- 😄 Pronouns: She/Her.
- 🇧🇷 I am Brazilian! Born at Natal/RN but raised at Rio de Janeiro.
- 🔭 I’m working at Google on Google Open Source Security Team (GOSST).
- 🏫 Graduated in Computer Science at UFRJ.
- 💻 My favorite programing languages are: Python, Ruby on Rails, Angular and C#.
- 🌱 My next learning objectives are Japanese and French.
- 📫 How to reach me: You can send me an email at joycebrumu.u@gmail.com.
- ⚡ Fun fact: I love books, videogames, animes and mangas.
GOSST was created in response to the increasing supply-chain attacks on projects that consume open-source code. It works along with the Linux Foundation's Open Source Security Foundation (OpenSSF) to improve the security of the open-source ecosystem. GOSST and the OpenSSF develop solutions to make open-source software safer at scale. See here for info on Google's open-source initiatives.
I'm part of a GOSST sub-team responsible for working hand-in-hand with the open-source community. We focus on helping individual critical projects increase their security. Our goals are to:
- develop specific approaches for each project;
- suggest solutions or enhancements that fit the project's needs and don't overburden maintainers;
- talk with maintainers about our suggestion or about any other solutions they might prefer;
- implement the changes and submit them as PRs;
- collect all feedback to be shared with the rest of GOSST and the OpenSSF.
See below some of the tools developed by GOSST and the OpenSSF:
- Scorecards: automated checks to evaluate a project's security practices and suggest improvements as needed;
- SLSA (pronounced "salsa"): a standard and protocol to ensure an artifact's provenance, guaranteeing it comes from the expected location and process. This aims to prevent tampering and improve the integrity of infrastructure and consumed packages;
- Sigstore: keyless signing and verification of artifacts;
- OSS-FUZZ: automated fuzzing at scale;
- OSV: a human- and machine-readable database of vulnerabilities that maps affected software versions across open source ecosystems;
- GUAC: graph database of security metadata (in development).