Ricardo Amaro

Ricardo Amaro has a Ph.D. in Science and Technology and is a Senior Platform Engineering Manager at Acquia Inc., a company based in Boston, USA, where he focuses on large-scale software delivery performance. In Portugal, he is president of the Drupal Portugal Association, localization lead, and a researcher in DevOps and AI at INESC/INOV.
With a diversified career in both the public and private sectors in Portugal, he promotes Agile techniques and the DevOps culture. He has led development and operations teams and projects in South Africa, Germany and the United States. An advocate of digital rights and freedoms, Ricardo is inspired by the transformative potential of open source communities. Since the 1990s, Ricardo has been involved with open technologies such as Linux, becoming an expert and contributor in Drupal and in Cloud Native technologies such as Kubernetes, OpenTelemetry, and others.

Ricardo is co-author of the book "Seeking SRE", addressing the use of Machine Learning for SRE, published by O'Reilly in 2018. His published scientific articles include:
"DevOps Metrics and KPIs: A Multivocal Literature Review". ACM - Computing Surveys (2024);
"Capabilities and metrics in DevOps: A design science study". Information & Management (2023);
"DevOps benefits: A systematic literature review". Software: Practice and Experience (2022);
"Capabilities and Practices in DevOps: A Multivocal Literature Review". IEEE Transactions on Software Engineering (2022).


Session

04/10
11:00
30min
Securing +400 Open Source Pipelines Against the Shai-Hulud NPM Worm
Ricardo Amaro

Open-source supply chain threats

The open source ecosystem faces escalating supply chain threats, exemplified by the Shai-Hulud worm, a novel, self-replicating malware targeting npm maintainer credentials. The worm weaponized the trust inherent in open source, using malicious post-install scripts to steal credentials and automatically spread, threatening CI environments like Acquia’s, which manages +400 internal open source Jenkins jobs. This raised a critical question: how can an organization built on free software principles contain a threat that weaponizes the very freedom to execute code? Our preparedness was rooted in the Four Freedoms. By leveraging the freedom to study and modify, we implemented a robust defense centered on disabling the automatic execution of package installation scripts, turning open source values into our most effective shield.
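The defense described above rests on npm not running lifecycle scripts during installation. As an added example (not code from the talk or from Acquia's pipelines), the script below checks that an `.npmrc` sets `ignore-scripts=true`, the real npm option that disables those hooks, and audits a `node_modules` tree for packages that declare install-time scripts so they can be reviewed before anyone re-enables them. The directory layout, the sample packages and the `audit_tree` helper are assumptions.

```python
"""Audit npm dependencies for install-time lifecycle hooks and check that
npm is configured to skip them in CI.  Added example; sample packages
below are constructed and do not correspond to real npm packages."""
import json
import os
import tempfile

# Lifecycle hooks npm runs automatically for every dependency on install
INSTALL_HOOKS = {"preinstall", "install", "postinstall"}


def install_hooks(package_json_text):
    """Return the install-phase lifecycle hooks declared in a package.json."""
    scripts = json.loads(package_json_text).get("scripts") or {}
    return {name: cmd for name, cmd in scripts.items() if name in INSTALL_HOOKS}


def npmrc_ignores_scripts(npmrc_text):
    """True if an .npmrc turns lifecycle scripts off (`ignore-scripts=true`)."""
    for line in npmrc_text.splitlines():
        key, _, value = line.strip().partition("=")
        if key.strip() == "ignore-scripts":
            return value.strip().lower() == "true"
    return False  # npm's default is to run lifecycle scripts


def audit_tree(node_modules):
    """Walk node_modules and list packages that declare install-time hooks."""
    findings = {}
    for root, _dirs, files in os.walk(node_modules):
        if "package.json" in files:
            with open(os.path.join(root, "package.json")) as fh:
                hooks = install_hooks(fh.read())
            if hooks:
                findings[os.path.relpath(root, node_modules)] = hooks
    return findings


def demo():
    """Build a constructed node_modules tree in a temp dir and audit it."""
    tmp = tempfile.mkdtemp()
    samples = {  # constructed sample packages, not real npm packages
        "plain-lib": {"name": "plain-lib", "version": "1.0.0"},
        "suspicious-pkg": {"name": "suspicious-pkg", "version": "0.0.1",
                           "scripts": {"postinstall": "node setup.js"}},
    }
    for name, pkg in samples.items():
        os.makedirs(os.path.join(tmp, name))
        with open(os.path.join(tmp, name, "package.json"), "w") as fh:
            json.dump(pkg, fh)
    return audit_tree(tmp)
```

In a Jenkins job the same checks would run after `npm ci --ignore-scripts`, with a non-empty `audit_tree` result failing the build until the listed hooks have been reviewed.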

Key Takeaways

  • Treat the Four Freedoms as a practical security framework.
  • Disable automatic package installation scripts by default in CI/CD.
  • Leverage community intelligence to accelerate incident response.
  • Implement global policy controls for open source dependency consumption.
  • Rotate all exposed CI/CD secrets immediately after an incident.

Target Audience Relevance

This session offers a candid playbook for minimizing the blast radius of supply chain threats. DevSecOps professionals and developers will learn specific policy controls for hardening pipelines and safely leveraging open source freedoms, gaining actionable strategies to protect the software they build and depend upon daily.

non-technical
B002