📋 Lesson Plan 05 - User Control in Collaborative Development

Subject: Systems Development II
Teacher: Ricardo Pires
Class: 3rd year, Technical Course in Systems Development
Date: 06/04/2026
Duration: 105 minutes (3 periods of 35 minutes)
Location: Computer Lab 2


🎯 Learning Objectives

Technical Competencies

  • Implement role-based access control (RBAC) for collaborative projects
  • Configure security policies in Git repositories and development workflows
  • Apply code review practices with approval workflows and branch protection
  • Establish technical governance for development teams

Behavioral Competencies

  • Collective responsibility for maintaining code quality and security
  • Effective communication in review and technical approval processes
  • Security awareness in collaborative development practices
  • Technical leadership in implementing and enforcing policies

Transversal Competencies

  • Management of risks related to code and access security
  • Compliance with auditing and traceability practices
  • Organizing processes for developer onboarding and offboarding

🏗️ Pedagogical Foundation

📚 Theoretical Basis

This lesson is grounded in the principles of DevSecOps and Collaborative Software Engineering, integrating security practices from the start of development. It uses Role-Based Access Control (RBAC) concepts to structure responsibilities in technical teams.

🔗 Curricular Continuity

  • Lesson 04 (Pair Programming): extends technical collaboration from pairs to teams
  • Base concepts: code review, Git workflows, continuous integration
  • Future preparation: deployment, DevOps principles, enterprise architecture

⚙️ Teaching Methodology

Approach: learning by doing, with a simulation of a real enterprise environment

  • Practical demonstration of repository configuration
  • Role-playing with different access levels (junior, senior, maintainer)
  • Incident simulation to practice security procedures
  • Hands-on configuration of GitHub/GitLab policies

⏱️ Detailed Schedule (105 minutes)

🎬 Opening and Context (15 minutes)

09:00 - 09:15

Problem Scenario (10 min)

REAL-WORLD SCENARIO: Production Bug
 
- Former employee with an active token modifies a critical configuration
- E-commerce system unavailable for 2 hours
- Financial loss: R$ 50,000 in sales
- Investigation reveals: inadequate access revocation process
 
GUIDING QUESTION:
"How do we structure technical governance to prevent incidents like this in collaborative teams?"

Objectives and Roadmap (5 min)

  • Present learning objectives and success criteria
  • Contextualize the importance for a professional career
  • Preview the practical exercises with role simulation

📚 Conceptual Foundation (25 minutes)

09:15 - 09:40

Block 1: RBAC in Development (10 min)

Core Concepts:

DEVELOPER ROLES HIERARCHY:
├── Contributor (Read + Fork)
├── Developer (Write to feature branches)
├── Reviewer (Approve pull requests)
├── Maintainer (Merge to main, manage releases)
└── Owner (Admin settings, user management)

Interactive demo: configuring roles in the GitHub/GitLab interface.
Discussion prompt: "What risks exist when everyone has admin access?"

Block 2: Branch Protection and Workflows (10 min)

PR Workflow Demonstration:

feature/login-security ──PR──> reviewer ──approve──> main
                         │                           │
                         └──CI checks────────────────┘
                         └──Required reviews─────────┘
                         └──Status checks────────────┘

Live demo: setting up branch protection rules.
Example scenarios: what happens when CI fails? When a reviewer rejects?

Block 3: Security Best Practices (5 min)

Essential Security Controls:
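To make Blocks 1 and 2 concrete, this added example (not GitHub's or GitLab's code) models the role hierarchy above and the merge gate from the PR diagram in Python; the role names, permission labels and rule fields are assumptions chosen for the class.

```python
"""Toy model of the developer role hierarchy (Block 1) and the branch
protection gate (Block 2). Added example; not the platform's implementation."""
from __future__ import annotations
from dataclasses import dataclass, field

# Cumulative permissions, least to most privileged (hypothetical labels)
ROLE_PERMISSIONS = {
    "contributor": {"read", "fork"},
    "developer":   {"read", "fork", "push_feature"},
    "reviewer":    {"read", "fork", "push_feature", "approve_pr"},
    "maintainer":  {"read", "fork", "push_feature", "approve_pr", "merge_main", "release"},
    "owner":       {"read", "fork", "push_feature", "approve_pr", "merge_main", "release", "admin"},
}

def can(role: str, action: str) -> bool:
    """True if the role is granted the action; unknown roles get nothing."""
    return action in ROLE_PERMISSIONS.get(role, set())

@dataclass
class BranchProtection:
    required_approvals: int = 1          # "minimum 1 approval" from Exercise 2
    required_checks: tuple = ("ci",)     # status checks that must pass
    allow_direct_push: bool = False      # direct pushes to main are restricted

@dataclass
class PullRequest:
    author_role: str
    approvals: list = field(default_factory=list)      # roles of the approvers
    rejections: int = 0                                # "changes requested" count
    check_results: dict = field(default_factory=dict)  # check name -> "success"/"failure"

def merge_decision(pr: PullRequest, merger_role: str, rules: BranchProtection) -> tuple[bool, str]:
    """Return (allowed, reason) for merging into main, mirroring the Block 2 diagram."""
    if not can(merger_role, "merge_main"):
        return False, f"role '{merger_role}' cannot merge to main"
    if pr.rejections:
        return False, "a reviewer requested changes"
    valid = [r for r in pr.approvals if can(r, "approve_pr")]  # only reviewer+ count
    if len(valid) < rules.required_approvals:
        return False, f"needs {rules.required_approvals} approval(s), has {len(valid)}"
    for check in rules.required_checks:
        if pr.check_results.get(check) != "success":
            return False, f"required status check '{check}' not passing"
    return True, "all branch protection rules satisfied"

def push_decision(role: str, branch: str, rules: BranchProtection) -> bool:
    """Direct push is allowed on feature branches for developers; main is gated."""
    if branch == "main":
        return rules.allow_direct_push and can(role, "merge_main")
    return can(role, "push_feature")
```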

  • Multi-Factor Authentication enforcement
  • Secrets management (environment variables, vaults)
  • Audit trails and access logging
  • Regular access reviews and cleanup

Real Examples: Show actual security incidents and their prevention

💼 Exercise 1: Security Audit (20 minutes)

09:40 - 10:00

Scenario Analysis (15 min in groups)

Analysis of the "sistema-vendas" repository:

Current state:
  - main branch: unprotected
  - All devs: admin rights
  - CI: optional
  - Secrets: hardcoded in the source
  - MFA: not required
  - Access reviews: never performed

Tasks per Group (3-4 students):

  1. Identify all security risks (prioritize High/Medium/Low)
  2. Propose solutions for the top 3 critical ones
  3. Estimate implementation effort (hours/days)
  4. Create an action plan with a realistic timeline
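To check the "current state" above mechanically, this added example (not part of the original plan or any platform API) encodes each item as an audit rule with an assumed severity, runs it over a constructed snapshot of sistema-vendas, and returns findings ordered High, Medium, Low; the setting names and severities are assumptions.

```python
"""Checklist-style audit of repository settings, as in the sistema-vendas
scenario. Added example; setting keys and severities are assumptions."""

SEVERITY_ORDER = {"High": 0, "Medium": 1, "Low": 2}

# Each rule: (setting key, predicate that returns True when the value is safe,
# severity, text of the finding when it is not safe). Severities are assumed.
AUDIT_RULES = [
    ("main_protected", lambda v: v is True, "High", "main branch has no protection rules"),
    ("secrets_hardcoded", lambda v: v is False, "High", "secrets are hardcoded in the source"),
    ("all_devs_admin", lambda v: v is False, "High", "every developer has admin rights"),
    ("mfa_required", lambda v: v is True, "Medium", "MFA is not enforced for members"),
    ("ci_required", lambda v: v is True, "Medium", "CI checks are optional for merges"),
    ("last_access_review_days", lambda v: v is not None and v <= 90, "Low",
     "access reviews never performed or older than 90 days"),
]

def audit(settings: dict) -> list:
    """Return one finding per failed rule, highest severity first.
    A missing setting is treated as unsafe (unknown state is not evidence)."""
    findings = []
    for key, is_safe, severity, text in AUDIT_RULES:
        if not is_safe(settings.get(key)):
            findings.append({"severity": severity, "setting": key, "finding": text})
    findings.sort(key=lambda f: SEVERITY_ORDER[f["severity"]])  # stable: rule order within a tier
    return findings

def top_critical(findings: list, n: int = 3) -> list:
    """Setting keys of the n highest-priority findings (task 2 of the exercise)."""
    return [f["setting"] for f in findings[:n]]

# Constructed snapshot matching the "current state" listed in Exercise 1
SISTEMA_VENDAS = {
    "main_protected": False,
    "all_devs_admin": True,
    "ci_required": False,
    "secrets_hardcoded": True,
    "mfa_required": False,
    "last_access_review_days": None,   # never performed
}

if __name__ == "__main__":
    for f in audit(SISTEMA_VENDAS):
        print(f"[{f['severity']}] {f['setting']}: {f['finding']}")
```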

Presentation and Discussion (5 min)

  • Each group presents its top findings (2 min each)
  • Class discussion on the most innovative solutions
  • Teacher highlights industry best practices

⚡ Break (10 minutes)

10:00 - 10:10

🛠️ Exercise 2: Practical RBAC Configuration (25 minutes)

10:10 - 10:35

Secure Repository Setup (20 min hands-on)

Each student configures:

Step 1: Repository Creation (5 min)

  • Fork the template repository containing security vulnerabilities
  • Enable basic security features
  • Invite a classmate as collaborator

Step 2: RBAC Implementation (8 min)

Role Assignment:
  - Student A: Repository owner (admin access)
  - Student B: Maintainer (merge rights)
  - Student C: Developer (branch creation)
  - Student D: Reviewer (PR approval only)

Step 3: Branch Protection Setup (7 min)

  • Configure main branch protection rules
  • Require PR reviews (minimum 1 approval)
  • Enable status checks requirement
  • Restrict direct pushes to main

Validation Testing (5 min)

  • Test access levels with different user roles
  • Attempt unauthorized operations (should fail)
  • Verify audit trail captures all activities

🚨 Exercise 3: Incident Response Simulation (20 minutes)

10:35 - 10:55

Security Incident Scenario (15 min role-play)

INCIDENT: Suspicious commit detected

Incident Details:
- Unusual commit time: 3:00 AM
- Large file additions: potential secrets leak
- Author: junior developer (normally doesn't work nights)
- Changes: database configuration files modified

Role Assignment:

  • Incident Commander: Coordinates response
  • Security Analyst: Investigates technical details
  • DevOps Engineer: Implements fixes/rollback
  • Manager: Communications and escalation

Tasks:

  1. Investigate incident using audit trails
  2. Assess impact and potential data exposure
  3. Implement containment measures immediately
  4. Plan remediation and prevention steps
  5. Document lessons learned for future incidents
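For task 1, this added example (not a real GitHub/GitLab audit log format) parses constructed commit-log lines and scores each commit against the three indicators in the scenario (off-hours time, large additions, configuration files touched); the log layout, working hours and size threshold are assumptions.

```python
"""Triage of commit audit-log entries against the indicators in Exercise 3.
Added example; the log format and thresholds are constructed for this class."""
from datetime import datetime

# Constructed log lines: timestamp | author | role | bytes added | files touched
AUDIT_LOG = """\
2026-04-05T03:02:11 | joana.junior | developer | 5242880 | config/database.yml,config/secrets.env
2026-04-05T14:20:45 | joana.junior | developer | 2048 | src/login/validator.py
2026-04-05T09:15:00 | carlos.maint | maintainer | 1024 | README.md
2026-04-04T22:40:33 | carlos.maint | maintainer | 120000 | assets/logo.png
"""

WORK_HOURS = range(8, 20)          # 08:00-19:59 is normal for this team (assumed)
LARGE_ADDITION_BYTES = 1_000_000   # 1 MB added in one commit (assumed threshold)
SENSITIVE_PREFIXES = ("config/",)  # paths that hold database/secret configuration
SENSITIVE_SUFFIXES = (".env", ".yml", ".pem", ".key")

def parse_line(line: str) -> dict:
    """Split one pipe-delimited log line into typed fields."""
    ts, author, role, added, files = [p.strip() for p in line.split("|")]
    return {"ts": datetime.fromisoformat(ts), "author": author, "role": role,
            "added": int(added), "files": files.split(",")}

def indicators(entry: dict) -> list:
    """Names of the scenario indicators this commit matches."""
    hits = []
    if entry["ts"].hour not in WORK_HOURS:
        hits.append("off-hours commit")
    if entry["added"] >= LARGE_ADDITION_BYTES:
        hits.append("large file addition")
    if any(f.startswith(SENSITIVE_PREFIXES) or f.endswith(SENSITIVE_SUFFIXES)
           for f in entry["files"]):
        hits.append("configuration/secret file modified")
    return hits

def triage(log_text: str, min_hits: int = 2) -> list:
    """Commits with at least min_hits indicators, most suspicious first;
    one indicator alone (a late commit, a big asset) is not enough to page anyone."""
    flagged = []
    for line in log_text.strip().splitlines():
        entry = parse_line(line)
        hits = indicators(entry)
        if len(hits) >= min_hits:
            flagged.append({"author": entry["author"], "ts": entry["ts"].isoformat(),
                            "indicators": hits})
    flagged.sort(key=lambda f: len(f["indicators"]), reverse=True)
    return flagged
```

Run triage(AUDIT_LOG) and the 03:02 commit is the only one that clears the threshold, which is the starting point for the Security Analyst's investigation; the follow-up (impact assessment, containment) stays with the role-play.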

Debrief and Best Practices (5 min)

  • What worked well in the incident response?
  • What could be improved in the process?
  • How could proper access control have prevented the incident?

📊 Synthesis and Assessment (10 minutes)

10:55 - 11:05

Learning Consolidation (7 min)

Quick Assessment Questions:

  1. "What is the minimum approval level required for a critical merge?"
  2. "How do you detect a compromised developer account?"
  3. "What evidence provides an adequate audit trail?"
  4. "When should access permissions be reviewed?"

Professional Application (3 min)

Real-World Transition:

  • "How do you apply these practices in an internship or job?"
  • "Which tools do professionals use to implement the same concepts?"
  • "How do you advocate for security improvements in existing teams?"

🎯 Evaluation Criteria

📊 Assessment Rubric

Competency            | Exemplary (4)                                      | Proficient (3)                          | Developing (2)                        | Beginner (1)
RBAC Implementation   | Configures roles with clear technical justification | Implements basic roles correctly        | Configures roles with minor gaps      | Needs support for configuration
Security Awareness    | Proactively identifies all major risks              | Recognizes most security vulnerabilities | Detects some security issues         | Limited awareness of security concerns
Process Design        | Creates comprehensive workflows for the team        | Develops basic functional processes     | Proposes simple process improvements  | Struggles to design effective processes
Incident Response     | Leads incident resolution effectively               | Contributes meaningfully to resolution  | Follows instructions adequately       | Requires significant guidance

🎯 Success Indicators

  • 90%+ of students demonstrate competency in RBAC configuration
  • All groups successfully identify the critical security vulnerabilities
  • Each student has a working repository set up with proper access controls
  • Professional confidence in security best practices is evident

📈 Continuous Assessment Checkpoints

  • Minute 25: concept understanding check via questioning
  • Minute 45: group audit completion and capability demonstration
  • Minute 70: hands-on configuration success validation
  • Minute 90: incident response effectiveness observation
  • End of class: self-assessment of confidence levels

🛠️ Resources and Materials

💻 Technological

  • GitHub accounts for all students (free tier is sufficient)
  • Git installed on all lab machines
  • Web browsers with access to GitHub/GitLab
  • Projector setup for demonstrations
  • Timer/stopwatch for exercise management

📋 Teaching Materials

  • Repository templates prepared with security vulnerabilities
  • Role cards printed for the role-playing exercises
  • Incident scenarios detailed in handouts
  • Audit checklists for security reviews
  • Quick reference guides for Git commands and GitHub settings

🎯 Assessment Materials

  • Self-assessment questionnaires for confidence tracking
  • Peer evaluation forms for group work assessment
  • Practical competency checklists for hands-on skills
  • Real-world application reflection prompts

🚨 Contingencies and Adaptations

🌐 Remote Mode

If online delivery is required:

  • Breakout rooms for group exercises (3-4 students each)
  • Screen sharing mandatory for demonstrations
  • Collaborative documents (Google Docs) for groups to capture findings
  • Extended time (add 15 min) for technical coordination
  • Pre-setup validation workshop the day before for troubleshooting

⚡ Technical Problems

GitHub/GitLab unavailable:

  • Local Git setup with bare repositories for basic workflow simulation
  • Conceptual exercises concentrating on process design rather than implementation
  • Security audit using printed repository examples
  • Role-playing expanded to fill the technical demonstration time

Network/computer issues:

  • Pair programming adaptation: one computer per pair
  • Printed materials enhanced to reduce technology dependency
  • Manual audit exercises using paper-based examples
  • Increased discussion time for knowledge reinforcement

👥 Different Experience Levels

Beginning students:

  • Simplified RBAC roles (just Developer/Reviewer/Maintainer)
  • Guided step-by-step configuration walkthroughs
  • Buddy system with more experienced peers
  • Extended practice time allocated

Advanced students:

  • Complex security scenarios such as enterprise compliance requirements
  • Leadership roles in group exercises and incident response
  • Research assignments on advanced security tools
  • Mentoring responsibilities for struggling classmates

🔮 Extensions and Future Applications

🚀 Next Lesson (06 - Testing Strategies)

Integration Points:

  • Automated security testing within CI/CD pipelines
  • Test governance with required coverage for approval
  • Quality gates for security and test requirements
  • Automated validation for compliance testing

💼 Professional Preparation

Industry Skills Development:

  • Enterprise identity management (Active Directory, LDAP integration)
  • Compliance frameworks (SOX, GDPR, LGPD requirements)
  • DevSecOps tooling (Vault, SIEM, vulnerability scanners)
  • Professional protocols for security incident management

🎓 Assessment Integration

Portfolio Development:

  • Security audit reports written by students
  • Incident response playbooks designed collaboratively
  • RBAC policies documented for real projects
  • Process improvement proposals based on experience

🌟 Advanced Projects

Optional Challenges:

  • Multi-repository governance setup with organization-level policies
  • Automated compliance checking using GitHub Actions/GitLab CI
  • Security monitoring dashboard creation
  • Cross-enterprise collaboration simulation with external partners

Teacher Preparation Checklist

📋 Pre-class (1 day before)

  • Repository templates created and tested with intentional vulnerabilities
  • GitHub organization set up for class exercises
  • Role cards and handouts printed and prepared
  • Incident scenarios validated for realism
  • Assessment materials ready and accessible
  • Backup plans documented for technical contingencies

🕐 30 Minutes Before

  • Lab machines tested: Git installed, browsers functional
  • Network connectivity to GitHub/GitLab verified
  • Projector setup tested with a live demonstration
  • Student accounts validated (can log in, can create repositories)
  • Materials distribution organized for efficient pickup
  • Timer/stopwatch ready for time management

🎯 During Class

  • Energy level maintained: vary activities, encourage participation
  • Time management active: monitor progress, adjust pace as needed
  • Student engagement monitored: ensure everyone participates actively
  • Technical issues resolved quickly: have backup plans ready
  • Learning assessment ongoing: check understanding regularly
  • Safe environment maintained: encourage questions and learning from mistakes

📝 Post-class

  • Assessment data collected and organized for analysis
  • Student feedback gathered on the experience and challenges
  • Technical issues documented with solutions for future improvement
  • Content adjustments noted based on student performance
  • Materials cleanup and organization for the next session
  • Reflection notes captured for continuous pedagogical improvement

📞 Contact and Support

Teacher Ricardo Pires
📧 Email: ricardo.pires@etec.sp.gov.br
🕒 Availability: Monday to Friday, 6:30 pm to 9:30 pm
📍 Room: IT Coordination Office

Additional Resources:
💻 Google Classroom: materials and asynchronous discussions
📖 Bibliography: links and references in the support material
🎯 Office Hours: Tuesdays and Thursdays, 7:00-7:30 pm (open time for questions)


🎯 Next Lesson: Testing Strategies & Quality Assurance
📅 Date: 13/04/2026
🔀 Connection: security practices + automated testing governance