continuous delivery of value to customers.” – A bunch of people
Pipeline overview (diagram): customers feed ideas through channels (forums, focus groups, social media) to the product owner and the delivery team; team members work in SCM across app, test and infra code; an automated pipeline runs build, test and deploy, triggered automatically or manually; feedback (monitoring, logging, test results) flows back to the team. The diagram marks the span as time to ideation and time to deliver.
Bunch of pictures (image-only slides)

Hitting a wall
Photo by Michael Longmire on Unsplash
Addressing concerns and causes
Conversation
GRC
• Governance: cost-effectively govern the organization's risk landscape
• Risk: identifying and mitigating risks
• Compliance: documenting and reporting on how we address risk
IRM (Satisfying the industry need for acronyms)
Lost in translation
Developers, Security, Compliance, Testing, Operations, Architecture
Is there a risk?
Photo by NordWood Themes on Unsplash
TACO time!
Collaboration
Photo by John Schnobrich on Unsplash
Modeling
TACO: Traceability, Access, Compliance, Operations

1. Traceability – identify what happens in the pipe
• Chain of custody
• Test results for all
• Deployed version is tracked
• Change is recorded

2. Access – secure the delivery process
• Source code managed
• Creator tracked
• Build once, deploy many
• Pipelines only

3. Compliance – validate the payload in the pipe
• Peer review
• Scan the code
• Scan the artifact
• Manage the data

4. Operations – record execution and monitor
• Validate the target
• Validate quality
• Check it works
• Watch it live

Outcomes: ensure traceability exists, validate access, ensure issues are addressed, strengthen team behaviour
TACO!
Example: then link this to the tasks to create and the impediments to success
Visualize how much TACO (bar chart scoring each dimension on a 0–30 scale: Access, Compliance, Operations, Traceability)
How to make a TACO
How can you apply TACO
and make it work for you?
CapitalOne example
• Source code version control
• Optimum branching strategy
• Static analysis
• >80% code coverage
• Vulnerability scan
• Open source scan
• Artifact version control
• Auto provisioning
• Immutable servers
• Integration testing
• Performance testing
• Build deploy testing automated for every commit
• Automated rollback
• Automated change order
• Zero downtime release
• Feature toggle
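The list above names gates without saying how one becomes a pipeline check. As an added example (not from the deck and not CapitalOne's code), here is the ">80% code coverage" gate turned into a fail-closed check over a Cobertura-style coverage report. The report text SAMPLE_REPORT, the threshold name MIN_LINE_COVERAGE and the package and file names are constructed for illustration; the gate computes coverage from the raw line counts rather than trusting the pre-computed summary attribute, which is easy to edit and need not agree with the counts.

```python
from __future__ import annotations

import xml.etree.ElementTree as ET

MIN_LINE_COVERAGE = 0.80  # the ">80% code coverage" gate from the list above

# Constructed Cobertura-style report (not a real project). The summary
# line-rate claims 0.99 while the counts say 171/200: the gate uses the counts.
SAMPLE_REPORT = """<?xml version="1.0"?>
<coverage line-rate="0.99" lines-covered="171" lines-valid="200" version="6.5" timestamp="1700000000">
  <packages>
    <package name="payments" line-rate="0.855">
      <classes>
        <class name="payments/auth.py" filename="payments/auth.py" line-rate="0.9"/>
      </classes>
    </package>
  </packages>
</coverage>
"""


class CoverageGateError(Exception):
    """Raised when the report cannot be trusted to answer the question."""


def line_coverage(xml_text: str) -> float:
    """Line coverage computed from the raw counts, not the line-rate attribute."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise CoverageGateError(f"unreadable coverage report: {exc}") from exc
    if root.tag != "coverage":
        raise CoverageGateError(f"not a Cobertura report (root is <{root.tag}>)")
    try:
        covered = int(root.attrib["lines-covered"])
        valid = int(root.attrib["lines-valid"])
    except (KeyError, ValueError) as exc:
        raise CoverageGateError("report lacks usable lines-covered/lines-valid counts") from exc
    if valid <= 0 or covered < 0 or covered > valid:
        raise CoverageGateError(f"inconsistent counts: {covered}/{valid}")
    return covered / valid


def coverage_gate(xml_text: str | None, minimum: float = MIN_LINE_COVERAGE) -> tuple[bool, str]:
    """Fail closed: no report, a broken report, or low coverage all break the build."""
    if not xml_text:
        return False, "no coverage report produced; gate fails closed"
    try:
        rate = line_coverage(xml_text)
    except CoverageGateError as exc:
        return False, str(exc)
    if rate < minimum:
        return False, f"line coverage {rate:.1%} is below the required {minimum:.0%}"
    return True, f"line coverage {rate:.1%} meets the required {minimum:.0%}"


if __name__ == "__main__":
    ok, msg = coverage_gate(SAMPLE_REPORT)
    print("PASS" if ok else "FAIL", msg)
    raise SystemExit(0 if ok else 1)
```

The non-zero exit is what "break the build" means in practice: the CI stage after this one never runs. A step that silently skips when the report is missing turns the gate into decoration, which is why every error path returns a failure.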
Mapping the controls
Pipeline stages: Source code repository → Build → Dependency management → Package → Artifact repository → Non-production deploy → Production deploy
Control stages: Build → Validate → Test → Deploy
If controls fail, break the build and radiate back to the team for resolution.
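An added example, not code from the deck, that ties the TACO controls from the Modeling slide to the Build, Validate, Test and Deploy stages above and evaluates them fail-closed against a record of one pipeline run. The run-record fields, the service identity svc-pipeline, the environment names and the three sample runs are all constructed for illustration; the control names are the ones on the TACO slide. The gate stops at the first stage with any failure (break the build) but reports every failing control in that stage with its TACO dimension, so the team gets the whole picture rather than one item at a time.

```python
from __future__ import annotations

import copy
from dataclasses import dataclass
from typing import Callable

# Control stages from the "Mapping the controls" slide, in the order they run.
STAGES = ("Build", "Validate", "Test", "Deploy")
# Assumed service identity the pipeline deploys under; any other actor is a hand deploy.
PIPELINE_IDENTITY = "svc-pipeline"
BLOCKING_SEVERITIES = {"critical", "high"}


@dataclass(frozen=True)
class Control:
    name: str        # control as named on the TACO slide
    dimension: str   # T, A, C or O
    stage: str       # stage at which it is evaluated
    check: Callable[[dict], bool]


def _deploys(run: dict) -> list[dict]:
    return run.get("deploys", [])


def _peer_reviewed(run: dict) -> bool:
    # At least one approver who is not the author; self-approval does not count.
    return len(set(run.get("approvals", [])) - {run.get("author")}) >= 1


def _scans_clean(run: dict) -> bool:
    findings = run.get("code_scan", []) + run.get("artifact_scan", [])
    return not any(str(f.get("severity", "")).lower() in BLOCKING_SEVERITIES for f in findings)


def _tests_green(run: dict) -> bool:
    t = run.get("tests", {})
    return t.get("failed", 1) == 0 and t.get("passed", 0) > 0


def _build_once_deploy_many(run: dict) -> bool:
    # Every environment must run the exact artifact the pipeline built, compared by digest.
    built = run.get("artifact_digest")
    return bool(built) and all(d.get("digest") == built for d in _deploys(run))


CONTROLS = (
    Control("source code managed", "A", "Build", lambda r: bool(r.get("repo") and r.get("commit"))),
    Control("creator tracked", "A", "Build", lambda r: bool(r.get("author"))),
    Control("peer review", "C", "Validate", _peer_reviewed),
    Control("scan the code / scan the artifact", "C", "Validate", _scans_clean),
    Control("validate quality", "O", "Test", _tests_green),
    Control("test results for all", "T", "Test", lambda r: bool(r.get("tests", {}).get("results_url"))),
    Control("build once, deploy many", "A", "Deploy", _build_once_deploy_many),
    Control("pipelines only", "A", "Deploy", lambda r: all(d.get("actor") == PIPELINE_IDENTITY for d in _deploys(r))),
    Control("validate the target", "O", "Deploy", lambda r: all(d.get("env") in r.get("allowed_envs", ()) for d in _deploys(r))),
    Control("check it works", "O", "Deploy", lambda r: all(d.get("smoke_test") == "passed" for d in _deploys(r))),
    Control("deployed version is tracked", "T", "Deploy", lambda r: all(d.get("version") == r.get("version") for d in _deploys(r))),
    Control("change is recorded", "T", "Deploy", lambda r: all(d.get("change_record") for d in _deploys(r))),
)


def gate(run: dict) -> dict:
    """Evaluate controls stage by stage; stop at the first stage with a failure."""
    report: dict = {"passed": True, "stopped_at": None, "failed": [], "by_dimension": dict.fromkeys("TACO", 0)}
    for stage in STAGES:
        for c in (c for c in CONTROLS if c.stage == stage):
            try:
                ok = bool(c.check(run))
            except Exception:  # a check that crashes on odd input fails closed
                ok = False
            if not ok:
                report["failed"].append((stage, c.dimension, c.name))
                report["by_dimension"][c.dimension] += 1
        if report["failed"]:
            report["passed"] = False
            report["stopped_at"] = stage
            break
    return report


# Constructed run record: hosts, ids and digests are made up.
GOOD_RUN = {
    "repo": "git@scm.example.invalid:payments/api.git", "commit": "3f2c9a1d", "author": "alice",
    "approvals": ["bob"], "code_scan": [{"id": "S-17", "severity": "low"}], "artifact_scan": [],
    "tests": {"passed": 212, "failed": 0, "results_url": "https://ci.example.invalid/runs/4711/tests"},
    "version": "1.8.0", "artifact_digest": "sha256:9c1f0b3e", "allowed_envs": ["staging", "prod"],
    "deploys": [{"env": env, "digest": "sha256:9c1f0b3e", "actor": PIPELINE_IDENTITY, "version": "1.8.0",
                 "smoke_test": "passed", "change_record": "CHG-2041"} for env in ("staging", "prod")],
}
# Same run, except a locally built binary was pushed to prod by hand with no change record.
HAND_DEPLOY_RUN = copy.deepcopy(GOOD_RUN)
HAND_DEPLOY_RUN["deploys"][1].update(digest="sha256:deadbeef", actor="carol", change_record=None)
# Same run, except the author approved their own change.
SELF_APPROVED_RUN = copy.deepcopy(GOOD_RUN)
SELF_APPROVED_RUN["approvals"] = ["alice"]

if __name__ == "__main__":
    for label, run in (("good", GOOD_RUN), ("hand deploy", HAND_DEPLOY_RUN), ("self-approved", SELF_APPROVED_RUN)):
        r = gate(run)
        print(label, "PASS" if r["passed"] else f"BROKEN at {r['stopped_at']}: {r['failed']}")
```

The by_dimension counts are the raw material for the "how much TACO" view: a run that keeps failing under A is an access problem (people bypassing the pipeline), one that fails under C is a payload problem, and the fix belongs to a different conversation in each case.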
Initial controls design
Mapping the controls
Automating Governance
• Not about keeping audit off your back
• Start small, get one team working and grow from there
• Engage leaders, focus on conversation, not tooling
Running the pipe (diagram of an eight-step run): define work here; SCM; CI build; build results; artifacts; CI run 2; quality tests; organisational tests; service state. Cycle time is measured across the run.
Auditing the pipe (evidence linked for each run)
• Work item number
• Work item and work item log
• CI build and build results
• Unit test results
• QA test results
• URL to stages of pipeline as they execute
• Code review
• System design record
• Logs
• Tools
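An added example (not from the deck) of keeping the evidence listed above as a hash-chained trail tied to the work item, so an auditor can check in one pass that the trail is complete, every entry is linked to the work item, and nothing was altered after the fact. The evidence kinds follow the slide; the URLs, ids, digests and the sample trail are constructed.

```python
from __future__ import annotations

import hashlib
import json

# Evidence kinds from the "Auditing the pipe" slide; a trail missing any of them is incomplete.
REQUIRED_EVIDENCE = {
    "work_item_log", "ci_build", "build_results", "unit_test_results",
    "qa_test_results", "code_review", "system_design_record", "logs",
}
GENESIS = "0" * 64


def _entry_hash(payload: dict, prev: str) -> str:
    # Canonical JSON so the same evidence always hashes the same way.
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev.encode() + b"\n" + canonical).hexdigest()


def append(trail: list[dict], work_item: str, kind: str, **evidence) -> dict:
    """Append one piece of evidence, chained to the previous entry's hash."""
    prev = trail[-1]["hash"] if trail else GENESIS
    payload = {"seq": len(trail), "work_item": work_item, "kind": kind, **evidence}
    entry = {**payload, "prev": prev, "hash": _entry_hash(payload, prev)}
    trail.append(entry)
    return entry


def verify(trail: list[dict], work_item: str) -> list[str]:
    """Return the problems found; an empty list means intact, linked and complete."""
    problems: list[str] = []
    prev = GENESIS
    seen: set = set()
    for i, entry in enumerate(trail):
        payload = {k: v for k, v in entry.items() if k not in ("prev", "hash")}
        if entry.get("prev") != prev or entry.get("hash") != _entry_hash(payload, prev) or payload.get("seq") != i:
            problems.append(f"entry {i} ({payload.get('kind')}): chain broken or content altered")
        if payload.get("work_item") != work_item:
            problems.append(f"entry {i}: not linked to {work_item}")
        seen.add(payload.get("kind"))
        prev = entry.get("hash", "")
    problems += [f"missing evidence: {k}" for k in sorted(REQUIRED_EVIDENCE - seen)]
    return problems


def sample_trail(work_item: str = "WI-1234") -> list[dict]:
    """Constructed trail for one run; every URL and id is made up."""
    t: list[dict] = []
    base = "https://ci.example.invalid/runs/4711"
    append(t, work_item, "work_item_log", url=f"https://tracker.example.invalid/{work_item}/history")
    append(t, work_item, "code_review", pr=88, approvers=["bob"], url="https://scm.example.invalid/pr/88")
    append(t, work_item, "system_design_record", url="https://wiki.example.invalid/payments/adr-0007")
    append(t, work_item, "ci_build", build_id=4711, commit="3f2c9a1d", url=base)
    append(t, work_item, "build_results", artifact_digest="sha256:9c1f0b3e", url=f"{base}/artifacts")
    append(t, work_item, "unit_test_results", passed=212, failed=0, url=f"{base}/tests/unit")
    append(t, work_item, "qa_test_results", passed=40, failed=0, url=f"{base}/tests/qa")
    append(t, work_item, "logs", tools=["git", "ci", "sast"], url=f"{base}/log")
    return t


if __name__ == "__main__":
    trail = sample_trail()
    print("intact:", verify(trail, "WI-1234") == [])
    trail[4]["artifact_digest"] = "sha256:deadbeef"   # edit the record after the fact
    print("after tampering:", verify(trail, "WI-1234"))
```

One caveat: a hash chain only proves tampering if the head hash is kept somewhere the pipeline's own identity cannot rewrite (a write-once store, or a signature with a key the pipeline does not hold). Otherwise whoever can edit the trail can simply rebuild the chain.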
Paved road
Photo by Jon Flobrant on Unsplash
Beyond roadmaps
Wrap Up and Q&A
What have we learned?
“We cannot solve our problems with the same thinking we used when we created them.” – Albert Einstein
References
• CapitalOne, Focusing on the DevOps Pipeline (Topo Pal): https://medium.com/capital-one-tech/focusing-on-the-devops-pipeline-topo-pal-833d15edf0bd
• Automated Governance – John Willis: https://www.youtube.com/watch?v=_j9eB0flTtY
• Risk & Control is Dead, Long Live Risk & Control – Jon Smart: https://www.youtube.com/watch?v=XRMf9QjUwlI
• IT Revolution forum paper downloads: https://itrevolution.com/forum-paper-downloads/
• The Field Guide to Understanding Human Error: https://www.amazon.ca/Field-Guide-Understanding-Human-Error-dp-1472439058/dp/1472439058/ref=dp_ob_title_bk
So let’s review
• Safety is about behaviour, not tools.
• Ways to help automate software delivery compliance
• A way to create common understanding of a “good pipeline”
Thank you!
Feedback survey: https://bit.ly/2KWP1pA