
Building Cloud-Native Futures: A Journey into DevSecOps & Architecture

Welcome to My Engineering Blog

In the fast-paced world of Cloud Computing and DevOps, theory often diverges from reality. This space is dedicated to bridging that gap. I am Gustavo de Oliveira Ferreira, a Cloud & DevOps Engineer with a passion for designing secure, scalable, and resilient systems. Throughout my career, I’ve had the privilege of working on mission-critical projects for major organizations in the financial and healthcare sectors.

Why This Blog?

The goal of this platform is simple: to share “war stories” and architectural patterns forged in the fires of real-world enterprise environments. ...

December 25, 2025 · 1 min · Gustavo de Oliveira Ferreira

Implementing Software Bill of Materials (SBOM) in Enterprise CI/CD Pipelines

A practical guide for implementing SBOM generation, artifact signing, and provenance tracking in enterprise environments, aligned with Executive Order 14028 requirements.

Introduction

Executive Order 14028 (May 2021) mandates that federal agencies and their software suppliers implement software supply chain security measures, including:

- Software Bill of Materials (SBOM) generation
- Artifact signing and provenance verification
- Secure software development practices

The urgency of these requirements was underscored by high-profile supply chain attacks:

- SolarWinds (2020): a compromised build system shipped a trojanized product update to 18,000+ organizations, including federal agencies
- Log4Shell (2021): CVE-2021-44228 exposed the challenge of identifying affected components across enterprise software portfolios
- Codecov (2021): a CI/CD pipeline compromise demonstrated supply chain attack vectors

This article provides a hands-on implementation guide based on real-world enterprise deployments in the healthcare, financial services, and telecommunications sectors. ...

November 15, 2025 · 7 min · Gustavo de Oliveira Ferreira
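The Log4Shell bullet in the excerpt above describes exactly the question an SBOM exists to answer: which of our built artifacts carry an affected log4j-core. The script below is an added example, not code from the post or from any tool it describes. It consumes a CycloneDX JSON SBOM, flags log4j-core components whose version falls in the published CVE-2021-44228 range (2.0-beta9 through 2.14.1, with the later 2.12.2 and 2.3.1 backport releases excluded), and checks the SHA-256 the SBOM records for its primary component against the artifact bytes actually on hand. The SBOM document, the component list and the artifact bytes are all constructed here for the example.

```python
"""Consume a CycloneDX SBOM: find Log4Shell-affected components and verify
the artifact digest the SBOM records. Added example, not the post's code.
The SBOM, its component list and the artifact bytes are constructed."""
import hashlib
import hmac
import json
import re

# Constructed bytes standing in for a built artifact (e.g. a JAR). The SBOM
# below records their SHA-256 so the integrity check can run offline.
ARTIFACT_BYTES = b"constructed payments-api build output"
ARTIFACT_SHA256 = hashlib.sha256(ARTIFACT_BYTES).hexdigest()

# Constructed minimal CycloneDX 1.4 JSON document (only the fields used here).
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {
        "type": "application", "name": "payments-api", "version": "3.2.0",
        "hashes": [{"alg": "SHA-256", "content": ARTIFACT_SHA256}],
    }},
    "components": [
        {"type": "library", "name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"type": "library", "name": "log4j-core", "version": "2.12.2",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.12.2"},
        {"type": "library", "name": "log4j-core", "version": "2.17.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
        {"type": "library", "name": "jackson-databind", "version": "2.13.0",
         "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.0"},
    ],
})

LOG4J_CORE_PURL_PREFIX = "pkg:maven/org.apache.logging.log4j/log4j-core@"


def parse_version(text):
    """Turn '2.14.1' or '2.0-beta9' into a comparable tuple. A pre-release
    (flag -1) sorts before the matching release (flag 0)."""
    release, _, pre = text.partition("-")
    nums = [int(p) for p in release.split(".")]
    nums += [0] * (3 - len(nums))
    m = re.fullmatch(r"([A-Za-z]+)(\d*)", pre) if pre else None
    if m:
        return (*nums[:3], -1, m.group(1).lower(), int(m.group(2) or 0))
    return (*nums[:3], 0, "", 0)


# Published range for CVE-2021-44228: 2.0-beta9 through 2.14.1. The 2.12.2
# (Java 7) and 2.3.1 (Java 6) releases are later backport fixes and are
# not affected even though they sort inside the range.
LOG4SHELL_LOW = parse_version("2.0-beta9")
LOG4SHELL_HIGH = parse_version("2.14.1")
LOG4SHELL_BACKPORT_FIXES = {"2.12.2", "2.3.1"}


def is_log4shell_affected(version):
    if version in LOG4SHELL_BACKPORT_FIXES:
        return False
    return LOG4SHELL_LOW <= parse_version(version) <= LOG4SHELL_HIGH


def purl_version(purl):
    """Version from a purl, ignoring qualifiers ('?...') and subpath ('#...')."""
    return purl.split("@", 1)[1].split("?", 1)[0].split("#", 1)[0]


def find_log4shell_components(sbom_json):
    """Return purls of log4j-core components in the affected range. Matching
    on the purl rather than the bare name avoids false hits on unrelated
    artifacts that happen to be called log4j-core."""
    sbom = json.loads(sbom_json)
    hits = []
    for comp in sbom.get("components", []):
        purl = comp.get("purl", "")
        if purl.startswith(LOG4J_CORE_PURL_PREFIX) and \
                is_log4shell_affected(purl_version(purl)):
            hits.append(purl)
    return hits


def verify_artifact_digest(sbom_json, artifact_bytes):
    """True if the SBOM's primary component records a SHA-256 matching the
    bytes we actually hold. An SBOM with no SHA-256 counts as a failure."""
    sbom = json.loads(sbom_json)
    hashes = sbom.get("metadata", {}).get("component", {}).get("hashes", [])
    recorded = [h["content"] for h in hashes if h.get("alg") == "SHA-256"]
    if not recorded:
        return False
    actual = hashlib.sha256(artifact_bytes).hexdigest()
    return any(hmac.compare_digest(actual, r.lower()) for r in recorded)


if __name__ == "__main__":
    print("affected:", find_log4shell_components(SBOM_JSON))
    print("digest ok:", verify_artifact_digest(SBOM_JSON, ARTIFACT_BYTES))
    print("tampered ok:", verify_artifact_digest(SBOM_JSON, ARTIFACT_BYTES + b"x"))
```

Two design points worth noting: the match keys on the purl, not the component name, because names are not unique across ecosystems, and the digest check treats a missing SHA-256 as a failure rather than a pass, since an SBOM that cannot be tied to a specific artifact says nothing about what was actually deployed.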

Kubernetes Security Baselines for Regulated Industries

Implementing Pod Security Standards, Network Policies, and Policy-as-Code for FedRAMP, NIST SP 800-53, and CMMC compliance in Kubernetes environments.

Introduction

Organizations operating Kubernetes clusters in regulated environments face complex compliance requirements:

- FedRAMP: Federal Risk and Authorization Management Program
- NIST SP 800-53: Security and Privacy Controls for Information Systems and Organizations
- CMMC 2.0: Cybersecurity Maturity Model Certification for DoD contractors
- PCI DSS: Payment Card Industry Data Security Standard
- HIPAA: Health Insurance Portability and Accountability Act

This guide provides actionable security baselines based on production deployments in healthcare, financial services, and government-adjacent workloads. ...

September 10, 2025 · 2 min · Gustavo de Oliveira Ferreira

Secure Software Supply Chain in the Financial Sector

Introduction

The financial sector is a prime target for cyberattacks, and software supply chain security became a critical concern following incidents like SolarWinds. Ensuring the integrity and provenance of the software we use and deliver is fundamental. My experience at major financial institutions like Serasa Experian and Banco Bradesco provided insights into how DevSecOps practices, specifically Software Bill of Materials (SBOM) Generation and Artifact Signing, are crucial for building a more resilient software supply chain. ...

July 18, 2025 · 2 min · Gustavo de Oliveira Ferreira