- ๐ Pronouns: He/Him
- ๐ง๐ท I am Brazilian! Currently Living in Sรฃo Paulo
- ๐ Graduated in Computer Engineering in University of Campinas (UNICAMP), with an exchange program to Russia ๐
- ๐ป My favorite language is Kotlin, and I love to code using VIM
- ๐ถ๏ธ Fun facts:
- ๐ I'm a very proud cat dad! His name is Ravi ๐ฅฐ
- ๐ฎ I'm a fan of Dark Souls series and I'm enjoying my recently bought Playstation 5 ๐
- ๐ท I love wine and I'm starting to learn about them hehe
- ๐ข I work at Google on Google Open Source Security Team (GOSST)
- ๐ My next learning objectives are French and improving general communication/leading skills
- ๐ฌ I'd be more than happy to receive any contact through diogoteles@google.com, Twitter or LinkedIn ๐
GOSST was created as a response to the current scenario of increasing attacks on supply chain projects. The team counts with experienced open-source contributors and works alongside the Open Source Security Foundation (OpenSSF) to develop and spread solutions to make open software safer at scale. You can read more about Google initiatives on open source on this blogpost.
More specifically, I'm part of a sub-team responsible for our direct engagement with the Open Source community. We work with critical open source projects to help them increase their security, in any way we can. As a team, our goal is to:
- Build individual analyses and approaches for each project.
- Evaluate and suggest solutions or enhancements that would better fit the repository and not burden the maintainers.
- Welcome and conduct discussions about our suggestion or any security solutions the maintainers prefer, as we can surely provide specific help according to their demands.
- If possible and wanted, implement the changes ourselves via PRs to contribute with the discussed improvements.
- Collect all kinds of feedback, as we work closely with OpenSSF and any complaints would be kindly heard.
Please read more about our acchievements on our 1-year blogpost.
See below some of the tools developed by GOSST and the OpenSSF:
- Scorecard: automated checks to evaluate a project's security practices and suggest improvements as needed
- SLSA (pronounced "salsa"): a standard and protocol to ensure an artifact's provenance, guaranteeing it comes from the expected location and process. It prevents tampering and improves the integrity of infrastructure and consumed packages
- Sigstore: keyless signing and verification of artifacts
- OSS-FUZZ: automated fuzzing at scale, now fuzzing 800+ projects in 6 languages
- OSV: a precise human - and machine - readable database of vulnerabilities that maps affected software versions across open source ecosystems
- OSV-Scanner: A frontend for the OSV Database that connects a projectโs list of dependencies with the vulnerabilities that affect them
- GUAC: graph database of security metadata (in development)