📚 Teacher's Guide - Lesson 05

User Access Control in Collaborative Development

Course: Systems Development II
Professor: Ricardo Pires
Date: 06/04/2026
Duration: 105 minutes


🎯 Pedagogical Overview

📋 Teaching Objectives

Primary Technical Competencies

  • RBAC (Role-Based Access Control): Configuration and management of roles/permissions
  • Repository Governance: Branch protection, security policies
  • Code Review Workflows: Approval processes, automated quality gates
  • Security Incident Response: Technical investigation of vulnerabilities

Behavioral Competencies

  • Collective Responsibility: Shared ownership of quality/security
  • Technical Communication: Clear articulation of risks and solutions
  • Technical Leadership: Implementation and enforcement of good practices
  • Critical Thinking: Assessment of risks and technical/business trade-offs

Professional Preparation

  • Industry Readiness: Universal DevSecOps practices
  • Compliance Awareness: Regulatory implications of security practices
  • Career Development: Portfolio building with demonstrations of security implementation

🔗 Curricular Continuity

Connection to Lesson 04 (Pair Programming)

  • Scope Expansion: Pair collaboration → enterprise teams
  • Sociotechnical Processes: Pair programming practices → Team governance
  • Quality Assurance: Peer review → Systematic code review processes

Preparation for Lesson 06 (Testing Strategies)

  • Security Testing: Automated vulnerability scanning in CI/CD
  • Quality Gates: Security requirements as part of the testing strategy
  • Compliance Testing: Validation of security policies through automation

📚 Theoretical Foundation

DevSecOps Philosophy

“Shift-left security”: integrating security practices from the start of the development lifecycle instead of treating security as an afterthought.

Collaborative Software Engineering

Conway’s Law applied: “Organizations produce systems whose design mirrors their communication structure”. Therefore, a proper governance structure produces better software architecture.

Risk Management Framework

CIA Triad: Confidentiality, Integrity, Availability as the foundation for all security decisions in development teams.


⏱️ Detailed Schedule with Guidance

🎬 Opening and Real Problem (15 minutes) - 0915

📊 Problem Scenario: The Bug That Stopped an E-commerce Site

⚙️ Teaching Strategy:

  • Emotional Hook: Start with a real story of financial impact
  • Perspective Taking: “What if it were you working there?”
  • Problem Framing: Have students identify the root cause before revealing it

🎯 Execution Guide:

Minute 0-3: Story Setup
- "Friday, 23:45. You are asleep..."
- "The BlueShop system with 50 thousand simultaneous users..."
- "Urgent e-mail on the CTO's phone..."

Minute 3-7: Interactive Investigation
- "What could have happened here?"
- Let students hypothesize before the reveal
- Guide toward access management issues

Minute 7-10: Root Cause Analysis
- Reveal full timeline of the former employee's access
- Show financial impact: R$ 50k loss
- "How do we prevent a similar situation?"

Minute 10-15: Learning Context Setting
- Connect to professional scenarios they'll face
- Preview today's practical solutions
- Set expectation for hands-on learning

🔧 Materials Needed:

  • Real incident news article or case study reference
  • Financial impact slide (visual impact)
  • Timeline visualization of incident progression

⚡ Common Student Reactions & Responses:

“This seems extreme/unrealistic”

Response: "93% of organizations experienced security breach in last 24 months.
Average cost: $4.45M USD. This is statistical reality, not edge case."

“Small companies don’t need this”

Response: "A startup with 5 developers needs RBAC more than an enterprise -
smaller team means each person has higher privilege level and blast radius."

“We’re just students, this isn’t relevant yet”

Response: "Your GitHub portfolio will be the first thing employers examine.
Professional security practices differentiate you from other candidates."

📚 Conceptual Foundation (25 minutes) - 0940

Block 1: RBAC in Development (10 minutes)

🎯 Learning Objectives:

  • Understand role hierarchy in development teams
  • Connect permission levels to business risks
  • Visualize permission escalation attack vectors

📋 Teaching Sequence:

Minutes 0-3: Interactive Role Definition

Ask students: "On a team of 8 developers, who should have admin access?"

Common answers:
- "Everyone" → Guide toward problems
- "Only seniors" → Good start, but incomplete
- "The lead" → Better, but what about emergencies?

Introduce systematic approach:
├── Contributor (external, open source)
├── Developer (internal, feature work)
├── Reviewer (senior, code quality focus)
├── Maintainer (release management)
└── Owner (admin, people management)

Minutes 3-7: Live GitHub Demo

  • Real Repository: Show actual GitHub enterprise organization
  • Permission Levels: Navigate through Settings → Manage access
  • Visual Learning: Let students see the interface before the theory
  • Example Scenarios: “What happens if a developer tries to…”

Minutes 7-10: Risk Assessment Discussion

Guided Questions:
1. "What's the blast radius if everyone has admin?"
2. "How quickly can you revoke access in an emergency?"
3. "Who can see audit trails of admin actions?"
4. "What happens during developer turnover?"

Real Examples:
- Show news articles of insider threats
- Discuss contractor vs employee access patterns
- Review typical enterprise org charts

Block 2: Branch Protection and Workflows (10 minutes)

🎯 Learning Objectives:

  • Visualize secure development workflow
  • Understand integration between tools and process
  • Connect technical controls to business outcomes

📋 Teaching Sequence:

Minutes 0-4: Workflow Visualization

Live Drawing (build progressively):

feature/login-security ──PR──> CI Checks ──> Code Review ──> main
                         │         │              │          │
                         │         ▼              ▼          ▼
                      [branch]  [tests]      [approval]   [deploy]
                     protected  required     mandatory    automated

Narration while drawing:

  • “Developer creates feature branch…” (draw 1st arrow)
  • “Automated tests must pass…” (add CI box)
  • “Human reviewer validates code…” (add review step)
  • “Only then merge to main…” (complete flow)

Minutes 4-8: GitHub Live Configuration Demo

Screen Share: settings → branches → add rule

Walk through each setting:
✅ "Require pull request reviews"
   → Explain: Why not direct commits?
✅ "Require status checks"
   → Show: Integration with CI systems
✅ "Include administrators"
   → Emphasize: Process applies to everyone
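
The three settings in this walkthrough can also be verified outside the UI. An added example (not part of the original guide): a Python check over a branch protection object in the shape returned by GitHub's REST API (`GET /repos/{owner}/{repo}/branches/{branch}/protection`). The function name `audit_branch_protection`, its `min_approvals` parameter and both sample payloads are constructed for this example.

```python
"""Check a branch protection rule for the three settings in the walkthrough.

Field names follow the GitHub REST API response for
GET /repos/{owner}/{repo}/branches/{branch}/protection.
Both payloads below are constructed for this example.
"""
import json


def audit_branch_protection(protection, min_approvals=1):
    """Return a list of findings; an empty list means all three controls are on."""
    if not protection:
        return ["branch has no protection rule at all"]
    findings = []

    # "Require pull request reviews": without it, changes can land unreviewed.
    reviews = protection.get("required_pull_request_reviews")
    if not reviews:
        findings.append("pull request reviews are not required")
    else:
        count = reviews.get("required_approving_review_count", 0)
        if count < min_approvals:
            findings.append(
                f"{count} approving review(s) required, expected at least {min_approvals}"
            )

    # "Require status checks": only gates merges on CI if a check is named.
    checks = protection.get("required_status_checks")
    if not checks:
        findings.append("status checks are not required")
    else:
        named = list(checks.get("contexts") or [])
        named += [c.get("context") for c in checks.get("checks") or []]
        if not named:
            findings.append("status checks are required but no check is selected")

    # "Include administrators": exposed by the API as enforce_admins.enabled.
    if not (protection.get("enforce_admins") or {}).get("enabled", False):
        findings.append("administrators can bypass the rule")

    return findings


# Constructed sample: a rule exists, but only as an empty shell.
WEAK_RULE = json.loads("""
{
  "required_status_checks": {"strict": false, "contexts": [], "checks": []},
  "enforce_admins": {"enabled": false}
}
""")

# Constructed sample: the three settings from the demo are all enabled.
STRONG_RULE = json.loads("""
{
  "required_pull_request_reviews": {"required_approving_review_count": 1},
  "required_status_checks": {"strict": true, "contexts": ["ci/tests"], "checks": []},
  "enforce_admins": {"enabled": true}
}
""")

if __name__ == "__main__":
    for name, rule in (("weak", WEAK_RULE), ("strong", STRONG_RULE)):
        print(name, audit_branch_protection(rule) or "OK")
```
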

Minutes 8-10: Real Scenario Discussion

"Company XYZ implements branch protection Friday afternoon.
Monday morning, urgent production bug needs immediate fix.
CEO pressures: 'Just push the fix directly!'"

Discussion Questions:
- How do you handle this pressure?
- What's emergency override process?
- How to maintain credibility of policies?

Block 3: Security Best Practices (5 minutes)

🎯 Learning Objectives:

  • Internalize security fundamentals that apply universally
  • Understand compliance implications
  • Recognize automation opportunities

📋 Teaching Sequence:

Minutes 0-2: MFA & Access Management

Quick Poll: "Who uses 2FA on personal accounts?"
- GitHub accounts
- Instagram/social media
- Banking apps

"Professional development = professional security standards"

Minutes 2-4: Secrets Management Reality

Show Common Mistakes (use sanitized examples):
❌ AWS keys committed to public repository
❌ Database passwords in config files
❌ API tokens in JavaScript frontend files

Cost of each mistake:
- AWS: Potential $thousands in bill
- Database: Customer data exposure
- API: Service compromise & reputation damage
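
Each of the three mistakes above can be caught before a commit lands. An added example (not part of the original guide): a small Python scanner with one rule per mistake, run over constructed file contents. `scan_files`, the rule names and the patterns are assumptions of this example; the AWS value is the example key ID used in AWS documentation.

```python
"""Scan file contents for the three mistakes listed above (one rule each).

All file paths and contents in SAMPLE_REPO are constructed for this example.
"""
import re

# AWS access key IDs: a fixed prefix followed by 16 upper-case letters/digits.
AWS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# A password key with a literal value in a configuration file.
CONFIG_PASSWORD = re.compile(r"(?i)\b(?:password|passwd|pwd)\b\s*[:=]\s*(\S+)")
# A long string literal assigned to a token-like name in frontend code.
JS_TOKEN = re.compile(
    r"""(?i)\b\w*(?:token|api_?key|secret)\w*\s*[:=]\s*["']([A-Za-z0-9_\-]{16,})["']"""
)

CONFIG_SUFFIXES = (".properties", ".yml", ".yaml", ".env", ".ini")
FRONTEND_SUFFIXES = (".js", ".jsx", ".ts", ".tsx")


def is_placeholder(value):
    """True for values resolved at deploy time, e.g. ${DB_PASSWORD}."""
    value = value.strip("\"'")
    return value == "" or value.startswith(("${", "{{", "<"))


def scan_files(files):
    """files maps path -> text; returns a list of (path, line_number, rule)."""
    findings = []
    for path, content in files.items():
        for line_no, line in enumerate(content.splitlines(), start=1):
            # Rule 1: AWS keys are a problem in any file type.
            if AWS_KEY_ID.search(line):
                findings.append((path, line_no, "aws-access-key-id"))
            # Rule 2: literal passwords in config files (comment lines skipped).
            if path.endswith(CONFIG_SUFFIXES) and not line.lstrip().startswith("#"):
                match = CONFIG_PASSWORD.search(line)
                if match and not is_placeholder(match.group(1)):
                    findings.append((path, line_no, "config-password"))
            # Rule 3: tokens shipped to the browser in frontend source.
            if path.endswith(FRONTEND_SUFFIXES) and JS_TOKEN.search(line):
                findings.append((path, line_no, "frontend-api-token"))
    return findings


# Constructed repository snapshot: three mistakes and one correct config file.
SAMPLE_REPO = {
    "deploy/upload.py": (
        "import boto3\n"
        'key_id = "AKIAIOSFODNN7EXAMPLE"  # example key ID from AWS docs\n'
    ),
    "src/main/resources/application.properties": (
        "spring.datasource.url=jdbc:postgresql://db/vendas\n"
        "spring.datasource.password=constructed-Passw0rd\n"
    ),
    "src/main/resources/application-prod.properties": (
        "spring.datasource.password=${DB_PASSWORD}\n"
    ),
    "web/static/app.js": (
        'const apiToken = "tok_constructed_0123456789abcdef";\n'
        'fetch("/api/orders");\n'
    ),
}

if __name__ == "__main__":
    for path, line_no, rule in scan_files(SAMPLE_REPO):
        print(f"{path}:{line_no}: {rule}")
```

The production config file passes because its password is an environment reference rather than a literal, which is the corrected form of the second mistake.
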

Minutes 4-5: Audit Trail Importance

Real Question: "If incident happens Tuesday, how quickly can team determine:
- Who made what changes?
- When each action occurred?
- What was changed in each commit?
- Who approved each change?"

Professional Standard: Answer should be "immediately accessible"

🔧 Materials Needed:

  • Live GitHub organization access for demos
  • Sanitized examples of security incidents
  • Permission matrix template for visual explanation

💼 Exercise 1: Security Audit (20 minutes) - 0900

🎯 Pedagogical Objectives

Primary Goals:

  • Risk Assessment Skills: Systematic vulnerability identification
  • Business Context Understanding: Connect technical risks to financial/operational impact
  • Solution Design: Practical remediation planning within resource constraints
  • Professional Communication: Present findings in stakeholder-appropriate language

Hidden Learning Objectives:

  • Reality Check: Demonstrate how common these vulnerabilities are
  • Confidence Building: Show students can identify real problems
  • Team Dynamics: Practice collaborative problem solving
  • Time Management: Professional deadline pressure simulation

🔧 Facilitation Guide

Pre-Exercise Setup (Before class):

Repository Template Preparation:
  - Create "sistema-vendas" template repository
  - Intentionally configure with vulnerabilities listed
  - Add realistic business context (e-commerce platform)
  - Include fake but realistic commit history
  - Ensure all security issues are visible through GitHub interface

Minutes 0-2: Exercise Introduction

Context Setting:
"You are security consultants hired by TechSolutions.
CLIENT PAYS $5,000 for this audit.
COMPETITION: 3 consulting firms bidding for ongoing security contract.
YOUR TEAM: Reputation depends on thoroughness and professionalism."

Group Formation:
- 3-4 students per group
- Mixed skill levels per group
- Designate group roles (timekeeper, presenter, note-taker, analyst)

Minutes 2-15: Active Facilitation

Instructor Behavior:
  - Walk between groups every 2-3 minutes
  - Listen for understanding gaps, provide targeted hints
  - Ask probing questions: "What's the business impact of this?"
  - Encourage deeper analysis: "What's the likelihood of exploitation?"
  - Time management: "5 minutes remaining, focus on the top 3 critical"
 
Common Student Struggles & Interventions:
  Bug: Students focus only on technical details
  Fix: "How do you communicate this to a non-technical CEO?"
 
  Bug: Groups overwhelmed by too many details
  Fix: "Start with highest probability × impact. Ignore minor issues."
 
  Bug: Solutions too abstract or expensive
  Fix: "What can be implemented today with the existing team?"

Minutes 15-17: Group Presentations

Presentation Structure (enforce timing):
- 2 minutes maximum per group
- 1 minute: Top 3 critical risks WITH business impact
- 1 minute: Most important recommended action

Instructor Role During Presentations:
- Ask clarifying questions: "How did you prioritize these?"
- Connect to real examples: "Company Y experienced exactly this..."
- Build on good answers: "Excellent observation about access reviews..."

Minutes 17-20: Synthesis & Professional Connection

Key Teaching Moments:
- Highlight commonalities across group findings
- Share industry statistics about identified vulnerabilities
- Connect exercise to career preparation: "These skills differentiate you..."
- Preview next exercise: "Now we'll implement the solutions you identified"

🎯 Assessment During Exercise

What to Look For:

Exceeding Expectations:
  - Groups identify all major vulnerabilities plus additional concerns
  - Solutions include cost-benefit analysis
  - Business impact quantified realistically
  - Presentation professional quality
 
Meeting Expectations:
  - Major risks identified correctly
  - Solutions practical and feasible
  - Clear understanding of priorities
  - Effective group collaboration
 
Below Expectations:
  - Missing obvious vulnerabilities
  - Solutions unrealistic or too vague
  - Little consideration of business context
  - Poor group coordination

Real-Time Feedback Opportunities:

During Group Work:
  "Great observation about MFA. How would you enforce that?"
  "Good start. What's the financial risk if this happens?"
  "Interesting solution. What's the implementation timeline?"
 
During Presentations:
  "Excellent prioritization. Real consultants use same approach."
  "Good technical analysis. Executive summary would strengthen this."
  "Creative solution. Has anyone seen this implemented?"

⚡ Break (10 minutes) - 1010

🎯 Strategic Break Management

Learning Consolidation During Break:

Passive Learning Opportunities:
  - Display GitHub security statistics on projector
  - Background music: subtle, professional
  - Leave previous exercise results visible
  - Resource links available in shared document
 
Professor Availability:
  - Answer individual questions about concepts
  - Help troubleshoot GitHub account access issues
  - Preview next exercise for early returners
  - Address confidence concerns privately

🛠️ Exercise 2: RBAC Configuration (25 minutes) - 1035

🎯 Pedagogical Design Philosophy

Core Learning Theory Applied:

  • Constructivist Learning: Students build understanding through direct configuration experience
  • Social Learning: Peer collaboration in realistic role demonstrations
  • Authentic Assessment: Real-world tools with professional consequences
  • Transfer Learning: Skills readily applicable to any Git platform

Differentiated Instruction Approach:

  • Beginner Support: Step-by-step guides available
  • Advanced Challenges: Optional complex scenarios
  • Learning Styles: Visual (GitHub UI), kinesthetic (hands-on config), auditory (peer explanation)

🔧 Detailed Facilitation Protocol

Pre-Exercise Preparation (Day before class):

Technical Requirements Validation:
  - Test all lab computers have GitHub access
  - Verify student GitHub accounts functional
  - Prepare backup accounts for students without access
  - Create shared Google Doc with group assignments
  - Test repository template accessibility
 
Backup Plans Ready:
  - Offline Git demo if GitHub inaccessible
  - Printed screenshots if projection fails
  - Alternative group formation strategy
  - Extended time allocation if technical delays occur

Minutes 0-3: Role Assignment & Context Setting

Instructor Script:
"You're now employees at different levels in TechStartup Company.
Each role has different responsibilities and risks.
OWNER: You're accountable to investors for security
MAINTAINER: You manage releases that affect customers
DEVELOPER: You write features that generate revenue
REVIEWER: You protect company from code defects

This isn't just exercise - this mirrors real job responsibilities."

Group Formation Strategy:
- Pre-assign roles to ensure skill diversity
- Mix experience levels within each group
- Rotate leadership responsibilities
- Ensure each group has a confident GitHub user

Minutes 3-8: Repository Creation & Initial Setup

Instructor Role:
  - Circulate constantly during this phase
  - Repository creation is blocking step - ensure no one stuck
  - Verify each OWNER successfully creates repository
  - Help troubleshoot invitation/permission issues immediately
  - Monitor progress via shared tracking document
 
Common Issues & Quick Solutions:
  Issue: Student can't create repository
  Fix: Check account verification, repository limit, organization membership
 
  Issue: Invitations not received
  Fix: Check spam folder, verify email address, re-send invitation
 
  Issue: Permission settings confusing
  Fix: Walk through Settings → Manage Access screen-by-screen

Minutes 8-15: RBAC Configuration Deep Dive

Teaching Approach:
  - OWNER students lead configuration while others observe
  - Pause every 2-3 minutes for explanation to whole class
  - "What does this setting accomplish?"
  - "Why is this important in a real company?"
  - "What could happen if we skip this?"
 
Critical Learning Checkpoints:
  Minute 10: Verify all groups have basic RBAC configured
  Minute 12: Check branch protection rules properly set
  Minute 14: Ensure testing workflow ready for next phase
 
Instructor Interventions:
  - Help struggling groups catch up
  - Provide advanced challenges for fast groups
  - Connect configuration choices to previous audit exercise
  - Share real examples from industry experience

Minutes 15-20: Branch Protection Configuration

Advanced Teaching Strategy:
  - Students explain each setting to their group before enabling
  - Connect each rule to specific risk from previous exercise
  - Test settings immediately after configuration
  - Demonstrate "what happens if..." scenarios live
 
Key Teaching Moments:
  "Include Administrators" setting:
    "In real companies, CTOs sometimes press for emergency overrides.
    This setting ensures even executives follow process."
 
  "Require status checks":
    "Automated testing catches bugs before human reviewers waste time.
    Also ensures quality standards regardless of reviewer expertise."
 
  "Required approvals":
    "Fresh eyes catch problems that the original developer misses.
    Also spreads knowledge across team members."

Minutes 20-25: Testing & Validation

Structured Testing Protocol:
  1. DEVELOPER attempts direct commit to main (should fail)
  2. REVIEWER tries to merge without approval (should fail)
  3. Complete workflow: feature branch → PR → review → merge
  4. Verify audit trail captures all activities
 
Learning Assessment Questions:
  "What happens when you try to push directly?"
  "How does this feel different from individual development?"
  "What would you change about this process?"
  "How might this slow down or speed up development?"
 
Celebration of Success:
  - Acknowledge groups that complete configuration
  - Highlight creative solutions or good questions
  - Connect successful implementation to professional readiness
  - Preview how this foundation enables advanced DevOps practices

🎯 Real-Time Assessment Indicators

Green Flags (Learning progressing well):

Technical Indicators:
  - Groups completing setup within time allocated
  - Students explaining settings in their own words
  - Successful testing of permission boundaries
  - Questions about advanced configurations
 
Collaborative Indicators:
  - Effective role differentiation within groups
  - Peer teaching and problem-solving
  - Constructive discussion about trade-offs
  - Helping other groups without being asked

Yellow Flags (Need instructor intervention):

Technical Issues:
  - Multiple groups stuck on same setup step
  - GitHub access or permission problems
  - Confusion about interface navigation
  - Testing not producing expected results
 
Learning Issues:
  - Students skipping explanation for speed
  - Focus on task completion rather than understanding
  - Limited discussion about WHY each setting matters
  - Incorrect assumptions about security implications

Red Flags (Major course correction needed):

Systemic Problems:
  - > 50% of groups unable to complete basic setup
  - Fundamental misunderstanding of RBAC concepts
  - Students disengaged or frustrated with technology
  - Time management significantly off schedule
 
Recovery Strategies:
  - Pause for whole-group clarification
  - Shift to demonstration mode temporarily
  - Pair struggling groups with successful ones
  - Extended guided practice instead of independent work

🚨 Exercise 3: Incident Response Simulation (20 minutes) - 1055

🎯 Advanced Pedagogical Objectives

Primary Skills Development:

  • Crisis Management: Decision-making under pressure and uncertainty
  • Collaborative Problem Solving: Coordinated team response to complex scenarios
  • Professional Communication: Stakeholder management during high-stress situations
  • Systems Thinking: Understanding interconnections between technical, business, and human factors

Meta-Learning Objectives:

  • Perspective Taking: Understanding different organizational roles and responsibilities
  • Ethical Reasoning: Balancing competing concerns (business, customer, legal, technical)
  • Professional Identity: Experiencing decision-making authority and accountability
  • Resilience Building: Managing ambiguity and incomplete information

🔧 Sophisticated Facilitation Approach

Pre-Exercise Atmosphere Creation:

Environmental Design:
  - Dim lighting slightly to create urgency atmosphere
  - Display incident timeline on projected countdown timer
  - Background stress: low-level productivity music
  - Remove distractions: close unnecessary browser tabs
 
Psychological Preparation:
  "Real incidents create stress, uncertainty, blame pressure.
  Professional responders stay calm, systematic, communicative.
  Today you'll practice those skills in a safe environment."

Minutes 0-3: Immersive Scenario Introduction

Narrative Technique: "3:15 AM. Your phone buzzes. Work critical alert.
  Heart rate increases. Mind starts racing.
  Roll out of bed, grab laptop, log into systems.
  Worse than you thought..."
 
Role Immersion:
  - Call each student by their role title during exercise
  - "Incident Commander, what's your first decision?"
  - "Security Analyst, walk us through your findings"
  - Create urgency through time pressure and realistic consequences
 
Stakes Establishment: "Real company, real money, real customers affected.
  Your decisions today impact thousands of people.
  Performance during crisis defines professional reputation."

Minutes 3-10: Structured Crisis Response

Facilitation Protocol:
  - Enforce role boundaries: "Developers implement, analysts investigate"
  - Time pressure realistic: "You have 2 minutes to decide"
  - Information control: Reveal details progressively, simulate uncertainty
  - Decision forcing: "Commander, we need your call now"
 
Teaching Through Character:
  As Students Work, Instructor Plays:
  - Stressed CEO asking for status updates
  - Customer calling about payment failures
  - Legal counsel asking about breach notification requirements
  - Board member questioning why incident occurred
 
Socratic Questioning During Crisis:
  "How confident are you in that assessment?"
  "What information would change your decision?"
  "Who else should be involved in this call?"
  "What's our communication to customers?"

Minutes 10-17: Plot Twist & Escalation

Scenario Evolution: "New development: This isn't isolated incident.
  Similar attacks reported at 3 other fintech companies.
  Coordinated attack campaign."
 
Advanced Challenge Questions:
  - Does this change your incident classification?
  - Should you coordinate with other affected companies?
  - What additional resources should be activated?
  - How does this affect customer communication strategy?
 
Learning Assessment Insert: "Pause scenario. In real company, what happens next?
  Who makes decisions about external coordination?
  What legal constraints apply to information sharing?"

Minutes 17-20: Resolution & Professional Debrief

Incident Conclusion:
  "All groups handled exercise professionally.
  No real incident resolution is ever perfect.
  Success measured by learning and improvement."
 
Meta-Learning Reflection:
  "How did stress affect your decision quality?"
  "What information did you wish you had?"
  "When would you escalate vs. handle independently?"
  "What backup person/process would you want available?"
 
Professional Development Connection:
  "Incident response skills transfer across all technical roles.
  Database failures, network outages, security breaches...
  Systematic thinking and communication under pressure = career differentiator."

🎯 Assessment Through Observation

Leadership Indicators:

Incident Commander Assessment:
  - Clear decision-making despite uncertainty
  - Effective coordination of team resources
  - Appropriate stakeholder communication
  - Time management under pressure
 
Security Analyst Assessment:
  - Systematic investigation methodology
  - Appropriate risk assessment and prioritization
  - Clear technical communication to non-technical roles
  - Evidence-based recommendations
 
DevOps Engineer Assessment:
  - Practical containment actions
  - Understanding of technical trade-offs
  - Coordination between security and operational requirements
  - Focus on restoration with learning
 
Communications Manager Assessment:
  - Stakeholder awareness and empathy
  - Clear written and verbal communication
  - Understanding of legal/business implications
  - Crisis messaging that builds confidence

Professional Qualities Observed:

Technical Competence:
  - Systematic approach to problem-solving
  - Appropriate use of available tools and information
  - Recognition of knowledge limits
  - Willingness to seek expert input when needed
 
Professional Judgment:
  - Balance of speed vs. thoroughness
  - Consideration of multiple stakeholder perspectives
  - Ethical decision-making under pressure
  - Learning orientation during crisis
 
Communication Skills:
  - Clear articulation of complex technical issues
  - Adaptation of message for different audiences
  - Active listening and collaboration
  - Documentation during high-stress situations

📊 Synthesis and Assessment (10 minutes) - 1005

🎯 Learning Consolidation Strategy

Cognitive Science Application:

  • Spaced Retrieval: Review concepts from different angles
  • Elaboration: Connect new learning to existing professional knowledge
  • Interleaved Practice: Mix review of different skill areas
  • Metacognition: Explicit reflection about learning process

🔧 Systematic Synthesis Approach

Minutes 0-4: Rapid Knowledge Validation

Interactive Quiz Format:
  Question 1: "What is the minimum level of approval needed for a critical merge?"
  Teaching Method: Ask individuals rather than whole group
  Assessment Goal: Verify understanding of branch protection implementation
 
  Question 2: "How do you detect the compromise of a developer account?"
  Teaching Method: Build comprehensive answer collaboratively
  Assessment Goal: Integration of audit trail concepts
 
  Question 3: "What evidence creates adequate audit trail?"
  Teaching Method: Connect to previous exercises
  Assessment Goal: Professional application readiness
 
  Question 4: "When should access permissions be reviewed?"
  Teaching Method: Scenario-based application
  Assessment Goal: Ongoing governance understanding

Minutes 4-7: Professional Application Bridge

Career Readiness Discussion:
  "In 6 months, you start an internship/job. Day 1, existing code repository.
  How do you assess current security practices?"
 
  Learning Transfer Questions:
  - Which tools you've seen today apply universally? (Git, any platform)
  - What conversation would you have with your manager about security improvements?
  - How do you advocate for better practices without criticizing existing team?
  - What personal habits will you maintain because of today's learning?
 
Professional Portfolio Development:
  "Potential employers will examine your GitHub.
  Which practices you implement in personal projects demonstrate professional readiness?"

Minutes 7-10: Forward-Looking Integration

Lesson 06 Connection Preview:
  "Next week: Testing strategies. How does security governance integrate?
  - Security tests in CI/CD pipelines
  - Automated compliance verification
  - Quality gates that include security requirements
  - Test environment security standards"
 
Industry Preparation:
  "Beyond this course: What additional learning supports your security career goals?
  - Professional certifications (Security+, CISSP, GSEC)
  - Advanced tooling (Vault, SIEM systems, vulnerability scanners)
  - Compliance frameworks (SOX, GDPR, LGPD, ISO 27001)
  - DevSecOps specialization paths"
 
Confidence Building:
  "You've demonstrated professional-level security thinking today.
  Companies hire junior developers WHO understand security governance.
  This knowledge differentiates you in a competitive job market."

🎯 Assessment Philosophy & Implementation

📊 Multi-Dimensional Assessment Framework

Formative Assessment (During Learning)

Real-Time Learning Indicators:

Technical Skill Demonstration:
  - Successfully configure RBAC roles within time constraints
  - Effectively explain security settings to peers
  - Troubleshoot permission issues independently
  - Apply branch protection rules appropriately
 
Collaborative Excellence:
  - Contribute meaningfully to group audit findings
  - Support peers during technical challenges
  - Facilitate effective communication in incident response
  - Share insights that enhance group understanding
 
Professional Mindset:
  - Connect technical implementations to business outcomes
  - Demonstrate ethical reasoning during crisis scenarios
  - Communicate complex security concepts clearly
  - Show awareness of stakeholder perspectives

Continuous Feedback Protocol:

Every 10-15 Minutes:
  - Circulate among groups, observe specific skills
  - Provide targeted praise: "Excellent risk prioritization"
  - Ask probing questions: "How would this affect customers?"
  - Offer specific suggestions: "Also consider access review frequency"
 
Documentation Practice:
  - Take brief notes about individual standout moments
  - Record common misconceptions for future course improvement
  - Note which students demonstrate leadership potential
  - Track skill gaps that need additional attention

Summative Assessment (End of Learning)

Portfolio Evidence Collection:

Practical Artifacts:
  - Screenshot documentation of security configuration
  - Written audit report with business impact analysis
  - Incident response timeline and decision rationale
  - Reflection essay about professional application
 
Live Demonstration:
  - Role-playing evidence of crisis management skills
  - Peer teaching moments during group exercises
  - Creative solutions proposed during problem-solving
  - Questions asked that demonstrate deep thinking

Professional Competency Validation:

Technical Proficiency Indicators:
  ✅ Configure complete RBAC system independently
  ✅ Explain security trade-offs to non-technical audience
  ✅ Identify critical security vulnerabilities systematically
  ✅ Design incident response procedures appropriately
 
Career Readiness Indicators:
  ✅ Articulate security principles in job interview language
  ✅ Advocate for security improvements professionally
  ✅ Balance business priorities with technical constraints
  ✅ Learn new security tools efficiently

🏆 Excellence Recognition Framework

Exceeding Expectations Indicators:

Technical Innovation:

Advanced Applications:
  - Propose additional security measures beyond exercise requirements
  - Connect multiple security concepts in innovative integrated solutions
  - Demonstrate familiarity with enterprise security tools
  - Design scalable governance procedures
 
Teaching & Leadership:
  - Mentor peers effectively during technical challenges
  - Present complex ideas clearly in role-playing exercises
  - Facilitate productive group decision-making
  - Ask questions that advance entire class understanding

Self-Directed Learning:

Professional Initiative:
  - Research additional security resources independently
  - Connect course content to current security news/events
  - Propose real project applications of learned skills
  - Seek additional challenges beyond core requirements
 
Career Development:
  - Articulate clear professional development goals related to security
  - Begin implementing learned practices in personal projects
  - Explore security certification requirements independently
  - Network with security professionals beyond class environment

🛠️ Resource Management & Technical Setup

📋 Pre-Class Preparation Checklist

Technology Infrastructure (Complete 24-48 hours before class):

GitHub Environment:
  ✅ Test cada lab computer: GitHub access functional
  ✅ Verify student account status: email confirmation completed
  ✅ Create template repositories com intentional vulnerabilities
  ✅ Configure backup instructor accounts for troubleshooting
  ✅ Document URLs e access credentials em secure location
 
Repository Templates:
  ✅ "sistema-vendas" template: all vulnerabilities realistic and visible
  ✅ Basic Java Spring Boot structure for RBAC exercise
  ✅ README files with clear business context
  ✅ Realistic commit history with varied authors
  ✅ Sample data files (appropriately sanitized)
 
Backup Technology Plans:
  ✅ Offline Git repositories configured if the internet fails
  ✅ Printed screenshots available for UI-dependent demonstrations
  ✅ Local network backup if public GitHub is inaccessible
  ✅ Alternative group formation strategy if tech issues limit class size

Physical Environment (Day of class setup):

Room Setup:
  ✅ Projector/screen tested with GitHub interface clearly visible
  ✅ Network connectivity verified from instructor machine
  ✅ Audio level appropriate for 105-minute session
  ✅ Room temperature comfortable for focused technical work
  ✅ Lighting adequate for screen reading and note-taking
 
Materials Distribution:
  ✅ Role cards printed for incident response exercise
  ✅ Security audit templates available (printed backup)
  ✅ Quick reference guides prepared for Git commands
  ✅ Incident scenario details printed for distribution
  ✅ Assessment rubrics accessible to instructor during class

⚡ Contingency Protocols

Technology Failure Scenarios:

Scenario 1: GitHub Completely Inaccessible

Immediate Adaptation (5-minute pivot):
  - Switch to conceptual focus using printed screenshots
  - Increase discussion time about real-world applications
  - Use local Git repositories for basic workflow demonstration
  - Extend incident response role-playing to compensate for lost hands-on time
 
Preserving Learning Objectives:
  - RBAC concepts demonstrated through visual role-playing
  - Security audit conducted on printed repository examples
  - Branch protection logic explained through diagram progression
  - Professional application discussion substitutes for technical configuration

Scenario 2: Partial GitHub Access (Some Students Blocked)

Adaptive Grouping (2-minute adjustment):
  - Pair programming approach: 2 students per account
  - Advanced students mentor those with access issues
  - Repository sharing: groups work in shared repositories
  - Extended peer teaching opportunities
 
Maintain Equity:
  - Ensure all students experience hands-on configuration
  - Rotate account access so each student leads configuration
  - Document alternative access paths for disadvantaged students
  - Schedule follow-up support for missed experiences

Pedagogical Adjustment Scenarios:

Scenario 1: Class Running Behind Schedule

Priority Preservation (adjust without eliminating core learning):
  - Combine audit exercise presentation with individual group feedback
  - Streamline RBAC configuration: focus on essential settings only
  - Truncate incident response: shorter scenario, same learning objectives
  - Extend synthesis reflection as homework assignment
 
Non-Negotiable Learning Elements:
  ✅ RBAC hands-on experience for every student
  ✅ Security risk assessment skill development
  ✅ Professional application connection
  ✅ Confidence building through successful technical implementation

Scenario 2: Class Ahead of Schedule

Enrichment Opportunities (add value without overwhelming):
  - Advanced GitHub enterprise features demonstration
  - Guest speaker via video call: industry security professional
  - Additional incident response scenarios with ethical complexity
  - Extended portfolio development guidance
 
Depth Enhancement:
  - More sophisticated branch protection rules exploration
  - Integration with CI/CD systems preview
  - Security compliance framework introduction
  - Professional certification pathway guidance

📞 Support Networks

During Class Support:

Technical Assistance Hierarchy:
  1. Instructor primary support for pedagogical and complex technical issues
  2. Advanced students peer mentoring for basic navigation
  3. IT support contact available for infrastructure failures
  4. Educational technology support emergency contact
 
Learning Support Network:
  1. Small group peer assistance encouraged and structured
  2. Instructor individual conferences during hands-on work
  3. Google Classroom monitoring for questions emerging outside class time
  4. Office hours availability for continued technical support

Post-Class Follow-Up:

Immediate (same day):
  - Technical issue documentation sent to IT support
  - Student success tracking updated based on class observations
  - Resource links shared in Google Classroom
  - Individual outreach to students who struggled during exercises
 
Short-term (within 1 week):
  - Follow-up technical support workshops for students who need additional practice
  - Advanced challenges shared for students eager for extension work
  - Portfolio development guidance during office hours
  - Connection to internship/job opportunities that value security skills

🔧 Student Success Interventions

🎯 Differentiated Support Strategies

For Beginning Students:

Recognition Signs:

Technical Indicators:
  - Struggle with GitHub interface navigation
  - Confusion about relationship between Git and GitHub
  - Feeling overwhelmed by multiple security concepts at once
  - Limited familiarity with professional software development terminology
 
Behavioral Indicators:
  - Hesitation to participate in group discussions
  - Following rather than contributing during group exercises
  - Asking for step-by-step confirmation before taking actions
  - Difficulty connecting security concepts to business implications

Targeted Support Interventions:

Technical Scaffolding:
  - Pair with advanced students for hands-on exercises
  - Provide simplified configuration checklist with screenshots
  - Break complex tasks into smaller, sequential steps
  - Additional examples and analogies to make concepts concrete
 
Confidence Building:
  - Recognize contributions publicly: "Great observation about access reviews"
  - Assign specific, achievable roles in group exercises
  - Connect current learning to successful previous experiences
  - Provide additional practice resources for continued learning
 
Social Support:
  - Facilitate connections with peers for continued collaboration
  - Encourage questions through modeling: "Great question, others probably wonder that too"
  - Create safe spaces for experimentation: "Mistakes here help us all learn"
  - Emphasize journey rather than destination: "You're developing professional skills"

For Advanced Students:

Recognition Signs:

Technical Indicators:
  - Rapid completion of configuration exercises
  - Questions about enterprise-level features or edge cases
  - Independent exploration of advanced GitHub settings during exercises
  - Prior experience with security tools or concepts
 
Leadership Indicators:
  - Natural mentoring behavior toward peers during technical challenges
  - Bridging connections between exercise content and real-world applications
  - Synthesizing complex concepts in clear, accessible explanations
  - Proposing creative solutions that extend beyond exercise requirements

Enrichment Opportunities:

Technical Challenges:
  - Advanced GitHub enterprise features exploration
  - Integration experiments between security tools and CI/CD
  - Research assignments about emerging security threats
  - Prototype development for enhanced security configurations
 
Leadership Development:
  - Peer mentoring responsibilities during group exercises
  - Presentation opportunities for sharing advanced knowledge
  - Connection with professional security communities
  - Real project application opportunities with instructor guidance
 
Professional Preparation:
  - Networking introduction to security professionals in local industry
  - Guidance about security certification paths and professional development
  - Portfolio development beyond course requirements
  - Intern/job opportunity connections through instructor networking

💡 Creative Problem-Solving for Common Challenges

Challenge: Students Overwhelmed by Technical Complexity

Immediate Response:

Simplification Strategy:
  - Focus on one core concept per exercise segment
  - Use familiar analogies: house keys/locks for access control
  - Break each configuration step into separate, distinct decisions
  - Celebrate small successes to build momentum
 
Cognitive Load Management:
  - Provide visual aids for complex workflows
  - Use consistent terminology throughout exercises
  - Connect each new concept to previous learning explicitly
  - Allow processing time before moving to next concept

Long-term Development:

Skill Building Progression:
  - Additional practice opportunities outside class time
  - Simplified practice laboratories for continued exploration
  - Connection to computer programming concepts when applicable
  - Gradual sophistication increase throughout remaining course sessions

Challenge: Students Question Relevance of Security Practices

Professional Context Enhancement:

Real-world Connection:
  - Industry statistics about security breaches and financial impact
  - Guest speaker case studies from recent graduate professional experiences
  - News article discussion about security incidents in familiar companies
  - Portfolio development guidance showing security knowledge as competitive advantage
 
Career Development Focus:
  - Job posting analysis showing security skills in demand
  - Salary statistics for security-aware developers vs. general developers
  - Progression path illustrations from junior developer to senior technical roles
  - Professional networking opportunities explicitly connected to security knowledge

Challenge: Mixed Technical Experience Levels Create Group Dynamic Issues

Inclusive Group Management:

Structured Role Rotation:
  - Ensure each student leads technical configuration during some portion
  - Assign specific expertise areas: research, communication, implementation, validation
  - Build in peer teaching requirements so advanced students practice explaining
  - Create success criteria that value different types of contribution
 
Skill Recognition Diversity:
  - Celebrate different expertise types: technical, communication, business, creative
  - Assessment that recognizes collaboration quality beyond technical proficiency
  - Multiple success paths: innovation, mentoring, thoroughness, creativity
  - Portfolio development that showcases individual strengths in team context

📈 Course Integration & Continuity

🔗 Curriculum Connection Map

Backward Design Integration:

Final Course Outcomes Supported by Aula 05:

Professional Readiness Portfolio:
  - Security governance implementation demonstrable on GitHub
  - Incident response experience documented in a reflective essay
  - Collaborative development process knowledge evidenced through peer feedback
  - Professional communication skills demonstrated during crisis simulation
 
Technical Competency Validation:
  - RBAC configuration competency transferable to any Git platform
  - Security risk assessment methodology applicable across domains
  - Code review process understanding essential for collaborative development
  - Version control governance knowledge foundational for DevOps practices

Forward Design Integration:

Aula 06 - Testing Strategies (Next Week) Preparation:

Direct Connections:
  - Security governance provides foundation for automated security testing
  - Branch protection requires status checks that integrate with CI/CD testing
  - Code review processes incorporate automated test results
  - Incident response experience informs testing strategy development
 
Prerequisite Skills Confirmed:
  ✅ Git workflow understanding
  ✅ Repository management competency
  ✅ Collaborative development process familiarity
  ✅ Professional project management awareness
 
Preparatory Concepts Introduced:
  - CI/CD pipeline integration points
  - Automated quality gate implementation
  - Testing governance for security compliance
  - Integration testing in development workflows

Aula 06 Opening Integration Strategy:

Session Opening (5 minutes):
  "Last week you configured security governance.
  Today you'll automate enforcement through testing.
  QUESTION: How do we verify security policies are being followed?"
 
  BRIDGE: Manual review → Automated verification
  TOOLS: GitHub branch protection → CI/CD testing integration
  OUTCOME: Complex project with multiple quality gates functioning together

🎯 Professional Development Trajectory

Career Preparation Progression:

Post-Aula 05 Professional Capabilities:

Immediate Job Interview Assets:
  - Demonstrate GitHub portfolio with professional security practices
  - Articulate RBAC implementation experience during technical interviews
  - Explain incident response experience in behavioral interview scenarios
  - Show understanding of collaborative development security challenges
 
Internship/Entry-level Job Performance:
  - Contribute immediately to team security discussions
  - Configure repository security settings independently
  - Participate effectively in incident response procedures
  - Advocate appropriately for security improvements in existing projects
 
Mid-term Career Development Foundation:
  - Technical leadership track: project security governance
  - Security specialization track: DevSecOps engineer progression
  - Management track: technology risk assessment and mitigation
  - Product track: security feature design and implementation

Industry Pathway Preparation:

Recommended Next Learning (Provide during Synthesis discussion):

Professional Certifications Worth Exploring:
  - CompTIA Security+ (foundational security knowledge)
  - Certified Secure Software Lifecycle Professional (software security)
  - AWS/Azure Security certifications (cloud security governance)
  - Certified Ethical Hacker (CEH) (security testing and validation)
 
Professional Communities to Join:
  - OWASP local chapter meetings (web application security)
  - Information Security groups on LinkedIn
  - DevSecOps community forums and conferences
  - GitHub security and open source security communities
 
Advanced Skills That Build on Today:
  - Infrastructure as Code (Terraform/CloudFormation) security
  - Container and Kubernetes security governance
  - CI/CD pipeline security integration
  - Compliance automation and regulatory security requirements

📊 Long-term Learning Assessment

Portfolio Development Continuity:

GitHub Portfolio Enhancement Guidance:

Beyond This Course:
  - Implement learned security practices in personal projects consistently
  - Document security decisions and process improvements in README files
  - Create template repositories that showcase security governance understanding
  - Build track record of professional-quality collaborative development participation
 
Professional Narrative Development:
  - Include security governance experience in resume/LinkedIn technical skills
  - Develop case study narratives about specific security implementations
  - Build professional references who can speak to collaborative security practices
  - Document real project applications of learned security principles

Continuous Professional Development Framework:

Skills Assessment and Development Tracking:

Quarterly Self-Assessment Questions:
  - What new security challenges have you encountered since this course?
  - How have you applied collaborative security governance in real projects?
  - What additional security learning would strengthen your current role?
  - How has your security governance approach evolved with professional experience?
 
Annual Professional Development Planning:
  - Set specific security-related learning goals for career advancement
  - Identify mentorship opportunities with security professionals in your field
  - Plan contribution to open source projects that require security governance knowledge
  - Set timeline for professional security certification acquisition

📞 Administrative Excellence

📋 Institutional Coordination

Academic Administration:

Prior to Class:

Departmental Communication:
  - Share learning objectives with Academic Coordination
  - Request technical support availability during class time
  - Confirm laboratory equipment readiness and backup plans
  - Coordinate with other courses for any shared technology resources
 
Assessment Integration:
  - Document assessment approaches for institutional quality assurance
  - Prepare student success evidence for program evaluation
  - Share innovative teaching practices with departmental colleagues
  - Plan integration with capstone projects or internship preparation

Post-Class Documentation:

Institutional Reporting:
  - Student learning outcomes achievement documentation
  - Technology resource utilization evaluation
  - Assessment innovation documentation for pedagogical development
  - Professional development impact measurement
 
Innovation Sharing:
  - Present effective teaching practices in departmental meetings
  - Share successful student projects with industry connections
  - Document repeatable processes for future course improvement
  - Create institutional resource library for security governance education

Student Support Services Integration:

Learning Support Coordination:

Academic Success Office:
  - Identify students who might benefit from additional learning support
  - Share successful peer mentoring models for broader institutional adoption
  - Coordinate with tutoring services for continued technical skill development
  - Connect high-performing students with opportunities for peer tutoring leadership
 
Career Services Connection:
  - Share industry-relevant skills developed during class with career counseling staff
  - Provide specific job market information about security skill demand
  - Connect student portfolio development with career preparation services
  - Create informational resources about security career paths for the career services library

🎓 Ethical Education Framework

Professional Ethics Integration:

During Exercises:

Ethical Decision-Making Practice:
  - Include stakeholder impact consideration during security incident response
  - Discuss transparency requirements during security governance implementation
  - Address intellectual property concerns during repository collaboration
  - Practice whistleblowing scenario navigation when security policies are violated
 
Professional Responsibility Development:
  - Connect individual technical decisions to broader organizational accountability
  - Discuss legal vs. ethical requirements during security governance implementation
  - Address bias and fairness in access control implementation
  - Practice professional boundary setting when under pressure to violate security protocols

Long-term Professional Development:

Professional Code of Ethics Awareness:
  - Introduction to industry professional association ethics codes
  - Discussion of license vs. certification requirements for security professionals
  - Practice applying ethical frameworks to complex technical decisions
  - Development of personal professional ethics statement related to security
 
Social Responsibility:
  - Understanding individual developer responsibility for software security
  - Discussion of open source community security governance contribution
  - Professional obligation consideration for reporting security vulnerabilities
  - Social impact awareness of equitable access to security technologies

📚 Professional Development for Instructor

🎯 Pedagogical Reflection Framework

Post-Class Analysis Protocol:

Teaching Effectiveness Assessment:

Same Day (within 2 hours):
  - Document moments when student engagement was highest/lowest
  - Record specific technical challenges that multiple students encountered
  - Identify successful pedagogical approaches that stimulated learning
  - Note timing issues and improvements for better pace management
 
Within 1 Week:
  - Review student work quality for assessment of learning depth
  - Analyze group formation effectiveness for improved collaboration
  - Evaluate technology integration success and areas for improvement
  - Plan individual student follow-up for continued learning support

Continuous Improvement Process:

Monthly Course Evolution:
  - Integration of current security industry developments in course content
  - Update repository templates to reflect emerging security challenges
  - Enhance assessment approaches based on student performance patterns
  - Expand professional connections for guest speaker opportunities
 
Annual Course Design Review:
  - Major content updates based on security technology evolution
  - Assessment approach refinement based on institutional feedback
  - Professional development for instructor related to market changes
  - Student outcome tracking for institutional success reporting

Industry Connection Development:

Professional Network Expansion:

Local Industry Engagement:
  - Attend regional security professional association meetings
  - Develop relationships with security practitioners for guest speaking
  - Stay current with industry security tool and framework evolution
  - Maintain awareness of job market security skill demand and requirements
 
Professional Learning Community:
  - Connect with other institutions teaching similar courses
  - Share effective pedagogical approaches through industry education networks
  - Collaborate on security education resource development
  - Participate in security education conference presentations

🎓 Student Success Tracking & Analytics

Learning Outcome Measurement:

Individual Student Development Tracking:

Throughout Course:
  - Portfolio development quality and professional presentation evolution
  - Technical competency growth through progressive assessment
  - Professional communication skill development observable during class
  - Leadership and collaborative skill development during group exercises
 
Post-Course Success Measurement:
  - Internship and job placement success correlation with security skill development
  - Employer feedback about preparedness for collaborative development
  - Professional certification pursuit that builds on course foundation
  - Career advancement pace for students with strong security foundation

Program Enhancement Data Collection:

Institutional Success Metrics:
  - Course learning outcome achievement percentage rates
  - Student satisfaction survey results related to professional preparation
  - Employer feedback about graduate competency in security-related areas
  - Graduate professional achievement tracking related to security skills
 
Course Evolution Metrics:
  - Technology integration effectiveness measurement
  - Assessment innovation impact on student engagement and learning
  - Professional preparation relevance based on job market analysis
  - Pedagogical approach effectiveness through comparison with peer institutions

📚 Comprehensive Resource Library

📖 Essential Reference Materials

For Students:

Technical Documentation:
  - GitHub Security Features Guide: [docs.github.com/security](https://docs.github.com/security)
  - Git Advanced Security: [git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work](https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work)
  - OWASP Secure Coding: [owasp.org/www-project-secure-coding-practices](https://owasp.org/www-project-secure-coding-practices-quick-reference-guide/)
  - NIST Cybersecurity Framework: [nist.gov/cyberframework](https://nist.gov/cyberframework)
 
Professional Development:
  - IEEE Computer Society Ethics Guide
  - ACM Code of Ethics for Computing Professionals
  - Information security professional associations directory
  - Certification pathway guidance for security careers

For Instructor:

Pedagogical Resources:
  - Software Engineering Education research journals
  - Security education best practices through industry partnerships
  - Assessment innovation in technical education literature
  - Learning analytics for programming and computer science education
 
Industry Intelligence:
  - Security industry threat landscape quarterly reports
  - Job market analysis for security skill demand trends
  - Professional certification value analysis for career development
  - Technology evolution tracking for course content updates

🛠️ Technical Support Resources

Backup Technology Solutions:

GitHub Inaccessible Alternatives:
  - Local GitLab installation instructions
  - Local bare repository configuration for advanced Git learning
  - Security governance demonstration through printed policy examples
  - Version control workflow simulation using paper-based exercises
 
Advanced Integration Options:
  - CI/CD integration examples using GitHub Actions
  - Enterprise GitHub features demonstration when available
  - Alternative Git platform comparison analysis
  - Security tool integration examples for professional development

🎯 Assessment Resource Bank

Evaluation Instruments Library:

Formative Assessment Tools:
  - Security risk assessment rubric templates
  - RBAC configuration competency checklists
  - Incident response effectiveness observation guides
  - Professional communication skill development tracking
 
Summative Assessment Options:
  - Portfolio development evaluation criteria
  - Professional presentation competency assessment
  - Collaborative project contribution measurement
  - Industry-application readiness certification
 
Alternative Assessment Approaches:
  - Peer assessment tools for collaborative skill development
  - Self-reflection guided questionnaires for metacognitive development
  - Real-world project integration assessment opportunities
  - Professional mentor evaluation coordination for authentic assessment

🎯 Next Class: Testing Strategies & Quality Assurance
📅 Date: 13/04/2026
🔗 Integration: Security governance + Automated quality control

📞 Professor Ricardo Pires
📧 ricardo.pires@etec.sp.gov.br
🕒 Office Hours: Tuesdays and Thursdays, 19h00-19h30