📚 Material de Apoio - Aula 05
Controle de Usuários no Desenvolvimento Colaborativo
Disciplina: Desenvolvimento de Sistemas II
Professor: Ricardo Pires
Data: 06/04/2026
🎯 Objetivos Deste Material
Este material de apoio fornece:
- Referências técnicas para implementação de RBAC e segurança
- Tutoriais passo-a-passo para configuração de GitHub/GitLab
- Casos reais de incidents e best practices da industry
- Recursos para estudos y desenvolvimento profissional continuado
- Templates e checklists para aplicação em projetos reais
🔐 Fundamentação Conceitual de RBAC
🏗️ Role-Based Access Control (RBAC) - Conceitos Core
Definição Técnica
RBAC = Sistema de controle de acesso onde permissões são associadas
a roles (papéis) e users são assignados a roles baseado em
suas responsabilidades organizacionais.
Princípios Fundamentais
1. Principle of Least Privilege
Definition: Cada user deve ter apenas as permissions mínimas necessárias
para executar suas responsibilities
Implementation:
- Start com permissions mínimas
- Add permissions conforme necessidade demonstrada
- Remove permissions quando role change ou project completion
- Regular audit de permission appropriateness
Business Impact:
- Reduces attack surface area
- Minimizes damage from compromised accounts
- Facilitates compliance junction regulatory requirements
- Improves audit trail clarity2. Separation of Duties
Definition: Critical operations require múltiplos people para completion,
preventing any single individual from compromising system
Development Examples:
- Code author ≠ code reviewer
- Feature developer ≠ production deployer
- Security policy creator ≠ security policy enforcer
- Backup creator ≠ backup restore authorizer
Risk Mitigation:
- Prevents insider threats from single compromised account
- Creates natural check-and-balance system
- Distributes knowledge across team members
- Implements accountability through witness requirement3. Role Hierarchy e Inheritance
Typical Development Team Hierarchy:
Organization Owner
├── Admin (complete repository control)
├── Maintainer (merge permissions, release management)
├── Developer (write access to feature branches)
├── Reviewer (approve PRs, cannot merge)
├── Triager (label/comment permissions, no code access)
└── Guest (read-only access)
Inherited Permissions:
- Owner inherits all Maintainer permissions + administrative
- Maintainer inherits all Developer permissions + merge rights
- Developer inherits all Triager permissions + code modification
- Each role adds specific capabilities sem removing lower-level access⚖️ Security vs. Productivity Trade-offs
Balanced Implementation Strategy:
High Security scenarios:
Financial services, healthcare, government deployment:
- Required: 2+ approvals para production changes
- Enforce: Signed commits mit verified identity
- Implement: Audit logging com tamper-proof storage
- Schedule: Weekly access reviews
Productivity optimizations:
- Automated testing replaces some manual review load
- Clear escalation procedures para emergency changes
- Fast-track procedures para low-risk changes (documentation, configurations)
- Development/staging environments com reduced restrictionsHigh Velocity scenarios:
Startup environments, competitive product development:
- Minimum viable governance: 1 review requirement
- Focus em automated quality gates rather than human bottlenecks
- Rapid onboarding procedures para new team members
- Post-facto review em lugar de pre-approval when appropriate
Security maintenance:
- Increased monitoring e alerting to compensate para reduced manual oversight
- Frequent security training para all team members
- Clear incident response procedures developed in advance
- Regular security assessment by external consultants🛠️ Tutoriais Técnicos Detalhados
🔧 GitHub Repository RBAC Configuration
Tutorial 1: Configuração Básica de RBAC
Pre-requisitos:
- GitHub account com verified email
- Repository owner permissions
- Basic Git knowledge
Step 1: Repository Creation mit Security Focus
# Create repository com appropriate settings
1. Navigate to github.com → New Repository
2. Repository name: descriptive, professional naming
3. Description: Clear business purpose description
4. Visibility: Private para sensitive projects, Public para open source
5. Initialize: ✅ README, ✅ .gitignore, ✅ License as appropriateStep 2: Team Management Setup
# Navigate to repository → Settings → Manage access
1. Click "Invite a collaborator"
2. Search by username, full name, ou email address
3. Select appropriate role level:
- Read: View and clone repository
- Triage: Read permissions + manage issues/PRs
- Write: Triage permissions + push to repository
- Maintain: Write permissions + manage settings (except sensitive ones)
- Admin: Complete access except repository deletion
# Best Practice: Start com minimal access, increase as neededStep 3: Advanced Permission Customization
For Organizations (Enterprise features):
Teams Creation:
- Organization Settings → Teams → New Team
- Assign team-level permissions rather than individual
- Nest teams para inheritance hierarchy (Developers → Senior Developers)
Fine-grained Permissions:
- Repository-specific team permissions
- Branch-specific protection rules
- Webhook and integration management permissions
- Package and release management permissionsTutorial 2: Branch Protection Implementation
Advanced Branch Protection Rules:
Protection Rule Configuration:
Settings → Branches → Add rule
Branch Protection Settings:
Branch name pattern: main
✅ Require pull request reviews before merging:
└── Required number of reviewers: 1-6 (org dependent)
└── ✅ Dismiss stale reviews when new commits são pushed
└── ✅ Require review from code owners (requires CODEOWNERS file)
└── ✅ Restrict reviews to users mit read access or higher
✅ Require status checks to pass before merging:
└── ✅ Require branches to be up to date before merging
└── Status checks to require:
- continuous-integration (CI system)
- security/snyk (Security scanning)
- codecov/patch (Code coverage)
- build (Build validation)
✅ Require conversation resolution before merging
✅ Require signed commits (Cryptographic verification)
✅ Require linear history (No merge commits)
✅ Include administrators (Even admin users must follow protection rules)
✅ Restrict pushes that create files larger than 100 MB
✅ Allow force pushes:
- Nobody (Default, safest)
- Everyone (Dangerous)
- Specify people (For emergency maintenance)
✅ Allow deletions: Nobody (Prevent accidental branch deletion)CODEOWNERS File Implementation:
# Create .github/CODEOWNERS file em repository root
# Global owners (fallback para any file)
* @senior-dev @tech-lead
# Frontend code
/frontend/ @frontend-team @ui-ux-designer
# Backend API
/api/ @backend-team @database-admin
# Infrastructure code
/infrastructure/ @devops-team @security-team
/docker/ @devops-team
/.github/workflows/ @devops-team @tech-lead
# Documentation
/docs/ @technical-writer @product-manager
README.md @tech-lead @product-manager
# Security-sensitive files
/config/security/ @security-team @tech-lead
/config/production/ @devops-team @tech-lead
package.json @senior-dev @security-team
package-lock.json @senior-dev @security-teamTutorial 3: Security Governance Setup
GitHub Security Features Configuration:
Dependabot Configuration:
# Create .github/dependabot.yml
version: 2
updates:
# Enable version updates for npm dependencies
- package-ecosystem: "npm"
directory: "/"
schedule:
interval: "weekly"
day: "monday"
time: "09:00"
timezone: "America/Sao_Paulo"
open-pull-requests-limit: 5
reviewers:
- "senior-dev"
- "security-team"
assignees:
- "tech-lead"
commit-message:
prefix: "deps"
include: "scope"
# Java dependencies (Maven)
- package-ecosystem: "maven"
directory: "/"
schedule:
interval: "weekly"
reviewers:
- "backend-team"CodeQL Security Analysis Setup:
# Create .github/workflows/codeql-analysis.yml
name: "CodeQL Security Analysis"
on:
push:
branches: [main, develop]
pull_request:
branches: [main]
schedule:
- cron: "30 2 * * 1" # Weekly Monday 2:30 AM
jobs:
analyze:
name: Analyze Code
runs-on: ubuntu-latest
permissions:
actions: read
contents: read
security-events: write
strategy:
fail-fast: false
matrix:
language: ["javascript", "java"]
steps:
- name: Checkout repository
uses: actions/checkout@v3
- name: Initialize CodeQL
uses: github/codeql-action/init@v2
mit:
languages: ${{ matrix.language }}
- name: AutoBuild
uses: github/codeql-action/autobuild@v2
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v2🔧 Git Advanced Security Configurations
Signed Commits Implementation:
GPG Key Setup:
# Generate GPG key para commit signing
gpg --full-generate-key
# Choose: RSA and RSA, 4096 bits, 0 = key does not expire
# Enter: Real Name, Email (same as Git config), Comment optional
# List generated keys
gpg --list-secret-keys --keyid-format LONG
# Export public key para GitHub
gpg --armor --export [KEY_ID]
# Copy entire output including -----BEGIN/END PGP PUBLIC KEY BLOCK-----
# Configure Git to use GPG key
git config --global user.signingkey [KEY_ID]
git config --global commit.gpgsign true
git config --global tag.gpgsign true
# Add to shell profile para GPG_TTY
echo 'export GPG_TTY=$(tty)' >> ~/.bashrc
source ~/.bashrcGitHub GPG Key Integration:
1. GitHub Settings → SSH and GPG keys → New GPG key
2. Paste the armored public key output
3. Validated commits will show "Verified" badge em GitHub interface
4. Branch protection can require signed commits organization-wideSSH Key Security Enhancement:
# Generate ed25519 key (more secure than RSA)
ssh-keygen -t ed25519 -C "your-email@example.com" -f ~/.ssh/id_ed25519_github
# Add strong passphrase when prompted
# Configure SSH agent auto-start
echo '# Auto-start SSH agent' >> ~/.bashrc
echo 'if ! pgrep -u "$USER" ssh-agent > /dev/null; then' >> ~/.bashrc
echo ' ssh-agent > ~/.ssh-agent-thing' >> ~/.bashrc
echo 'fi' >> ~/.bashrc
echo 'if [[ "$SSH_AGENT_PID" == "" ]]; then' >> ~/.bashrc
echo ' eval "$(<~/.ssh-agent-thing)"' >> ~/.bashrc
echo 'fi' >> ~/.bashrc
# Add key to SSH agent
ssh-add ~/.ssh/id_ed25519_github
# Add public key to GitHub
cat ~/.ssh/id_ed25519_github.pub
# Copy output to GitHub → Settings → SSH and GPG keys → New SSH key📊 Casos Reais da Industry
🚨 Case Study 1: O Incident do Token Hardcoded
Empresa: FinTech BrazilPay (nome alterado), 2023
Background:
Company Profile:
- Payment processor para small businesses
- 50,000 active merchant accounts
- R$ 100M monthly transaction volume
- Team: 25 developers, 8 operations staff
Technology Stack:
- Java/Spring Boot backend
- React frontend
- PostgreSQL database
- AWS cloud infrastructure
- GitHub Enterprise para source controlThe Incident Timeline:
Day 1 - Friday, 18:30
Developer Commit:
- Junior developer commits "quick fix" para production bug
- Includes AWS access keys directly em configuration file
- No code review required (protection rules not configured)
- Automatic deployment pipeline pushes change to production
Initial Impact:
- Payment processing continues normally
- No immediate visible problems
- AWS access keys now visible em public-facing repository
Security Monitoring:
- No automated secret scanning configured
- Manual security review happens only monthly
- AWS CloudTrail monitoring limitedDay 4 - Tuesday, 03:00
Attack Begins:
- Automated bot discovers exposed AWS credentials
- Attacker begins reconnaissance of AWS infrastructure
- Creates new IAM users mit elevated privileges
- Begins copying S3 buckets containing customer payment data
AWS Usage Spike:
- Unusual data transfer patterns detected
- Cost monitoring alerts triggered (R$ 5,000 unexpected charges)
- Operations team investigates, initially suspects legitimate business growthDay 5 - Wednesday, 08:00
Data Breach Discovery:
- Customer service receives complaints about unauthorized charges
- Investigation reveals 15,000 customer payment records accessed
- AWS forensic analysis confirms credential compromise
- Legal team notified para regulatory reporting requirements
Immediate Response:
- All AWS credentials revoked immediately
- Affected customer accounts frozen as precaution
- Payment processing suspended para 6 hours mientras security validated
- Emergency incident response team activatedFinancial Impact:
Direct Costs:
- AWS charges from attacker usage: R$ 12,000
- Customer notification costs: R$ 8,000
- Legal fees para compliance response: R$ 25,000
- Credit monitoring services para affected customers: R$ 180,000
- Cybersecurity consultant fees: R$ 50,000
Business Impact:
- 6-hour payment processing outage: R$ 2.1M lost transactions
- Customer churn: 8% of affected accounts closed (R$ 800K annual revenue)
- Insurance deductible: R$ 100,000
- Regulatory fine: R$ 500,000 (LGPD violation)
Total Cost: R$ 1,675,000Root Cause Analysis:
Technical Failures:
Primary Cause:
- Hardcoded credentials em source code
Contributing Factors:
- No branch protection requiring code review
- No automated secret scanning
- No separation between development e production credentials
- Excessive AWS IAM permissions granted to compromised key
Process Failures:
- Security review only monthly, não continuous
- No junior developer mentoring during critical changes
- No incident response plan para credential compromise
- Inadequate AWS cost monitoring and alertingPreventive Measures Implementation:
Immediate (Week 1):
Technical Controls: ✅ GitHub secret scanning enabled across all repositories
✅ Branch protection requiring 2 reviews para production changes
✅ AWS IAM policies revised com principle of least privilege
✅ All credentials rotated and moved to AWS Secrets Manager
Process Changes: ✅ Junior developer changes require senior review
✅ AWS cost alerts set para unusual usage patterns
✅ Daily security review para high-risk commits
✅ Incident response plan created and distributedLong-term (Month 1-3):
Cultural Changes: ✅ Security training mandatory para all developers monthly
✅ Security incident simulation exercises quarterly
✅ "Security Champion" role created em each development team
✅ Security considerations added to performance review criteria
Technical Investment:
✅ SIEM system implemented para comprehensive security monitoring
✅ Automated penetration testing integrated em CI/CD pipeline
✅ Multi-factor authentication required para all production access
✅ Zero-trust network architecture phased implementation planLessons Learned:
Para Development Teams:
1. Treat credentials as nuclear material:
- Never hardcode productive credentials
- Use environment variables ou secret management systems
- Regular rotation mandatory, não optional
2. Code review não é optional governance:
- All production changes require human review
- Security perspective mandatory em review process
- Automated tools complement but never replace human judgment
3. Security é developer responsibility, não just ops:
- Every commit potentially creates vulnerabilities
- Security training necessary para career development
- Individual accountability para security practicesFor Management:
1. Security investment pays for itself:
- Prevention costs << incident recovery costs
- Customer trust = competitive advantage
- Regulatory compliance = table stakes, não optional
2. Process enforcement requires organizational commitment:
- Management must model security practices
- Emergency overrides should be rare exceptions
- Security cannot be sacrificed para speed🚨 Case Study 2: Incident Response Excellence
Empresa: CloudTech Solutions (nome real), 2023
Background:
Company Profile:
- SaaS platform para enterprise resource management
- 200+ enterprise customers globally
- $50M annual recurring revenue
- Team: 150 employees, 60 engineers
Security Maturity:
- SOC 2 Type II compliant
- GDPR compliant
- Mature DevSecOps practices
- Regular security training e testingExcellence em Action - The Perfect Response:
Detection (Time: 0 minutes)
Automated Monitoring:
- GitHub security alert: suspicious large file commit
- Developer account accessing repositories außerhalb normal hours (2:00 AM)
- SIEM correlation rule triggered: account accessed from unusual geographic location
Immediate Alerting:
- Security Operations Center notified automatically
- Incident response team Slack channel activated
- Email alerts sent to security leads e executives
- Emergency response procedures automatically initiatedResponse (Time: 5 minutes)
Incident Commander (Security Lead):
- Declared incident classification: MEDIUM severity
- Activated incident response team roles
- Created incident tracking document
- Coordinated communication com stakeholders
Security Analyst:
- Reviewed suspicious commit contents immediately
- Identified potential customer data em attached file
- Assessed impact scope: 1 repository, potentially 500 customer records
- Began forensic analysis of account activity pattern
DevOps Engineer:
- Immediately revoked suspicious account access
- Locked affected repository to prevent further changes
- Created snapshot of current system state para forensic analysis
- Activated monitoring for additional suspicious activity
Communications Lead:
- Notified legal e compliance teams
- Prepared initial stakeholder communication drafts
- Activated customer support team para potential inquiries
- Coordinated com public relations team para media preparednessInvestigation (Time: 15 minutes)
Forensic Analysis:
- Account login patterns indicated compromise: VPN from unusual location
- Two-factor authentication bypassed using previously authorized session
- Commit contained customer database export triggered by social engineering
- Employee confirmed laptop theft previous day, não reported immediately
System Verification:
- No additional unauthorized access detected
- Production systems unaffected
- Database audit logs confirmed no additional data exfiltration
- Customer-facing services operating normallyResolution (Time: 90 minutes)
Technical Remediation: ✅ Compromised account permanently disabled
✅ All employee account sessions invalidated (forced re-authentication)
✅ Enhanced monitoring deployed para unusual access patterns
✅ Customer data removed from repository e securely destroyed
Communication com Stakeholders:
✅ Customer notification prepared (transparent, actionable guidance)
✅ Employee training scheduled about device security e social engineering
✅ Board of directors briefed about incident and response effectiveness
✅ Regulatory notifications submitted within required timeframes
Process Improvement:
✅ Device theft reporting procedure enhanced com immediate account security
✅ Enhanced geographic access controls implemented
✅ Additional social engineering training scheduled para employees
✅ Incident response procedure updated based on lessons learned during executionOutcome Assessment:
Positive Results:
Customer Trust:
- 98% of customers appreciated proactive notification approach
- Zero customer churn attributed to incident
- Customer satisfaction scores increased devido to transparency
- Several customers upgraded to higher service tiers due to demonstrated security competency
Business Impact:
- No loss of business due to effective communications
- Enhanced sales conversations about security capabilities
- Improved insurance rates devido to demonstrated security maturity
- Industry recognition para security incident response excellence
Team Development:
- Incident response team confidence increased
- Security culture strengthened across organization
- Employee security awareness significantly improved
- DevSecOps practices validated e refinedKey Success Factors:
Preparation:
- Well-documented incident response procedures practiced quarterly
- Clear role assignments e communication channels
- Automated monitoring e alerting eliminating detection delays
- Strong security culture supporting rapid organizational response
Execution:
- Disciplined adherence to established procedures under pressure
- Clear communication about facts vs. speculation
- Stakeholder-appropriate transparency maintaining customer confidence
- Continuous improvement mindset during crisis response
Leadership:
- Executive support para security investment e culture development
- Clear accountability structure enabling rapid decision-making
- Open communication culture encouraging immediate incident reporting
- Professional development investment em security team capabilities🛠️ Templates e Checklists Práticos
📋 Security Audit Checklist Template
Repository Security Assessment
Access Control Assessment:
User Access Management:
□ All repository users have business justification para current access level
□ No users have excessive privileges (admin unless necessary)
□ External collaborators have clearly defined scope e duration
□ Service account access properly scoped e documented
□ Account access reviewed monthly and documented
Team Structure: □ Repository teams align wit organizational structure
□ Team membership reflects current employee status
□ External contractor access properly limited and monitored
□ Guest access appropriate für business needs
□ Nested team inheritance working as designed
Role Assignment Verification:
□ Owner role limited to 1-2 people mit administrative responsibility
□ Maintainer role assigned to senior developers only
□ Developer role is most common for day-to-day work
□ Read-only access used für stakeholders sem coding responsibilitiesBranch Protection Evaluation:
Main Branch Security:
□ Direct pushes to main branch disabled para all users (including admins)
□ Minimum 1-2 code reviews required antes merging
□ Dismissal of stale reviews when new commits pushed
□ Linear history required (no merge commits para cleaner audit trail)
□ Force push disabled para all users
Status Checks Integration: □ Continuous integration tests required para merge
□ Security scanning required e passing
□ Code coverage checks configured appropriately
□ Build verification required para all changes
□ Branches required to be up-to-date before merge
Advanced Protection: □ Signed commits required wenn organization policy requires
□ Conversation resolution required antes merge
□ File size limits configured to prevent large binary commits
□ CODEOWNERS file configured e covering sensitive areasSecurity Feature Configuration:
Automated Security: □ Dependabot enabled für dependency vulnerability scanning
□ Secret scanning enabled e alerts are monitored
□ CodeQL code scanning enabled für applicable languages
□ Security advisories reviewed e addressed promptly
□ Third-party app access regularly audited
Monitoring e Alerting: □ Audit log monitoring configured für suspicious activity
□ Unusual access pattern alerting implemented
□ Administrative action logging reviewed regularly
□ Failed access attempt monitoring active
□ Data export activity tracked e approvedCommunication Security Assessment
Information Handling:
Sensitive Data Management: □ No hardcoded credentials committed to repository
□ No customer data stored em repository unnecessarily
□ No internal infrastructure details exposed em public repositories
□ Sensitive configuration properly externalized to secure storage
□ Historical commits audited para inadvertent sensitive data exposure
Documentation Security: □ README files não contain internal system details
□ Documentation références are appropriate für audience
□ Installation instructions não reveal internal infrastructure
□ Contact information não expose internal organizational structureExternal Communication:
Public Repository Settings (if applicable):
□ Description appropriately professional e business-focused
□ Contributing guidelines establish security Ground rules
□ Issue templates guide reporters away from security vulnerability disclosure
□ Contact security established für vulnerability reporting
□ License appropriate für intended use e organizational intellectual property policy📋 Incident Response Playbook Template
Phase 1: Detection e Initial Response (Target: 0-15 minutes)
Immediate Actions Checklist:
Incident Identification:
□ Security alert confirmed as legitimate (não false positive)
□ Scope of incident preliminarily assessed (systems, data, users affected)
□ Incident severity classified according to organizational matrix
□ Incident response team activated according to severity level
□ Initial incident tracking created junto unique identifier
Stakeholder Notification: □ Security Operations Center (SOC) notified
□ IT/DevOps teams alerted für potential system changes required
□ Management notification sent per escalation policy
□ Legal/Compliance teams alerted if data breach potential exists
□ Customer service prepared für potential customer impact
Initial Containment: □ Affected user accounts disabled ou access restricted
□ Affected systems isolated wenn appropriate
□ Additional monitoring activated für related suspicious activity
□ Evidence preservation steps initiated
□ Communication channels secured für incident team coordinationInformation Gathering:
Technical Investigation: □ Affected systems identified e documented
□ Timeline of suspicious activity gathered from logs
□ User account activity patterns analyzed
□ Network access patterns e geographic information collected
□ System configuration changes identified
Business Impact Assessment: □ Customer data exposure risk assessed
□ Service availability impact determined
□ Financial risk quantified (regulatory fines, customer loss, etc.)
□ Reputational risk considerations identified
□ Regulatory reporting requirements identifiedPhase 2: Investigation e Analysis (Target: 15 minutes - 2 hours)
Forensic Analysis Protocol:
Technical Forensics: □ System logs collected e preserved für evidence
□ Network traffic analysis completed wenn applicable
□ User account audit trail detailed analysis performed
□ Affected data identified e scope quantified
□ Attack vector analysis completed
Evidence Documentation: □ Screenshots of relevant system states captured
□ Log entries preserved mit timestamps e hash verification
□ Network evidence collected waar appropriate
□ User interview notes documented wenn applicable
□ Timeline of events compiled com confidence levelsBusiness Impact Analysis:
Customer Impact: □ Affected customer accounts identified e quantified
□ Potential data exposure per customer assessed
□ Customer notification requirements determined per regulatory framework
□ Customer remediation options identified (credit monitoring, account changes, etc.)
Organizational Impact: □ Service disruption duration e scope assessed
□ Industry-specific reporting requirements identified
□ Insurance claim requirements e documentation gathered
□ Public relations considerations e messaging developedPhase 3: Containment e Remediation (Target: 2-8 hours)
Technical Remediation:
System Security Hardening:
□ Affected user accounts secured (passwords reset, MFA enforced)
□ System configurations hardened to prevent similar attacks
□ Network access controls enhanced waar applicable
□ Monitoring e alerting enhanced based em attack vectors discovered
□ Backup e recovery procedures verified e tested
Data Recovery e Protection:
□ Affected data secured e unauthorized copies removed quando possible
□ Customer data breach remediation procedures executed
□ Backup integrity verified para restoration wenn needed
□ Enhanced encryption applied to sensitive data repositories
□ Access logging enhanced für affected data repositoriesCommunication e Notification:
Stakeholder Communications: □ Executive team status updates provided regularly
□ Legal team briefed für potential litigation ou compliance issues
□ Customer communication strategy finalized e approved
□ Employee communication prepared für potential productivity impact
□ External partner notification accomplished wenn third parties affected
Regulatory e Legal Compliance:
□ Industry-specific incident reporting completed (financial services, healthcare, etc.)
□ Law enforcement notification wenn criminal activity suspected
□ Insurance carrier notification e claim documentation completed
□ Legal document preservation initiated wenn litigation potential existsPhase 4: Recovery e Lessons Learned (Target: 1-30 days)
System Recovery Validation:
Technical Validation: □ All affected systems restored to normal operation
□ Enhanced monitoring confirmed functional e detecting threats appropriately
□ User access restored selectively com enhanced security measures
□ Automated backup e testing procedures verified functional
□ Penetration testing scheduled to verify remediation effectiveness
Business Operation Recovery: □ Customer service capabilities restored to normal
□ Business process productivity restored to baseline levels
□ Customer confidence recovery initiatives implemented
□ Partner relationship stability verified e managedPost-Incident Analysis:
Process Improvement:
□ Incident response timeline analysis för efficiency improvements
□ Technical control gaps identified e remediation planned
□ Staff training gaps identified para future preparedness enhancement
□ Communication effectiveness assessed e improved
□ Organizational policies updated based em lessons learned
Performance Measurement:
□ Incident response team performance evaluated against established metrics
□ Customer satisfaction measured post-incident
□ Financial impact final assessment completed
□ Regulatory compliance verification completed
□ Executive reporting provided cum summative analysis e improvement recommendations📋 RBAC Role Definition Template
Development Team Roles Matrix
Repository Owner:
Business Responsibilities:
- Final accountability för repository security e quality
- Budget responsibility för repository-related costs (CI/CD, external services)
- Vendor e third-party service management
- Compliance oversight für regulatory requirements
- Strategic technology decision making
Technical Permissions:
- Complete administrative access to repository settings
- User management: invite, remove, role change authority
- Security settings management
- Integration management: webhooks, applications, service accounts
- Repository deletion capability (high-risk action)
Typical Role Holders:
- Engineering Manager
- CTO (small organizations)
- DevOps Lead (infrastructure focus)
- Senior Technical Lead (technology focus)
Success Metrics:
- Repository security incident frequency
- Team productivity metrics
- Compliance audit success rate
- Cost management effectivenessMaintainer:
Business Responsibilities:
- Release quality assurance e deployment coordination
- Production bug response e hotfix management
- Technical mentoring e code quality standards enforcement
- Cross-team coordination für feature integration
Technical Permissions:
- Merge pull requests to protected branches (main, develop)
- Release management: tagging, GitHub releases, deployment triggers
- Branch management: creation e deletion of long-lived branches
- Project management: milestone e label management
- CI/CD pipeline configuration changes
Typical Role Holders:
- Senior Software Engineers
- Team Leads
- DevOps Engineers
- Release Managers
Success Metrics:
- Release success rate e rollback frequency
- Code review quality e feedback effectiveness
- Production incident resolution time
- Developer productivity e satisfactionDeveloper:
Business Responsibilities:
- Feature development according to business requirements
- Code quality maintenance e best practices adherence
- Peer collaboration through code review participation
- Bug fixing e technical debt reduction
Technical Permissions:
- Push code to feature branches
- Create pull requests för code integration
- Comment e suggest changes em code reviews
- Issue management: creation, assignment, labeling
Typical Role Holders:
- Software Engineers (all levels)
- Full-stack Developers
- Frontend/Backend Specialists
- Junior Developers (mit mentorship)
Success Metrics:
- Feature delivery velocity e quality
- Code review participation quality
- Bug creation rate e resolution effectiveness
- Knowledge sharing e continuous learning demonstrationReviewer:
Business Responsibilities:
- Code quality assurance through systematic review
- Knowledge transfer e best practices evangelization
- Security vulnerability identification prema deployment
- Architecture compliance verification
Technical Permissions:
- Review pull requests e provide feedback
- Approve ou request changes on pull requests
- Access to all repository content för review purposes
- Comment em issues e discussions
Typical Role Holders:
- Senior Engineers (specialist focus)
- Security Engineers
- Quality Assurance Engineers
- Subject Matter Experts
Success Metrics:
- Review quality: bugs caught przed merger
- Review timeliness e feedback effectiveness
- Knowledge transfer measurement
- Security vulnerability detection rate📚 Recursos para Estudo Continuado
📖 Bibliografia Essencial
Livros Técnicos Fundamentais:
Security & RBAC:
1. "The Web Application Hacker's Handbook" - Dafydd Stuttard, Marcus Pinto
Focus: Understanding attack vectors helps design better defenses
Relevance: Web application security fundamentals
Application: Security consideration während development process
2. "Secure Coding: Principles and Practices" - Mark Graff, Kenneth van Wyk
Focus: Development practices që prevent security vulnerabilities
Relevance: Day-to-day coding security consciousness
Application: Code review e development standard establishment
3. "Building Secure and Reliable Systems" - Heather Adkins (Google)
Focus: Large-scale system security design e operations
Relevance: Enterprise-level security governance
Application: Career progression to senior technical rolesDevelopment Process & Collaboration:
4. "Accelerate: The Science of Lean Software and DevOps" - Nicole Forsgren
Focus: Measurement-driven development process improvement
Relevance: Balance zwischen security e productivity
Application: Advocating für security investments através business metrics
5. "Team Topologies" - Matthew Skelton, Manuel Pais
Focus: Organizing software development teams para optimal outcomes
Relevance: Understanding how team structure affects security culture
Application: Career development e team leadership preparation
6. "The DevOps Handbook" - Gene Kim, Jez Humble, Patrick Debois
Focus: Cultural e technical practices für modern software delivery
Relevance: Integration of security into continuous delivery practices
Application: Professional competency development für DevSecOps rolesProfessional Development Resources:
Industry Organizations:
OWASP (Open Web Application Security Project):
- Local chapter meeting attendance
- Online training materials e certification programs
- Community contribution opportunities
- Networking mit security professionals
IEEE Computer Society:
- Professional ethics development
- Industry standards e best practices
- Career development resources
- Professional certification programs
ACM (Association for Computing Machinery):
- Academic research e professional development connection
- Ethics guidelines für computing professionals
- Industry trend analysis e professional development guidanceProfessional Certification Pathways:
Entry Level:
- CompTIA Security+ (foundational security knowledge)
- GitHub Certified Actions (CI/CD e automation)
- AWS Certified Cloud Practitioner (cloud fundamentals)
Intermediate Level:
- Certified Information Security Manager (CISM)
- Certified Secure Software Lifecycle Professional (CSSLP)
- AWS Certified Solutions Architect - Associate
Advanced Level:
- Certified Information Systems Security Professional (CISSP)
- Certified Information Security Manager (CISM)
- GIAC Security Essentials (GSEC)🔗 Online Resources & Communities
Technical Learning Platforms:
Free Resources:
GitHub Security Lab:
URL: securitylab.github.com
Focus: Vulnerability research e secure coding education
Application: Advanced security research e contribution opportunities
OWASP WebGoat:
URL: owasp.org/www-project-webgoat
Focus: Hands-on web application security testing
Application: Practical security vulnerability understanding
Cloud Security Alliance:
URL: cloudsecurityalliance.org
Focus: Cloud security best practices e education
Application: Modern infrastructure security consciousnessProfessional Development:
Coursera - "Software Security" (University of Maryland):
Focus: Academic foundation em software security principles
Application: Theoretical understanding för practical implementation
Pluralsight - "Secure Coding" track:
Focus: Language-specific secure coding practices
Application: Day-to-day development security consciousness
LinkedIn Learning - "DevSecOps" track:
Focus: Career development e professional skills
Application: Professional competency development e networkingIndustry News & Trend Monitoring:
Security News Sources:
Krebs on Security:
URL: krebsonsecurity.com
Focus: Industry incident analysis e trends
Application: Understanding real-world security impact
Dark Reading:
URL: darkreading.com
Focus: Enterprise security strategy e technology trends
Application: Business context pentru security decision-making
The Hacker News:
URL: thehackernews.com
Focus: Current threat landscape e defense strategies
Application: Staying current mit evolving security challengesDeveloper-Focused Security Content:
GitHub Security Blog:
URL: github.blog/category/security
Focus: Platform-specific security features e best practices
Application: Maximizing GitHub security capability utilization
SANS Developer Resources:
URL: sans.org/developer
Focus: Secure coding training e assessment
Application: Professional skill development e validation
NIST Cybersecurity Framework:
URL: nist.gov/cyberframework
Focus: Government e enterprise security standard compliance
Application: Understanding regulatory e compliance environments🛠️ Practical Application Projects
Portfolio Development Ideas:
Project 1: Open Source Security Governance
Objective: Contribute security improvements to open source project
Implementation Steps:
1. Identify open source project mithin your technical skills
2. Analyze current security governance (or lack thereof)
3. Propose security improvements via issue discussion
4. Implement branch protection e security scanning
5. Document improvement process e outcomes
Portfolio Value:
- Demonstrates practical security governance experience
- Shows community contribution e collaboration skills
- Provides references from open source maintainers
- Documents measurable security improvement outcomesProject 2: Personal Project Security Showcase
Objective: Build portfolio project demonstrating security best practices
Technical Implementation:
- Multi-tier application (frontend, API, database)
- Complete RBAC implementation com multiple user roles
- CI/CD pipeline mit automated security testing
- Documentation of security decisions e trade-offs
Expected Outcomes:
- Technical demonstration of security implementation skills
- Clear articulation of security reasoning e business judgment
- Professional-quality documentation e presentation
- Reference-ready project toward employer evaluationProject 3: Security Tool Integration Research
Objective: Evaluate e compare security tools für specific technology stack
Research Scope:
- Compare 3-5 security scanning tools för chosen technology (Java, JavaScript, Python, etc.)
- Implement integration com CI/CD pipeline
- Document effectiveness, cost, e false positive rates
- Present recommendations für professional team adoption
Professional Development Value:
- Demonstrates analytical e evaluation skills
- Shows initiative em professional development
- Develops vendor management e technology evaluation competency
- Creates reusable knowledge för professional applicationAdvanced Learning Challenge Ideas:
Challenge 1: Incident Response Simulation
Setup: Create intentionally vulnerable application
Execute: Simulate security incident e complete response
Document: Full incident response documentation e lesson learned
Outcome: Portfolio demonstration of crisis management e security competencyChallenge 2: Compliance Implementation
Setup: Choose relevant compliance framework (GDPR, SOX, PCI-DSS)
Execute: Implement technical controls e documentation för compliance
Validate: Third-party review ou self-assessment gegen compliance requirements
Outcome: Professional credential preparation e regulatory understanding demonstrationChallenge 3: Security Automation Development
Setup: Identify repetitive security task în your workflow
Execute: Develop automation scripts ou CI/CD integration
Test: Validate effectiveness e reliability of automation
Outcome: DevSecOps competency demonstration e productivity improvement📞 Suporte e Recursos Adicionais
🆘 Support Channels
Academic Support:
Professor Ricardo Pires:
Email: ricardo.pires@etec.sp.gov.br
Office Hours: Terças e quintas, 19h00-19h30
Location: Coordenação de Informática
Response Time: 24 hours için technical questions
Google Classroom:
Course Code: [to be provided]
Purpose: Async discussion, resource sharing, assignment submission
Monitoring: Daily during course sessions
Peer Support: Encouraged e moderated
Study Groups:
Formation: Self-organized or instructor-facilitated
Meeting Space: Available in laboratory after classes
Virtual Options: Discord server link em Google Classroom
Peer Mentoring: Advanced students paired met struggling studentsProfessional Development Support:
Industry Connections:
- Local security meetup introductions available
- Professional networking guidance through office hours
- Interview preparation support para security-focused roles
- Resume review e feedback för security skill presentation
Internship e Job Placement:
- Local employer network för security-aware organizations
- Portfolio development guidance för professional presentation
- Technical interview preparation specifically für security topics
- Career path guidance när security specialization vs. generalist development🔧 Technical Support Resources
Platform-Specific Help:
GitHub Issues Resolution:
Common Problems e Solutions:
Access Issues:
1. Account verification problems
Solution: Check email verification, contact GitHub support
2. Two-factor authentication lockout
Solution: Recovery code usage, account recovery process
3. Organization invitation problems
Solution: Email settings, spam filtering, manual invitation process
Repository Configuration Issues:
1. Branch protection not working
Solution: Timing delay, rule syntax, admin override settings
2. CI/CD integration failures
Solution: Permissions, webhook configuration, service account setup
3. Merge conflicts mit protected branches
Solution: Local resolution, force update disabled, rebase vs. merge strategyGit Workflow Support:
Advanced Git Operations:
- Interactive rebase för clean commit history
- Cherry-picking specific commits zwischen branches
- Conflict resolution em collaborative environments
- Recovery from problematic commits or branch States
Professional Git Practices:
- Commit message standards för professional development
- Branching strategies för team collaboration
- Tag e release management für project organization
- Hooks e automation für quality gate enforcement📈 Continuous Learning Path
Next Steps Recommended Progression:
Immediate (Next 1-2 months):
Technical Skills:
1. Complete all course exercises e implement em personal projects
2. Set up professional GitHub profile mit security best practices demonstration
3. Contribute to at least one open source project junction security focus
4. Research e begin preparation für CompTIA Security+ certification
Professional Development: 1. Join local OWASP chapter or security meetup group
2. Create LinkedIn profile emphasizing collaborative development e security skills
3. Begin building professional network of security-focused developers
4. Start reading industry security newsletters e blogs regularlyShort-term (Next 3-6 months):
Advanced Technical Competency:
1. Complete implementation of advanced GitHub security features în portfolio project
2. Learn e demonstrate competency junction CI/CD security integration
3. Develop expertise în cloud security (AWS/Azure) fundamentals
4. Practice incident response through capture-the-flag (CTF) competition participation
Career Development:
1. Apply för internship positions emphasizing security consciousness
2. Seek opportunities to present o teach security topics (meetups, student organizations)
3. Begin building track record of security-focused project contributions
4. Develop mentoring relationships mit senior security professionalsLong-term (Next 6-12 months):
Professional Competency: 1. Complete first professional security certification
2. Demonstrate leadership în security governance em internship sau project team
3. Contribute to security tool development sau security research
4. Begin building professional reputation în security community
Career Positioning:
1. Seek full-time roles that leverage security competency für competitive advantage
2. Consider graduate study focusing em cybersecurity sau related field
3. Develop specialization în specific security domain (web app, cloud, mobile, etc.)
4. Begin sharing knowledge through conference presentations, blog writing, or open source contribution🎯 Próxima Aula: Testing Strategies & Quality Assurance
📅 Data: 13/04/2026
🔗 Integração: Security governance foundations + Automated quality control implementation
👨🏫 Prof. Ricardo Pires
📧 ricardo.pires@etec.sp.gov.br
🕒 Office Hours: Terças e quintas, 19h00-19h30
📍 Coordenação de Informática