TACO is an acronym I use with clients to help them map controls from their software delivery pipelines to the organizational controls. TACO stands for Traceability, Access, Compliance, and Operations. The approach consists of a base list of 25 automatable controls that are documented, with the control activity, artifacts and system of record (SOR) identified for each. After mapping how these controls are handled, we map them to the organizational controls and identify any gaps.
This model allows for the creation of opinionated pipelines and helps create a common understanding across teams as to what is required in order to be secure.
Taking a TACO approach can be considered part of implementing a DevSecOps program, and I've used this approach at multiple banks. I've given the base talk at three conferences and multiple times to internal teams. It helps build organizational confidence in the automation of software delivery. During the talk, I'll run through the different categories of controls, how they are implemented, what their purpose is, how to create robust feedback loops for controls such as SAST, and how to handle long-running processes such as DAST.
The content is fairly high level, but I can dig into the specifics of each area as questions arise.
More details: https://confengine.com/agile-india-2020/proposal/11103
Conference Link: https://2020.agileindia.org