🛠️ Exercícios Práticos - Aula 05
Controle de Usuários no Desenvolvimento Colaborativo
Disciplina: Desenvolvimento de Sistemas II
Professor: Ricardo Pires
Data: 06/04/2026
🎯 Competências a Desenvolver
Técnicas
- Configurar controle de acesso baseado em papéis (RBAC)
- Implementar políticas de segurança em repositórios Git
- Aplicar workflows de code review e branch protection
- Estabelecer governança técnica para desenvolvimento colaborativo
Comportamentais
- Responsabilidade compartilhada na segurança de código
- Comunicação eficaz em processos de review técnico
- Consciência de riscos de segurança em desenvolvimento
- Liderança na implementação de boas práticas
🔍 Exercício 1: Audit de Segurança de Repositório
Duração: 20 minutos | Formato: Grupos de 3-4 estudantes
📋 Contexto do Exercício
Você trabalha como Security Analyst Jr. na empresa TechSolutions e foi solicitado para fazer um audit completo do repositório crítico sistema-vendas que processa milhares de transações diariamente.
🎭 Cenário do Repositório
Repository: sistema-vendas (Private)
Team: 8 developers (2 seniors, 4 plenos, 2 juniors)
Environment: Java Spring Boot + PostgreSQL + AWS
Traffic: 10,000 transactions/day, R$ 2M revenue/month
📊 Current State Analysis:
Repository Configuration:
Branch Protection:
- main: ❌ No protection configured
- develop: ❌ No protection configured
- feature branches: ❌ Anyone can merge
User Access:
- All 8 developers: 🔴 Admin rights
- CI/CD service account: 🔴 Admin rights
- External consultant: 🔴 Access granted 6 months ago (project ended)
- Intern (completed program): 🟡 Still has write access
Security Settings:
- Two-factor authentication: 🔴 Optional
- Secret scanning: 🟡 Enabled but ignoring alerts
- Dependency scanning: 🔴 Disabled
- Code scanning: 🔴 Not configured
Code Quality:
- CI/CD pipeline: 🟡 Exists but tests are optional
- Code review: 🔴 Not required for main branch
- Automated testing: 🟡 Unit tests exist but coverage < 40%
Audit Trail:
- Access logging: 🟡 Basic GitHub logs only
- Change monitoring: 🔴 No alerts configured
- Compliance reporting: 🔴 Never performed
Secrets Management:
- Database passwords: 🔴 Hardcoded in configuration files
- API keys: 🔴 Committed to repository history
- SSL certificates: 🔴 Stored as plain text files
- Third-party tokens: 🟡 Some in environment variables, some hardcoded📝 Tarefas do Grupo
Task 1: Risk Assessment (15 minutos)
1.1 Identificação de Vulnerabilidades Complete the security risk matrix below:
| Risk Category | Specific Issue | Impact Level | Probability | Risk Score | Evidence |
|---|---|---|---|---|---|
| Access Control | All developers have admin rights | High/Med/Low | High/Med/Low | 1-25 | |
| Authentication | MFA not enforced | ||||
| Authorization | No branch protection | ||||
| Secrets Exposure | Hardcoded credentials | ||||
| Audit & Compliance | No access reviews | ||||
| Code Quality | Optional CI/CD checks |
Risk Score = Impact × Probability (1=Low, 3=Medium, 5=High)
1.2 Critical Path Analysis Identify the 3 most critical risks that could lead to:
- Production downtime
- Data breach
- Financial loss
- Regulatory compliance violation
1.3 Attack Vector Mapping For each critical risk, describe a realistic attack scenario:
EXAMPLE:
Risk: Hardcoded database passwords
Attack Vector:
1. Malicious developer copies repository
2. Extracts database credentials from config files
3. Accesses production database directly
4. Steals customer payment information
Task 2: Solution Design (Remaining time)
2.1 Immediate Actions (Can be implemented today)
- List actions that require zero development effort
- Focus on configuration changes and access control
- Include specific GitHub settings to modify
2.2 Short-term Plan (1-2 weeks implementation)
- Changes requiring moderate development work
- Include effort estimates and resource requirements
- Consider developer training needs
2.3 Long-term Security Strategy (1-3 months)
- Comprehensive security improvements
- Include process changes and cultural shifts
- Consider cost-benefit analysis
🎯 Deliverables
Each group must prepare:
-
Executive Summary (2 slides)
- Top 3 critical risks with business impact
- Required immediate actions
- Investment recommendation
-
Technical Implementation Plan (3 slides)
- Specific configuration steps
- Timeline with dependencies
- Success metrics definition
-
Cost-Benefit Analysis (1 slide)
- Estimated implementation effort
- Risk reduction quantification
- ROI calculation
📊 Presentation Format (5 minutos total)
- 2 min: Present findings and critical risks
- 2 min: Explain proposed solution approach
- 1 min: Class Q&A about your analysis
🏆 Success Criteria
- Completeness: All matrix fields filled with justification
- Realism: Solutions are technically feasible
- Prioritization: Clear rationale for critical risk selection
- Professional Quality: Presentation ready for stakeholders
⚙️ Exercício 2: Implementação Prática de RBAC
Duração: 25 minutos | Formato: Groups de 4 estudantes
🎯 Objetivo do Exercício
Configurar um repositório completo com controles de segurança adequados, implementando RBAC (Role-Based Access Control) e validando as configurações através de testing real.
👥 Role Assignment Strategy
🏗️ Team Structure (4 students per group)
Student A - Repository Owner & Security Lead
Responsibilities:
- Create and own repository
- Configure organization-level settings
- Manage user access and permissions
- Monitor security alerts and audit logs
GitHub Permissions:
- Admin access to repository
- Manage repository settings
- Invite/remove collaborators
- Configure branch protection rules
Real-World Equivalent:
- Tech Lead / Engineering Manager
- DevOps Security EngineerStudent B - Senior Maintainer & Release Manager
Responsibilities:
- Review and merge pull requests
- Manage release branches and tags
- Coordinate deployments
- Approve breaking changes
GitHub Permissions:
- Write access to repository
- Merge pull requests to main
- Create releases and tags
- Cannot modify admin settings
Real-World Equivalent:
- Senior Software Engineer
- Release Manager
- Technical ReviewerStudent C - Developer & Feature Owner
Responsibilities:
- Develop features in topic branches
- Create pull requests
- Participate in code review
- Write and maintain tests
GitHub Permissions:
- Push to feature branches only
- Create pull requests
- Comment on reviews
- Cannot merge to main directly
Real-World Equivalent:
- Software Engineer
- Full-stack Developer
- Application DeveloperStudent D - Code Reviewer & Quality Assurance
Responsibilities:
- Review code quality and security
- Approve/request changes on PRs
- Validate testing requirements
- Monitor code coverage metrics
GitHub Permissions:
- Read access to repository
- Review pull requests
- Approve/reject changes
- Cannot push code directly
Real-World Equivalent:
- Senior Developer (review focus)
- Quality Assurance Engineer
- Security Reviewer📋 Step-by-Step Implementation Guide
Phase 1: Repository Setup (5 minutos)
Student A (Owner): Repository Creation
-
Create New Repository
Repository name: security-demo-[group-number] Description: "RBAC implementation exercise - Aula 05" Visibility: Private Initialize: ✅ README.md, ✅ .gitignore (Java), ✅ MIT License -
Initial Security Configuration
Settings → Security & analysis: ✅ Enable Dependency graph ✅ Enable Dependabot alerts ✅ Enable Dependabot security updates ✅ Enable Secret scanning ✅ Enable Code scanning (CodeQL analysis) -
Basic Project Structure Create initial commit with:
/src /main/java/com/etec/security └── SecurityDemo.java /test/java/com/etec/security └── SecurityDemoTest.java /docs └── README.md pom.xml (or build.gradle)
Phase 2: Team Invitation and RBAC (8 minutos)
Student A (Owner): Configure Team Access
-
Invite Collaborators (Settings → Manage access)
Student B: Role = Maintainer - Permissions: Write + Admin on branches - Can merge PRs, create releases Student C: Role = Developer - Permissions: Write to feature branches - Can create PRs, cannot merge to main Student D: Role = Triage - Permissions: Read + review PRs - Can approve/comment, cannot push code -
Verify Team Setup
- Check each student receives invitation email
- Confirm everyone can access repository
- Test basic permissions before proceeding
All Students: Accept Invitations
- Accept GitHub invitation emails
- Clone repository locally:
git clone [repo-url] - Verify access level in GitHub interface
Phase 3: Branch Protection Implementation (7 minutos)
Student A (Owner): Configure Branch Protection
-
Main Branch Protection Rules
Settings → Branches → Add rule: Branch name pattern: main Protection Rules: ✅ Require pull request reviews before merging └── Required approving reviews: 1 └── Dismiss stale PR reviews when new commits are pushed └── Require review from code owners (if CODEOWNERS file exists) ✅ Require status checks to pass before merging └── Require branches to be up to date before merging └── Status checks (add when CI is configured): - continuous-integration/github-actions ✅ Require signed commits (optional) ✅ Require linear history ✅ Include administrators └── Apply rules to repository administrators ✅ Restrict pushes that create files larger than 100MB ✅ Allow force pushes: ❌ Never ✅ Allow deletions: ❌ Never -
Secondary Branch protection (if applicable)
Branch name pattern: develop Simplified Rules: ✅ Require pull request reviews: 1 ✅ Require status checks to pass ✅ Include administrators
Student B (Maintainer): Verify Merge Permissions
- Navigate to Settings → Branches
- Confirm ability to see protection rules
- Attempt to modify rules (should be blocked if not admin)
Phase 4: Testing and Validation (5 minutos)
All Students: Collaborative Testing Protocol
Test 1: Feature Branch Workflow
# Student C (Developer): Create feature branch
git checkout -b feature/login-security
echo "public class LoginSecurity { }" > src/main/java/LoginSecurity.java
git add . && git commit -m "Add basic login security class"
git push origin feature/login-security
# Create PR through GitHub interface
# Add Student D (Reviewer) as reviewerTest 2: Review and Approval Process
# Student D (Reviewer): Review the PR
# 1. Navigate to Pull Request
# 2. Review code changes
# 3. Add comments if needed
# 4. Approve the PR
# 5. CANNOT merge (test permission limit)
# Student B (Maintainer): Merge the PR
# 1. See approved PR
# 2. Click "Merge pull request"
# 3. Confirm merge to main
# 4. Delete feature branchTest 3: Direct Push Prevention
# Student C (Developer): Try direct push to main (should fail)
git checkout main
echo "// Direct change" >> README.md
git commit -am "Attempt direct commit to main"
git push origin main
# Expected: remote rejected (branch protection)Test 4: Admin Override
# Student A (Owner): Verify admin rules apply
git checkout main
echo "// Admin change" >> README.md
git commit -am "Admin direct commit attempt"
git push origin main
# Expected: remote rejected (Include administrators = true)📊 Validation Checklist
Each Group Must Verify:
✅ Repository Access:
- All 4 students can clone repository
- Appropriate permissions assigned per role
- GitHub interface shows correct access levels
✅ Branch Protection Working:
- Direct pushes to main branch blocked
- PR required for main branch changes
- Admin rules apply to repository owner
✅ Review Workflow:
- PRs require minimum 1 approval
- Reviewers can approve but not merge (Student D)
- Maintainers can merge approved PRs (Student B)
✅ Security Features:
- Secret scanning enabled and functional
- Dependency scanning running
- Audit log captures all activities🎯 Assessment Criteria
Technical Implementation (60%)
- RBAC Configuration: Roles properly assigned and functional
- Branch Protection: Main branch secured with appropriate rules
- Security Settings: All recommended security features enabled
- Workflow Testing: End-to-end PR process working correctly
Team Collaboration (25%)
- Communication: Clear coordination between role assignments
- Problem Solving: Effective troubleshooting when issues arise
- Process Adherence: Following security protocols during testing
- Peer Support: Helping team members understand their roles
Documentation & Reflection (15%)
- Process Recording: Documenting configuration steps taken
- Issue Tracking: Recording any problems encountered + solutions
- Learning Reflection: Understanding WHY each security measure matters
- Real-World Connection: Relating exercise to professional scenarios
💡 Troubleshooting Guide
Common Issues & Solutions:
Problem: Student invitations not received
Solution:
1. Check spam/junk email folders
2. Verify email address in GitHub account
3. Re-send invitation from repository settings
4. Use direct repository link + manual role assignment
Problem: Branch protection rules not working
Solution:
1. Verify rule applies to correct branch name (case-sensitive)
2. Check "Include administrators" setting if owner can still push
3. Wait 1-2 minutes for changes to propagate
4. Refresh browser and retry test
Problem: PR cannot be created
Solution:
1. Ensure feature branch is pushed to remote repository
2. Check that repository is accessible to all team members
3. Verify no conflicts exist with target branch
4. Try creating PR from different team member account
🚀 Extension Challenges
For Advanced Groups:
-
CI/CD Integration
- Add GitHub Actions workflow for automated testing
- Configure status checks integration with branch protection
- Implement automated security scanning in pipeline
-
Code Owners Implementation
- Create CODEOWNERS file with path-based reviewers
- Test automatic reviewer assignment based on file changes
- Implement mandatory review requirements for critical paths
-
Advanced Security Configuration
- Enable signed commits requirement and test GPG setup
- Configure custom security policies using GitHub Apps
- Implement dependency license checking and compliance reporting
🚨 Exercício 3: Incident Response Simulation
Duração: 20 minutos | Formato: Role-playing com cenário real
📋 Simulação de Incident Real
Você trabalha na FinTech SecurePay que processa pagamentos online. É terça-feira, 03:15 AM e o sistema de monitoramento detectou atividade suspeita no repositório crítico payment-gateway.
🚨 Alert Details
SECURITY ALERT: Suspicious Repository Activity
Repository: payment-gateway (CRITICAL SYSTEM)
Time: 2024-04-06 0323 UTC
Alert ID: SEC-2024-0406-001
Suspicious Activities Detected:
├── Commit Author: junior-dev-lucas@securepay.com
├── Unusual Time: 03:15 AM (normal hours: 0900)
├── Large Files Added: 47.3 MB in configuration directory
├── Modified Files:
│ ├── /config/database/production.yml (DB settings)
│ ├── /config/security/jwt-keys.json (Authentication keys)
│ ├── /config/payment/provider-config.xml (Payment APIs)
│ ├── /logs/system-backup.sql.gz (Database dump - NEW FILE)
│ └── /docs/internal/customer-data-sample.xlsx (Customer data - NEW FILE)
├── Commit Message: "Fixing urgent production issue - server down"
├── Branch: main (direct push, no PR)
└── Files Size: Exceeds normal commit size by 4700%
Additional Context:
- Lucas normally works 0900 (São Paulo timezone)
- This is his first time pushing to main branch directly
- No production issues reported by operations team
- Lucas was granted temporary admin access yesterday for emergency
- Company policy requires all production changes via PR + approval👥 Incident Response Team Roles
Student A - Incident Commander
Responsibilities:
- Coordinate overall incident response
- Make executive decisions on containment actions
- Communicate with stakeholders and management
- Ensure proper documentation and timeline tracking
Key Actions:
- Declare incident severity level
- Coordinate team activities and priorities
- Decide on immediate containment measures
- Authorize emergency procedures if needed
Tools Available:
- GitHub admin access
- Team communication channels
- Escalation contacts for CTO/CEO
- Incident management systemStudent B - Security Analyst
Responsibilities:
- Technical investigation of the security incident
- Assess data exposure and potential compromise
- Analyze commit contents and access patterns
- Provide technical recommendations to incident commander
Key Actions:
- Review suspicious commit in detail
- Check for exposed secrets or sensitive data
- Analyze user access history and patterns
- Assess potential timeline and methods of compromise
Tools Available:
- Repository access and audit logs
- Security scanning tools
- Threat intelligence databases
- Forensic analysis capabilitiesStudent C - DevOps Engineer
Responsibilities:
- Implement immediate technical containment
- Perform rollback operations if needed
- Secure affected systems and access points
- Restore secure state of infrastructure
Key Actions:
- Revoke suspicious user access immediately
- Investigate potential system compromise
- Implement emergency credential rotation
- Secure backup and recovery procedures
Tools Available:
- Production system access
- CI/CD pipeline controls
- Infrastructure management tools
- Backup and recovery systemsStudent D - Communications Manager
Responsibilities:
- Manage internal and external communications
- Document incident timeline and decisions
- Coordinate with legal, compliance, and PR teams
- Ensure regulatory reporting requirements are met
Key Actions:
- Create incident status reports for stakeholders
- Draft customer communication if data exposed
- Coordinate with legal team on breach notifications
- Document lessons learned and improvement recommendations
Tools Available:
- Internal communication systems
- Customer notification templates
- Legal and compliance contacts
- Public relations guidance📋 Incident Investigation Workflow
Phase 1: Initial Response (5 minutos)
All Roles: Immediate Assessment
-
Incident Commander declares incident severity:
Severity Assessment: - Critical: Customer data potentially exposed - High: Production system affected - Medium: Configuration changes made - Low: Minimal system impact -
Security Analyst performs rapid triage:
git log --oneline --since="24 hours ago" --author="lucas" git show [commit-hash] --name-only git diff HEAD~1 HEAD -- config/ -
DevOps Engineer implements immediate containment:
Immediate Actions: - Revoke lucas@securepay.com access tokens - Lock repository to prevent additional changes - Snapshot current system state - Activate incident response procedures -
Communications Manager begins documentation:
Incident Timeline: 03:15 AM: Suspicious commit detected 03:18 AM: Alert triggered and team notified 03:20 AM: Incident response team activated 03:22 AM: [Current time] - Investigation begins
Phase 2: Technical Investigation (8 minutos)
Security Analyst: Deep Dive Analysis
Examine the suspicious commit contents:
# Review added files for sensitive data
git show [commit] -- logs/system-backup.sql.gz
git show [commit] -- docs/internal/customer-data-sample.xlsx
# Check configuration changes
git diff HEAD~1 HEAD -- config/database/production.yml
git diff HEAD~1 HEAD -- config/security/jwt-keys.json
# Analyze file sizes and types
git ls-files --stage HEAD | grep -E "(backup|sample|customer)"Key Investigation Questions:
- Data Exposure: What sensitive data is included in new files?
- Configuration Changes: Are production secrets exposed?
- Access Pattern: Does this match Lucas’s normal behavior?
- System Impact: Are production systems potentially compromised?
DevOps Engineer: System Security Assessment
Infrastructure Checks:
Database Access:
- Review recent database connections
- Check for unusual query patterns
- Verify backup file authenticity
API Security:
- Rotate payment provider API keys
- Monitor recent API calls for anomalies
- Review authentication logs
System Monitoring:
- Check server access logs around incident time
- Monitor network traffic for data exfiltration
- Review user login patterns and sourcesPhase 3: Impact Assessment and Response (7 minutos)
All Team: Collaborative Decision Making
Impact Assessment Questions:
- Customer Data: How many customer records potentially exposed?
- Financial Systems: Are payment processing credentials compromised?
- Operational Impact: How long will containment affect normal operations?
- Regulatory Requirements: What compliance notifications are required?
- Reputational Risk: How should we communicate with customers and partners?
Response Strategy Development:
Immediate Actions (next 30 minutes):
Technical:
- [ ] Complete access revocation for affected accounts
- [ ] Rotate all potentially exposed credentials
- [ ] Revert commit with sensitive data
- [ ] Implement enhanced monitoring
Communication:
- [ ] Notify executive team of incident
- [ ] Prepare customer communication draft
- [ ] Alert legal team for breach protocol
- [ ] Document incident details for reporting
Short-term Actions (next 4 hours):
- [ ] Complete forensic analysis of compromised account
- [ ] Implement additional security controls
- [ ] Conduct team training on proper procedures
- [ ] Review and update incident response procedures🎯 Scenario-Specific Challenges
Plot Twist 1: Additional Discovery
After 10 minutes, team discovers:
New Evidence:
- Lucas's laptop was reported stolen yesterday evening
- VPN access logs show connection from unusual geographic location
- Multiple failed login attempts before successful access
- Similar incidents reported at other companies this weekQuestions:
- How does this change your assessment of the incident?
- What additional containment measures are needed?
- How should this affect customer communications?
Plot Twist 2: Executive Pressure
Communications Manager receives urgent call:
"CEO wants to know: Can we avoid notifying customers?
This could seriously damage our reputation and ongoing partnership deals.
Is there any way to handle this quietly?"
Ethical Considerations:
- What are the legal requirements for breach notification?
- How do you balance business concerns with customer trust?
- What’s the risk of NOT disclosing if later discovered?
📊 Incident Response Assessment
Team Performance Evaluation:
Coordination & Leadership (25%)
- Incident Commander: Clear decision-making and team coordination
- Role Clarity: Each team member understands and executes their role
- Communication: Effective information sharing between team members
- Time Management: Appropriate prioritization given limited time
Technical Investigation (25%)
- Evidence Gathering: Thorough analysis of commit contents and logs
- Impact Assessment: Accurate evaluation of potential data exposure
- Containment Actions: Appropriate immediate security measures
- System Knowledge: Understanding of security implications
Process Adherence (25%)
- Documentation: Proper incident timeline and decision recording
- Escalation: Appropriate involvement of stakeholders and management
- Communication: Clear status updates and stakeholder notification
- Compliance: Awareness of regulatory and legal requirements
Problem Solving (25%)
- Creative Investigation: Innovative approaches to evidence analysis
- Risk Assessment: Balanced evaluation of business vs security concerns
- Solution Development: Practical remediation and prevention strategies
- Learning Orientation: Identification of process improvements
📝 Deliverables
Each Team Must Produce:
-
Incident Summary Report (2-3 minutes presentation)
- Timeline of events and key discoveries
- Assessment of data exposure and system impact
- Immediate containment actions taken
- Recommendations for prevention
-
Technical Analysis Document
- Evidence collected from repository investigation
- Assessment of compromised credentials and access
- System security recommendations
- Forensic analysis summary
-
Communication Plan
- Stakeholder notification strategy
- Customer communication draft (if applicable)
- Regulatory reporting requirements
- Media/public response strategy
🎯 Success Criteria
Professional Quality Response:
- Systematic Investigation: Methodical evidence gathering and analysis
- Clear Communication: Professional documentation and reporting
- Ethical Decision Making: Balancing business needs with security obligations
- Learning Focus: Identifying improvements for future incident prevention
Technical Competency:
- Git Forensics: Effective use of version control investigation tools
- Security Assessment: Accurate evaluation of exposure and risk
- Containment Actions: Appropriate immediate response measures
- System Understanding: Clear comprehension of security implications
🔄 Exercício de Síntese: Integration Challenge
Duração: Tempo restante | Formato: Individual reflection + Group consolidation
🎯 Individual Reflection (5 minutos)
Professional Readiness Assessment:
Self-Assessment Questions:
Technical Skills:
- Can you configure RBAC for a real development team?
- Do you understand branch protection implementation?
- Are you comfortable investigating security incidents?
- Can you design security policies for collaborative development?
Professional Judgment:
- How would you advocate for security improvements in a resistant team?
- What's your approach to balancing productivity vs security requirements?
- How do you communicate security risks to non-technical stakeholders?
- When should you escalate security concerns to management?🌟 Real-World Application Planning
Career Preparation Questions:
-
Internship/Job Preparedness: What security practices would you implement in your first developer role?
-
Team Leadership: How would you introduce security governance to a team that’s never used it?
-
Professional Growth: What additional security skills should you develop for career advancement?
-
Industry Awareness: Which security certifications or training programs would complement this knowledge?
📚 Knowledge Consolidation
Core Concepts Mastered Today:
✅ RBAC Implementation:
- Role definition and assignment
- Permission boundaries and enforcement
- Access review and governance processes
✅ Repository Security:
- Branch protection configuration
- Code review workflows
- Audit trail management
✅ Incident Response:
- Investigation methodology
- Containment procedures
- Communication protocols
✅ Security Governance:
- Policy development
- Process enforcement
- Continuous improvement🚀 Next Steps and Connections
Preparation for Aula 06 - Testing Strategies:
- How do security practices integrate with automated testing?
- What security tests should be included in CI/CD pipelines?
- How do we ensure test environments maintain production security standards?
- What role does testing play in security incident prevention?
📊 Assessment Rubric - Summary
🎯 Overall Learning Outcomes Assessment
| Competency | Exemplar (4) | Proficient (3) | Developing (2) | Beginning (1) |
|---|---|---|---|---|
| RBAC Configuration | Implements complex role hierarchies with business justification | Correctly configures basic RBAC with appropriate permissions | Sets up roles with minor gaps, may need guidance | Struggles with role concept, requires significant support |
| Security Risk Assessment | Identifies all critical risks and provides innovative solutions | Recognizes most security vulnerabilities with practical fixes | Detects obvious security issues, basic solution awareness | Limited security risk understanding, reactive approach |
| Incident Response | Leads incident resolution with professional methodology | Contributes effectively to incident resolution process | Follows incident procedures adequately with guidance | Requires substantial direction for incident participation |
| Professional Communication | Presents technical security concepts clearly to all audiences | Communicates security findings effectively to technical peers | Basic communication skills, some clarity issues | Difficulty explaining security concepts professionally |
| Process Implementation | Designs comprehensive security workflows for team adoption | Creates functional security processes with clear procedures | Proposes simple process improvements with basic structure | Limited understanding of process design principles |
📈 Success Indicators
- 90%+ students demonstrate competency in RBAC configuration
- 100% groups successfully identify critical security vulnerabilities
- All students successfully complete hands-on repository security setup
- Professional confidence in security practices evidenced through role-playing
🛠️ Resources and Materials
🔗 Technical Resources
- GitHub Security Features Guide: docs.github.com/en/code-security
- Git Security Best Practices: git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work
- OWASP Secure Coding Practices: owasp.org/www-project-secure-coding-practices-quick-reference-guide
📋 Templates and Checklists
- Security Audit Checklist Template
- Incident Response Playbook Template
- RBAC Configuration Step-by-Step Guide
- Branch Protection Rules Quick Reference
🎯 Assessment Tools
- Peer Evaluation Forms for collaborative exercises
- Self-Assessment Questionnaires for competency tracking
- Professional Portfolio Templates for career preparation
📞 Support and Next Steps
🆘 Getting Help
Professor Office Hours: Terças e quintas, 19h00-19h30
Email: ricardo.pires@etec.sp.gov.br
Google Classroom: Async discussion and resource sharing
🔮 Coming Up
Aula 06 - Testing Strategies & Quality Assurance
Focus: Automated security testing, CI/CD integration, quality gates
Connection: Security governance + Testing automation
🌟 Professional Development
- Consider GitHub Security Certification
- Explore DevSecOps practices and tools
- Research industry security compliance requirements
- Build portfolio projects demonstrating security implementations